resilien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

provider/aws: Add per user, role and group policy attachment (supersedes #5816) (#6858) 

* Add per user, role and group policy attachment

* Add docs for new IAM policy attachment resources.

* Make policy attachment resources manage only 1 entity<->policy attachment

* provider/aws: Tidy up IAM Group/User/Role attachments
This commit is contained in:
Clint 2016-05-25 11:03:43 -05:00
parent 03ad32860a
commit 983b6710a5
11 changed files with 1097 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
builtin/providers/aws/provider.go
View File

@ -183,13 +183,16 @@ func Provider() terraform.ResourceProvider {
"aws_iam_group_policy": resourceAwsIamGroupPolicy(),
"aws_iam_group": resourceAwsIamGroup(),
"aws_iam_group_membership": resourceAwsIamGroupMembership(),
"aws_iam_group_policy_attachment": resourceAwsIamGroupPolicyAttachment(),
"aws_iam_instance_profile": resourceAwsIamInstanceProfile(),
"aws_iam_policy": resourceAwsIamPolicy(),
"aws_iam_policy_attachment": resourceAwsIamPolicyAttachment(),
"aws_iam_role_policy_attachment": resourceAwsIamRolePolicyAttachment(),
"aws_iam_role_policy": resourceAwsIamRolePolicy(),
"aws_iam_role": resourceAwsIamRole(),
"aws_iam_saml_provider": resourceAwsIamSamlProvider(),
"aws_iam_server_certificate": resourceAwsIAMServerCertificate(),
"aws_iam_user_policy_attachment": resourceAwsIamUserPolicyAttachment(),
"aws_iam_user_policy": resourceAwsIamUserPolicy(),
"aws_iam_user_ssh_key": resourceAwsIamUserSshKey(),
"aws_iam_user": resourceAwsIamUser(),

124
builtin/providers/aws/resource_aws_iam_group_policy_attachment.go Normal file
View File

@ -0,0 +1,124 @@
package aws
import (
"fmt"
"log"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsIamGroupPolicyAttachment() *schema.Resource {
return &schema.Resource{
Create: resourceAwsIamGroupPolicyAttachmentCreate,
Read: resourceAwsIamGroupPolicyAttachmentRead,
Delete: resourceAwsIamGroupPolicyAttachmentDelete,
Schema: map[string]*schema.Schema{
"group": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"policy_arn": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
}
}
func resourceAwsIamGroupPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
group := d.Get("group").(string)
arn := d.Get("policy_arn").(string)
err := attachPolicyToGroup(conn, group, arn)
if err != nil {
return fmt.Errorf("[WARN] Error attaching policy %s to IAM group %s: %v", arn, group, err)
}
d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", group)))
return resourceAwsIamGroupPolicyAttachmentRead(d, meta)
}
func resourceAwsIamGroupPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
group := d.Get("group").(string)
arn := d.Get("policy_arn").(string)
_, err := conn.GetGroup(&iam.GetGroupInput{
GroupName: aws.String(group),
})
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "NoSuchEntity" {
log.Printf("[WARN] No such entity found for Policy Attachment (%s)", group)
d.SetId("")
return nil
}
}
return err
}
attachedPolicies, err := conn.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
GroupName: aws.String(group),
})
if err != nil {
return err
}
var policy string
for _, p := range attachedPolicies.AttachedPolicies {
if *p.PolicyArn == arn {
policy = *p.PolicyArn
}
}
if policy == "" {
log.Printf("[WARN] No such policy found for Group Policy Attachment (%s)", group)
d.SetId("")
}
return nil
}
func resourceAwsIamGroupPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
group := d.Get("group").(string)
arn := d.Get("policy_arn").(string)
err := detachPolicyFromGroup(conn, group, arn)
if err != nil {
return fmt.Errorf("[WARN] Error removing policy %s from IAM Group %s: %v", arn, group, err)
}
return nil
}
func attachPolicyToGroup(conn *iam.IAM, group string, arn string) error {
_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
GroupName: aws.String(group),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}
func detachPolicyFromGroup(conn *iam.IAM, group string, arn string) error {
_, err := conn.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
GroupName: aws.String(group),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}

192
builtin/providers/aws/resource_aws_iam_group_policy_attachment_test.go Normal file
View File

@ -0,0 +1,192 @@
package aws
import (
"fmt"
"strings"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestAccAWSIamGroupPolicyAttachment_basic(t *testing.T) {
var out iam.ListAttachedGroupPoliciesOutput
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSGroupPolicyAttachmentDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSGroupPolicyAttachConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSGroupPolicyAttachmentExists("aws_iam_group_policy_attachment.test-attach", 1, &out),
testAccCheckAWSGroupPolicyAttachmentAttributes([]string{"test-policy"}, &out),
),
},
resource.TestStep{
Config: testAccAWSGroupPolicyAttachConfigUpdate,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSGroupPolicyAttachmentExists("aws_iam_group_policy_attachment.test-attach", 2, &out),
testAccCheckAWSGroupPolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
),
},
},
})
}
func testAccCheckAWSGroupPolicyAttachmentDestroy(s *terraform.State) error {
return nil
}
func testAccCheckAWSGroupPolicyAttachmentExists(n string, c int, out *iam.ListAttachedGroupPoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
if rs.Primary.ID == "" {
return fmt.Errorf("No policy name is set")
}
conn := testAccProvider.Meta().(*AWSClient).iamconn
group := rs.Primary.Attributes["group"]
attachedPolicies, err := conn.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
GroupName: aws.String(group),
})
if err != nil {
return fmt.Errorf("Error: Failed to get attached policies for group %s (%s)", group, n)
}
if c != len(attachedPolicies.AttachedPolicies) {
return fmt.Errorf("Error: Group (%s) has wrong number of policies attached on initial creation", n)
}
*out = *attachedPolicies
return nil
}
}
func testAccCheckAWSGroupPolicyAttachmentAttributes(policies []string, out *iam.ListAttachedGroupPoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
matched := 0
for _, p := range policies {
for _, ap := range out.AttachedPolicies {
// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
parts := strings.Split(*ap.PolicyArn, "/")
if len(parts) == 2 && p == parts[1] {
matched++
}
}
}
if matched != len(policies) || matched != len(out.AttachedPolicies) {
return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
}
return nil
}
}
const testAccAWSGroupPolicyAttachConfig = `
resource "aws_iam_group" "group" {
name = "test-group"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "test-attach" {
group = "${aws_iam_group.group.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
`
const testAccAWSGroupPolicyAttachConfigUpdate = `
resource "aws_iam_group" "group" {
name = "test-group"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy2" {
name = "test-policy2"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy3" {
name = "test-policy3"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "test-attach" {
group = "${aws_iam_group.group.name}"
policy_arn = "${aws_iam_policy.policy2.arn}"
}
resource "aws_iam_group_policy_attachment" "test-attach2" {
group = "${aws_iam_group.group.name}"
policy_arn = "${aws_iam_policy.policy3.arn}"
}
`

124
builtin/providers/aws/resource_aws_iam_role_policy_attachment.go Normal file
View File

@ -0,0 +1,124 @@
package aws
import (
"fmt"
"log"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsIamRolePolicyAttachment() *schema.Resource {
return &schema.Resource{
Create: resourceAwsIamRolePolicyAttachmentCreate,
Read: resourceAwsIamRolePolicyAttachmentRead,
Delete: resourceAwsIamRolePolicyAttachmentDelete,
Schema: map[string]*schema.Schema{
"role": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"policy_arn": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
}
}
func resourceAwsIamRolePolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
role := d.Get("role").(string)
arn := d.Get("policy_arn").(string)
err := attachPolicyToRole(conn, role, arn)
if err != nil {
return fmt.Errorf("[WARN] Error attaching policy %s to IAM Role %s: %v", arn, role, err)
}
d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", role)))
return resourceAwsIamRolePolicyAttachmentRead(d, meta)
}
func resourceAwsIamRolePolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
role := d.Get("role").(string)
arn := d.Get("policy_arn").(string)
_, err := conn.GetRole(&iam.GetRoleInput{
RoleName: aws.String(role),
})
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "NoSuchEntity" {
log.Printf("[WARN] No such entity found for Policy Attachment (%s)", role)
d.SetId("")
return nil
}
}
return err
}
attachedPolicies, err := conn.ListAttachedRolePolicies(&iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(role),
})
if err != nil {
return err
}
var policy string
for _, p := range attachedPolicies.AttachedPolicies {
if *p.PolicyArn == arn {
policy = *p.PolicyArn
}
}
if policy == "" {
log.Printf("[WARN] No such policy found for Role Policy Attachment (%s)", role)
d.SetId("")
}
return nil
}
func resourceAwsIamRolePolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
role := d.Get("role").(string)
arn := d.Get("policy_arn").(string)
err := detachPolicyFromRole(conn, role, arn)
if err != nil {
return fmt.Errorf("[WARN] Error removing policy %s from IAM Role %s: %v", arn, role, err)
}
return nil
}
func attachPolicyToRole(conn *iam.IAM, role string, arn string) error {
_, err := conn.AttachRolePolicy(&iam.AttachRolePolicyInput{
RoleName: aws.String(role),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}
func detachPolicyFromRole(conn *iam.IAM, role string, arn string) error {
_, err := conn.DetachRolePolicy(&iam.DetachRolePolicyInput{
RoleName: aws.String(role),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}

222
builtin/providers/aws/resource_aws_iam_role_policy_attachment_test.go Normal file
View File

@ -0,0 +1,222 @@
package aws
import (
"fmt"
"strings"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestAccAWSRolePolicyAttachment_basic(t *testing.T) {
var out iam.ListAttachedRolePoliciesOutput
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSRolePolicyAttachmentDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSRolePolicyAttachConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSRolePolicyAttachmentExists("aws_iam_role_policy_attachment.test-attach", 1, &out),
testAccCheckAWSRolePolicyAttachmentAttributes([]string{"test-policy"}, &out),
),
},
resource.TestStep{
Config: testAccAWSRolePolicyAttachConfigUpdate,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSRolePolicyAttachmentExists("aws_iam_role_policy_attachment.test-attach", 2, &out),
testAccCheckAWSRolePolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
),
},
},
})
}
func testAccCheckAWSRolePolicyAttachmentDestroy(s *terraform.State) error {
return nil
}
func testAccCheckAWSRolePolicyAttachmentExists(n string, c int, out *iam.ListAttachedRolePoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
if rs.Primary.ID == "" {
return fmt.Errorf("No policy name is set")
}
conn := testAccProvider.Meta().(*AWSClient).iamconn
role := rs.Primary.Attributes["role"]
attachedPolicies, err := conn.ListAttachedRolePolicies(&iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(role),
})
if err != nil {
return fmt.Errorf("Error: Failed to get attached policies for role %s (%s)", role, n)
}
if c != len(attachedPolicies.AttachedPolicies) {
return fmt.Errorf("Error: Role (%s) has wrong number of policies attached on initial creation", n)
}
*out = *attachedPolicies
return nil
}
}
func testAccCheckAWSRolePolicyAttachmentAttributes(policies []string, out *iam.ListAttachedRolePoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
matched := 0
for _, p := range policies {
for _, ap := range out.AttachedPolicies {
// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
parts := strings.Split(*ap.PolicyArn, "/")
if len(parts) == 2 && p == parts[1] {
matched++
}
}
}
if matched != len(policies) || matched != len(out.AttachedPolicies) {
return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
}
return nil
}
}
const testAccAWSRolePolicyAttachConfig = `
resource "aws_iam_role" "role" {
name = "test-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
`
const testAccAWSRolePolicyAttachConfigUpdate = `
resource "aws_iam_role" "role" {
name = "test-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy2" {
name = "test-policy2"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy3" {
name = "test-policy3"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy2.arn}"
}
resource "aws_iam_role_policy_attachment" "test-attach2" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy3.arn}"
}
`

123
builtin/providers/aws/resource_aws_iam_user_policy_attachment.go Normal file
View File

@ -0,0 +1,123 @@
package aws
import (
"fmt"
"log"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsIamUserPolicyAttachment() *schema.Resource {
return &schema.Resource{
Create: resourceAwsIamUserPolicyAttachmentCreate,
Read: resourceAwsIamUserPolicyAttachmentRead,
Delete: resourceAwsIamUserPolicyAttachmentDelete,
Schema: map[string]*schema.Schema{
"user": &schema.Schema{
Type: schema.TypeString,
ForceNew: true,
Required: true,
},
"policy_arn": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
}
}
func resourceAwsIamUserPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
user := d.Get("user").(string)
arn := d.Get("policy_arn").(string)
err := attachPolicyToUser(conn, user, arn)
if err != nil {
return fmt.Errorf("[WARN] Error attaching policy %s to IAM User %s: %v", arn, user, err)
}
d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", user)))
return resourceAwsIamUserPolicyAttachmentRead(d, meta)
}
func resourceAwsIamUserPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
user := d.Get("user").(string)
arn := d.Get("policy_arn").(string)
_, err := conn.GetUser(&iam.GetUserInput{
UserName: aws.String(user),
})
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "NoSuchEntity" {
log.Printf("[WARN] No such entity found for Policy Attachment (%s)", user)
d.SetId("")
return nil
}
}
return err
}
attachedPolicies, err := conn.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
UserName: aws.String(user),
})
if err != nil {
return err
}
var policy string
for _, p := range attachedPolicies.AttachedPolicies {
if *p.PolicyArn == arn {
policy = *p.PolicyArn
}
}
if policy == "" {
log.Printf("[WARN] No such User found for Policy Attachment (%s)", user)
d.SetId("")
}
return nil
}
func resourceAwsIamUserPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
user := d.Get("user").(string)
arn := d.Get("policy_arn").(string)
err := detachPolicyFromUser(conn, user, arn)
if err != nil {
return fmt.Errorf("[WARN] Error removing policy %s from IAM User %s: %v", arn, user, err)
}
return nil
}
func attachPolicyToUser(conn *iam.IAM, user string, arn string) error {
_, err := conn.AttachUserPolicy(&iam.AttachUserPolicyInput{
UserName: aws.String(user),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}
func detachPolicyFromUser(conn *iam.IAM, user string, arn string) error {
_, err := conn.DetachUserPolicy(&iam.DetachUserPolicyInput{
UserName: aws.String(user),
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
return nil
}

192
builtin/providers/aws/resource_aws_iam_user_policy_attachment_test.go Normal file
View File

@ -0,0 +1,192 @@
package aws
import (
"fmt"
"strings"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestAccAWSUserPolicyAttachment_basic(t *testing.T) {
var out iam.ListAttachedUserPoliciesOutput
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSUserPolicyAttachmentDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSUserPolicyAttachConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSUserPolicyAttachmentExists("aws_iam_user_policy_attachment.test-attach", 1, &out),
testAccCheckAWSUserPolicyAttachmentAttributes([]string{"test-policy"}, &out),
),
},
resource.TestStep{
Config: testAccAWSUserPolicyAttachConfigUpdate,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSUserPolicyAttachmentExists("aws_iam_user_policy_attachment.test-attach", 2, &out),
testAccCheckAWSUserPolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
),
},
},
})
}
func testAccCheckAWSUserPolicyAttachmentDestroy(s *terraform.State) error {
return nil
}
func testAccCheckAWSUserPolicyAttachmentExists(n string, c int, out *iam.ListAttachedUserPoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
if rs.Primary.ID == "" {
return fmt.Errorf("No policy name is set")
}
conn := testAccProvider.Meta().(*AWSClient).iamconn
user := rs.Primary.Attributes["user"]
attachedPolicies, err := conn.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
UserName: aws.String(user),
})
if err != nil {
return fmt.Errorf("Error: Failed to get attached policies for user %s (%s)", user, n)
}
if c != len(attachedPolicies.AttachedPolicies) {
return fmt.Errorf("Error: User (%s) has wrong number of policies attached on initial creation", n)
}
*out = *attachedPolicies
return nil
}
}
func testAccCheckAWSUserPolicyAttachmentAttributes(policies []string, out *iam.ListAttachedUserPoliciesOutput) resource.TestCheckFunc {
return func(s *terraform.State) error {
matched := 0
for _, p := range policies {
for _, ap := range out.AttachedPolicies {
// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
parts := strings.Split(*ap.PolicyArn, "/")
if len(parts) == 2 && p == parts[1] {
matched++
}
}
}
if matched != len(policies) || matched != len(out.AttachedPolicies) {
return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
}
return nil
}
}
const testAccAWSUserPolicyAttachConfig = `
resource "aws_iam_user" "user" {
name = "test-user"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_user_policy_attachment" "test-attach" {
user = "${aws_iam_user.user.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
`
const testAccAWSUserPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
name = "test-user"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy2" {
name = "test-policy2"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_policy" "policy3" {
name = "test-policy3"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_user_policy_attachment" "test-attach" {
user = "${aws_iam_user.user.name}"
policy_arn = "${aws_iam_policy.policy2.arn}"
}
resource "aws_iam_user_policy_attachment" "test-attach2" {
user = "${aws_iam_user.user.name}"
policy_arn = "${aws_iam_policy.policy3.arn}"
}
`

35
website/source/docs/providers/aws/r/iam_group_policy_attachment.markdown Normal file
View File

@ -0,0 +1,35 @@
---
layout: "aws"
page_title: "AWS: aws_iam_group_policy_attachment"
sidebar_current: "docs-aws-resource-iam-group-policy-attachment"
description: |-
Attaches a Managed IAM Policy to an IAM group
---
# aws\_iam\_group\_policy\_attachment
Attaches a Managed IAM Policy to an IAM group
```
resource "aws_iam_group" "group" {
name = "test-group"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = #omitted
}
resource "aws_iam_group_policy_attachment" "test-attach" {
group = "${aws_iam_group.group.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
```
## Argument Reference
The following arguments are supported:
* `group` (Required) - The group the policy should be applied to
* `policy_arn` (Required) - The ARN of the policy you want to apply

35
website/source/docs/providers/aws/r/iam_role_policy_attachment.markdown Normal file
View File

@ -0,0 +1,35 @@
---
layout: "aws"
page_title: "AWS: aws_iam_role_policy_attachment"
sidebar_current: "docs-aws-resource-iam-role-policy-attachment"
description: |-
Attaches a Managed IAM Policy to an IAM role
---
# aws\_iam\_role\_policy\_attachment
Attaches a Managed IAM Policy to an IAM role
```
resource "aws_iam_role" "role" {
name = "test-role"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = #omitted
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
```
## Argument Reference
The following arguments are supported:
* `role` (Required) - The role the policy should be applied to
* `policy_arn` (Required) - The ARN of the policy you want to apply

35
website/source/docs/providers/aws/r/iam_user_policy_attachment.markdown Normal file
View File

@ -0,0 +1,35 @@
---
layout: "aws"
page_title: "AWS: aws_iam_user_policy_attachment"
sidebar_current: "docs-aws-resource-iam-user-policy-attachment"
description: |-
Attaches a Managed IAM Policy to an IAM user
---
# aws\_iam\_user\_policy\_attachment
Attaches a Managed IAM Policy to an IAM user
```
resource "aws_iam_user" "user" {
name = "test-user"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = #omitted
}
resource "aws_iam_user_policy_attachment" "test-attach" {
user = "${aws_iam_user.user.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
```
## Argument Reference
The following arguments are supported:
* `user` (Required) - The user the policy should be applied to
* `policy_arn` (Required) - The ARN of the policy you want to apply

12
website/source/layouts/aws.erb
View File

@ -384,6 +384,10 @@
<a href="/docs/providers/aws/r/iam_group_policy.html">aws_iam_group_policy</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-group-policy-attachment") %>>
<a href="/docs/providers/aws/r/iam_group_policy_attachment.html">aws_iam_group_policy_attachment</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-group-membership") %>>
<a href="/docs/providers/aws/r/iam_group_membership.html">aws_iam_group_membership</a>
</li>
@ -407,6 +411,10 @@
<a href="/docs/providers/aws/r/iam_role_policy.html">aws_iam_role_policy</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-role-policy-attachment") %>>
<a href="/docs/providers/aws/r/iam_role_policy_attachment.html">aws_iam_role_policy_attachment</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-saml-provider") %>>
<a href="/docs/providers/aws/r/iam_saml_provider.html">aws_iam_saml_provider</a>
</li>
@ -423,6 +431,10 @@
<a href="/docs/providers/aws/r/iam_user_policy.html">aws_iam_user_policy</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-user-policy-attachment") %>>
<a href="/docs/providers/aws/r/iam_user_policy_attachment.html">aws_iam_user_policy_attachment</a>
</li>
<li<%= sidebar_current("docs-aws-resource-iam-user-ssh-key") %>>
<a href="/docs/providers/aws/r/iam_user_ssh_key.html">aws_iam_user_ssh_key</a>
</li>