
     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/service/s3"
     9  	"github.com/hashicorp/terraform/helper/acctest"
    10  	"github.com/hashicorp/terraform/helper/resource"
    11  	"github.com/hashicorp/terraform/terraform"
    12  	"github.com/jen20/awspolicyequivalence"
    13  )
    14  
// TestAccAWSS3BucketPolicy_basic creates a bucket with a policy attached
// through aws_s3_bucket_policy and verifies that S3 reports a policy
// equivalent to the fixture. The bucket name carries a random suffix so
// concurrent acceptance runs do not collide on the global S3 namespace.
func TestAccAWSS3BucketPolicy_basic(t *testing.T) {
	bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())

	// The fixture grants every S3 action to any principal ("*") on the bucket
	// and its objects. The check compares with awspolicy.PoliciesAreEquivalent,
	// so the empty Sid and key order here need not match S3's rendering.
	wantPolicy := fmt.Sprintf(
		`{"Version":"2012-10-17","Statement":[{"Sid": "", "Effect":"Allow","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::%s/*","arn:aws:s3:::%s"]}]}`,
		bucketName, bucketName)

	steps := []resource.TestStep{
		{
			Config: testAccAWSS3BucketPolicyConfig(bucketName),
			Check: resource.ComposeTestCheckFunc(
				testAccCheckAWSS3BucketExists("aws_s3_bucket.bucket"),
				testAccCheckAWSS3BucketHasPolicy("aws_s3_bucket.bucket", wantPolicy),
			),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSS3BucketDestroy,
		Steps:        steps,
	})
}
    37  
// TestAccAWSS3BucketPolicy_policyUpdate applies the "s3:*" fixture policy,
// then applies a narrower policy (DeleteBucket/ListBucket/ListBucketVersions)
// to the same bucket and verifies that S3 reports the updated policy after
// each step. Both steps keep Principal "*", so only the action list changes.
func TestAccAWSS3BucketPolicy_policyUpdate(t *testing.T) {
	bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())

	// Step 1: broad policy, identical to the one used by the basic test.
	wantInitial := fmt.Sprintf(
		`{"Version":"2012-10-17","Statement":[{"Sid": "", "Effect":"Allow","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::%s/*","arn:aws:s3:::%s"]}]}`,
		bucketName, bucketName)

	// Step 2: the same resources with an explicit, narrower action list.
	wantUpdated := fmt.Sprintf(
		`{"Version":"2012-10-17","Statement":[{"Sid": "", "Effect":"Allow","Principal":"*","Action":["s3:DeleteBucket", "s3:ListBucket", "s3:ListBucketVersions"], "Resource":["arn:aws:s3:::%s/*","arn:aws:s3:::%s"]}]}`,
		bucketName, bucketName)

	checkFor := func(want string) resource.TestCheckFunc {
		return resource.ComposeTestCheckFunc(
			testAccCheckAWSS3BucketExists("aws_s3_bucket.bucket"),
			testAccCheckAWSS3BucketHasPolicy("aws_s3_bucket.bucket", want),
		)
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSS3BucketDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSS3BucketPolicyConfig(bucketName),
				Check:  checkFor(wantInitial),
			},
			{
				Config: testAccAWSS3BucketPolicyConfig_updated(bucketName),
				Check:  checkFor(wantUpdated),
			},
		},
	})
}
    72  
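// testAccCheckAWSS3BucketHasPolicy returns a check that looks up the
// aws_s3_bucket resource named n in the Terraform state, fetches its bucket
// policy from S3 and verifies it is equivalent to expectedPolicyText.
//
// Equivalence is decided by awspolicy.PoliciesAreEquivalent rather than a
// string compare, so key order, whitespace and an empty Sid may differ
// between the fixture and what S3 returns. A missing resource, an empty ID,
// an API error, a response without a policy body, or a non-equivalent
// policy each produce a descriptive error.
func testAccCheckAWSS3BucketHasPolicy(n string, expectedPolicyText string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No S3 Bucket ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).s3conn

		// The resource ID is passed as the bucket name for the lookup.
		policy, err := conn.GetBucketPolicy(&s3.GetBucketPolicyInput{
			Bucket: aws.String(rs.Primary.ID),
		})
		if err != nil {
			return fmt.Errorf("GetBucketPolicy error: %v", err)
		}

		// A successful call that carries no policy body would otherwise panic
		// on the dereference below; report it as a check failure instead.
		if policy == nil || policy.Policy == nil {
			return fmt.Errorf("GetBucketPolicy returned no policy for bucket %s", rs.Primary.ID)
		}
		actualPolicyText := *policy.Policy

		equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText)
		if err != nil {
			return fmt.Errorf("Error testing policy equivalence: %s", err)
		}
		if !equivalent {
			return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n     got: %s\n",
				expectedPolicyText, actualPolicyText)
		}

		return nil
	}
}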
   107  
   108  func testAccAWSS3BucketPolicyConfig(bucketName string) string {
   109  	return fmt.Sprintf(`
   110  resource "aws_s3_bucket" "bucket" {
   111  	bucket = "%s"
   112  	tags {
   113  		TestName = "TestAccAWSS3BucketPolicy_basic"
   114  	}
   115  }
   116  
   117  resource "aws_s3_bucket_policy" "bucket" {
   118  	bucket = "${aws_s3_bucket.bucket.bucket}"
   119  	policy = "${data.aws_iam_policy_document.policy.json}"
   120  }
   121  
   122  data "aws_iam_policy_document" "policy" {
   123    statement {
   124      effect = "Allow"
   125  
   126      actions = [
   127        "s3:*",
   128      ]
   129  
   130      resources = [
   131        "${aws_s3_bucket.bucket.arn}",
   132        "${aws_s3_bucket.bucket.arn}/*",
   133      ]
   134  
   135      principals {
   136        type        = "AWS"
   137        identifiers = ["*"]
   138      }
   139    }
   140  }
   141  `, bucketName)
   142  }
   143  
   144  func testAccAWSS3BucketPolicyConfig_updated(bucketName string) string {
   145  	return fmt.Sprintf(`
   146  resource "aws_s3_bucket" "bucket" {
   147  	bucket = "%s"
   148  	tags {
   149  		TestName = "TestAccAWSS3BucketPolicy_basic"
   150  	}
   151  }
   152  
   153  resource "aws_s3_bucket_policy" "bucket" {
   154  	bucket = "${aws_s3_bucket.bucket.bucket}"
   155  	policy = "${data.aws_iam_policy_document.policy.json}"
   156  }
   157  
   158  data "aws_iam_policy_document" "policy" {
   159    statement {
   160      effect = "Allow"
   161  
   162      actions = [
   163        "s3:DeleteBucket",
   164        "s3:ListBucket",
   165        "s3:ListBucketVersions"
   166      ]
   167  
   168      resources = [
   169        "${aws_s3_bucket.bucket.arn}",
   170        "${aws_s3_bucket.bucket.arn}/*",
   171      ]
   172  
   173      principals {
   174        type        = "AWS"
   175        identifiers = ["*"]
   176      }
   177    }
   178  }
   179  `, bucketName)
   180  }