From 6ee17a8e9ea213a1fd5a8dc57718c34b74a7fd46 Mon Sep 17 00:00:00 2001
From: John Engelman <john.r.engelman@gmail.com>
Date: Sat, 18 Apr 2015 15:58:08 -0500
Subject: [PATCH] Add acceptance tests

---
 .../aws/resource_aws_iam_access_key_test.go   | 117 ++++++++++++++++++
 .../aws/resource_aws_iam_group_policy.go      |   8 +-
 .../aws/resource_aws_iam_group_policy_test.go | 112 +++++++++++++++++
 .../aws/resource_aws_iam_group_test.go        | 106 ++++++++++++++++
 .../aws/resource_aws_iam_role_policy.go       |  10 +-
 .../aws/resource_aws_iam_role_policy_test.go  | 114 +++++++++++++++++
 .../aws/resource_aws_iam_role_test.go         | 106 ++++++++++++++++
 .../aws/resource_aws_iam_user_policy.go       |   8 +-
 .../aws/resource_aws_iam_user_policy_test.go  | 112 +++++++++++++++++
 .../aws/resource_aws_iam_user_test.go         | 106 ++++++++++++++++
 10 files changed, 786 insertions(+), 13 deletions(-)
 create mode 100644 builtin/providers/aws/resource_aws_iam_access_key_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_group_policy_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_group_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_role_policy_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_role_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_user_policy_test.go
 create mode 100644 builtin/providers/aws/resource_aws_iam_user_test.go

diff --git a/builtin/providers/aws/resource_aws_iam_access_key_test.go b/builtin/providers/aws/resource_aws_iam_access_key_test.go
new file mode 100644
index 000000000..0aacc058d
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_access_key_test.go
@@ -0,0 +1,117 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSAccessKey_normal(t *testing.T) {
+	var conf iam.AccessKeyMetadata
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSAccessKeyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSAccessKeyConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSAccessKeyExists("aws_iam_access_key.a_key", &conf),
+					testAccCheckAWSAccessKeyAttributes(&conf),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSAccessKeyDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_access_key" {
+			continue
+		}
+
+		// Try to get access key
+		resp, err := iamconn.ListAccessKeys(&iam.ListAccessKeysInput{
+			UserName: aws.String(rs.Primary.ID),
+		})
+		if err == nil {
+			if len(resp.AccessKeyMetadata) > 0 {
+				return fmt.Errorf("still exist.")
+			}
+			return nil
+		}
+
+		// Verify the error is what we want
+		ec2err, ok := err.(aws.APIError)
+		if !ok {
+			return err
+		}
+		if ec2err.Code != "NoSuchEntity" {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSAccessKeyExists(n string, res *iam.AccessKeyMetadata) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Role name is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+		resp, err := iamconn.ListAccessKeys(&iam.ListAccessKeysInput{
+			UserName: aws.String("testuser"),
+		})
+		if err != nil {
+			return err
+		}
+
+		if len(resp.AccessKeyMetadata) != 1 ||
+			*resp.AccessKeyMetadata[0].UserName != "testuser" {
+			return fmt.Errorf("User not found not found")
+		}
+
+		*res = *resp.AccessKeyMetadata[0]
+
+		return nil
+	}
+}
+
+func testAccCheckAWSAccessKeyAttributes(accessKeyMetadata *iam.AccessKeyMetadata) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *accessKeyMetadata.UserName != "testuser" {
+			return fmt.Errorf("Bad username: %s", *accessKeyMetadata.UserName)
+		}
+
+		if *accessKeyMetadata.Status != "Active" {
+			return fmt.Errorf("Bad status: %s", *accessKeyMetadata.Status)
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSAccessKeyConfig = `
+resource "aws_iam_user" "a_user" {
+	name = "testuser"
+}
+
+resource "aws_iam_access_key" "a_key" {
+	user = "${aws_iam_user.a_user.name}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_group_policy.go b/builtin/providers/aws/resource_aws_iam_group_policy.go
index 1e6c244a5..51190aa5f 100644
--- a/builtin/providers/aws/resource_aws_iam_group_policy.go
+++ b/builtin/providers/aws/resource_aws_iam_group_policy.go
@@ -59,7 +59,7 @@ func resourceAwsIamGroupPolicyPut(d *schema.ResourceData, meta interface{}) erro
 func resourceAwsIamGroupPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	group, name := resourceAwsIamGroupPolicyParseId(d)
+	group, name := resourceAwsIamGroupPolicyParseId(d.Id())
 
 	request := &iam.GetGroupPolicyInput{
 		PolicyName: aws.String(name),
@@ -89,7 +89,7 @@ func resourceAwsIamGroupPolicyRead(d *schema.ResourceData, meta interface{}) err
 func resourceAwsIamGroupPolicyDelete(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	group, name := resourceAwsIamGroupPolicyParseId(d)
+	group, name := resourceAwsIamGroupPolicyParseId(d.Id())
 
 	request := &iam.DeleteGroupPolicyInput{
 		PolicyName: aws.String(name),
@@ -102,8 +102,8 @@ func resourceAwsIamGroupPolicyDelete(d *schema.ResourceData, meta interface{}) e
 	return nil
 }
 
-func resourceAwsIamGroupPolicyParseId(d *schema.ResourceData) (groupName, policyName string) {
-	parts := strings.SplitN(d.Id(), ":", 2)
+func resourceAwsIamGroupPolicyParseId(id string) (groupName, policyName string) {
+	parts := strings.SplitN(id, ":", 2)
 	groupName = parts[0]
 	policyName = parts[1]
 	return
diff --git a/builtin/providers/aws/resource_aws_iam_group_policy_test.go b/builtin/providers/aws/resource_aws_iam_group_policy_test.go
new file mode 100644
index 000000000..1778d5216
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_group_policy_test.go
@@ -0,0 +1,112 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSIAMGroupPolicy(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMGroupPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMGroupPolicyConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMGroupPolicy(
+						"aws_iam_group.group",
+						"aws_iam_group_policy.foo",
+					),
+				),
+			},
+			resource.TestStep{
+				Config: testAccIAMGroupPolicyConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMGroupPolicy(
+						"aws_iam_group.group",
+						"aws_iam_group_policy.bar",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckIAMGroupPolicyDestroy(s *terraform.State) error {
+	if len(s.RootModule().Resources) > 0 {
+		return fmt.Errorf("Expected all resources to be gone, but found: %#v", s.RootModule().Resources)
+	}
+
+	return nil
+}
+
+func testAccCheckIAMGroupPolicy(
+	iamGroupResource string,
+	iamGroupPolicyResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[iamGroupResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamGroupResource)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		policy, ok := s.RootModule().Resources[iamGroupPolicyResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamGroupPolicyResource)
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+		group, name := resourceAwsIamGroupPolicyParseId(policy.Primary.ID)
+		_, err := iamconn.GetGroupPolicy(&iam.GetGroupPolicyInput{
+			GroupName:  aws.String(group),
+			PolicyName: aws.String(name),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+const testAccIAMGroupPolicyConfig = `
+resource "aws_iam_group" "group" {
+	name = "test_group"
+	path = "/"
+}
+
+resource "aws_iam_group_policy" "foo" {
+	name = "foo_policy"
+	group = "${aws_iam_group.group.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
+
+const testAccIAMGroupPolicyConfigUpdate = `
+resource "aws_iam_group" "group" {
+	name = "test_group"
+	path = "/"
+}
+
+resource "aws_iam_group_policy" "foo" {
+	name = "foo_policy"
+	group = "${aws_iam_group.group.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+
+resource "aws_iam_group_policy" "bar" {
+	name = "bar_policy"
+	group = "${aws_iam_group.group.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_group_test.go b/builtin/providers/aws/resource_aws_iam_group_test.go
new file mode 100644
index 000000000..b28f152fd
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_group_test.go
@@ -0,0 +1,106 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSGroup_normal(t *testing.T) {
+	var conf iam.GetGroupOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSGroupDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSGroupConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSGroupExists("aws_iam_group.group", &conf),
+					testAccCheckAWSGroupAttributes(&conf),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSGroupDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_iam_group" {
+			continue
+		}
+
+		// Try to get group
+		_, err := iamconn.GetGroup(&iam.GetGroupInput{
+			GroupName: aws.String(rs.Primary.ID),
+		})
+		if err == nil {
+			return fmt.Errorf("still exist.")
+		}
+
+		// Verify the error is what we want
+		ec2err, ok := err.(aws.APIError)
+		if !ok {
+			return err
+		}
+		if ec2err.Code != "NoSuchEntity" {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSGroupExists(n string, res *iam.GetGroupOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Group name is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+		resp, err := iamconn.GetGroup(&iam.GetGroupInput{
+			GroupName: aws.String(rs.Primary.ID),
+		})
+		if err != nil {
+			return err
+		}
+
+		*res = *resp
+
+		return nil
+	}
+}
+
+func testAccCheckAWSGroupAttributes(group *iam.GetGroupOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *group.Group.GroupName != "test-group" {
+			return fmt.Errorf("Bad name: %s", *group.Group.GroupName)
+		}
+
+		if *group.Group.Path != "/" {
+			return fmt.Errorf("Bad path: %s", *group.Group.Path)
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSGroupConfig = `
+resource "aws_iam_group" "group" {
+	name = "test-group"
+	path = "/"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_role_policy.go b/builtin/providers/aws/resource_aws_iam_role_policy.go
index 854803f24..0eb073a9d 100644
--- a/builtin/providers/aws/resource_aws_iam_role_policy.go
+++ b/builtin/providers/aws/resource_aws_iam_role_policy.go
@@ -59,7 +59,7 @@ func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error
 func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	role, name := resourceAwsIamRolePolicyParseId(d)
+	role, name := resourceAwsIamRolePolicyParseId(d.Id())
 
 	request := &iam.GetRolePolicyInput{
 		PolicyName: aws.String(name),
@@ -89,7 +89,7 @@ func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) erro
 func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	role, name := resourceAwsIamRolePolicyParseId(d)
+	role, name := resourceAwsIamRolePolicyParseId(d.Id())
 
 	request := &iam.DeleteRolePolicyInput{
 		PolicyName: aws.String(name),
@@ -102,9 +102,9 @@ func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) er
 	return nil
 }
 
-func resourceAwsIamRolePolicyParseId(d *schema.ResourceData) (userName, policyName string) {
-	parts := strings.SplitN(d.Id(), ":", 2)
-	userName = parts[0]
+func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {
+	parts := strings.SplitN(id, ":", 2)
+	roleName = parts[0]
 	policyName = parts[1]
 	return
 }
diff --git a/builtin/providers/aws/resource_aws_iam_role_policy_test.go b/builtin/providers/aws/resource_aws_iam_role_policy_test.go
new file mode 100644
index 000000000..a43fe94c8
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_role_policy_test.go
@@ -0,0 +1,114 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSIAMRolePolicy(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMRolePolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMRolePolicyConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMRolePolicy(
+						"aws_iam_role.role",
+						"aws_iam_role_policy.foo",
+					),
+				),
+			},
+			resource.TestStep{
+				Config: testAccIAMRolePolicyConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMRolePolicy(
+						"aws_iam_role.role",
+						"aws_iam_role_policy.bar",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckIAMRolePolicyDestroy(s *terraform.State) error {
+	if len(s.RootModule().Resources) > 0 {
+		return fmt.Errorf("Expected all resources to be gone, but found: %#v", s.RootModule().Resources)
+	}
+
+	return nil
+}
+
+func testAccCheckIAMRolePolicy(
+	iamRoleResource string,
+	iamRolePolicyResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[iamRoleResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamRoleResource)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		policy, ok := s.RootModule().Resources[iamRolePolicyResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamRolePolicyResource)
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+		role, name := resourceAwsIamRolePolicyParseId(policy.Primary.ID)
+		_, err := iamconn.GetRolePolicy(&iam.GetRolePolicyInput{
+			RoleName:   aws.String(role),
+			PolicyName: aws.String(name),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+const testAccIAMRolePolicyConfig = `
+resource "aws_iam_role" "role" {
+	name = "test_role"
+	path = "/"
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Effect\":\"Allow\",\"Sid\":\"\"}]}"
+}
+
+resource "aws_iam_role_policy" "foo" {
+	name = "foo_policy"
+	role = "${aws_iam_role.role.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
+
+const testAccIAMRolePolicyConfigUpdate = `
+resource "aws_iam_role" "role" {
+	name = "test_role"
+	path = "/"
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Effect\":\"Allow\",\"Sid\":\"\"}]}"
+}
+
+resource "aws_iam_role_policy" "foo" {
+	name = "foo_policy"
+	role = "${aws_iam_role.role.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+
+resource "aws_iam_role_policy" "bar" {
+	name = "bar_policy"
+	role = "${aws_iam_role.role.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_role_test.go b/builtin/providers/aws/resource_aws_iam_role_test.go
new file mode 100644
index 000000000..d7f05fcfc
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_role_test.go
@@ -0,0 +1,106 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSRole_normal(t *testing.T) {
+	var conf iam.GetRoleOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSRoleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSRoleConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSRoleExists("aws_iam_role.role", &conf),
+					testAccCheckAWSRoleAttributes(&conf),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSRoleDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_iam_role" {
+			continue
+		}
+
+		// Try to get role
+		_, err := iamconn.GetRole(&iam.GetRoleInput{
+			RoleName: aws.String(rs.Primary.ID),
+		})
+		if err == nil {
+			return fmt.Errorf("still exist.")
+		}
+
+		// Verify the error is what we want
+		ec2err, ok := err.(aws.APIError)
+		if !ok {
+			return err
+		}
+		if ec2err.Code != "NoSuchEntity" {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSRoleExists(n string, res *iam.GetRoleOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Role name is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+		resp, err := iamconn.GetRole(&iam.GetRoleInput{
+			RoleName: aws.String(rs.Primary.ID),
+		})
+		if err != nil {
+			return err
+		}
+
+		*res = *resp
+
+		return nil
+	}
+}
+
+func testAccCheckAWSRoleAttributes(role *iam.GetRoleOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *role.Role.RoleName != "test-role" {
+			return fmt.Errorf("Bad name: %s", *role.Role.RoleName)
+		}
+
+		if *role.Role.Path != "/" {
+			return fmt.Errorf("Bad path: %s", *role.Role.Path)
+		}
+		return nil
+	}
+}
+
+const testAccAWSRoleConfig = `
+resource "aws_iam_role" "role" {
+	name   = "test-role"
+	path = "/"
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_user_policy.go b/builtin/providers/aws/resource_aws_iam_user_policy.go
index 3fb97b29d..96ea6afc0 100644
--- a/builtin/providers/aws/resource_aws_iam_user_policy.go
+++ b/builtin/providers/aws/resource_aws_iam_user_policy.go
@@ -59,7 +59,7 @@ func resourceAwsIamUserPolicyPut(d *schema.ResourceData, meta interface{}) error
 func resourceAwsIamUserPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	user, name := resourceAwsIamUserPolicyParseId(d)
+	user, name := resourceAwsIamUserPolicyParseId(d.Id())
 
 	request := &iam.GetUserPolicyInput{
 		PolicyName: aws.String(name),
@@ -89,7 +89,7 @@ func resourceAwsIamUserPolicyRead(d *schema.ResourceData, meta interface{}) erro
 func resourceAwsIamUserPolicyDelete(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	user, name := resourceAwsIamUserPolicyParseId(d)
+	user, name := resourceAwsIamUserPolicyParseId(d.Id())
 
 	request := &iam.DeleteUserPolicyInput{
 		PolicyName: aws.String(name),
@@ -102,8 +102,8 @@ func resourceAwsIamUserPolicyDelete(d *schema.ResourceData, meta interface{}) er
 	return nil
 }
 
-func resourceAwsIamUserPolicyParseId(d *schema.ResourceData) (userName, policyName string) {
-	parts := strings.SplitN(d.Id(), ":", 2)
+func resourceAwsIamUserPolicyParseId(id string) (userName, policyName string) {
+	parts := strings.SplitN(id, ":", 2)
 	userName = parts[0]
 	policyName = parts[1]
 	return
diff --git a/builtin/providers/aws/resource_aws_iam_user_policy_test.go b/builtin/providers/aws/resource_aws_iam_user_policy_test.go
new file mode 100644
index 000000000..2a2147e56
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_user_policy_test.go
@@ -0,0 +1,112 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSIAMUserPolicy(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMUserPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMUserPolicyConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMUserPolicy(
+						"aws_iam_user.user",
+						"aws_iam_user_policy.foo",
+					),
+				),
+			},
+			resource.TestStep{
+				Config: testAccIAMUserPolicyConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMUserPolicy(
+						"aws_iam_user.user",
+						"aws_iam_user_policy.bar",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckIAMUserPolicyDestroy(s *terraform.State) error {
+	if len(s.RootModule().Resources) > 0 {
+		return fmt.Errorf("Expected all resources to be gone, but found: %#v", s.RootModule().Resources)
+	}
+
+	return nil
+}
+
+func testAccCheckIAMUserPolicy(
+	iamUserResource string,
+	iamUserPolicyResource string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[iamUserResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamUserResource)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		policy, ok := s.RootModule().Resources[iamUserPolicyResource]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", iamUserPolicyResource)
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+		username, name := resourceAwsIamUserPolicyParseId(policy.Primary.ID)
+		_, err := iamconn.GetUserPolicy(&iam.GetUserPolicyInput{
+			UserName:   aws.String(username),
+			PolicyName: aws.String(name),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+const testAccIAMUserPolicyConfig = `
+resource "aws_iam_user" "user" {
+	name = "test_user"
+	path = "/"
+}
+
+resource "aws_iam_user_policy" "foo" {
+	name = "foo_policy"
+	user = "${aws_iam_user.user.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
+
+const testAccIAMUserPolicyConfigUpdate = `
+resource "aws_iam_user" "user" {
+	name = "test_user"
+	path = "/"
+}
+
+resource "aws_iam_user_policy" "foo" {
+	name = "foo_policy"
+	user = "${aws_iam_user.user.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+
+resource "aws_iam_user_policy" "bar" {
+	name = "bar_policy"
+	user = "${aws_iam_user.user.name}"
+	policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_user_test.go b/builtin/providers/aws/resource_aws_iam_user_test.go
new file mode 100644
index 000000000..513636f98
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_iam_user_test.go
@@ -0,0 +1,106 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSUser_normal(t *testing.T) {
+	var conf iam.GetUserOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSUserDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSUserConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSUserExists("aws_iam_user.user", &conf),
+					testAccCheckAWSUserAttributes(&conf),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSUserDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_iam_user" {
+			continue
+		}
+
+		// Try to get user
+		_, err := iamconn.GetUser(&iam.GetUserInput{
+			UserName: aws.String(rs.Primary.ID),
+		})
+		if err == nil {
+			return fmt.Errorf("still exist.")
+		}
+
+		// Verify the error is what we want
+		ec2err, ok := err.(aws.APIError)
+		if !ok {
+			return err
+		}
+		if ec2err.Code != "NoSuchEntity" {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSUserExists(n string, res *iam.GetUserOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No User name is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+		resp, err := iamconn.GetUser(&iam.GetUserInput{
+			UserName: aws.String(rs.Primary.ID),
+		})
+		if err != nil {
+			return err
+		}
+
+		*res = *resp
+
+		return nil
+	}
+}
+
+func testAccCheckAWSUserAttributes(user *iam.GetUserOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *user.User.UserName != "test-user" {
+			return fmt.Errorf("Bad name: %s", *user.User.UserName)
+		}
+
+		if *user.User.Path != "/" {
+			return fmt.Errorf("Bad path: %s", *user.User.Path)
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSUserConfig = `
+resource "aws_iam_user" "user" {
+	name = "test-user"
+	path = "/"
+}
+`