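package aws

import (
	"fmt"
	"sort"
	"strings"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSPolicyAttachment_basic attaches a managed policy to one user, role
// and group, then updates the attachment to two of each, checking after every
// step that the entities IAM reports as attached are exactly the configured ones.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			{
				Config: testAccAWSPolicyAttachConfigUpdate,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					// The update config attaches user2 and user3; the expected
					// list must name both, otherwise a missing user2 goes unnoticed.
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user2", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}

// TestAccAWSPolicyAttachment_paginatedEntities attaches a policy to more users
// than ListEntitiesForPolicy returns in one page, so the existence check has to
// page through the results to see every attached entity.
func TestAccAWSPolicyAttachment_paginatedEntities(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyPaginatedAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-paginated-attach", 101, &out),
				),
			},
		},
	})
}

// testAccCheckAWSPolicyAttachmentDestroy verifies that no policy attachment
// recorded in the final state still has entities attached. The policy itself
// is destroyed by the same configuration, so a failed GetPolicy is taken to
// mean the policy is gone; only a policy that still exists with a non-zero
// AttachmentCount is reported as a leftover attachment.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).iamconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_iam_policy_attachment" {
			continue
		}
		arn := rs.Primary.Attributes["policy_arn"]
		if arn == "" {
			continue
		}

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			// NOTE(review): any lookup error is treated as "policy not found"
			// because the policy is deleted alongside the attachment. Telling a
			// NoSuchEntity apart from other failures would need the awserr
			// package, which this file does not import.
			continue
		}
		if resp.Policy != nil && resp.Policy.AttachmentCount != nil && *resp.Policy.AttachmentCount != 0 {
			return fmt.Errorf("Error: Policy (%s) still has %d entities attached after destroy", arn, *resp.Policy.AttachmentCount)
		}
	}
	return nil
}

// testAccCheckAWSPolicyAttachmentExists returns a check that the attachment
// resource n is in state, that the policy it references has exactly c entities
// attached according to GetPolicy, and stores the complete (all pages) output of
// ListEntitiesForPolicy in out for later attribute checks.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Policy (%s) not found", n)
		}
		// Guard the dereference: a response without a policy or count would
		// otherwise panic instead of failing the test.
		if resp.Policy == nil || resp.Policy.AttachmentCount == nil {
			return fmt.Errorf("Error: Policy (%s) response carries no attachment count", n)
		}
		if c != *resp.Policy.AttachmentCount {
			return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached on initial creation", n)
		}

		// ListEntitiesForPolicy is paginated (the paginated test attaches 101
		// users), so gather every page rather than keeping only the first one.
		var all iam.ListEntitiesForPolicyOutput
		err = conn.ListEntitiesForPolicyPages(&iam.ListEntitiesForPolicyInput{
			PolicyArn: aws.String(arn),
		}, func(page *iam.ListEntitiesForPolicyOutput, lastPage bool) bool {
			all.PolicyUsers = append(all.PolicyUsers, page.PolicyUsers...)
			all.PolicyRoles = append(all.PolicyRoles, page.PolicyRoles...)
			all.PolicyGroups = append(all.PolicyGroups, page.PolicyGroups...)
			return !lastPage
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s)", arn)
		}

		*out = all
		return nil
	}
}

// testAccCheckAWSPolicyAttachmentAttributes returns a check that the users,
// roles and groups attached to the policy (as recorded in out by the existence
// check) are exactly the given names. Comparison is set-based in both
// directions, so neither a duplicated expected name nor an extra attached
// entity can make the check pass.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		attachedUsers := make(map[string]struct{}, len(out.PolicyUsers))
		for _, pu := range out.PolicyUsers {
			if pu.UserName != nil {
				attachedUsers[*pu.UserName] = struct{}{}
			}
		}
		attachedRoles := make(map[string]struct{}, len(out.PolicyRoles))
		for _, pr := range out.PolicyRoles {
			if pr.RoleName != nil {
				attachedRoles[*pr.RoleName] = struct{}{}
			}
		}
		attachedGroups := make(map[string]struct{}, len(out.PolicyGroups))
		for _, pg := range out.PolicyGroups {
			if pg.GroupName != nil {
				attachedGroups[*pg.GroupName] = struct{}{}
			}
		}

		var problems []string
		if msg := describeEntityMismatch("users", users, attachedUsers); msg != "" {
			problems = append(problems, msg)
		}
		if msg := describeEntityMismatch("roles", roles, attachedRoles); msg != "" {
			problems = append(problems, msg)
		}
		if msg := describeEntityMismatch("groups", groups, attachedGroups); msg != "" {
			problems = append(problems, msg)
		}
		if len(problems) != 0 {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n%s", strings.Join(problems, "\n"))
		}
		return nil
	}
}

// describeEntityMismatch compares the expected names for one entity kind with
// the attached set and returns a one-line description of the difference, or ""
// when the two sets are equal. Names are sorted so the message is deterministic.
func describeEntityMismatch(kind string, expected []string, attached map[string]struct{}) string {
	want := make(map[string]struct{}, len(expected))
	for _, name := range expected {
		want[name] = struct{}{}
	}

	var missing, unexpected []string
	for name := range want {
		if _, ok := attached[name]; !ok {
			missing = append(missing, name)
		}
	}
	for name := range attached {
		if _, ok := want[name]; !ok {
			unexpected = append(unexpected, name)
		}
	}
	if len(missing) == 0 && len(unexpected) == 0 {
		return ""
	}
	sort.Strings(missing)
	sort.Strings(unexpected)
	return fmt.Sprintf("expected %d %s and found %d (missing %v, unexpected %v)",
		len(want), kind, len(want)-len(missing), missing, unexpected)
}

const testAccAWSPolicyAttachConfig = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`

const testAccAWSPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_user" "user2" {
    name = "test-user2"
}
resource "aws_iam_user" "user3" {
    name = "test-user3"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role" "role2" {
    name = "test-role2"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_role" "role3" {
    name = "test-role3"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`

const testAccAWSPolicyPaginatedAttachConfig = `
resource "aws_iam_user" "user" {
    count = 101
    name = "${format("paged-test-user-%d", count.index + 1)}"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-paginated-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.*.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`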