github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_iam_role_policy.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "net/url" 6 "strings" 7 8 "github.com/aws/aws-sdk-go/aws" 9 "github.com/aws/aws-sdk-go/aws/awserr" 10 "github.com/aws/aws-sdk-go/service/iam" 11 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/helper/schema" 14 ) 15 16 func resourceAwsIamRolePolicy() *schema.Resource { 17 return &schema.Resource{ 18 // PutRolePolicy API is idempotent, so these can be the same. 19 Create: resourceAwsIamRolePolicyPut, 20 Update: resourceAwsIamRolePolicyPut, 21 22 Read: resourceAwsIamRolePolicyRead, 23 Delete: resourceAwsIamRolePolicyDelete, 24 Importer: &schema.ResourceImporter{ 25 State: schema.ImportStatePassthrough, 26 }, 27 28 Schema: map[string]*schema.Schema{ 29 "policy": &schema.Schema{ 30 Type: schema.TypeString, 31 Required: true, 32 }, 33 "name": &schema.Schema{ 34 Type: schema.TypeString, 35 Optional: true, 36 Computed: true, 37 ForceNew: true, 38 ConflictsWith: []string{"name_prefix"}, 39 ValidateFunc: validateIamRolePolicyName, 40 }, 41 "name_prefix": &schema.Schema{ 42 Type: schema.TypeString, 43 Optional: true, 44 ForceNew: true, 45 ValidateFunc: validateIamRolePolicyNamePrefix, 46 }, 47 "role": &schema.Schema{ 48 Type: schema.TypeString, 49 Required: true, 50 ForceNew: true, 51 }, 52 }, 53 } 54 } 55 56 func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error { 57 iamconn := meta.(*AWSClient).iamconn 58 59 request := &iam.PutRolePolicyInput{ 60 RoleName: aws.String(d.Get("role").(string)), 61 PolicyDocument: aws.String(d.Get("policy").(string)), 62 } 63 64 var policyName string 65 if v, ok := d.GetOk("name"); ok { 66 policyName = v.(string) 67 } else if v, ok := d.GetOk("name_prefix"); ok { 68 policyName = resource.PrefixedUniqueId(v.(string)) 69 } else { 70 policyName = resource.UniqueId() 71 } 72 request.PolicyName = aws.String(policyName) 73 74 if _, err := iamconn.PutRolePolicy(request); err != nil { 75 return fmt.Errorf("Error putting IAM role policy %s: %s", *request.PolicyName, err) 76 } 77 78 d.SetId(fmt.Sprintf("%s:%s", *request.RoleName, *request.PolicyName)) 79 return nil 80 } 81 82 func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error { 83 iamconn := meta.(*AWSClient).iamconn 84 85 role, name, err := resourceAwsIamRolePolicyParseId(d.Id()) 86 if err != nil { 87 return err 88 } 89 90 request := &iam.GetRolePolicyInput{ 91 PolicyName: aws.String(name), 92 RoleName: aws.String(role), 93 } 94 95 getResp, err := iamconn.GetRolePolicy(request) 96 if err != nil { 97 if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me 98 d.SetId("") 99 return nil 100 } 101 return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err) 102 } 103 104 if getResp.PolicyDocument == nil { 105 return fmt.Errorf("GetRolePolicy returned a nil policy document") 106 } 107 108 policy, err := url.QueryUnescape(*getResp.PolicyDocument) 109 if err != nil { 110 return err 111 } 112 if err := d.Set("policy", policy); err != nil { 113 return err 114 } 115 if err := d.Set("name", name); err != nil { 116 return err 117 } 118 return d.Set("role", role) 119 } 120 121 func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error { 122 iamconn := meta.(*AWSClient).iamconn 123 124 role, name, err := resourceAwsIamRolePolicyParseId(d.Id()) 125 if err != nil { 126 return err 127 } 128 129 request := &iam.DeleteRolePolicyInput{ 130 PolicyName: aws.String(name), 131 RoleName: aws.String(role), 132 } 133 134 if _, err := iamconn.DeleteRolePolicy(request); err != nil { 135 return fmt.Errorf("Error deleting IAM role policy %s: %s", d.Id(), err) 136 } 137 return nil 138 } 139 140 func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string, err error) { 141 parts := strings.SplitN(id, ":", 2) 142 if len(parts) != 2 { 143 err = fmt.Errorf("role_policy id must be of the form <role name>:<policy name>") 144 return 145 } 146 147 roleName = parts[0] 148 policyName = parts[1] 149 return 150 }