Merge pull request #8675 from hashicorp/b-aws-kms-key-policy

provider/aws: Support Policy DiffSuppression in `aws_kms_key` policy
2016-09-12 09:50:09 +01:00 · 2016-09-12 09:50:09 +01:00 · 6cf1fdf980
parent 04e675c663 806c000dbb
commit 6cf1fdf980
3 changed files with 67 additions and 10 deletions
--- a/builtin/providers/aws/import_aws_kms_key_test.go
+++ b/builtin/providers/aws/import_aws_kms_key_test.go
@ -6,7 +6,7 @@ import (
 	"github.com/hashicorp/terraform/helper/resource"
 )

-func TestAccAWSKMSKey_importBasic(t *testing.T) {
+func TestAccAWSKmsKey_importBasic(t *testing.T) {
 	resourceName := "aws_kms_key.foo"

 	resource.Test(t, resource.TestCase{
--- a/builtin/providers/aws/resource_aws_kms_key.go
+++ b/builtin/providers/aws/resource_aws_kms_key.go
@ -52,10 +52,10 @@ func resourceAwsKmsKey() *schema.Resource {
 				},
 			},
 			"policy": &schema.Schema{
-				Type:      schema.TypeString,
-				Optional:  true,
-				Computed:  true,
-				StateFunc: normalizeJson,
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
 			},
 			"is_enabled": &schema.Schema{
 				Type:     schema.TypeBool,
--- a/builtin/providers/aws/resource_aws_kms_key_test.go
+++ b/builtin/providers/aws/resource_aws_kms_key_test.go
@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
+	"github.com/jen20/awspolicyequivalence"
 )

 func TestAccAWSKmsKey_basic(t *testing.T) {
@ -19,13 +20,13 @@ func TestAccAWSKmsKey_basic(t *testing.T) {
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
 		Steps: []resource.TestStep{
-			resource.TestStep{
+			{
 				Config: testAccAWSKmsKey,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore),
 				),
 			},
-			resource.TestStep{
+			{
 				Config: testAccAWSKmsKey_removedPolicy,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter),
@ -35,6 +36,26 @@ func TestAccAWSKmsKey_basic(t *testing.T) {
 	})
 }

+func TestAccAWSKmsKey_policy(t *testing.T) {
+	var key kms.KeyMetadata
+	expectedPolicyText := `{"Version":"2012-10-17","Id":"kms-tf-1","Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}`
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSKmsKey,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &key),
+					testAccCheckAWSKmsKeyHasPolicy("aws_kms_key.foo", expectedPolicyText),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSKmsKey_isEnabled(t *testing.T) {
 	var key1, key2, key3 kms.KeyMetadata

@ -43,7 +64,7 @@ func TestAccAWSKmsKey_isEnabled(t *testing.T) {
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
 		Steps: []resource.TestStep{
-			resource.TestStep{
+			{
 				Config: testAccAWSKmsKey_enabledRotation,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1),
@ -52,7 +73,7 @@ func TestAccAWSKmsKey_isEnabled(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
 				),
 			},
-			resource.TestStep{
+			{
 				Config: testAccAWSKmsKey_disabled,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2),
@ -61,7 +82,7 @@ func TestAccAWSKmsKey_isEnabled(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"),
 				),
 			},
-			resource.TestStep{
+			{
 				Config: testAccAWSKmsKey_enabled,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3),
@ -74,6 +95,42 @@ func TestAccAWSKmsKey_isEnabled(t *testing.T) {
 	})
 }

+func testAccCheckAWSKmsKeyHasPolicy(name string, expectedPolicyText string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No KMS Key ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).kmsconn
+
+		out, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
+			KeyId:      aws.String(rs.Primary.ID),
+			PolicyName: aws.String("default"),
+		})
+		if err != nil {
+			return err
+		}
+
+		actualPolicyText := *out.Policy
+
+		equivalent, err := awspolicy.PoliciesAreEquivalent(actualPolicyText, expectedPolicyText)
+		if err != nil {
+			return fmt.Errorf("Error testing policy equivalence: %s", err)
+		}
+		if !equivalent {
+			return fmt.Errorf("Non-equivalent policy error:\n\nexpected: %s\n\n     got: %s\n",
+				expectedPolicyText, actualPolicyText)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).kmsconn