terraform/builtin/providers/aws/resource_aws_iam_role_polic...

package aws

import (
	"fmt"
	"net/url"
	"strings"

	"github.com/awslabs/aws-sdk-go/aws"
	"github.com/awslabs/aws-sdk-go/service/iam"

	"github.com/hashicorp/terraform/helper/schema"
)

func resourceAwsIamRolePolicy() *schema.Resource {
	return &schema.Resource{
		// PutRolePolicy API is idempotent, so these can be the same.
		Create: resourceAwsIamRolePolicyPut,
		Update: resourceAwsIamRolePolicyPut,

		Read:   resourceAwsIamRolePolicyRead,
		Delete: resourceAwsIamRolePolicyDelete,

		Schema: map[string]*schema.Schema{
			"policy": &schema.Schema{
				Type:     schema.TypeString,
				Required: true,
			},
			"name": &schema.Schema{
				Type:     schema.TypeString,
				Required: true,
				ForceNew: true,
			},
			"role": &schema.Schema{
				Type:     schema.TypeString,
				Required: true,
				ForceNew: true,
			},
		},
	}
}

func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error {
	iamconn := meta.(*AWSClient).iamconn

	request := &iam.PutRolePolicyInput{
		RoleName:       aws.String(d.Get("role").(string)),
		PolicyName:     aws.String(d.Get("name").(string)),
		PolicyDocument: aws.String(d.Get("policy").(string)),
	}

	if _, err := iamconn.PutRolePolicy(request); err != nil {
		return fmt.Errorf("Error putting IAM role policy %s: %s", *request.PolicyName, err)
	}

	d.SetId(fmt.Sprintf("%s:%s", *request.RoleName, *request.PolicyName))
	return nil
}

func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {
	iamconn := meta.(*AWSClient).iamconn

	role, name := resourceAwsIamRolePolicyParseId(d.Id())

	request := &iam.GetRolePolicyInput{
		PolicyName: aws.String(name),
		RoleName:   aws.String(role),
	}

	getResp, err := iamconn.GetRolePolicy(request)
	if err != nil {
		if iamerr, ok := err.(aws.APIError); ok && iamerr.Code == "NoSuchEntity" { // XXX test me
			d.SetId("")
			return nil
		}
		return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err)
	}

	if getResp.PolicyDocument == nil {
		return fmt.Errorf("GetRolePolicy returned a nil policy document")
	}

	policy, err := url.QueryUnescape(*getResp.PolicyDocument)
	if err != nil {
		return err
	}
	return d.Set("policy", policy)
}

func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {
	iamconn := meta.(*AWSClient).iamconn

	role, name := resourceAwsIamRolePolicyParseId(d.Id())

	request := &iam.DeleteRolePolicyInput{
		PolicyName: aws.String(name),
		RoleName:   aws.String(role),
	}

	if _, err := iamconn.DeleteRolePolicy(request); err != nil {
		return fmt.Errorf("Error deleting IAM role policy %s: %s", d.Id(), err)
	}
	return nil
}

func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {
	parts := strings.SplitN(id, ":", 2)
	roleName = parts[0]
	policyName = parts[1]
	return
}
Implement AWS IAM resources - Users - Groups - Roles - Inline policies for the above three - Instance profiles - Managed policies - Access keys This is most of the data types provided by IAM. There are a few things missing, but the functionality here is probably sufficient for 95% of the cases. Makes a dent in #28. 2015-02-06 16:34:24 +01:00			`package aws`

			`import (`
			`"fmt"`
			`"net/url"`
			`"strings"`

			`"github.com/awslabs/aws-sdk-go/aws"`
			`"github.com/awslabs/aws-sdk-go/service/iam"`

			`"github.com/hashicorp/terraform/helper/schema"`
			`)`

			`func resourceAwsIamRolePolicy() *schema.Resource {`
			`return &schema.Resource{`
			`// PutRolePolicy API is idempotent, so these can be the same.`
			`Create: resourceAwsIamRolePolicyPut,`
			`Update: resourceAwsIamRolePolicyPut,`

			`Read: resourceAwsIamRolePolicyRead,`
			`Delete: resourceAwsIamRolePolicyDelete,`

			`Schema: map[string]*schema.Schema{`
			`"policy": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`},`
			`"name": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`},`
			`"role": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`},`
			`},`
			`}`
			`}`

			`func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error {`
			`iamconn := meta.(*AWSClient).iamconn`

			`request := &iam.PutRolePolicyInput{`
			`RoleName: aws.String(d.Get("role").(string)),`
			`PolicyName: aws.String(d.Get("name").(string)),`
			`PolicyDocument: aws.String(d.Get("policy").(string)),`
			`}`

			`if _, err := iamconn.PutRolePolicy(request); err != nil {`
			`return fmt.Errorf("Error putting IAM role policy %s: %s", *request.PolicyName, err)`
			`}`

			`d.SetId(fmt.Sprintf("%s:%s", request.RoleName, request.PolicyName))`
			`return nil`
			`}`

			`func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {`
			`iamconn := meta.(*AWSClient).iamconn`

Add acceptance tests 2015-04-18 22:58:08 +02:00			`role, name := resourceAwsIamRolePolicyParseId(d.Id())`
Implement AWS IAM resources - Users - Groups - Roles - Inline policies for the above three - Instance profiles - Managed policies - Access keys This is most of the data types provided by IAM. There are a few things missing, but the functionality here is probably sufficient for 95% of the cases. Makes a dent in #28. 2015-02-06 16:34:24 +01:00
			`request := &iam.GetRolePolicyInput{`
			`PolicyName: aws.String(name),`
			`RoleName: aws.String(role),`
			`}`

			`getResp, err := iamconn.GetRolePolicy(request)`
			`if err != nil {`
			`if iamerr, ok := err.(aws.APIError); ok && iamerr.Code == "NoSuchEntity" { // XXX test me`
			`d.SetId("")`
			`return nil`
			`}`
			`return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err)`
			`}`

			`if getResp.PolicyDocument == nil {`
			`return fmt.Errorf("GetRolePolicy returned a nil policy document")`
			`}`

			`policy, err := url.QueryUnescape(*getResp.PolicyDocument)`
			`if err != nil {`
			`return err`
			`}`
			`return d.Set("policy", policy)`
			`}`

			`func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {`
			`iamconn := meta.(*AWSClient).iamconn`

Add acceptance tests 2015-04-18 22:58:08 +02:00			`role, name := resourceAwsIamRolePolicyParseId(d.Id())`
Implement AWS IAM resources - Users - Groups - Roles - Inline policies for the above three - Instance profiles - Managed policies - Access keys This is most of the data types provided by IAM. There are a few things missing, but the functionality here is probably sufficient for 95% of the cases. Makes a dent in #28. 2015-02-06 16:34:24 +01:00
			`request := &iam.DeleteRolePolicyInput{`
			`PolicyName: aws.String(name),`
			`RoleName: aws.String(role),`
			`}`

			`if _, err := iamconn.DeleteRolePolicy(request); err != nil {`
			`return fmt.Errorf("Error deleting IAM role policy %s: %s", d.Id(), err)`
			`}`
			`return nil`
			`}`

Add acceptance tests 2015-04-18 22:58:08 +02:00			`func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {`
			`parts := strings.SplitN(id, ":", 2)`
			`roleName = parts[0]`
Implement AWS IAM resources - Users - Groups - Roles - Inline policies for the above three - Instance profiles - Managed policies - Access keys This is most of the data types provided by IAM. There are a few things missing, but the functionality here is probably sufficient for 95% of the cases. Makes a dent in #28. 2015-02-06 16:34:24 +01:00			`policyName = parts[1]`
			`return`
			`}`