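package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/s3"
	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
	"github.com/jen20/awspolicyequivalence"
)

// TestAccAWSS3BucketPolicy_basic creates a bucket with an attached
// aws_s3_bucket_policy and verifies that the policy S3 reports back is
// semantically equivalent to the one declared in the configuration.
func TestAccAWSS3BucketPolicy_basic(t *testing.T) {
	name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
	expectedPolicyText := testAccAWSS3BucketPolicyExpectedFullAccess(name)

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSS3BucketDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSS3BucketPolicyConfig(name),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSS3BucketExists("aws_s3_bucket.bucket"),
					testAccCheckAWSS3BucketHasPolicy("aws_s3_bucket.bucket", expectedPolicyText),
				),
			},
		},
	})
}

// TestAccAWSS3BucketPolicy_policyUpdate applies a bucket policy, then applies
// a narrower one to the same bucket, and checks after each step that S3 holds
// the policy the step declared.
func TestAccAWSS3BucketPolicy_policyUpdate(t *testing.T) {
	name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())

	expectedPolicyText1 := testAccAWSS3BucketPolicyExpectedFullAccess(name)

	// Second step: same principal and resources, but only three explicit
	// actions instead of "s3:*".
	expectedPolicyText2 := fmt.Sprintf(
		`{"Version":"2012-10-17","Statement":[{"Sid": "", "Effect":"Allow","Principal":"*","Action":["s3:DeleteBucket", "s3:ListBucket", "s3:ListBucketVersions"], "Resource":["arn:aws:s3:::%s/*","arn:aws:s3:::%s"]}]}`,
		name, name)

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSS3BucketDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSS3BucketPolicyConfig(name),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSS3BucketExists("aws_s3_bucket.bucket"),
					testAccCheckAWSS3BucketHasPolicy("aws_s3_bucket.bucket", expectedPolicyText1),
				),
			},
			{
				Config: testAccAWSS3BucketPolicyConfig_updated(name),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSS3BucketExists("aws_s3_bucket.bucket"),
					testAccCheckAWSS3BucketHasPolicy("aws_s3_bucket.bucket", expectedPolicyText2),
				),
			},
		},
	})
}

// testAccAWSS3BucketPolicyExpectedFullAccess returns the policy document that
// testAccAWSS3BucketPolicyConfig is expected to produce for the bucket called
// name. It is shared by both acceptance tests so the two copies cannot drift.
//
// The document is deliberately wide open (Principal "*", Action "s3:*"). It is
// only ever attached to a randomly named, short-lived test bucket that
// CheckDestroy removes; it is a test fixture, not a template for real bucket
// policies. The comparison in testAccCheckAWSS3BucketHasPolicy is semantic,
// so whitespace and ordering differences against what S3 returns do not
// matter.
func testAccAWSS3BucketPolicyExpectedFullAccess(name string) string {
	return fmt.Sprintf(
		`{"Version":"2012-10-17","Statement":[{"Sid": "", "Effect":"Allow","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::%s/*","arn:aws:s3:::%s"]}]}`,
		name, name)
}

// testAccCheckAWSS3BucketHasPolicy returns a check that looks up the
// aws_s3_bucket resource named n in the Terraform state, fetches that bucket's
// policy from S3 and fails unless it is semantically equivalent to
// expectedPolicyText (as judged by awspolicy.PoliciesAreEquivalent).
func testAccCheckAWSS3BucketHasPolicy(n string, expectedPolicyText string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No S3 Bucket ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).s3conn

		out, err := conn.GetBucketPolicy(&s3.GetBucketPolicyInput{
			Bucket: aws.String(rs.Primary.ID),
		})
		if err != nil {
			return fmt.Errorf("GetBucketPolicy error: %v", err)
		}
		// Guard the dereference: a nil Policy field would otherwise panic and
		// abort the whole acceptance run instead of failing just this check.
		if out == nil || out.Policy == nil {
			return fmt.Errorf("GetBucketPolicy returned no policy document for bucket %s", rs.Primary.ID)
		}
		actualPolicyText := *out.Policy

		equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText)
		if err != nil {
			return fmt.Errorf("Error testing policy equivalence: %s", err)
		}
		if !equivalent {
			return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n got: %s\n",
				expectedPolicyText, actualPolicyText)
		}

		return nil
	}
}

// testAccAWSS3BucketPolicyConfig returns HCL that creates bucket bucketName
// and attaches a policy, rendered from an aws_iam_policy_document data source,
// allowing every S3 action to any principal on the bucket and its objects.
// This is the configuration whose stored form
// testAccAWSS3BucketPolicyExpectedFullAccess describes.
func testAccAWSS3BucketPolicyConfig(bucketName string) string {
	return fmt.Sprintf(`
resource "aws_s3_bucket" "bucket" {
	bucket = "%s"
	tags {
		TestName = "TestAccAWSS3BucketPolicy_basic"
	}
}

resource "aws_s3_bucket_policy" "bucket" {
	bucket = "${aws_s3_bucket.bucket.bucket}"
	policy = "${data.aws_iam_policy_document.policy.json}"
}

data "aws_iam_policy_document" "policy" {
	statement {
		effect = "Allow"

		actions = [
			"s3:*",
		]

		resources = [
			"${aws_s3_bucket.bucket.arn}",
			"${aws_s3_bucket.bucket.arn}/*",
		]

		principals {
			type = "AWS"
			identifiers = ["*"]
		}
	}
}
`, bucketName)
}

// testAccAWSS3BucketPolicyConfig_updated returns the same bucket and policy
// resources as testAccAWSS3BucketPolicyConfig, but with the statement's
// actions narrowed to s3:DeleteBucket, s3:ListBucket and
// s3:ListBucketVersions. It is the second step of
// TestAccAWSS3BucketPolicy_policyUpdate.
func testAccAWSS3BucketPolicyConfig_updated(bucketName string) string {
	return fmt.Sprintf(`
resource "aws_s3_bucket" "bucket" {
	bucket = "%s"
	tags {
		TestName = "TestAccAWSS3BucketPolicy_basic"
	}
}

resource "aws_s3_bucket_policy" "bucket" {
	bucket = "${aws_s3_bucket.bucket.bucket}"
	policy = "${data.aws_iam_policy_document.policy.json}"
}

data "aws_iam_policy_document" "policy" {
	statement {
		effect = "Allow"

		actions = [
			"s3:DeleteBucket",
			"s3:ListBucket",
			"s3:ListBucketVersions"
		]

		resources = [
			"${aws_s3_bucket.bucket.arn}",
			"${aws_s3_bucket.bucket.arn}/*",
		]

		principals {
			type = "AWS"
			identifiers = ["*"]
		}
	}
}
`, bucketName)
}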