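// Source: github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/aws/resource_aws_kms_key_test.go

package aws

import (
	"fmt"
	"testing"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/kms"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
	"github.com/jen20/awspolicyequivalence"
)

// TestAccAWSKmsKey_basic applies a config with an inline key policy and then
// one without the policy attribute, checking after each step that
// aws_kms_key.foo can still be described through the KMS API.
func TestAccAWSKmsKey_basic(t *testing.T) {
	// Both values are populated by testAccCheckAWSKmsKeyExists; this test does
	// not compare them with each other.
	var keyBefore, keyAfter kms.KeyMetadata

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSKmsKey,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore),
				),
			},
			{
				Config: testAccAWSKmsKey_removedPolicy,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter),
				),
			},
		},
	})
}

// TestAccAWSKmsKey_policy creates aws_kms_key.foo from testAccAWSKmsKey and
// verifies that the "default" key policy stored in KMS is equivalent to the
// policy document given in the config.
func TestAccAWSKmsKey_policy(t *testing.T) {
	var key kms.KeyMetadata
	// Must stay equivalent to the heredoc policy in testAccAWSKmsKey.
	// NOTE(security): the statement allows Principal "*" with kms:* and no
	// Condition, so the principal is not restricted at all. That is tolerable
	// only for a short-lived acceptance-test key; do not reuse it as a
	// template for real key policies.
	expectedPolicyText := `{"Version":"2012-10-17","Id":"kms-tf-1","Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}`

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSKmsKey,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &key),
					testAccCheckAWSKmsKeyHasPolicy("aws_kms_key.foo", expectedPolicyText),
				),
			},
		},
	})
}

// TestAccAWSKmsKey_isEnabled walks aws_kms_key.bar through three configs
// (rotation enabled, key disabled, key re-enabled) and checks both the
// Terraform attributes and the Enabled flag reported by DescribeKey.
func TestAccAWSKmsKey_isEnabled(t *testing.T) {
	var key1, key2, key3 kms.KeyMetadata

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSKmsKey_enabledRotation,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
					testAccCheckAWSKmsKeyIsEnabled(&key1, true),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
				),
			},
			{
				Config: testAccAWSKmsKey_disabled,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"),
					testAccCheckAWSKmsKeyIsEnabled(&key2, false),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"),
				),
			},
			{
				Config: testAccAWSKmsKey_enabled,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
					testAccCheckAWSKmsKeyIsEnabled(&key3, true),
					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
				),
			},
		},
	})
}

// testAccCheckAWSKmsKeyHasPolicy returns a check that fetches the "default"
// key policy of the named resource from KMS and compares it with
// expectedPolicyText using awspolicy.PoliciesAreEquivalent.
func testAccCheckAWSKmsKeyHasPolicy(name string, expectedPolicyText string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[name]
		if !ok {
			return fmt.Errorf("Not found: %s", name)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No KMS Key ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).kmsconn

		out, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
			KeyId:      aws.String(rs.Primary.ID),
			PolicyName: aws.String("default"),
		})
		if err != nil {
			return err
		}
		// Policy is a *string; report a missing document as a test failure
		// rather than panicking on a nil dereference.
		if out.Policy == nil {
			return fmt.Errorf("GetKeyPolicy returned no policy document for KMS key %s", rs.Primary.ID)
		}

		actualPolicyText := *out.Policy

		equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText)
		if err != nil {
			return fmt.Errorf("Error testing policy equivalence: %s", err)
		}
		if !equivalent {
			return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n     got: %s\n",
				expectedPolicyText, actualPolicyText)
		}

		return nil
	}
}

// testAccCheckAWSKmsKeyDestroy verifies that every aws_kms_key resource in the
// root module is in the PendingDeletion state. It returns an error for the
// first key that DescribeKey reports in any other state.
func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).kmsconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_kms_key" {
			continue
		}

		out, err := conn.DescribeKey(&kms.DescribeKeyInput{
			KeyId: aws.String(rs.Primary.ID),
		})
		if err != nil {
			return err
		}
		if out.KeyMetadata == nil {
			return fmt.Errorf("DescribeKey returned no metadata for KMS key %s", rs.Primary.ID)
		}

		// Keep scanning: returning here would leave any remaining keys in
		// the state unchecked, so a key left enabled could go unnoticed.
		if aws.StringValue(out.KeyMetadata.KeyState) == "PendingDeletion" {
			continue
		}

		return fmt.Errorf("KMS key still exists:\n%#v", out.KeyMetadata)
	}

	return nil
}

// testAccCheckAWSKmsKeyExists returns a check that looks up the named resource
// in state, describes the key through the KMS API and copies the returned
// metadata into key for use by later checks.
func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[name]
		if !ok {
			return fmt.Errorf("Not found: %s", name)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No KMS Key ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).kmsconn

		out, err := conn.DescribeKey(&kms.DescribeKeyInput{
			KeyId: aws.String(rs.Primary.ID),
		})
		if err != nil {
			return err
		}
		// Guard the copy below against a response without metadata.
		if out.KeyMetadata == nil {
			return fmt.Errorf("DescribeKey returned no metadata for KMS key %s", rs.Primary.ID)
		}

		*key = *out.KeyMetadata

		return nil
	}
}

// testAccCheckAWSKmsKeyIsEnabled returns a check that compares the Enabled
// flag of previously fetched key metadata with isEnabled. key is read when the
// check runs, so it may be filled in by an earlier check in the same step.
func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		// A missing flag must fail the check; treating it as false would
		// let the "disabled" step pass without evidence.
		if key == nil || key.Enabled == nil {
			return fmt.Errorf("KMS key metadata has no Enabled value")
		}

		if *key.Enabled != isEnabled {
			return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t",
				aws.StringValue(key.Arn), isEnabled, *key.Enabled)
		}

		return nil
	}
}

// kmsTimestamp is evaluated once at package initialisation and interpolated
// into every key description below.
var kmsTimestamp = time.Now().Format(time.RFC1123)

// testAccAWSKmsKey declares aws_kms_key.foo with an inline key policy.
//
// NOTE(security): the policy allows Principal "*" with Action "kms:*" and has
// no Condition block, so it places no restriction on which AWS principals may
// use or administer the key. Keep it confined to this throwaway test key; a
// real key policy should name the owning account or specific IAM principals.
var testAccAWSKmsKey = fmt.Sprintf(`
resource "aws_kms_key" "foo" {
    description = "Terraform acc test %s"
    deletion_window_in_days = 7
    policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "kms-tf-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}`, kmsTimestamp)

// testAccAWSKmsKey_removedPolicy is testAccAWSKmsKey without the policy
// attribute.
var testAccAWSKmsKey_removedPolicy = fmt.Sprintf(`
resource "aws_kms_key" "foo" {
    description = "Terraform acc test %s"
    deletion_window_in_days = 7
}`, kmsTimestamp)

// testAccAWSKmsKey_enabledRotation declares aws_kms_key.bar with key rotation
// on and is_enabled left unset.
var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
    description = "Terraform acc test is_enabled %s"
    deletion_window_in_days = 7
    enable_key_rotation = true
}`, kmsTimestamp)

// testAccAWSKmsKey_disabled declares aws_kms_key.bar with both key rotation
// and the key itself switched off.
var testAccAWSKmsKey_disabled = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
    description = "Terraform acc test is_enabled %s"
    deletion_window_in_days = 7
    enable_key_rotation = false
    is_enabled = false
}`, kmsTimestamp)

// testAccAWSKmsKey_enabled declares aws_kms_key.bar with both key rotation and
// the key itself switched on.
var testAccAWSKmsKey_enabled = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
    description = "Terraform acc test is_enabled %s"
    deletion_window_in_days = 7
    enable_key_rotation = true
    is_enabled = true
}`, kmsTimestamp)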