provider/aws: Add diff suppression & validation for OpenID URL

This commit is contained in:
Radek Simko 2017-04-06 10:26:32 +01:00
parent 3640bdd6e1
commit 668a09aa00
No known key found for this signature in database
GPG Key ID: 6823F3DCCE01BB19
5 changed files with 73 additions and 4 deletions


@ -4,6 +4,7 @@ import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"log" "log"
"net/url"
"strings" "strings"
"github.com/hashicorp/terraform/helper/schema" "github.com/hashicorp/terraform/helper/schema"
@ -58,3 +59,19 @@ func suppressEquivalentJsonDiffs(k, old, new string, d *schema.ResourceData) boo
return jsonBytesEqual(ob.Bytes(), nb.Bytes()) return jsonBytesEqual(ob.Bytes(), nb.Bytes())
} }
func suppressOpenIdURL(k, old, new string, d *schema.ResourceData) bool {
oldUrl, err := url.Parse(old)
if err != nil {
return false
}
newUrl, err := url.Parse(new)
if err != nil {
return false
}
oldUrl.Scheme = "https"
return oldUrl.String() == newUrl.String()
}
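Review bot: suppressOpenIdURL overwrites oldUrl.Scheme unconditionally, so a stored `http://…` value compared against a new `https://…` value is reported as equal and the change is suppressed even though the validator would have rejected the old form; if the intent is only to supply the scheme the stored value lacks, guard it: `if oldUrl.Scheme == "" { oldUrl.Scheme = "https" }`. The helper also has no comment; I would add `// suppressOpenIdURL treats a scheme-less URL as equal to its https:// form.` above it, and note inline that the comparison appears to rely on url.URL.String re-inserting the `//` because a scheme-less input parses into Path rather than Host. Why the old value may lack a scheme is not visible in this hunk — presumably the API returns it that way — so confirm that before writing it into the comment.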


@ -309,6 +309,7 @@ func Provider() terraform.ResourceProvider {
"aws_iam_group_membership": resourceAwsIamGroupMembership(), "aws_iam_group_membership": resourceAwsIamGroupMembership(),
"aws_iam_group_policy_attachment": resourceAwsIamGroupPolicyAttachment(), "aws_iam_group_policy_attachment": resourceAwsIamGroupPolicyAttachment(),
"aws_iam_instance_profile": resourceAwsIamInstanceProfile(), "aws_iam_instance_profile": resourceAwsIamInstanceProfile(),
"aws_iam_openid_connect_provider": resourceAwsIamOpenIDConnectProvider(),
"aws_iam_policy": resourceAwsIamPolicy(), "aws_iam_policy": resourceAwsIamPolicy(),
"aws_iam_policy_attachment": resourceAwsIamPolicyAttachment(), "aws_iam_policy_attachment": resourceAwsIamPolicyAttachment(),
"aws_iam_role_policy_attachment": resourceAwsIamRolePolicyAttachment(), "aws_iam_role_policy_attachment": resourceAwsIamRolePolicyAttachment(),


@ -27,6 +27,8 @@ func resourceAwsIamOpenIDConnectProvider() *schema.Resource {
Computed: false, Computed: false,
Required: true, Required: true,
ForceNew: true, ForceNew: true,
ValidateFunc: validateOpenIdURL,
DiffSuppressFunc: suppressOpenIdURL,
}, },
"client-id-list": &schema.Schema{ "client-id-list": &schema.Schema{
Elem: &schema.Schema{Type: schema.TypeString}, Elem: &schema.Schema{Type: schema.TypeString},


@ -3,6 +3,7 @@ package aws
import ( import (
"fmt" "fmt"
"net" "net"
"net/url"
"regexp" "regexp"
"strings" "strings"
"time" "time"
@ -1170,3 +1171,19 @@ func validateAwsAlbTargetGroupNamePrefix(v interface{}, k string) (ws []string,
} }
return return
} }
func validateOpenIdURL(v interface{}, k string) (ws []string, errors []error) {
value := v.(string)
u, err := url.Parse(value)
if err != nil {
errors = append(errors, fmt.Errorf("%q has to be a valid URL", k))
return
}
if u.Scheme != "https" {
errors = append(errors, fmt.Errorf("%q has to use HTTPS scheme (i.e. begin with https://)", k))
}
if len(u.Query()) > 0 {
errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
}
return
}
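Review bot: validateOpenIdURL accepts an https URL with no host (url.Parse is content with `https:` or `https:///path`) and one with a fragment, both of which the OIDC issuer-identifier rules disallow alongside query components; add a host check and a fragment check next to the existing query check. Testing `u.RawQuery != ""` is also stricter than `len(u.Query()) > 0`, since Query() discards the parse error and drops pairs it cannot decode. The unchecked `v.(string)` assertion matches the other validators in this file, so I would leave it. The rewritten checks are below; the parse and scheme checks are unchanged.
```go
func validateOpenIdURL(v interface{}, k string) (ws []string, errors []error) {
	// … unchanged: url.Parse and the https scheme check …
	if u.Host == "" {
		errors = append(errors, fmt.Errorf("%q has to contain a host", k))
	}
	// RawQuery also catches query strings that Query() would silently drop.
	if u.RawQuery != "" {
		errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
	}
	if u.Fragment != "" {
		errors = append(errors, fmt.Errorf("%q cannot contain a fragment per the OIDC standard", k))
	}
	return
}
```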


@ -1913,3 +1913,35 @@ func TestValidateDbOptionGroupNamePrefix(t *testing.T) {
} }
} }
} }
func TestValidateOpenIdURL(t *testing.T) {
cases := []struct {
Value string
ErrCount int
}{
{
Value: "http://wrong.scheme.com",
ErrCount: 1,
},
{
Value: "ftp://wrong.scheme.co.uk",
ErrCount: 1,
},
{
Value: "%@invalidUrl",
ErrCount: 1,
},
{
Value: "https://example.com/?query=param",
ErrCount: 1,
},
}
for _, tc := range cases {
_, errors := validateOpenIdURL(tc.Value, "url")
if len(errors) != tc.ErrCount {
t.Fatalf("Expected %d of OpenID URL validation errors, got %d", tc.ErrCount, len(errors))
}
}
}
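Review bot: TestValidateOpenIdURL has no case that is expected to pass, so a validator that rejects every input would still satisfy it; add a constructed valid value such as `{Value: "https://accounts.example.com/path", ErrCount: 0},` to cases. The failure message also omits which value failed, which matters once more cases exist: `t.Fatalf("Expected %d of OpenID URL validation errors for %q, got %d", tc.ErrCount, tc.Value, len(errors))`.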