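package aws

import (
	"fmt"
	"sort"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSPolicyAttachment_basic attaches a managed policy to one user, one
// role and one group, then updates the attachment to a different pair of each
// and verifies that both the policy's attachment count and the exact set of
// attached entities follow the configuration: the original entities must be
// detached, not merely joined by the new ones.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					// 1 user + 1 role + 1 group.
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			{
				Config: testAccAWSPolicyAttachConfigUpdate,
				Check: resource.ComposeTestCheckFunc(
					// 2 users + 2 roles + 2 groups. The count alone would also
					// be 6 if the step-1 entities stayed attached and only one
					// new entity of each kind was added, so the attribute check
					// compares the exact sets, including test-user2 (the
					// previous expectation listed test-user3 twice and never
					// verified user2 at all).
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user2", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}

// testAccCheckAWSPolicyAttachmentDestroy verifies that no policy referenced by
// an aws_iam_policy_attachment resource in the state still has entities
// attached once the configuration has been destroyed. A dangling attachment
// keeps granting the policy's permissions after Terraform reports the resource
// gone, so it is reported as a failure instead of silently accepted.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).iamconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_iam_policy_attachment" {
			continue
		}
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			// The test configs also destroy the policy itself, so a missing
			// policy is the expected end state. Any other error (throttling,
			// access denied) is surfaced rather than taken as "gone".
			if ae, ok := err.(awserr.Error); ok && ae.Code() == "NoSuchEntity" {
				continue
			}
			return fmt.Errorf("Error checking Policy (%s) after destroy: %s", arn, err)
		}
		if resp.Policy == nil {
			continue
		}
		if n := aws.Int64Value(resp.Policy.AttachmentCount); n != 0 {
			return fmt.Errorf("Error: Policy (%s) still has %d attached entities after destroy", arn, n)
		}
	}

	return nil
}

// testAccCheckAWSPolicyAttachmentExists looks up the attachment resource n in
// the state, checks that its policy reports exactly c attached entities, and
// stores the policy's ListEntitiesForPolicy result in out so a later check can
// compare the attached entities against the configuration.
//
// Only the first page of ListEntitiesForPolicy is read; that covers the small
// attachment counts used by these tests but would need pagination for larger
// ones.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			// Include the API error so a permission or throttling problem is
			// distinguishable from a genuinely missing policy.
			return fmt.Errorf("Error: Policy (%s) not found: %s", arn, err)
		}
		if resp.Policy == nil {
			return fmt.Errorf("Error: GetPolicy (%s) returned no policy", arn)
		}
		if got := aws.Int64Value(resp.Policy.AttachmentCount); got != c {
			return fmt.Errorf("Error: Policy (%s) has %d attached entities, expected %d", arn, got, c)
		}

		entities, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s): %s", arn, err)
		}

		*out = *entities
		return nil
	}
}

// testAccCheckAWSPolicyAttachmentAttributes checks that the users, roles and
// groups attached to the policy (as captured in out by the Exists check) are
// exactly the given names. Both directions are checked: every expected entity
// must be attached, and no entity outside the expected list may carry the
// policy, since an extra attachment is exactly the kind of unintended grant
// this resource must not leave behind.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		var attachedUsers, attachedRoles, attachedGroups []string
		for _, pu := range out.PolicyUsers {
			attachedUsers = append(attachedUsers, aws.StringValue(pu.UserName))
		}
		for _, pr := range out.PolicyRoles {
			attachedRoles = append(attachedRoles, aws.StringValue(pr.RoleName))
		}
		for _, pg := range out.PolicyGroups {
			attachedGroups = append(attachedGroups, aws.StringValue(pg.GroupName))
		}

		if err := attachedNamesMatch("users", users, attachedUsers); err != nil {
			return err
		}
		if err := attachedNamesMatch("roles", roles, attachedRoles); err != nil {
			return err
		}
		if err := attachedNamesMatch("groups", groups, attachedGroups); err != nil {
			return err
		}
		return nil
	}
}

// attachedNamesMatch returns an error unless the set of attached names equals
// the set of expected names for the given entity kind. Comparing sets (rather
// than counting matches per expected name, as the previous implementation did)
// means a duplicated expected name can no longer mask a missing entity, and an
// unexpected extra attachment is reported instead of ignored.
func attachedNamesMatch(kind string, expected, attached []string) error {
	want := make(map[string]bool, len(expected))
	for _, name := range expected {
		want[name] = true
	}
	got := make(map[string]bool, len(attached))
	for _, name := range attached {
		got[name] = true
	}

	var missing, unexpected []string
	for name := range want {
		if !got[name] {
			missing = append(missing, name)
		}
	}
	for name := range got {
		if !want[name] {
			unexpected = append(unexpected, name)
		}
	}
	if len(missing) == 0 && len(unexpected) == 0 {
		return nil
	}

	// Map iteration order is random; sort so the failure message is stable.
	sort.Strings(missing)
	sort.Strings(unexpected)
	return fmt.Errorf("Error: attached %s did not match: expected %v, found %v (missing %v, unexpected %v)",
		kind, expected, attached, missing, unexpected)
}

const testAccAWSPolicyAttachConfig = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`

const testAccAWSPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_user" "user2" {
    name = "test-user2"
}
resource "aws_iam_user" "user3" {
    name = "test-user3"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role" "role2" {
    name = "test-role2"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_role" "role3" {
    name = "test-role3"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`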