github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_iam_role_policy_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/iam" 10 "github.com/hashicorp/terraform/helper/acctest" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 ) 14 15 func TestAccAWSIAMRolePolicy_basic(t *testing.T) { 16 role := acctest.RandString(10) 17 policy1 := acctest.RandString(10) 18 policy2 := acctest.RandString(10) 19 20 resource.Test(t, resource.TestCase{ 21 PreCheck: func() { testAccPreCheck(t) }, 22 Providers: testAccProviders, 23 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 24 Steps: []resource.TestStep{ 25 resource.TestStep{ 26 Config: testAccIAMRolePolicyConfig(role, policy1), 27 Check: resource.ComposeTestCheckFunc( 28 testAccCheckIAMRolePolicy( 29 "aws_iam_role.role", 30 "aws_iam_role_policy.foo", 31 ), 32 ), 33 }, 34 resource.TestStep{ 35 Config: testAccIAMRolePolicyConfigUpdate(role, policy1, policy2), 36 Check: resource.ComposeTestCheckFunc( 37 testAccCheckIAMRolePolicy( 38 "aws_iam_role.role", 39 "aws_iam_role_policy.bar", 40 ), 41 ), 42 }, 43 }, 44 }) 45 } 46 47 func TestAccAWSIAMRolePolicy_namePrefix(t *testing.T) { 48 role := acctest.RandString(10) 49 50 resource.Test(t, resource.TestCase{ 51 PreCheck: func() { testAccPreCheck(t) }, 52 IDRefreshName: "aws_iam_role_policy.test", 53 Providers: testAccProviders, 54 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 55 Steps: []resource.TestStep{ 56 resource.TestStep{ 57 Config: testAccIAMRolePolicyConfig_namePrefix(role), 58 Check: resource.ComposeTestCheckFunc( 59 testAccCheckIAMRolePolicy( 60 "aws_iam_role.test", 61 "aws_iam_role_policy.test", 62 ), 63 ), 64 }, 65 }, 66 }) 67 } 68 69 func TestAccAWSIAMRolePolicy_generatedName(t *testing.T) { 70 role := acctest.RandString(10) 71 72 resource.Test(t, resource.TestCase{ 73 PreCheck: func() { testAccPreCheck(t) }, 74 IDRefreshName: "aws_iam_role_policy.test", 75 Providers: testAccProviders, 76 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 77 Steps: []resource.TestStep{ 78 resource.TestStep{ 79 Config: testAccIAMRolePolicyConfig_generatedName(role), 80 Check: resource.ComposeTestCheckFunc( 81 testAccCheckIAMRolePolicy( 82 "aws_iam_role.test", 83 "aws_iam_role_policy.test", 84 ), 85 ), 86 }, 87 }, 88 }) 89 } 90 91 func testAccCheckIAMRolePolicyDestroy(s *terraform.State) error { 92 iamconn := testAccProvider.Meta().(*AWSClient).iamconn 93 94 for _, rs := range s.RootModule().Resources { 95 if rs.Type != "aws_iam_role_policy" { 96 continue 97 } 98 99 role, name, err := resourceAwsIamRolePolicyParseId(rs.Primary.ID) 100 if err != nil { 101 return err 102 } 103 104 request := &iam.GetRolePolicyInput{ 105 PolicyName: aws.String(name), 106 RoleName: aws.String(role), 107 } 108 109 getResp, err := iamconn.GetRolePolicy(request) 110 if err != nil { 111 if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { 112 // none found, that's good 113 return nil 114 } 115 return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err) 116 } 117 118 if getResp != nil { 119 return fmt.Errorf("Found IAM Role, expected none: %s", getResp) 120 } 121 } 122 123 return nil 124 } 125 126 func testAccCheckIAMRolePolicy( 127 iamRoleResource string, 128 iamRolePolicyResource string) resource.TestCheckFunc { 129 return func(s *terraform.State) error { 130 rs, ok := s.RootModule().Resources[iamRoleResource] 131 if !ok { 132 return fmt.Errorf("Not Found: %s", iamRoleResource) 133 } 134 135 if rs.Primary.ID == "" { 136 return fmt.Errorf("No ID is set") 137 } 138 139 policy, ok := s.RootModule().Resources[iamRolePolicyResource] 140 if !ok { 141 return fmt.Errorf("Not Found: %s", iamRolePolicyResource) 142 } 143 144 iamconn := testAccProvider.Meta().(*AWSClient).iamconn 145 role, name, err := resourceAwsIamRolePolicyParseId(policy.Primary.ID) 146 if err != nil { 147 return err 148 } 149 150 _, err = iamconn.GetRolePolicy(&iam.GetRolePolicyInput{ 151 RoleName: aws.String(role), 152 PolicyName: aws.String(name), 153 }) 154 if err != nil { 155 return err 156 } 157 158 return nil 159 } 160 } 161 162 func testAccIAMRolePolicyConfig(role, policy1 string) string { 163 return fmt.Sprintf(` 164 resource "aws_iam_role" "role" { 165 name = "tf_test_role_%s" 166 path = "/" 167 assume_role_policy = <<EOF 168 { 169 "Version": "2012-10-17", 170 "Statement": [ 171 { 172 "Action": "sts:AssumeRole", 173 "Principal": { 174 "Service": "ec2.amazonaws.com" 175 }, 176 "Effect": "Allow", 177 "Sid": "" 178 } 179 ] 180 } 181 EOF 182 } 183 184 resource "aws_iam_role_policy" "foo" { 185 name = "tf_test_policy_%s" 186 role = "${aws_iam_role.role.name}" 187 policy = <<EOF 188 { 189 "Version": "2012-10-17", 190 "Statement": { 191 "Effect": "Allow", 192 "Action": "*", 193 "Resource": "*" 194 } 195 } 196 EOF 197 } 198 `, role, policy1) 199 } 200 201 func testAccIAMRolePolicyConfig_namePrefix(role string) string { 202 return fmt.Sprintf(` 203 resource "aws_iam_role" "test" { 204 name = "tf_test_role_%s" 205 path = "/" 206 assume_role_policy = <<EOF 207 { 208 "Version": "2012-10-17", 209 "Statement": [ 210 { 211 "Action": "sts:AssumeRole", 212 "Principal": { 213 "Service": "ec2.amazonaws.com" 214 }, 215 "Effect": "Allow", 216 "Sid": "" 217 } 218 ] 219 } 220 EOF 221 } 222 223 resource "aws_iam_role_policy" "test" { 224 name_prefix = "tf_test_policy_" 225 role = "${aws_iam_role.test.name}" 226 policy = <<EOF 227 { 228 "Version": "2012-10-17", 229 "Statement": { 230 "Effect": "Allow", 231 "Action": "*", 232 "Resource": "*" 233 } 234 } 235 EOF 236 } 237 `, role) 238 } 239 240 func testAccIAMRolePolicyConfig_generatedName(role string) string { 241 return fmt.Sprintf(` 242 resource "aws_iam_role" "test" { 243 name = "tf_test_role_%s" 244 path = "/" 245 assume_role_policy = <<EOF 246 { 247 "Version": "2012-10-17", 248 "Statement": [ 249 { 250 "Action": "sts:AssumeRole", 251 "Principal": { 252 "Service": "ec2.amazonaws.com" 253 }, 254 "Effect": "Allow", 255 "Sid": "" 256 } 257 ] 258 } 259 EOF 260 } 261 262 resource "aws_iam_role_policy" "test" { 263 role = "${aws_iam_role.test.name}" 264 policy = <<EOF 265 { 266 "Version": "2012-10-17", 267 "Statement": { 268 "Effect": "Allow", 269 "Action": "*", 270 "Resource": "*" 271 } 272 } 273 EOF 274 } 275 `, role) 276 } 277 278 func testAccIAMRolePolicyConfigUpdate(role, policy1, policy2 string) string { 279 return fmt.Sprintf(` 280 resource "aws_iam_role" "role" { 281 name = "tf_test_role_%s" 282 path = "/" 283 assume_role_policy = <<EOF 284 { 285 "Version": "2012-10-17", 286 "Statement": [ 287 { 288 "Action": "sts:AssumeRole", 289 "Principal": { 290 "Service": "ec2.amazonaws.com" 291 }, 292 "Effect": "Allow", 293 "Sid": "" 294 } 295 ] 296 } 297 EOF 298 } 299 300 resource "aws_iam_role_policy" "foo" { 301 name = "tf_test_policy_%s" 302 role = "${aws_iam_role.role.name}" 303 policy = <<EOF 304 { 305 "Version": "2012-10-17", 306 "Statement": { 307 "Effect": "Allow", 308 "Action": "*", 309 "Resource": "*" 310 } 311 } 312 EOF 313 } 314 315 resource "aws_iam_role_policy" "bar" { 316 name = "tf_test_policy_2_%s" 317 role = "${aws_iam_role.role.name}" 318 policy = <<EOF 319 { 320 "Version": "2012-10-17", 321 "Statement": { 322 "Effect": "Allow", 323 "Action": "*", 324 "Resource": "*" 325 } 326 } 327 EOF 328 } 329 `, role, policy1, policy2) 330 }