// Source: github.com/gabrielperezs/terraform@v0.7.0-rc2.0.20160715084931-f7da2612946f/builtin/providers/aws/data_source_aws_iam_policy_document_test.go

package aws

import (
	"fmt"
	"testing"

	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSIAMPolicyDocument applies testAccAWSIAMPolicyDocumentConfig and
// checks that the "json" attribute of the resulting data source is exactly
// testAccAWSIAMPolicyDocumentExpectedJSON.
//
// The comparison is byte-exact, so any change in the rendered policy (a
// different Effect, Principal where NotPrincipal is expected, a missing
// Condition block) fails the test instead of passing unnoticed.
func TestAccAWSIAMPolicyDocument(t *testing.T) {
	// Ideally this would be a unit test, but instantiating the AWS provider
	// already makes AWS API calls, so valid AWS credentials are required and
	// it has to run as an acceptance test.
	jsonMatches := testAccCheckStateValue(
		"data.aws_iam_policy_document.test",
		"json",
		testAccAWSIAMPolicyDocumentExpectedJSON,
	)
	step := resource.TestStep{
		Config: testAccAWSIAMPolicyDocumentConfig,
		Check:  resource.ComposeTestCheckFunc(jsonMatches),
	}

	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps:     []resource.TestStep{step},
	})
}

// testAccCheckStateValue returns a check that looks up resource id in the
// root module of the state and compares its attribute name with value using
// plain string equality.
//
// The check fails when the resource is absent, when its primary ID is empty,
// or when the attribute differs from value. An attribute that is missing from
// the map reads as "", so an expected value of "" cannot tell "absent" from
// "present but empty".
func testAccCheckStateValue(id, name, value string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		res, found := s.RootModule().Resources[id]
		switch {
		case !found:
			return fmt.Errorf("Not found: %s", id)
		case res.Primary.ID == "":
			return fmt.Errorf("No ID is set")
		}

		if got := res.Primary.Attributes[name]; got != value {
			return fmt.Errorf("Value for %s is %s, not %s", name, got, value)
		}
		return nil
	}
}

// testAccAWSIAMPolicyDocumentConfig is the Terraform configuration under
// test. It declares four statements:
//
//   - one with an explicit sid and no effect,
//   - one with a StringLike condition and not_principals,
//   - one with principals,
//   - one explicit Deny built from not_actions / not_resources.
//
// IAM policy variables are written as &{aws:username} here; the expected JSON
// shows them rendered as ${aws:username}. "arn:blahblah:example" is a
// placeholder identifier, not a real ARN.
//
// NOTE(review): the whitespace inside this literal was reconstructed from a
// collapsed listing; confirm against the upstream file.
var testAccAWSIAMPolicyDocumentConfig = `
data "aws_iam_policy_document" "test" {
    policy_id = "policy_id"
    statement {
        sid = "1"
        actions = [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ]
        resources = [
            "arn:aws:s3:::*",
        ]
    }

    statement {
        actions = [
            "s3:ListBucket",
        ]
        resources = [
            "arn:aws:s3:::foo",
        ]
        condition {
            test = "StringLike"
            variable = "s3:prefix"
            values = [
                "",
                "home/",
                "home/&{aws:username}/",
            ]
        }

        not_principals {
            type = "AWS"
            identifiers = ["arn:blahblah:example"]
        }
    }

    statement {
        actions = [
            "s3:*",
        ]
        resources = [
            "arn:aws:s3:::foo/home/&{aws:username}",
            "arn:aws:s3:::foo/home/&{aws:username}/*",
        ]
        principals {
            type = "AWS"
            identifiers = ["arn:blahblah:example"]
        }
    }

    statement {
        effect = "Deny"
        not_actions = ["s3:*"]
        not_resources = ["arn:aws:s3:::*"]
    }

}
`

// testAccAWSIAMPolicyDocumentExpectedJSON is the policy document the data
// source is expected to produce for testAccAWSIAMPolicyDocumentConfig.
//
// Points worth noticing when reading it against the config:
//   - statements that set no effect are expected with "Effect": "Allow";
//   - the Action list of the first statement and the Resource list of the
//     third are not in config order, so the expected text follows whatever
//     ordering the data source emits;
//   - the empty string in the condition values is kept as "".
//
// NOTE(review): the check is a byte-exact string comparison, and the
// indentation of this literal was reconstructed (two spaces per level) from
// a collapsed listing; confirm it matches the data source's output.
var testAccAWSIAMPolicyDocumentExpectedJSON = `{
  "Version": "2012-10-17",
  "Id": "policy_id",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::foo"
      ],
      "NotPrincipal": {
        "AWS": [
          "arn:blahblah:example"
        ]
      },
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "",
            "home/",
            "home/${aws:username}/"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::foo/home/${aws:username}/*",
        "arn:aws:s3:::foo/home/${aws:username}"
      ],
      "Principal": {
        "AWS": [
          "arn:blahblah:example"
        ]
      }
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "s3:*"
      ],
      "NotResource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}`