github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_kms_key_test.go (about) 1 // make testacc TEST=./builtin/providers/aws/ TESTARGS='-run=TestAccAWSKmsKey_' 2 package aws 3 4 import ( 5 "fmt" 6 "testing" 7 "time" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/service/kms" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 "github.com/jen20/awspolicyequivalence" 14 ) 15 16 func TestAccAWSKmsKey_basic(t *testing.T) { 17 var keyBefore, keyAfter kms.KeyMetadata 18 19 resource.Test(t, resource.TestCase{ 20 PreCheck: func() { testAccPreCheck(t) }, 21 Providers: testAccProviders, 22 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 23 Steps: []resource.TestStep{ 24 { 25 Config: testAccAWSKmsKey, 26 Check: resource.ComposeTestCheckFunc( 27 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore), 28 ), 29 }, 30 { 31 Config: testAccAWSKmsKey_removedPolicy, 32 Check: resource.ComposeTestCheckFunc( 33 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter), 34 ), 35 }, 36 }, 37 }) 38 } 39 40 func TestAccAWSKmsKey_disappears(t *testing.T) { 41 var key kms.KeyMetadata 42 43 resource.Test(t, resource.TestCase{ 44 PreCheck: func() { testAccPreCheck(t) }, 45 Providers: testAccProviders, 46 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 47 Steps: []resource.TestStep{ 48 { 49 Config: testAccAWSKmsKey, 50 Check: resource.ComposeTestCheckFunc( 51 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &key), 52 ), 53 }, 54 { 55 Config: testAccAWSKmsKey_other_region, 56 PlanOnly: true, 57 ExpectNonEmptyPlan: true, 58 }, 59 }, 60 }) 61 } 62 63 func TestAccAWSKmsKey_policy(t *testing.T) { 64 var key kms.KeyMetadata 65 expectedPolicyText := `{"Version":"2012-10-17","Id":"kms-tf-1","Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}` 66 67 resource.Test(t, resource.TestCase{ 68 PreCheck: func() { testAccPreCheck(t) }, 69 Providers: testAccProviders, 70 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 71 Steps: []resource.TestStep{ 72 { 73 Config: testAccAWSKmsKey, 74 Check: resource.ComposeTestCheckFunc( 75 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &key), 76 testAccCheckAWSKmsKeyHasPolicy("aws_kms_key.foo", expectedPolicyText), 77 ), 78 }, 79 }, 80 }) 81 } 82 83 func TestAccAWSKmsKey_isEnabled(t *testing.T) { 84 var key1, key2, key3 kms.KeyMetadata 85 86 resource.Test(t, resource.TestCase{ 87 PreCheck: func() { testAccPreCheck(t) }, 88 Providers: testAccProviders, 89 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 90 Steps: []resource.TestStep{ 91 { 92 Config: testAccAWSKmsKey_enabledRotation, 93 Check: resource.ComposeTestCheckFunc( 94 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1), 95 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"), 96 testAccCheckAWSKmsKeyIsEnabled(&key1, true), 97 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"), 98 ), 99 }, 100 { 101 Config: testAccAWSKmsKey_disabled, 102 Check: resource.ComposeTestCheckFunc( 103 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2), 104 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"), 105 testAccCheckAWSKmsKeyIsEnabled(&key2, false), 106 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"), 107 ), 108 }, 109 { 110 Config: testAccAWSKmsKey_enabled, 111 Check: resource.ComposeTestCheckFunc( 112 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3), 113 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"), 114 testAccCheckAWSKmsKeyIsEnabled(&key3, true), 115 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"), 116 ), 117 }, 118 }, 119 }) 120 } 121 122 func TestAccAWSKmsKey_tags(t *testing.T) { 123 var keyBefore kms.KeyMetadata 124 125 resource.Test(t, resource.TestCase{ 126 PreCheck: func() { testAccPreCheck(t) }, 127 Providers: testAccProviders, 128 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 129 Steps: []resource.TestStep{ 130 { 131 Config: testAccAWSKmsKey_tags, 132 Check: resource.ComposeTestCheckFunc( 133 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore), 134 resource.TestCheckResourceAttr("aws_kms_key.foo", "tags.%", "2"), 135 ), 136 }, 137 }, 138 }) 139 } 140 141 func testAccCheckAWSKmsKeyHasPolicy(name string, expectedPolicyText string) resource.TestCheckFunc { 142 return func(s *terraform.State) error { 143 rs, ok := s.RootModule().Resources[name] 144 if !ok { 145 return fmt.Errorf("Not found: %s", name) 146 } 147 148 if rs.Primary.ID == "" { 149 return fmt.Errorf("No KMS Key ID is set") 150 } 151 152 conn := testAccProvider.Meta().(*AWSClient).kmsconn 153 154 out, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{ 155 KeyId: aws.String(rs.Primary.ID), 156 PolicyName: aws.String("default"), 157 }) 158 if err != nil { 159 return err 160 } 161 162 actualPolicyText := *out.Policy 163 164 equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText) 165 if err != nil { 166 return fmt.Errorf("Error testing policy equivalence: %s", err) 167 } 168 if !equivalent { 169 return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n got: %s\n", 170 expectedPolicyText, actualPolicyText) 171 } 172 173 return nil 174 } 175 } 176 177 func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error { 178 conn := testAccProvider.Meta().(*AWSClient).kmsconn 179 180 for _, rs := range s.RootModule().Resources { 181 if rs.Type != "aws_kms_key" { 182 continue 183 } 184 185 out, err := conn.DescribeKey(&kms.DescribeKeyInput{ 186 KeyId: aws.String(rs.Primary.ID), 187 }) 188 189 if err != nil { 190 return err 191 } 192 193 if *out.KeyMetadata.KeyState == "PendingDeletion" { 194 return nil 195 } 196 197 return fmt.Errorf("KMS key still exists:\n%#v", out.KeyMetadata) 198 } 199 200 return nil 201 } 202 203 func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc { 204 return func(s *terraform.State) error { 205 rs, ok := s.RootModule().Resources[name] 206 if !ok { 207 return fmt.Errorf("Not found: %s", name) 208 } 209 210 if rs.Primary.ID == "" { 211 return fmt.Errorf("No KMS Key ID is set") 212 } 213 214 conn := testAccProvider.Meta().(*AWSClient).kmsconn 215 216 out, err := conn.DescribeKey(&kms.DescribeKeyInput{ 217 KeyId: aws.String(rs.Primary.ID), 218 }) 219 if err != nil { 220 return err 221 } 222 223 *key = *out.KeyMetadata 224 225 return nil 226 } 227 } 228 229 func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc { 230 return func(s *terraform.State) error { 231 if *key.Enabled != isEnabled { 232 return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t", 233 *key.Arn, isEnabled, *key.Enabled) 234 } 235 236 return nil 237 } 238 } 239 240 var kmsTimestamp = time.Now().Format(time.RFC1123) 241 var testAccAWSKmsKey = fmt.Sprintf(` 242 resource "aws_kms_key" "foo" { 243 description = "Terraform acc test %s" 244 deletion_window_in_days = 7 245 policy = <<POLICY 246 { 247 "Version": "2012-10-17", 248 "Id": "kms-tf-1", 249 "Statement": [ 250 { 251 "Sid": "Enable IAM User Permissions", 252 "Effect": "Allow", 253 "Principal": { 254 "AWS": "*" 255 }, 256 "Action": "kms:*", 257 "Resource": "*" 258 } 259 ] 260 } 261 POLICY 262 }`, kmsTimestamp) 263 264 var testAccAWSKmsKey_other_region = fmt.Sprintf(` 265 provider "aws" { 266 region = "us-east-1" 267 } 268 resource "aws_kms_key" "foo" { 269 description = "Terraform acc test %s" 270 deletion_window_in_days = 7 271 policy = <<POLICY 272 { 273 "Version": "2012-10-17", 274 "Id": "kms-tf-1", 275 "Statement": [ 276 { 277 "Sid": "Enable IAM User Permissions", 278 "Effect": "Allow", 279 "Principal": { 280 "AWS": "*" 281 }, 282 "Action": "kms:*", 283 "Resource": "*" 284 } 285 ] 286 } 287 POLICY 288 }`, kmsTimestamp) 289 290 var testAccAWSKmsKey_removedPolicy = fmt.Sprintf(` 291 resource "aws_kms_key" "foo" { 292 description = "Terraform acc test %s" 293 deletion_window_in_days = 7 294 }`, kmsTimestamp) 295 296 var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(` 297 resource "aws_kms_key" "bar" { 298 description = "Terraform acc test is_enabled %s" 299 deletion_window_in_days = 7 300 enable_key_rotation = true 301 }`, kmsTimestamp) 302 var testAccAWSKmsKey_disabled = fmt.Sprintf(` 303 resource "aws_kms_key" "bar" { 304 description = "Terraform acc test is_enabled %s" 305 deletion_window_in_days = 7 306 enable_key_rotation = false 307 is_enabled = false 308 }`, kmsTimestamp) 309 var testAccAWSKmsKey_enabled = fmt.Sprintf(` 310 resource "aws_kms_key" "bar" { 311 description = "Terraform acc test is_enabled %s" 312 deletion_window_in_days = 7 313 enable_key_rotation = true 314 is_enabled = true 315 }`, kmsTimestamp) 316 317 var testAccAWSKmsKey_tags = fmt.Sprintf(` 318 resource "aws_kms_key" "foo" { 319 description = "Terraform acc test %s" 320 tags { 321 Key1 = "Value One" 322 Description = "Very interesting" 323 } 324 }`, kmsTimestamp)