github.com/dougneal/terraform@v0.6.15-0.20170330092735-b6a3840768a4/builtin/providers/aws/resource_aws_kms_key_test.go (about) 1 // make testacc TEST=./builtin/providers/aws/ TESTARGS='-run=TestAccAWSKmsKey_' 2 package aws 3 4 import ( 5 "fmt" 6 "testing" 7 "time" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/service/kms" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 "github.com/jen20/awspolicyequivalence" 14 ) 15 16 func TestAccAWSKmsKey_basic(t *testing.T) { 17 var keyBefore, keyAfter kms.KeyMetadata 18 19 resource.Test(t, resource.TestCase{ 20 PreCheck: func() { testAccPreCheck(t) }, 21 Providers: testAccProviders, 22 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 23 Steps: []resource.TestStep{ 24 { 25 Config: testAccAWSKmsKey, 26 Check: resource.ComposeTestCheckFunc( 27 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore), 28 ), 29 }, 30 { 31 Config: testAccAWSKmsKey_removedPolicy, 32 Check: resource.ComposeTestCheckFunc( 33 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter), 34 ), 35 }, 36 }, 37 }) 38 } 39 40 func TestAccAWSKmsKey_policy(t *testing.T) { 41 var key kms.KeyMetadata 42 expectedPolicyText := `{"Version":"2012-10-17","Id":"kms-tf-1","Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}` 43 44 resource.Test(t, resource.TestCase{ 45 PreCheck: func() { testAccPreCheck(t) }, 46 Providers: testAccProviders, 47 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 48 Steps: []resource.TestStep{ 49 { 50 Config: testAccAWSKmsKey, 51 Check: resource.ComposeTestCheckFunc( 52 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &key), 53 testAccCheckAWSKmsKeyHasPolicy("aws_kms_key.foo", expectedPolicyText), 54 ), 55 }, 56 }, 57 }) 58 } 59 60 func TestAccAWSKmsKey_isEnabled(t *testing.T) { 61 var key1, key2, key3 kms.KeyMetadata 62 63 resource.Test(t, resource.TestCase{ 64 PreCheck: func() { testAccPreCheck(t) }, 65 Providers: testAccProviders, 66 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 67 Steps: []resource.TestStep{ 68 { 69 Config: testAccAWSKmsKey_enabledRotation, 70 Check: resource.ComposeTestCheckFunc( 71 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1), 72 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"), 73 testAccCheckAWSKmsKeyIsEnabled(&key1, true), 74 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"), 75 ), 76 }, 77 { 78 Config: testAccAWSKmsKey_disabled, 79 Check: resource.ComposeTestCheckFunc( 80 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2), 81 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"), 82 testAccCheckAWSKmsKeyIsEnabled(&key2, false), 83 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"), 84 ), 85 }, 86 { 87 Config: testAccAWSKmsKey_enabled, 88 Check: resource.ComposeTestCheckFunc( 89 testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3), 90 resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"), 91 testAccCheckAWSKmsKeyIsEnabled(&key3, true), 92 resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"), 93 ), 94 }, 95 }, 96 }) 97 } 98 99 func TestAccAWSKmsKey_tags(t *testing.T) { 100 var keyBefore kms.KeyMetadata 101 102 resource.Test(t, resource.TestCase{ 103 PreCheck: func() { testAccPreCheck(t) }, 104 Providers: testAccProviders, 105 CheckDestroy: testAccCheckAWSKmsKeyDestroy, 106 Steps: []resource.TestStep{ 107 { 108 Config: testAccAWSKmsKey_tags, 109 Check: resource.ComposeTestCheckFunc( 110 testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore), 111 resource.TestCheckResourceAttr("aws_kms_key.foo", "tags.%", "2"), 112 ), 113 }, 114 }, 115 }) 116 } 117 118 func testAccCheckAWSKmsKeyHasPolicy(name string, expectedPolicyText string) resource.TestCheckFunc { 119 return func(s *terraform.State) error { 120 rs, ok := s.RootModule().Resources[name] 121 if !ok { 122 return fmt.Errorf("Not found: %s", name) 123 } 124 125 if rs.Primary.ID == "" { 126 return fmt.Errorf("No KMS Key ID is set") 127 } 128 129 conn := testAccProvider.Meta().(*AWSClient).kmsconn 130 131 out, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{ 132 KeyId: aws.String(rs.Primary.ID), 133 PolicyName: aws.String("default"), 134 }) 135 if err != nil { 136 return err 137 } 138 139 actualPolicyText := *out.Policy 140 141 equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText) 142 if err != nil { 143 return fmt.Errorf("Error testing policy equivalence: %s", err) 144 } 145 if !equivalent { 146 return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n got: %s\n", 147 expectedPolicyText, actualPolicyText) 148 } 149 150 return nil 151 } 152 } 153 154 func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error { 155 conn := testAccProvider.Meta().(*AWSClient).kmsconn 156 157 for _, rs := range s.RootModule().Resources { 158 if rs.Type != "aws_kms_key" { 159 continue 160 } 161 162 out, err := conn.DescribeKey(&kms.DescribeKeyInput{ 163 KeyId: aws.String(rs.Primary.ID), 164 }) 165 166 if err != nil { 167 return err 168 } 169 170 if *out.KeyMetadata.KeyState == "PendingDeletion" { 171 return nil 172 } 173 174 return fmt.Errorf("KMS key still exists:\n%#v", out.KeyMetadata) 175 } 176 177 return nil 178 } 179 180 func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc { 181 return func(s *terraform.State) error { 182 rs, ok := s.RootModule().Resources[name] 183 if !ok { 184 return fmt.Errorf("Not found: %s", name) 185 } 186 187 if rs.Primary.ID == "" { 188 return fmt.Errorf("No KMS Key ID is set") 189 } 190 191 conn := testAccProvider.Meta().(*AWSClient).kmsconn 192 193 out, err := conn.DescribeKey(&kms.DescribeKeyInput{ 194 KeyId: aws.String(rs.Primary.ID), 195 }) 196 if err != nil { 197 return err 198 } 199 200 *key = *out.KeyMetadata 201 202 return nil 203 } 204 } 205 206 func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc { 207 return func(s *terraform.State) error { 208 if *key.Enabled != isEnabled { 209 return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t", 210 *key.Arn, isEnabled, *key.Enabled) 211 } 212 213 return nil 214 } 215 } 216 217 var kmsTimestamp = time.Now().Format(time.RFC1123) 218 var testAccAWSKmsKey = fmt.Sprintf(` 219 resource "aws_kms_key" "foo" { 220 description = "Terraform acc test %s" 221 deletion_window_in_days = 7 222 policy = <<POLICY 223 { 224 "Version": "2012-10-17", 225 "Id": "kms-tf-1", 226 "Statement": [ 227 { 228 "Sid": "Enable IAM User Permissions", 229 "Effect": "Allow", 230 "Principal": { 231 "AWS": "*" 232 }, 233 "Action": "kms:*", 234 "Resource": "*" 235 } 236 ] 237 } 238 POLICY 239 }`, kmsTimestamp) 240 241 var testAccAWSKmsKey_removedPolicy = fmt.Sprintf(` 242 resource "aws_kms_key" "foo" { 243 description = "Terraform acc test %s" 244 deletion_window_in_days = 7 245 }`, kmsTimestamp) 246 247 var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(` 248 resource "aws_kms_key" "bar" { 249 description = "Terraform acc test is_enabled %s" 250 deletion_window_in_days = 7 251 enable_key_rotation = true 252 }`, kmsTimestamp) 253 var testAccAWSKmsKey_disabled = fmt.Sprintf(` 254 resource "aws_kms_key" "bar" { 255 description = "Terraform acc test is_enabled %s" 256 deletion_window_in_days = 7 257 enable_key_rotation = false 258 is_enabled = false 259 }`, kmsTimestamp) 260 var testAccAWSKmsKey_enabled = fmt.Sprintf(` 261 resource "aws_kms_key" "bar" { 262 description = "Terraform acc test is_enabled %s" 263 deletion_window_in_days = 7 264 enable_key_rotation = true 265 is_enabled = true 266 }`, kmsTimestamp) 267 268 var testAccAWSKmsKey_tags = fmt.Sprintf(` 269 resource "aws_kms_key" "foo" { 270 description = "Terraform acc test %s" 271 tags { 272 Key1 = "Value One" 273 Description = "Very interesting" 274 } 275 }`, kmsTimestamp)