2015-02-06 16:34:24 +01:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2015-06-25 16:02:23 +02:00
|
|
|
"regexp"
|
2016-07-07 22:24:17 +02:00
|
|
|
"time"
|
2015-02-06 16:34:24 +01:00
|
|
|
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
2015-02-06 16:34:24 +01:00
|
|
|
|
2016-06-05 01:46:27 +02:00
|
|
|
"github.com/hashicorp/terraform/helper/resource"
|
2015-02-06 16:34:24 +01:00
|
|
|
"github.com/hashicorp/terraform/helper/schema"
|
|
|
|
)
|
|
|
|
|
|
|
|
func resourceAwsIamRole() *schema.Resource {
|
|
|
|
return &schema.Resource{
|
|
|
|
Create: resourceAwsIamRoleCreate,
|
|
|
|
Read: resourceAwsIamRoleRead,
|
2015-11-30 12:26:25 +01:00
|
|
|
Update: resourceAwsIamRoleUpdate,
|
2015-02-06 16:34:24 +01:00
|
|
|
Delete: resourceAwsIamRoleDelete,
|
|
|
|
|
|
|
|
Schema: map[string]*schema.Schema{
|
|
|
|
"arn": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Computed: true,
|
|
|
|
},
|
2016-06-05 01:46:27 +02:00
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
"unique_id": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Computed: true,
|
|
|
|
},
|
2016-06-05 01:46:27 +02:00
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
"name": &schema.Schema{
|
2016-06-05 01:46:27 +02:00
|
|
|
Type: schema.TypeString,
|
|
|
|
Optional: true,
|
|
|
|
Computed: true,
|
|
|
|
ForceNew: true,
|
|
|
|
ConflictsWith: []string{"name_prefix"},
|
2015-06-25 16:02:23 +02:00
|
|
|
ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
|
|
|
|
// https://github.com/boto/botocore/blob/2485f5c/botocore/data/iam/2010-05-08/service-2.json#L8329-L8334
|
|
|
|
value := v.(string)
|
|
|
|
if len(value) > 64 {
|
|
|
|
errors = append(errors, fmt.Errorf(
|
|
|
|
"%q cannot be longer than 64 characters", k))
|
|
|
|
}
|
|
|
|
if !regexp.MustCompile("^[\\w+=,.@-]*$").MatchString(value) {
|
|
|
|
errors = append(errors, fmt.Errorf(
|
|
|
|
"%q must match [\\w+=,.@-]", k))
|
|
|
|
}
|
|
|
|
return
|
|
|
|
},
|
2015-02-06 16:34:24 +01:00
|
|
|
},
|
2016-06-05 01:46:27 +02:00
|
|
|
|
|
|
|
"name_prefix": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Optional: true,
|
|
|
|
ForceNew: true,
|
|
|
|
ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
|
|
|
|
// https://github.com/boto/botocore/blob/2485f5c/botocore/data/iam/2010-05-08/service-2.json#L8329-L8334
|
|
|
|
value := v.(string)
|
|
|
|
if len(value) > 32 {
|
|
|
|
errors = append(errors, fmt.Errorf(
|
|
|
|
"%q cannot be longer than 32 characters, name is limited to 64", k))
|
|
|
|
}
|
|
|
|
if !regexp.MustCompile("^[\\w+=,.@-]*$").MatchString(value) {
|
|
|
|
errors = append(errors, fmt.Errorf(
|
|
|
|
"%q must match [\\w+=,.@-]", k))
|
|
|
|
}
|
|
|
|
return
|
|
|
|
},
|
|
|
|
},
|
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
"path": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Optional: true,
|
|
|
|
Default: "/",
|
|
|
|
ForceNew: true,
|
|
|
|
},
|
2016-06-05 01:46:27 +02:00
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
"assume_role_policy": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Required: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamRoleCreate(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
2016-06-05 01:46:27 +02:00
|
|
|
|
|
|
|
var name string
|
|
|
|
if v, ok := d.GetOk("name"); ok {
|
|
|
|
name = v.(string)
|
|
|
|
} else if v, ok := d.GetOk("name_prefix"); ok {
|
|
|
|
name = resource.PrefixedUniqueId(v.(string))
|
|
|
|
} else {
|
|
|
|
name = resource.UniqueId()
|
|
|
|
}
|
2015-02-06 16:34:24 +01:00
|
|
|
|
|
|
|
request := &iam.CreateRoleInput{
|
|
|
|
Path: aws.String(d.Get("path").(string)),
|
|
|
|
RoleName: aws.String(name),
|
|
|
|
AssumeRolePolicyDocument: aws.String(d.Get("assume_role_policy").(string)),
|
|
|
|
}
|
|
|
|
|
2016-07-07 22:24:17 +02:00
|
|
|
var createResp *iam.CreateRoleOutput
|
2016-08-18 17:27:17 +02:00
|
|
|
err := resource.Retry(30*time.Second, func() *resource.RetryError {
|
2016-07-07 22:24:17 +02:00
|
|
|
var err error
|
|
|
|
createResp, err = iamconn.CreateRole(request)
|
2016-08-18 17:27:17 +02:00
|
|
|
// IAM roles can take ~30 seconds to propagate in AWS:
|
2016-07-07 22:24:17 +02:00
|
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
|
|
|
|
if isAWSErr(err, "MalformedPolicyDocument", "Invalid principal in policy") {
|
|
|
|
return resource.RetryableError(err)
|
|
|
|
}
|
|
|
|
return resource.NonRetryableError(err)
|
|
|
|
})
|
2015-02-06 16:34:24 +01:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error creating IAM Role %s: %s", name, err)
|
|
|
|
}
|
|
|
|
return resourceAwsIamRoleReadResult(d, createResp.Role)
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamRoleRead(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
|
|
|
|
request := &iam.GetRoleInput{
|
|
|
|
RoleName: aws.String(d.Id()),
|
|
|
|
}
|
|
|
|
|
|
|
|
getResp, err := iamconn.GetRole(request)
|
|
|
|
if err != nil {
|
2015-05-20 13:21:23 +02:00
|
|
|
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me
|
2015-02-06 16:34:24 +01:00
|
|
|
d.SetId("")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Error reading IAM Role %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
return resourceAwsIamRoleReadResult(d, getResp.Role)
|
|
|
|
}
|
2016-06-05 01:46:27 +02:00
|
|
|
|
2015-11-30 12:26:25 +01:00
|
|
|
func resourceAwsIamRoleUpdate(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
|
|
|
|
if d.HasChange("assume_role_policy") {
|
|
|
|
assumeRolePolicyInput := &iam.UpdateAssumeRolePolicyInput{
|
|
|
|
RoleName: aws.String(d.Id()),
|
|
|
|
PolicyDocument: aws.String(d.Get("assume_role_policy").(string)),
|
|
|
|
}
|
|
|
|
_, err := iamconn.UpdateAssumeRolePolicy(assumeRolePolicyInput)
|
|
|
|
if err != nil {
|
|
|
|
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
|
|
|
|
d.SetId("")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Error Updating IAM Role (%s) Assume Role Policy: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2015-02-06 16:34:24 +01:00
|
|
|
|
|
|
|
func resourceAwsIamRoleReadResult(d *schema.ResourceData, role *iam.Role) error {
|
|
|
|
d.SetId(*role.RoleName)
|
|
|
|
if err := d.Set("name", role.RoleName); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-08-17 20:27:16 +02:00
|
|
|
if err := d.Set("arn", role.Arn); err != nil {
|
2015-02-06 16:34:24 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := d.Set("path", role.Path); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-08-17 20:27:16 +02:00
|
|
|
if err := d.Set("unique_id", role.RoleId); err != nil {
|
2015-02-06 16:34:24 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamRoleDelete(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
|
2015-06-01 22:47:14 +02:00
|
|
|
// Roles cannot be destroyed when attached to an existing Instance Profile
|
|
|
|
resp, err := iamconn.ListInstanceProfilesForRole(&iam.ListInstanceProfilesForRoleInput{
|
|
|
|
RoleName: aws.String(d.Id()),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error listing Profiles for IAM Role (%s) when trying to delete: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Loop and remove this Role from any Profiles
|
|
|
|
if len(resp.InstanceProfiles) > 0 {
|
|
|
|
for _, i := range resp.InstanceProfiles {
|
|
|
|
_, err := iamconn.RemoveRoleFromInstanceProfile(&iam.RemoveRoleFromInstanceProfileInput{
|
|
|
|
InstanceProfileName: i.InstanceProfileName,
|
|
|
|
RoleName: aws.String(d.Id()),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error deleting IAM Role %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
request := &iam.DeleteRoleInput{
|
|
|
|
RoleName: aws.String(d.Id()),
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := iamconn.DeleteRole(request); err != nil {
|
|
|
|
return fmt.Errorf("Error deleting IAM Role %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|