
     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/service/iam"
     9  	"github.com/hashicorp/terraform/helper/resource"
    10  	"github.com/hashicorp/terraform/terraform"
    11  )
    12  
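// TestAccAWSPolicyAttachment_basic creates a managed policy attached to one
// user, one role and one group, then updates the attachment to two of each and
// verifies that the set of principals IAM reports as attached matches the
// configuration at every step.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					// 1 user + 1 role + 1 group == 3 attached entities.
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			{
				Config: testAccAWSPolicyAttachConfigUpdate,
				Check: resource.ComposeTestCheckFunc(
					// 2 users + 2 roles + 2 groups == 6 attached entities.
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					// The update config attaches user2 and user3 (user1 is no
					// longer attached); listing "test-user3" twice let a
					// missing test-user2 attachment go unnoticed.
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user2", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}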
    38  
// TestAccAWSPolicyAttachment_paginatedEntities attaches a single policy to
// 101 users, enough that the IAM entity listing spans more than one API page,
// and verifies that all 101 attachments are reported.
func TestAccAWSPolicyAttachment_paginatedEntities(t *testing.T) {
	var entities iam.ListEntitiesForPolicyOutput

	steps := []resource.TestStep{
		{
			Config: testAccAWSPolicyPaginatedAttachConfig,
			// The config declares count = 101 users, each attached once.
			Check:  testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-paginated-attach", 101, &entities),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps:        steps,
	})
}
    56  
// testAccCheckAWSPolicyAttachmentDestroy is the CheckDestroy hook for the
// policy attachment acceptance tests. It performs no verification and always
// reports success, so an attachment that survived destroy would not be
// detected by this hook.
// NOTE(review): a real check would walk the aws_iam_policy_attachment
// resources in s and confirm the referenced policy is either gone or has no
// attached entities; telling "policy deleted" apart from other API failures
// needs the SDK's typed error codes, which this file does not import.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	return nil
}
    60  
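// testAccCheckAWSPolicyAttachmentExists returns a check that looks up the
// aws_iam_policy_attachment resource n in state, confirms via GetPolicy that
// the referenced policy has exactly c attached entities, and stores the
// complete ListEntitiesForPolicy result (all pages) in out for later checks.
//
// n is the resource address, c the expected AttachmentCount, out the
// destination for the attached users, roles and groups.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			// Keep the API error: "does not exist" and "access denied" call
			// for different fixes and were indistinguishable when dropped.
			return fmt.Errorf("Error: Policy (%s) not found: %s", n, err)
		}
		if resp.Policy == nil {
			return fmt.Errorf("Error: GetPolicy for (%s) returned no policy", n)
		}
		// aws.Int64Value tolerates a nil AttachmentCount instead of panicking.
		if got := aws.Int64Value(resp.Policy.AttachmentCount); got != c {
			return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached: expected %d, got %d", n, c, got)
		}

		// ListEntitiesForPolicy is paginated; gather every page so callers
		// see the full set of attached principals, not just the first page.
		var entities iam.ListEntitiesForPolicyOutput
		input := &iam.ListEntitiesForPolicyInput{
			PolicyArn: aws.String(arn),
		}
		err = conn.ListEntitiesForPolicyPages(input, func(page *iam.ListEntitiesForPolicyOutput, lastPage bool) bool {
			entities.PolicyUsers = append(entities.PolicyUsers, page.PolicyUsers...)
			entities.PolicyRoles = append(entities.PolicyRoles, page.PolicyRoles...)
			entities.PolicyGroups = append(entities.PolicyGroups, page.PolicyGroups...)
			return true
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s): %s", arn, err)
		}

		*out = entities
		return nil
	}
}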
    95  
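// testAccCheckAWSPolicyAttachmentAttributes returns a check that every name in
// users, roles and groups appears among the principals recorded in out (the
// ListEntitiesForPolicy result filled in by testAccCheckAWSPolicyAttachmentExists).
// When any expected name is missing it reports, per kind, how many were
// expected and how many were found.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		attachedUsers := make([]string, 0, len(out.PolicyUsers))
		for _, pu := range out.PolicyUsers {
			// aws.StringValue yields "" for a nil name instead of panicking.
			attachedUsers = append(attachedUsers, aws.StringValue(pu.UserName))
		}
		attachedRoles := make([]string, 0, len(out.PolicyRoles))
		for _, pr := range out.PolicyRoles {
			attachedRoles = append(attachedRoles, aws.StringValue(pr.RoleName))
		}
		attachedGroups := make([]string, 0, len(out.PolicyGroups))
		for _, pg := range out.PolicyGroups {
			attachedGroups = append(attachedGroups, aws.StringValue(pg.GroupName))
		}

		foundUsers := countAttachedEntities(users, attachedUsers)
		foundRoles := countAttachedEntities(roles, attachedRoles)
		foundGroups := countAttachedEntities(groups, attachedGroups)
		if foundUsers != len(users) || foundRoles != len(roles) || foundGroups != len(groups) {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d\nexpected %d roles and found %d\nexpected %d groups and found %d", len(users), foundUsers, len(roles), foundRoles, len(groups), foundGroups)
		}
		return nil
	}
}

// countAttachedEntities reports how many entries of expected are present in
// attached. Membership is decided with a set, so a name listed more than once
// in attached cannot be counted twice against a single expected entry.
func countAttachedEntities(expected, attached []string) int {
	present := make(map[string]struct{}, len(attached))
	for _, name := range attached {
		present[name] = struct{}{}
	}
	found := 0
	for _, name := range expected {
		if _, ok := present[name]; ok {
			found++
		}
	}
	return found
}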
   129  
// testAccAWSPolicyAttachConfig is the first-step fixture: one user, one role
// assumable by the EC2 service, one group, and a managed policy allowing
// iam:ChangePassword on all resources, attached to all three principals.
// Resource names are fixed rather than randomized, so two runs of this test in
// the same account at the same time would conflict on them.
const testAccAWSPolicyAttachConfig = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_role" "role" {
    name = "test-role"
	  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`
   183  
// testAccAWSPolicyAttachConfigUpdate is the second-step fixture. It keeps the
// original user, role and group and the same policy, adds user2/user3,
// role2/role3 and group2/group3, and re-points the attachment at only the new
// principals, so the original three must end up detached.
const testAccAWSPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_user" "user2" {
    name = "test-user2"
}
resource "aws_iam_user" "user3" {
    name = "test-user3"
}
resource "aws_iam_role" "role" {
    name = "test-role"
	  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role" "role2" {
    name = "test-role2"
	  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_role" "role3" {
    name = "test-role3"
	  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`
   297  
// testAccAWSPolicyPaginatedAttachConfig creates 101 users via count and
// attaches the same iam:ChangePassword policy to all of them through the
// splat expression, producing more attachments than fit in a single
// ListEntitiesForPolicy page so the resource's pagination handling is exercised.
const testAccAWSPolicyPaginatedAttachConfig = `
resource "aws_iam_user" "user" {
    count = 101
    name = "${format("paged-test-user-%d", count.index + 1)}"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-paginated-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.*.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`