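package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSPolicyAttachment_basic creates a managed policy attached to one
// user, one role and one group, then updates the attachment to a different
// set of two users, two roles and two groups. Each step verifies the policy's
// AttachmentCount and that every expected principal is actually attached.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					// The state key is "<type>.<label>"; the config labels the
					// resource "test-attach" (its name attribute is "test-attachment").
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			{
				Config: testAccAWSPolicyAttachConfigUpdate,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					// The update config attaches user2/user3, role2/role3 and
					// group2/group3; listing "test-user3" twice (as before) never
					// matched the config and hid a missing user2.
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user2", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}

// testAccCheckAWSPolicyAttachmentDestroy is the CheckDestroy hook for the
// acceptance test. It currently verifies nothing: the managed policy is
// declared in the same config as the attachment, so by the time this runs the
// policy ARN itself has been destroyed and there is nothing left to query.
// TODO(review): if the attachment is ever tested against a pre-existing
// policy, list the entities for that policy here and fail if any remain
// attached, so a leaked attachment (a principal keeping permissions after
// destroy) is detected rather than silently passing.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	return nil
}

// testAccCheckAWSPolicyAttachmentExists returns a check that the attachment
// resource n is present in state, that the policy it references reports
// exactly c attached entities via GetPolicy, and that stores the result of
// ListEntitiesForPolicy in out for a subsequent attribute check.
//
// n is the state key ("aws_iam_policy_attachment.<label>"), c the expected
// AttachmentCount, and out must be non-nil.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]
		if arn == "" {
			return fmt.Errorf("No policy_arn is set on %s", n)
		}

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyARN: aws.String(arn),
		})
		if err != nil {
			// Keep the API error: "not found" is only one of the reasons
			// GetPolicy can fail (permissions, throttling, malformed ARN).
			return fmt.Errorf("Error: Policy (%s) lookup failed: %s", arn, err)
		}
		if resp.Policy == nil || resp.Policy.AttachmentCount == nil {
			return fmt.Errorf("Error: Policy (%s) response carries no attachment count", arn)
		}
		if got := *resp.Policy.AttachmentCount; got != c {
			// Report both numbers; this check runs for the update step too,
			// so "on initial creation" would be misleading.
			return fmt.Errorf("Error: Policy (%s) has %d entities attached, expected %d", arn, got, c)
		}

		// A single page is enough here: the test attaches at most six
		// entities, well under the default page size.
		resp2, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
			PolicyARN: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s): %s", arn, err)
		}

		*out = *resp2
		return nil
	}
}

// testAccCheckAWSPolicyAttachmentAttributes returns a check that every name in
// users, roles and groups appears among the principals recorded in out
// (populated by testAccCheckAWSPolicyAttachmentExists). On failure it reports
// the names that are missing, not only the counts.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		attachedUsers := make([]string, 0, len(out.PolicyUsers))
		for _, pu := range out.PolicyUsers {
			if pu.UserName != nil {
				attachedUsers = append(attachedUsers, *pu.UserName)
			}
		}
		attachedRoles := make([]string, 0, len(out.PolicyRoles))
		for _, pr := range out.PolicyRoles {
			if pr.RoleName != nil {
				attachedRoles = append(attachedRoles, *pr.RoleName)
			}
		}
		// The previous version iterated users here instead of groups, so the
		// group check could never pass when user and group names differed.
		attachedGroups := make([]string, 0, len(out.PolicyGroups))
		for _, pg := range out.PolicyGroups {
			if pg.GroupName != nil {
				attachedGroups = append(attachedGroups, *pg.GroupName)
			}
		}

		missingUsers := testAccPolicyAttachmentMissingNames(users, attachedUsers)
		missingRoles := testAccPolicyAttachmentMissingNames(roles, attachedRoles)
		missingGroups := testAccPolicyAttachmentMissingNames(groups, attachedGroups)
		if len(missingUsers) != 0 || len(missingRoles) != 0 || len(missingGroups) != 0 {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d (missing %v)\nexpected %d roles and found %d (missing %v)\nexpected %d groups and found %d (missing %v)",
				len(users), len(users)-len(missingUsers), missingUsers,
				len(roles), len(roles)-len(missingRoles), missingRoles,
				len(groups), len(groups)-len(missingGroups), missingGroups)
		}
		return nil
	}
}

// testAccPolicyAttachmentMissingNames returns the entries of expected that do
// not occur in attached, in the order they appear in expected. An empty
// expected list yields nil.
func testAccPolicyAttachmentMissingNames(expected, attached []string) []string {
	present := make(map[string]bool, len(attached))
	for _, a := range attached {
		present[a] = true
	}
	var missing []string
	for _, e := range expected {
		if !present[e] {
			missing = append(missing, e)
		}
	}
	return missing
}

const testAccAWSPolicyAttachConfig = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_role" "role" {
    name = "test-role"
}
resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`

const testAccAWSPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_user" "user2" {
    name = "test-user2"
}
resource "aws_iam_user" "user3" {
    name = "test-user3"
}
resource "aws_iam_role" "role" {
    name = "test-role"
}
resource "aws_iam_role" "role2" {
    name = "test-role2"
}
resource "aws_iam_role" "role3" {
    name = "test-role3"
}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`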