github.com/turtlemonvh/terraform@v0.6.9-0.20151204001754-8e40b6b855e8/builtin/providers/aws/resource_aws_iam_policy_attachment_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/service/iam"
     9  	"github.com/hashicorp/terraform/helper/resource"
    10  	"github.com/hashicorp/terraform/terraform"
    11  )
    12  
    13  func TestAccAWSPolicyAttachment_basic(t *testing.T) {
    14  	var out iam.ListEntitiesForPolicyOutput
    15  
    16  	resource.Test(t, resource.TestCase{
    17  		PreCheck:     func() { testAccPreCheck(t) },
    18  		Providers:    testAccProviders,
    19  		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
    20  		Steps: []resource.TestStep{
    21  			resource.TestStep{
    22  				Config: testAccAWSPolicyAttachConfig,
    23  				Check: resource.ComposeTestCheckFunc(
    24  					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
    25  					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
    26  				),
    27  			},
    28  			resource.TestStep{
    29  				Config: testAccAWSPolicyAttachConfigUpdate,
    30  				Check: resource.ComposeTestCheckFunc(
    31  					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
    32  					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user3", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
    33  				),
    34  			},
    35  		},
    36  	})
    37  }
    38  func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
    39  
    40  	return nil
    41  }
    42  
    43  func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
    44  	return func(s *terraform.State) error {
    45  		rs, ok := s.RootModule().Resources[n]
    46  		if !ok {
    47  			return fmt.Errorf("Not found: %s", n)
    48  		}
    49  
    50  		if rs.Primary.ID == "" {
    51  			return fmt.Errorf("No policy name is set")
    52  		}
    53  
    54  		conn := testAccProvider.Meta().(*AWSClient).iamconn
    55  		arn := rs.Primary.Attributes["policy_arn"]
    56  
    57  		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
    58  			PolicyArn: aws.String(arn),
    59  		})
    60  		if err != nil {
    61  			return fmt.Errorf("Error: Policy (%s) not found", n)
    62  		}
    63  		if c != *resp.Policy.AttachmentCount {
    64  			return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached on initial creation", n)
    65  		}
    66  		resp2, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
    67  			PolicyArn: aws.String(arn),
    68  		})
    69  		if err != nil {
    70  			return fmt.Errorf("Error: Failed to get entities for Policy (%s)", arn)
    71  		}
    72  
    73  		*out = *resp2
    74  		return nil
    75  	}
    76  }
    77  func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
    78  	return func(s *terraform.State) error {
    79  		uc := len(users)
    80  		rc := len(roles)
    81  		gc := len(groups)
    82  
    83  		for _, u := range users {
    84  			for _, pu := range out.PolicyUsers {
    85  				if u == *pu.UserName {
    86  					uc--
    87  				}
    88  			}
    89  		}
    90  		for _, r := range roles {
    91  			for _, pr := range out.PolicyRoles {
    92  				if r == *pr.RoleName {
    93  					rc--
    94  				}
    95  			}
    96  		}
    97  		for _, g := range groups {
    98  			for _, pg := range out.PolicyGroups {
    99  				if g == *pg.GroupName {
   100  					gc--
   101  				}
   102  			}
   103  		}
   104  		if uc != 0 || rc != 0 || gc != 0 {
   105  			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d\nexpected %d roles and found %d\nexpected %d groups and found %d", len(users), len(users)-uc, len(roles), len(roles)-rc, len(groups), len(groups)-gc)
   106  		}
   107  		return nil
   108  	}
   109  }
   110  
   111  const testAccAWSPolicyAttachConfig = `
   112  resource "aws_iam_user" "user" {
   113      name = "test-user"
   114  }
   115  resource "aws_iam_role" "role" {
   116      name = "test-role"
   117  	  assume_role_policy = <<EOF
   118  {
   119    "Version": "2012-10-17",
   120    "Statement": [
   121      {
   122        "Action": "sts:AssumeRole",
   123        "Principal": {
   124          "Service": "ec2.amazonaws.com"
   125        },
   126        "Effect": "Allow",
   127        "Sid": ""
   128      }
   129    ]
   130  }
   131  EOF
   132  }
   133  
   134  resource "aws_iam_group" "group" {
   135      name = "test-group"
   136  }
   137  
   138  resource "aws_iam_policy" "policy" {
   139      name = "test-policy"
   140      description = "A test policy"
   141      policy = <<EOF
   142  {
   143    "Version": "2012-10-17",
   144    "Statement": [
   145      {
   146        "Action": [
   147          "iam:ChangePassword"
   148        ],
   149        "Resource": "*",
   150        "Effect": "Allow"
   151      }
   152    ]
   153  }
   154  EOF
   155  }
   156  
   157  resource "aws_iam_policy_attachment" "test-attach" {
   158      name = "test-attachment"
   159      users = ["${aws_iam_user.user.name}"]
   160      roles = ["${aws_iam_role.role.name}"]
   161      groups = ["${aws_iam_group.group.name}"]
   162      policy_arn = "${aws_iam_policy.policy.arn}"
   163  }
   164  `
   165  
   166  const testAccAWSPolicyAttachConfigUpdate = `
   167  resource "aws_iam_user" "user" {
   168      name = "test-user"
   169  }
   170  resource "aws_iam_user" "user2" {
   171      name = "test-user2"
   172  }
   173  resource "aws_iam_user" "user3" {
   174      name = "test-user3"
   175  }
   176  resource "aws_iam_role" "role" {
   177      name = "test-role"
   178  	  assume_role_policy = <<EOF
   179  {
   180    "Version": "2012-10-17",
   181    "Statement": [
   182      {
   183        "Action": "sts:AssumeRole",
   184        "Principal": {
   185          "Service": "ec2.amazonaws.com"
   186        },
   187        "Effect": "Allow",
   188        "Sid": ""
   189      }
   190    ]
   191  }
   192  EOF
   193  }
   194  
   195  resource "aws_iam_role" "role2" {
   196      name = "test-role2"
   197  	  assume_role_policy = <<EOF
   198  {
   199    "Version": "2012-10-17",
   200    "Statement": [
   201      {
   202        "Action": "sts:AssumeRole",
   203        "Principal": {
   204          "Service": "ec2.amazonaws.com"
   205        },
   206        "Effect": "Allow",
   207        "Sid": ""
   208      }
   209    ]
   210  }
   211  EOF
   212  
   213  }
   214  resource "aws_iam_role" "role3" {
   215      name = "test-role3"
   216  	  assume_role_policy = <<EOF
   217  {
   218    "Version": "2012-10-17",
   219    "Statement": [
   220      {
   221        "Action": "sts:AssumeRole",
   222        "Principal": {
   223          "Service": "ec2.amazonaws.com"
   224        },
   225        "Effect": "Allow",
   226        "Sid": ""
   227      }
   228    ]
   229  }
   230  EOF
   231  
   232  }
   233  resource "aws_iam_group" "group" {
   234      name = "test-group"
   235  }
   236  resource "aws_iam_group" "group2" {
   237      name = "test-group2"
   238  }
   239  resource "aws_iam_group" "group3" {
   240      name = "test-group3"
   241  }
   242  
   243  resource "aws_iam_policy" "policy" {
   244      name = "test-policy"
   245      description = "A test policy"
   246      policy = <<EOF
   247  {
   248    "Version": "2012-10-17",
   249    "Statement": [
   250      {
   251        "Action": [
   252          "iam:ChangePassword"
   253        ],
   254        "Resource": "*",
   255        "Effect": "Allow"
   256      }
   257    ]
   258  }
   259  EOF
   260  }
   261  
   262  resource "aws_iam_policy_attachment" "test-attach" {
   263      name = "test-attachment"
   264      users = [
   265          "${aws_iam_user.user2.name}",
   266          "${aws_iam_user.user3.name}"
   267      ]
   268      roles = [
   269          "${aws_iam_role.role2.name}",
   270          "${aws_iam_role.role3.name}"
   271      ]
   272      groups = [
   273          "${aws_iam_group.group2.name}",
   274          "${aws_iam_group.group3.name}"
   275      ]
   276      policy_arn = "${aws_iam_policy.policy.arn}"
   277  }
   278  `