Allow importing of aws_iam_role, aws_iam_role_policy, aws_iam_policy and aws_iam_instance_profile

This commit is contained in:
Tom Wilkie 2016-10-17 12:45:09 +01:00 committed by stack72
parent c8b23954f0
commit 71e8cffeea
No known key found for this signature in database
GPG Key ID: 8619A619B085CB16
10 changed files with 315 additions and 20 deletions

View File

@ -0,0 +1,28 @@
package aws
import (
"testing"
"github.com/hashicorp/terraform/helper/resource"
)
func TestAccAWSIAMInstanceProfile_importBasic(t *testing.T) {
resourceName := "aws_iam_instance_profile.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSInstanceProfileDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAwsIamInstanceProfileConfig,
},
resource.TestStep{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

View File

@ -0,0 +1,88 @@
package aws
import (
"fmt"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func testAccAwsIamPolicyConfig(suffix string) string {
return fmt.Sprintf(`
resource "aws_iam_policy" "test_%[1]s" {
name = "test_policy_%[1]s"
path = "/"
description = "My test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
`, suffix)
}
func TestAccAWSIAMPolicy_importBasic(t *testing.T) {
suffix := randomString(10)
resourceName := fmt.Sprintf("aws_iam_policy.test_%s", suffix)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSPolicyDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAwsIamPolicyConfig(suffix),
},
resource.TestStep{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccCheckAWSPolicyDestroy(s *terraform.State) error {
iamconn := testAccProvider.Meta().(*AWSClient).iamconn
for _, rs := range s.RootModule().Resources {
if rs.Type != "aws_iam_policy" {
continue
}
// Try to get group
_, err := iamconn.GetPolicy(&iam.GetPolicyInput{
PolicyArn: aws.String(rs.Primary.ID),
})
if err == nil {
return fmt.Errorf("still exist.")
}
// Verify the error is what we want
ec2err, ok := err.(awserr.Error)
if !ok {
return err
}
if ec2err.Code() != "NoSuchEntity" {
return err
}
}
return nil
}

View File

@ -0,0 +1,55 @@
package aws
import (
"fmt"
"testing"
"github.com/hashicorp/terraform/helper/resource"
)
func testAccAwsIamRolePolicyConfig(suffix string) string {
return fmt.Sprintf(`
resource "aws_iam_role" "role_%[1]s" {
name = "tf_test_role_test_%[1]s"
path = "/"
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
}
resource "aws_iam_role_policy" "foo_%[1]s" {
name = "tf_test_policy_test_%[1]s"
role = "${aws_iam_role.role_%[1]s.name}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
}
EOF
}
`, suffix)
}
func TestAccAWSIAMRolePolicy_importBasic(t *testing.T) {
suffix := randomString(10)
resourceName := fmt.Sprintf("aws_iam_role_policy.foo_%s", suffix)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckIAMRolePolicyDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAwsIamRolePolicyConfig(suffix),
},
resource.TestStep{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

View File

@ -0,0 +1,28 @@
package aws
import (
"testing"
"github.com/hashicorp/terraform/helper/resource"
)
func TestAccAWSIAMRole_importBasic(t *testing.T) {
resourceName := "aws_iam_role.role"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSRoleDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSRoleConfig,
},
resource.TestStep{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

View File

@ -2,7 +2,11 @@ package aws
import (
"fmt"
<<<<<<< HEAD
"regexp"
=======
"net/url"
>>>>>>> 9c051a5... Tests for importing various iam resources
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
@ -18,6 +22,9 @@ func resourceAwsIamPolicy() *schema.Resource {
Read: resourceAwsIamPolicyRead,
Update: resourceAwsIamPolicyUpdate,
Delete: resourceAwsIamPolicyDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
Schema: map[string]*schema.Schema{
"description": &schema.Schema{
@ -32,9 +39,15 @@ func resourceAwsIamPolicy() *schema.Resource {
ForceNew: true,
},
"policy": &schema.Schema{
<<<<<<< HEAD
Type: schema.TypeString,
Required: true,
ValidateFunc: validateJsonString,
=======
Type: schema.TypeString,
Required: true,
DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
},
"name": &schema.Schema{
Type: schema.TypeString,
@ -112,11 +125,11 @@ func resourceAwsIamPolicyCreate(d *schema.ResourceData, meta interface{}) error
func resourceAwsIamPolicyRead(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
request := &iam.GetPolicyInput{
getPolicyRequest := &iam.GetPolicyInput{
PolicyArn: aws.String(d.Id()),
}
response, err := iamconn.GetPolicy(request)
getPolicyResponse, err := iamconn.GetPolicy(getPolicyRequest)
if err != nil {
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
d.SetId("")
@ -125,7 +138,29 @@ func resourceAwsIamPolicyRead(d *schema.ResourceData, meta interface{}) error {
return fmt.Errorf("Error reading IAM policy %s: %s", d.Id(), err)
}
return readIamPolicy(d, response.Policy)
getPolicyVersionRequest := &iam.GetPolicyVersionInput{
PolicyArn: aws.String(d.Id()),
VersionId: getPolicyResponse.Policy.DefaultVersionId,
}
getPolicyVersionResponse, err := iamconn.GetPolicyVersion(getPolicyVersionRequest)
if err != nil {
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
d.SetId("")
return nil
}
return fmt.Errorf("Error reading IAM policy version %s: %s", d.Id(), err)
}
policy, err := url.QueryUnescape(*getPolicyVersionResponse.PolicyVersion.Document)
if err != nil {
return err
}
if err := d.Set("policy", policy); err != nil {
return err
}
return readIamPolicy(d, getPolicyResponse.Policy)
}
func resourceAwsIamPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
@ -252,20 +287,18 @@ func readIamPolicy(d *schema.ResourceData, policy *iam.Policy) error {
d.SetId(*policy.Arn)
if policy.Description != nil {
// the description isn't present in the response to CreatePolicy.
if err := d.Set("description", *policy.Description); err != nil {
if err := d.Set("description", policy.Description); err != nil {
return err
}
}
if err := d.Set("path", *policy.Path); err != nil {
if err := d.Set("path", policy.Path); err != nil {
return err
}
if err := d.Set("name", *policy.PolicyName); err != nil {
if err := d.Set("name", policy.PolicyName); err != nil {
return err
}
if err := d.Set("arn", *policy.Arn); err != nil {
if err := d.Set("arn", policy.Arn); err != nil {
return err
}
// TODO: set policy
return nil
}

View File

@ -2,6 +2,7 @@ package aws
import (
"fmt"
"net/url"
"regexp"
"time"
@ -19,6 +20,9 @@ func resourceAwsIamRole() *schema.Resource {
Read: resourceAwsIamRoleRead,
Update: resourceAwsIamRoleUpdate,
Delete: resourceAwsIamRoleDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
Schema: map[string]*schema.Schema{
"arn": {
@ -78,9 +82,16 @@ func resourceAwsIamRole() *schema.Resource {
ForceNew: true,
},
<<<<<<< HEAD
"assume_role_policy": {
Type: schema.TypeString,
Required: true,
=======
"assume_role_policy": &schema.Schema{
Type: schema.TypeString,
Required: true,
DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
},
"create_date": {
@ -179,7 +190,15 @@ func resourceAwsIamRoleReadResult(d *schema.ResourceData, role *iam.Role) error
if err := d.Set("unique_id", role.RoleId); err != nil {
return err
}
<<<<<<< HEAD
if err := d.Set("create_date", role.CreateDate.Format(time.RFC3339)); err != nil {
=======
assumRolePolicy, err := url.QueryUnescape(*role.AssumeRolePolicyDocument)
if err != nil {
return err
}
if err := d.Set("assume_role_policy", assumRolePolicy); err != nil {
>>>>>>> 9c051a5... Tests for importing various iam resources
return err
}
return nil

View File

@ -21,6 +21,9 @@ func resourceAwsIamRolePolicy() *schema.Resource {
Read: resourceAwsIamRolePolicyRead,
Delete: resourceAwsIamRolePolicyDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
Schema: map[string]*schema.Schema{
"policy": &schema.Schema{
@ -74,14 +77,16 @@ func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error
func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
role, name := resourceAwsIamRolePolicyParseId(d.Id())
role, name, err := resourceAwsIamRolePolicyParseId(d.Id())
if err != nil {
return err
}
request := &iam.GetRolePolicyInput{
PolicyName: aws.String(name),
RoleName: aws.String(role),
}
var err error
getResp, err := iamconn.GetRolePolicy(request)
if err != nil {
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me
@ -99,13 +104,22 @@ func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) erro
if err != nil {
return err
}
return d.Set("policy", policy)
if err := d.Set("policy", policy); err != nil {
return err
}
if err := d.Set("name", name); err != nil {
return err
}
return d.Set("role", role)
}
func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
role, name := resourceAwsIamRolePolicyParseId(d.Id())
role, name, err := resourceAwsIamRolePolicyParseId(d.Id())
if err != nil {
return err
}
request := &iam.DeleteRolePolicyInput{
PolicyName: aws.String(name),
@ -118,8 +132,13 @@ func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) er
return nil
}
func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {
func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string, err error) {
parts := strings.SplitN(id, ":", 2)
if len(parts) != 2 {
err = fmt.Errorf("role_policy id must be of the for <role name>:<policy name>")
return
}
roleName = parts[0]
policyName = parts[1]
return

View File

@ -52,14 +52,16 @@ func testAccCheckIAMRolePolicyDestroy(s *terraform.State) error {
continue
}
role, name := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
role, name, err := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
if err != nil {
return err
}
request := &iam.GetRolePolicyInput{
PolicyName: aws.String(name),
RoleName: aws.String(role),
}
var err error
getResp, err := iamconn.GetRolePolicy(request)
if err != nil {
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
@ -96,12 +98,15 @@ func testAccCheckIAMRolePolicy(
}
iamconn := testAccProvider.Meta().(*AWSClient).iamconn
role, name := resourceAwsIamRolePolicyParseId(policy.Primary.ID)
_, err := iamconn.GetRolePolicy(&iam.GetRolePolicyInput{
role, name, err := resourceAwsIamRolePolicyParseId(policy.Primary.ID)
if err != nil {
return err
}
_, err = iamconn.GetRolePolicy(&iam.GetRolePolicyInput{
RoleName: aws.String(role),
PolicyName: aws.String(name),
})
if err != nil {
return err
}

View File

@ -168,17 +168,37 @@ func testAccCheckAWSRoleAttributes(role *iam.GetRoleOutput) resource.TestCheckFu
const testAccAWSRoleConfig = `
resource "aws_iam_role" "role" {
<<<<<<< HEAD
name = "test-role"
path = "/"
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
=======
name = "test-role"
path = "/"
<<<<<<< HEAD
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
>>>>>>> 9c051a5... Tests for importing various iam resources
=======
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
}
`
const testAccAWSRolePrefixNameConfig = `
resource "aws_iam_role" "role" {
<<<<<<< HEAD
name_prefix = "test-role-"
path = "/"
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
=======
name_prefix = "test-role-"
path = "/"
<<<<<<< HEAD
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
>>>>>>> 9c051a5... Tests for importing various iam resources
=======
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
}
`

View File

@ -47,7 +47,7 @@ func testAccCheckIAMUserPolicyDestroy(s *terraform.State) error {
continue
}
role, name := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
role, name := resourceAwsIamUserPolicyParseId(rs.Primary.ID)
request := &iam.GetRolePolicyInput{
PolicyName: aws.String(name),