Merge pull request #12387 from hashicorp/paddy_11763_gcp_iam_diff
provider/google: ignore expanded v collapsed policies in diff
This commit is contained in:
Paddy
GitHub
commit
4f235c870d
|
|
@ -373,6 +373,8 @@ func jsonPolicyDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
|
||||||
log.Printf("[ERROR] Could not unmarshal new policy %s: %v", new, err)
|
log.Printf("[ERROR] Could not unmarshal new policy %s: %v", new, err)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
oldPolicy.Bindings = mergeBindings(oldPolicy.Bindings)
|
||||||
|
newPolicy.Bindings = mergeBindings(newPolicy.Bindings)
|
||||||
if newPolicy.Etag != oldPolicy.Etag {
|
if newPolicy.Etag != oldPolicy.Etag {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -254,53 +254,99 @@ func TestAccGoogleProjectIamPolicy_basic(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid string) resource.TestCheckFunc {
|
// Test that a non-collapsed IAM policy doesn't perpetually diff
|
||||||
return func(s *terraform.State) error {
|
func TestAccGoogleProjectIamPolicy_expanded(t *testing.T) {
|
||||||
|
pid := "terraform-" + acctest.RandString(10)
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccGoogleProjectAssociatePolicyExpanded(pid, pname, org),
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckGoogleProjectIamPolicyExists("google_project_iam_policy.acceptance", "data.google_iam_policy.expanded", pid),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func getStatePrimaryResource(s *terraform.State, res, expectedID string) (*terraform.InstanceState, error) {
|
||||||
// Get the project resource
|
// Get the project resource
|
||||||
project, ok := s.RootModule().Resources[projectRes]
|
resource, ok := s.RootModule().Resources[res]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Not found: %s", projectRes)
|
return nil, fmt.Errorf("Not found: %s", res)
|
||||||
}
|
}
|
||||||
// The project ID should match the config's project ID
|
if resource.Primary.Attributes["id"] != expectedID && expectedID != "" {
|
||||||
if project.Primary.ID != pid {
|
return nil, fmt.Errorf("Expected project %q to match ID %q in state", resource.Primary.ID, expectedID)
|
||||||
return fmt.Errorf("Expected project %q to match ID %q in state", pid, project.Primary.ID)
|
|
||||||
}
|
}
|
||||||
|
return resource.Primary, nil
|
||||||
|
}
|
||||||
|
|
||||||
var projectP, policyP cloudresourcemanager.Policy
|
func getGoogleProjectIamPolicyFromResource(resource *terraform.InstanceState) (cloudresourcemanager.Policy, error) {
|
||||||
// The project should have a policy
|
var p cloudresourcemanager.Policy
|
||||||
ps, ok := project.Primary.Attributes["policy_data"]
|
ps, ok := resource.Attributes["policy_data"]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Project resource %q did not have a 'policy_data' attribute. Attributes were %#v", project.Primary.Attributes["id"], project.Primary.Attributes)
|
return p, fmt.Errorf("Resource %q did not have a 'policy_data' attribute. Attributes were %#v", resource.ID, resource.Attributes)
|
||||||
}
|
}
|
||||||
if err := json.Unmarshal([]byte(ps), &projectP); err != nil {
|
if err := json.Unmarshal([]byte(ps), &p); err != nil {
|
||||||
return fmt.Errorf("Could not unmarshal %s:\n: %v", ps, err)
|
return p, fmt.Errorf("Could not unmarshal %s:\n: %v", ps, err)
|
||||||
}
|
}
|
||||||
|
return p, nil
|
||||||
|
}
|
||||||
|
|
||||||
// The data policy resource should have a policy
|
func getGoogleProjectIamPolicyFromState(s *terraform.State, res, expectedID string) (cloudresourcemanager.Policy, error) {
|
||||||
policy, ok := s.RootModule().Resources[policyRes]
|
project, err := getStatePrimaryResource(s, res, expectedID)
|
||||||
if !ok {
|
if err != nil {
|
||||||
return fmt.Errorf("Not found: %s", policyRes)
|
return cloudresourcemanager.Policy{}, err
|
||||||
}
|
}
|
||||||
ps, ok = policy.Primary.Attributes["policy_data"]
|
return getGoogleProjectIamPolicyFromResource(project)
|
||||||
if !ok {
|
}
|
||||||
return fmt.Errorf("Data policy resource %q did not have a 'policy_data' attribute. Attributes were %#v", policy.Primary.Attributes["id"], project.Primary.Attributes)
|
|
||||||
|
func compareBindings(a, b []*cloudresourcemanager.Binding) bool {
|
||||||
|
a = mergeBindings(a)
|
||||||
|
b = mergeBindings(b)
|
||||||
|
sort.Sort(sortableBindings(a))
|
||||||
|
sort.Sort(sortableBindings(b))
|
||||||
|
return reflect.DeepEqual(derefBindings(a), derefBindings(b))
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckGoogleProjectIamPolicyExists(projectRes, policyRes, pid string) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
projectPolicy, err := getGoogleProjectIamPolicyFromState(s, projectRes, pid)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error retrieving IAM policy for project from state: %s", err)
|
||||||
}
|
}
|
||||||
if err := json.Unmarshal([]byte(ps), &policyP); err != nil {
|
policyPolicy, err := getGoogleProjectIamPolicyFromState(s, policyRes, "")
|
||||||
return err
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error retrieving IAM policy for data_policy from state: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// The bindings in both policies should be identical
|
// The bindings in both policies should be identical
|
||||||
sort.Sort(sortableBindings(projectP.Bindings))
|
if !compareBindings(projectPolicy.Bindings, policyPolicy.Bindings) {
|
||||||
sort.Sort(sortableBindings(policyP.Bindings))
|
return fmt.Errorf("Project and data source policies do not match: project policy is %+v, data resource policy is %+v", derefBindings(projectPolicy.Bindings), derefBindings(policyPolicy.Bindings))
|
||||||
if !reflect.DeepEqual(derefBindings(projectP.Bindings), derefBindings(policyP.Bindings)) {
|
}
|
||||||
return fmt.Errorf("Project and data source policies do not match: project policy is %+v, data resource policy is %+v", derefBindings(projectP.Bindings), derefBindings(policyP.Bindings))
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid string) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
err := testAccCheckGoogleProjectIamPolicyExists(projectRes, policyRes, pid)(s)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
projectPolicy, err := getGoogleProjectIamPolicyFromState(s, projectRes, pid)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error retrieving IAM policy for project from state: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Merge the project policy in Terraform state with the policy the project had before the config was applied
|
// Merge the project policy in Terraform state with the policy the project had before the config was applied
|
||||||
expected := make([]*cloudresourcemanager.Binding, 0)
|
var expected []*cloudresourcemanager.Binding
|
||||||
expected = append(expected, originalPolicy.Bindings...)
|
expected = append(expected, originalPolicy.Bindings...)
|
||||||
expected = append(expected, projectP.Bindings...)
|
expected = append(expected, projectPolicy.Bindings...)
|
||||||
expectedM := mergeBindings(expected)
|
expected = mergeBindings(expected)
|
||||||
|
|
||||||
// Retrieve the actual policy from the project
|
// Retrieve the actual policy from the project
|
||||||
c := testAccProvider.Meta().(*Config)
|
c := testAccProvider.Meta().(*Config)
|
||||||
|
|
@ -308,13 +354,9 @@ func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid strin
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Failed to retrieve IAM Policy for project %q: %s", pid, err)
|
return fmt.Errorf("Failed to retrieve IAM Policy for project %q: %s", pid, err)
|
||||||
}
|
}
|
||||||
actualM := mergeBindings(actual.Bindings)
|
|
||||||
|
|
||||||
sort.Sort(sortableBindings(actualM))
|
|
||||||
sort.Sort(sortableBindings(expectedM))
|
|
||||||
// The bindings should match, indicating the policy was successfully applied and merged
|
// The bindings should match, indicating the policy was successfully applied and merged
|
||||||
if !reflect.DeepEqual(derefBindings(actualM), derefBindings(expectedM)) {
|
if !compareBindings(actual.Bindings, expected) {
|
||||||
return fmt.Errorf("Actual and expected project policies do not match: actual policy is %+v, expected policy is %+v", derefBindings(actualM), derefBindings(expectedM))
|
return fmt.Errorf("Actual and expected project policies do not match: actual policy is %+v, expected policy is %+v", derefBindings(actual.Bindings), derefBindings(expected))
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|
@ -634,3 +676,32 @@ resource "google_project" "acceptance" {
|
||||||
billing_account = "%s"
|
billing_account = "%s"
|
||||||
}`, pid, name, org, billing)
|
}`, pid, name, org, billing)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testAccGoogleProjectAssociatePolicyExpanded(pid, name, org string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_project" "acceptance" {
|
||||||
|
project_id = "%s"
|
||||||
|
name = "%s"
|
||||||
|
org_id = "%s"
|
||||||
|
}
|
||||||
|
resource "google_project_iam_policy" "acceptance" {
|
||||||
|
project = "${google_project.acceptance.id}"
|
||||||
|
policy_data = "${data.google_iam_policy.expanded.policy_data}"
|
||||||
|
authoritative = false
|
||||||
|
}
|
||||||
|
data "google_iam_policy" "expanded" {
|
||||||
|
binding {
|
||||||
|
role = "roles/viewer"
|
||||||
|
members = [
|
||||||
|
"user:paddy@carvers.co",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
binding {
|
||||||
|
role = "roles/viewer"
|
||||||
|
members = [
|
||||||
|
"user:paddy@hashicorp.com",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}`, pid, name, org)
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue