diff --git a/util/util.go b/util/util.go
index 8d93ee383..5eb193687 100644
--- a/util/util.go
+++ b/util/util.go
@@ -20,12 +20,12 @@ func JsonDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
 var oldJSON, newJSON interface{}
 err := json.Unmarshal([]byte(old), &oldJSON)
 if err != nil {
- log.Printf("[ERROR] Version of %q in state is not valid JSON: %s", k, err)
+ log.Printf("[WARN] Version of %q in state is not valid JSON: %s", k, err)
 return false
 }
 err = json.Unmarshal([]byte(new), &newJSON)
 if err != nil {
- log.Printf("[ERROR] Version of %q in config is not valid JSON: %s", k, err)
+ log.Printf("[WARN] Version of %q in config is not valid JSON: %s", k, err)
 return true
 }
 return reflect.DeepEqual(oldJSON, newJSON)
diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go
index 2b72c0816..8fb88f197 100644
--- a/vault/resource_aws_secret_backend_role.go
+++ b/vault/resource_aws_secret_backend_role.go
@@ -48,6 +48,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 Description: "IAM policy the role should use in JSON format.",
+ ValidateFunc: ValidateDataJSON,
 DiffSuppressFunc: util.JsonDiffSuppress,
 },
 "credential_type": {
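Review bot: The two Printf lines change only the log level, but the contract around them stays undocumented and is asymmetric: an unparseable value in state returns false (diff shown), while an unparseable value in config returns true (diff suppressed), so a malformed config value is silently treated as equal to whatever is already stored. That is only acceptable when the schema field also rejects bad JSON up front, which the second hunk does for policy_document via `ValidateFunc: ValidateDataJSON`; other fields using util.JsonDiffSuppress need the same pairing or the typo never reaches Vault. A doc comment on the function would make this explicit, e.g. `// JsonDiffSuppress reports whether old and new are equivalent JSON. Unparseable config JSON suppresses the diff, so pair it with a JSON ValidateFunc.` The function's closing brace lies outside the hunk.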
@@ -96,26 +97,18 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 policyARNsIfc, ok := d.GetOk("policy_arns")
 var policyARNs []interface{}
- if !ok {
- policyARN := d.Get("policy_arn")
- if policyARN != "" {
- policyARNs = append(policyARNs, policyARN)
- }
- } else {
+ if ok {
 policyARNs = policyARNsIfc.(*schema.Set).List()
 }
- policy, ok := d.GetOk("policy_document")
- if !ok {
- policy = d.Get("policy")
- }
+ policyDocument := d.Get("policy_document")
 roleARNs := d.Get("role_arns").(*schema.Set).List()
 iamGroups := d.Get("iam_groups").(*schema.Set).List()
- if policy == "" && len(policyARNs) == 0 && len(roleARNs) == 0 && len(iamGroups) == 0 {
- return fmt.Errorf("at least one of `policy`, `policy_arns`, `role_arns` or `iam_groups` must be set")
+ if policyDocument == "" && len(policyARNs) == 0 && len(roleARNs) == 0 && len(iamGroups) == 0 {
+ return fmt.Errorf("at least one of: `policy_document`, `policy_arns`, `role_arns` or `iam_groups` must be set")
 }
 credentialType := d.Get("credential_type").(string)
@@ -123,8 +116,8 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 data := map[string]interface{}{
 "credential_type": credentialType,
 }
- if policy != "" {
- data["policy_document"] = policy
+ if policyDocument != "" {
+ data["policy_document"] = policyDocument
 }
 if len(policyARNs) != 0 {
 data["policy_arns"] = policyARNs
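Review bot: `policyDocument := d.Get("policy_document")` leaves the variable as interface{}, so the `policyDocument == ""` comparisons below are interface-to-string comparisons rather than typed ones; the neighbouring `credentialType := d.Get("credential_type").(string)` line already shows the convention, so `policyDocument := d.Get("policy_document").(string)` keeps the two consistent and lets the compiler catch a future schema type change. Separately, the fallbacks for `policy` and `policy_arn` are dropped here, but this diff does not show whether those attributes were removed from the schema; if they still exist, a config that sets only `policy` now fails the "at least one of" check with a message that no longer names the attribute the user set, so a Removed/Deprecated message on those fields would be the clearer signal. awsSecretBackendRoleWrite continues beyond both hunks.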
@@ -188,16 +181,12 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 if _, ok := d.GetOk("policy_document"); ok {
 d.Set("policy_document", secret.Data["policy_document"])
- } else if _, ok := d.GetOk("policy"); ok {
- d.Set("policy", secret.Data["policy_document"])
 } else if v, ok := secret.Data["policy_document"]; ok {
 d.Set("policy_document", v)
 }
 if _, ok := d.GetOk("policy_arns"); ok {
 d.Set("policy_arns", secret.Data["policy_arns"])
- } else if _, ok := d.GetOk("policy_arn"); ok {
- d.Set("policy_arn", secret.Data["policy_arns"])
 } else if v, ok := secret.Data["policy_arns"]; ok {
 d.Set("policy_arns", v)
 }
diff --git a/vault/resource_aws_secret_backend_role_test.go b/vault/resource_aws_secret_backend_role_test.go
index de162143f..ab74b5f6c 100644
--- a/vault/resource_aws_secret_backend_role_test.go
+++ b/vault/resource_aws_secret_backend_role_test.go
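Review bot: With the `policy`/`policy_arn` branches removed, the two remaining branches for policy_document both write `secret.Data["policy_document"]` into state, differing only in that the first also clears the attribute when Vault omits the key; the same shape is left for policy_arns. A single `d.Set("policy_document", secret.Data["policy_document"])` (and likewise for policy_arns) would read more plainly and, as far as the hunk shows, keep the same drift detection — worth confirming against the import test before collapsing. Every `d.Set` return value here is discarded; returning the error is the usual fix and costs one line per call. awsSecretBackendRoleRead starts and ends outside the hunk.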
@@ -12,12 +12,14 @@ import (
 "github.com/hashicorp/terraform-provider-vault/util"
 )
-const testAccAWSSecretBackendRolePolicyInline_basic = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:*","Resource": "*"}]}`
-const testAccAWSSecretBackendRolePolicyInline_updated = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "ec2:*","Resource": "*"}]}`
-const testAccAWSSecretBackendRolePolicyArn_basic = "arn:aws:iam::123456789123:policy/foo"
-const testAccAWSSecretBackendRolePolicyArn_updated = "arn:aws:iam::123456789123:policy/bar"
-const testAccAWSSecretBackendRoleRoleArn_basic = "arn:aws:iam::123456789123:role/foo"
-const testAccAWSSecretBackendRoleRoleArn_updated = "arn:aws:iam::123456789123:role/bar"
+const (
+ testAccAWSSecretBackendRolePolicyInline_basic = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:*","Resource": "*"}]}`
+ testAccAWSSecretBackendRolePolicyInline_updated = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "ec2:*","Resource": "*"}]}`
+ testAccAWSSecretBackendRolePolicyArn_basic = "arn:aws:iam::123456789123:policy/foo"
+ testAccAWSSecretBackendRolePolicyArn_updated = "arn:aws:iam::123456789123:policy/bar"
+ testAccAWSSecretBackendRoleRoleArn_basic = "arn:aws:iam::123456789123:role/foo"
+ testAccAWSSecretBackendRoleRoleArn_updated = "arn:aws:iam::123456789123:role/bar"
+)
 func TestAccAWSSecretBackendRole_basic(t *testing.T) {
 backend := acctest.RandomWithPrefix("tf-test-aws")
@@ -37,14 +39,18 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) { resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#", "0"), ), }, { 
@@ -54,21 +60,26 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) { resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "default_sts_ttl", "3600"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "max_sts_ttl", "21600"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "policy_arns.#", "0"), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "iam_groups.#", "2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", 
testAccAWSSecretBackendRolePolicyArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "iam_groups.#", "2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "iam_groups.#", "2"), + resource.TestCheckNoResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_groups", "name", fmt.Sprintf("%s-role-groups", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_groups", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_groups", "iam_groups.#", "2"), 
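Review bot: The added check on `vault_aws_secret_backend_role.test_role_arns` in this step uses `resource.TestCheckNoResourceAttr(..., "policy_arns.#")`, while the first and third steps of the same test (and the other test functions in this diff) assert `resource.TestCheckResourceAttr(..., "policy_arns.#", "0")` for the same resource and attribute. Both forms likely pass, since the SDK treats a "0" count and an absent count alike, but the inconsistency reads as if the update step is expected to drop the attribute; using the `"0"` form here matches the rest of the file and states the intent directly. The TestStep list continues outside the hunk.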
@@ -83,14 +94,17 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) { resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#", "0"), ), }, }, 
@@ -114,14 +128,17 @@ func TestAccAWSSecretBackendRole_import(t *testing.T) { util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#", "0"), ), }, { 
@@ -165,14 +182,17 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) { util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#", "0"), ), }, { 
@@ -186,17 +206,20 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) { util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "iam_groups.#", "2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend), util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.#", "1"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "iam_groups.#", "2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_updated), 
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "iam_groups.#", "2"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "policy_arns.#", "0"), ), }, },