Merge pull request #12387 from hashicorp/paddy_11763_gcp_iam_diff

provider/google: ignore expanded v collapsed policies in diff
This commit is contained in:
Paddy 2017-03-14 12:48:05 -07:00 committed by GitHub
commit 4f235c870d
2 changed files with 124 additions and 51 deletions

View File

@ -373,6 +373,8 @@ func jsonPolicyDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
log.Printf("[ERROR] Could not unmarshal new policy %s: %v", new, err) log.Printf("[ERROR] Could not unmarshal new policy %s: %v", new, err)
return false return false
} }
oldPolicy.Bindings = mergeBindings(oldPolicy.Bindings)
newPolicy.Bindings = mergeBindings(newPolicy.Bindings)
if newPolicy.Etag != oldPolicy.Etag { if newPolicy.Etag != oldPolicy.Etag {
return false return false
} }

View File

@ -254,53 +254,99 @@ func TestAccGoogleProjectIamPolicy_basic(t *testing.T) {
}) })
} }
func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid string) resource.TestCheckFunc { // Test that a non-collapsed IAM policy doesn't perpetually diff
return func(s *terraform.State) error { func TestAccGoogleProjectIamPolicy_expanded(t *testing.T) {
pid := "terraform-" + acctest.RandString(10)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccGoogleProjectAssociatePolicyExpanded(pid, pname, org),
Check: resource.ComposeTestCheckFunc(
testAccCheckGoogleProjectIamPolicyExists("google_project_iam_policy.acceptance", "data.google_iam_policy.expanded", pid),
),
},
},
})
}
func getStatePrimaryResource(s *terraform.State, res, expectedID string) (*terraform.InstanceState, error) {
// Get the project resource // Get the project resource
project, ok := s.RootModule().Resources[projectRes] resource, ok := s.RootModule().Resources[res]
if !ok { if !ok {
return fmt.Errorf("Not found: %s", projectRes) return nil, fmt.Errorf("Not found: %s", res)
} }
// The project ID should match the config's project ID if resource.Primary.Attributes["id"] != expectedID && expectedID != "" {
if project.Primary.ID != pid { return nil, fmt.Errorf("Expected project %q to match ID %q in state", resource.Primary.ID, expectedID)
return fmt.Errorf("Expected project %q to match ID %q in state", pid, project.Primary.ID)
} }
return resource.Primary, nil
}
var projectP, policyP cloudresourcemanager.Policy func getGoogleProjectIamPolicyFromResource(resource *terraform.InstanceState) (cloudresourcemanager.Policy, error) {
// The project should have a policy var p cloudresourcemanager.Policy
ps, ok := project.Primary.Attributes["policy_data"] ps, ok := resource.Attributes["policy_data"]
if !ok { if !ok {
return fmt.Errorf("Project resource %q did not have a 'policy_data' attribute. Attributes were %#v", project.Primary.Attributes["id"], project.Primary.Attributes) return p, fmt.Errorf("Resource %q did not have a 'policy_data' attribute. Attributes were %#v", resource.ID, resource.Attributes)
} }
if err := json.Unmarshal([]byte(ps), &projectP); err != nil { if err := json.Unmarshal([]byte(ps), &p); err != nil {
return fmt.Errorf("Could not unmarshal %s:\n: %v", ps, err) return p, fmt.Errorf("Could not unmarshal %s:\n: %v", ps, err)
} }
return p, nil
}
// The data policy resource should have a policy func getGoogleProjectIamPolicyFromState(s *terraform.State, res, expectedID string) (cloudresourcemanager.Policy, error) {
policy, ok := s.RootModule().Resources[policyRes] project, err := getStatePrimaryResource(s, res, expectedID)
if !ok { if err != nil {
return fmt.Errorf("Not found: %s", policyRes) return cloudresourcemanager.Policy{}, err
} }
ps, ok = policy.Primary.Attributes["policy_data"] return getGoogleProjectIamPolicyFromResource(project)
if !ok { }
return fmt.Errorf("Data policy resource %q did not have a 'policy_data' attribute. Attributes were %#v", policy.Primary.Attributes["id"], project.Primary.Attributes)
func compareBindings(a, b []*cloudresourcemanager.Binding) bool {
a = mergeBindings(a)
b = mergeBindings(b)
sort.Sort(sortableBindings(a))
sort.Sort(sortableBindings(b))
return reflect.DeepEqual(derefBindings(a), derefBindings(b))
}
func testAccCheckGoogleProjectIamPolicyExists(projectRes, policyRes, pid string) resource.TestCheckFunc {
return func(s *terraform.State) error {
projectPolicy, err := getGoogleProjectIamPolicyFromState(s, projectRes, pid)
if err != nil {
return fmt.Errorf("Error retrieving IAM policy for project from state: %s", err)
} }
if err := json.Unmarshal([]byte(ps), &policyP); err != nil { policyPolicy, err := getGoogleProjectIamPolicyFromState(s, policyRes, "")
return err if err != nil {
return fmt.Errorf("Error retrieving IAM policy for data_policy from state: %s", err)
} }
// The bindings in both policies should be identical // The bindings in both policies should be identical
sort.Sort(sortableBindings(projectP.Bindings)) if !compareBindings(projectPolicy.Bindings, policyPolicy.Bindings) {
sort.Sort(sortableBindings(policyP.Bindings)) return fmt.Errorf("Project and data source policies do not match: project policy is %+v, data resource policy is %+v", derefBindings(projectPolicy.Bindings), derefBindings(policyPolicy.Bindings))
if !reflect.DeepEqual(derefBindings(projectP.Bindings), derefBindings(policyP.Bindings)) { }
return fmt.Errorf("Project and data source policies do not match: project policy is %+v, data resource policy is %+v", derefBindings(projectP.Bindings), derefBindings(policyP.Bindings)) return nil
}
}
func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid string) resource.TestCheckFunc {
return func(s *terraform.State) error {
err := testAccCheckGoogleProjectIamPolicyExists(projectRes, policyRes, pid)(s)
if err != nil {
return err
}
projectPolicy, err := getGoogleProjectIamPolicyFromState(s, projectRes, pid)
if err != nil {
return fmt.Errorf("Error retrieving IAM policy for project from state: %s", err)
} }
// Merge the project policy in Terraform state with the policy the project had before the config was applied // Merge the project policy in Terraform state with the policy the project had before the config was applied
expected := make([]*cloudresourcemanager.Binding, 0) var expected []*cloudresourcemanager.Binding
expected = append(expected, originalPolicy.Bindings...) expected = append(expected, originalPolicy.Bindings...)
expected = append(expected, projectP.Bindings...) expected = append(expected, projectPolicy.Bindings...)
expectedM := mergeBindings(expected) expected = mergeBindings(expected)
// Retrieve the actual policy from the project // Retrieve the actual policy from the project
c := testAccProvider.Meta().(*Config) c := testAccProvider.Meta().(*Config)
@ -308,13 +354,9 @@ func testAccCheckGoogleProjectIamPolicyIsMerged(projectRes, policyRes, pid strin
if err != nil { if err != nil {
return fmt.Errorf("Failed to retrieve IAM Policy for project %q: %s", pid, err) return fmt.Errorf("Failed to retrieve IAM Policy for project %q: %s", pid, err)
} }
actualM := mergeBindings(actual.Bindings)
sort.Sort(sortableBindings(actualM))
sort.Sort(sortableBindings(expectedM))
// The bindings should match, indicating the policy was successfully applied and merged // The bindings should match, indicating the policy was successfully applied and merged
if !reflect.DeepEqual(derefBindings(actualM), derefBindings(expectedM)) { if !compareBindings(actual.Bindings, expected) {
return fmt.Errorf("Actual and expected project policies do not match: actual policy is %+v, expected policy is %+v", derefBindings(actualM), derefBindings(expectedM)) return fmt.Errorf("Actual and expected project policies do not match: actual policy is %+v, expected policy is %+v", derefBindings(actual.Bindings), derefBindings(expected))
} }
return nil return nil
@ -634,3 +676,32 @@ resource "google_project" "acceptance" {
billing_account = "%s" billing_account = "%s"
}`, pid, name, org, billing) }`, pid, name, org, billing)
} }
func testAccGoogleProjectAssociatePolicyExpanded(pid, name, org string) string {
return fmt.Sprintf(`
resource "google_project" "acceptance" {
project_id = "%s"
name = "%s"
org_id = "%s"
}
resource "google_project_iam_policy" "acceptance" {
project = "${google_project.acceptance.id}"
policy_data = "${data.google_iam_policy.expanded.policy_data}"
authoritative = false
}
data "google_iam_policy" "expanded" {
binding {
role = "roles/viewer"
members = [
"user:paddy@carvers.co",
]
}
binding {
role = "roles/viewer"
members = [
"user:paddy@hashicorp.com",
]
}
}`, pid, name, org)
}