Allow importing of aws_iam_role, aws_iam_role_policy, aws_iam_policy and aws_iam_instance_profile

builtin/providers/aws/import_aws_iam_instance_profile_test.go

@@ -0,0 +1,28 @@
+package aws
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSIAMInstanceProfile_importBasic(t *testing.T) {
+	resourceName := "aws_iam_instance_profile.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSInstanceProfileDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAwsIamInstanceProfileConfig,
+			},
+
+			resource.TestStep{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}

builtin/providers/aws/import_aws_iam_policy_test.go

@@ -0,0 +1,88 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func testAccAwsIamPolicyConfig(suffix string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_policy" "test_%[1]s" {
+    name = "test_policy_%[1]s"
+    path = "/"
+    description = "My test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+`, suffix)
+}
+
+func TestAccAWSIAMPolicy_importBasic(t *testing.T) {
+	suffix := randomString(10)
+	resourceName := fmt.Sprintf("aws_iam_policy.test_%s", suffix)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAwsIamPolicyConfig(suffix),
+			},
+
+			resource.TestStep{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccCheckAWSPolicyDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_iam_policy" {
+			continue
+		}
+
+		// Try to get group
+		_, err := iamconn.GetPolicy(&iam.GetPolicyInput{
+			PolicyArn: aws.String(rs.Primary.ID),
+		})
+		if err == nil {
+			return fmt.Errorf("still exist.")
+		}
+
+		// Verify the error is what we want
+		ec2err, ok := err.(awserr.Error)
+		if !ok {
+			return err
+		}
+		if ec2err.Code() != "NoSuchEntity" {
+			return err
+		}
+	}
+
+	return nil
+}

builtin/providers/aws/import_aws_iam_role_policy_test.go

@@ -0,0 +1,55 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func testAccAwsIamRolePolicyConfig(suffix string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_role" "role_%[1]s" {
+	name = "tf_test_role_test_%[1]s"
+	path = "/"
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+}
+
+resource "aws_iam_role_policy" "foo_%[1]s" {
+	name = "tf_test_policy_test_%[1]s"
+	role = "${aws_iam_role.role_%[1]s.name}"
+	policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+EOF
+}
+`, suffix)
+}
+
+func TestAccAWSIAMRolePolicy_importBasic(t *testing.T) {
+	suffix := randomString(10)
+	resourceName := fmt.Sprintf("aws_iam_role_policy.foo_%s", suffix)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMRolePolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAwsIamRolePolicyConfig(suffix),
+			},
+
+			resource.TestStep{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}

builtin/providers/aws/import_aws_iam_role_test.go

@@ -0,0 +1,28 @@
+package aws
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSIAMRole_importBasic(t *testing.T) {
+	resourceName := "aws_iam_role.role"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSRoleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSRoleConfig,
+			},
+
+			resource.TestStep{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}

builtin/providers/aws/resource_aws_iam_policy.go

@@ -2,7 +2,11 @@ package aws
 
 import (
 	"fmt"
+<<<<<<< HEAD
 	"regexp"
+=======
+	"net/url"
+>>>>>>> 9c051a5... Tests for importing various iam resources
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -18,6 +22,9 @@ func resourceAwsIamPolicy() *schema.Resource {
 		Read:   resourceAwsIamPolicyRead,
 		Update: resourceAwsIamPolicyUpdate,
 		Delete: resourceAwsIamPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
 
 		Schema: map[string]*schema.Schema{
 			"description": &schema.Schema{
@@ -32,9 +39,15 @@ func resourceAwsIamPolicy() *schema.Resource {
 				ForceNew: true,
 			},
 			"policy": &schema.Schema{
+<<<<<<< HEAD
 				Type:         schema.TypeString,
 				Required:     true,
 				ValidateFunc: validateJsonString,
+=======
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
+>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
 			},
 			"name": &schema.Schema{
 				Type:          schema.TypeString,
@@ -112,11 +125,11 @@ func resourceAwsIamPolicyCreate(d *schema.ResourceData, meta interface{}) error
 func resourceAwsIamPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	request := &iam.GetPolicyInput{
+	getPolicyRequest := &iam.GetPolicyInput{
 		PolicyArn: aws.String(d.Id()),
 	}
 
-	response, err := iamconn.GetPolicy(request)
+	getPolicyResponse, err := iamconn.GetPolicy(getPolicyRequest)
 	if err != nil {
 		if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
 			d.SetId("")
@@ -125,7 +138,29 @@ func resourceAwsIamPolicyRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("Error reading IAM policy %s: %s", d.Id(), err)
 	}
 
-	return readIamPolicy(d, response.Policy)
+	getPolicyVersionRequest := &iam.GetPolicyVersionInput{
+		PolicyArn: aws.String(d.Id()),
+		VersionId: getPolicyResponse.Policy.DefaultVersionId,
+	}
+
+	getPolicyVersionResponse, err := iamconn.GetPolicyVersion(getPolicyVersionRequest)
+	if err != nil {
+		if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error reading IAM policy version %s: %s", d.Id(), err)
+	}
+
+	policy, err := url.QueryUnescape(*getPolicyVersionResponse.PolicyVersion.Document)
+	if err != nil {
+		return err
+	}
+	if err := d.Set("policy", policy); err != nil {
+		return err
+	}
+
+	return readIamPolicy(d, getPolicyResponse.Policy)
 }
 
 func resourceAwsIamPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
@@ -252,20 +287,18 @@ func readIamPolicy(d *schema.ResourceData, policy *iam.Policy) error {
 	d.SetId(*policy.Arn)
 	if policy.Description != nil {
 		// the description isn't present in the response to CreatePolicy.
-		if err := d.Set("description", *policy.Description); err != nil {
+		if err := d.Set("description", policy.Description); err != nil {
 			return err
 		}
 	}
-	if err := d.Set("path", *policy.Path); err != nil {
+	if err := d.Set("path", policy.Path); err != nil {
 		return err
 	}
-	if err := d.Set("name", *policy.PolicyName); err != nil {
+	if err := d.Set("name", policy.PolicyName); err != nil {
 		return err
 	}
-	if err := d.Set("arn", *policy.Arn); err != nil {
+	if err := d.Set("arn", policy.Arn); err != nil {
 		return err
 	}
-	// TODO: set policy
-
 	return nil
 }

builtin/providers/aws/resource_aws_iam_role.go

@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"net/url"
 	"regexp"
 	"time"
 
@@ -19,6 +20,9 @@ func resourceAwsIamRole() *schema.Resource {
 		Read:   resourceAwsIamRoleRead,
 		Update: resourceAwsIamRoleUpdate,
 		Delete: resourceAwsIamRoleDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
 
 		Schema: map[string]*schema.Schema{
 			"arn": {
@@ -78,9 +82,16 @@ func resourceAwsIamRole() *schema.Resource {
 				ForceNew: true,
 			},
 
+<<<<<<< HEAD
 			"assume_role_policy": {
 				Type:     schema.TypeString,
 				Required: true,
+=======
+			"assume_role_policy": &schema.Schema{
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
+>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
 			},
 
 			"create_date": {
@@ -179,7 +190,15 @@ func resourceAwsIamRoleReadResult(d *schema.ResourceData, role *iam.Role) error
 	if err := d.Set("unique_id", role.RoleId); err != nil {
 		return err
 	}
+<<<<<<< HEAD
 	if err := d.Set("create_date", role.CreateDate.Format(time.RFC3339)); err != nil {
+=======
+	assumRolePolicy, err := url.QueryUnescape(*role.AssumeRolePolicyDocument)
+	if err != nil {
+		return err
+	}
+	if err := d.Set("assume_role_policy", assumRolePolicy); err != nil {
+>>>>>>> 9c051a5... Tests for importing various iam resources
 		return err
 	}
 	return nil

builtin/providers/aws/resource_aws_iam_role_policy.go

@@ -21,6 +21,9 @@ func resourceAwsIamRolePolicy() *schema.Resource {
 
 		Read:   resourceAwsIamRolePolicyRead,
 		Delete: resourceAwsIamRolePolicyDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
 
 		Schema: map[string]*schema.Schema{
 			"policy": &schema.Schema{
@@ -74,14 +77,16 @@ func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error
 func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	role, name := resourceAwsIamRolePolicyParseId(d.Id())
+	role, name, err := resourceAwsIamRolePolicyParseId(d.Id())
+	if err != nil {
+		return err
+	}
 
 	request := &iam.GetRolePolicyInput{
 		PolicyName: aws.String(name),
 		RoleName:   aws.String(role),
 	}
 
-	var err error
 	getResp, err := iamconn.GetRolePolicy(request)
 	if err != nil {
 		if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me
@@ -99,13 +104,22 @@ func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) erro
 	if err != nil {
 		return err
 	}
-	return d.Set("policy", policy)
+	if err := d.Set("policy", policy); err != nil {
+		return err
+	}
+	if err := d.Set("name", name); err != nil {
+		return err
+	}
+	return d.Set("role", role)
 }
 
 func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
-	role, name := resourceAwsIamRolePolicyParseId(d.Id())
+	role, name, err := resourceAwsIamRolePolicyParseId(d.Id())
+	if err != nil {
+		return err
+	}
 
 	request := &iam.DeleteRolePolicyInput{
 		PolicyName: aws.String(name),
@@ -118,8 +132,13 @@ func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) er
 	return nil
 }
 
-func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {
+func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string, err error) {
 	parts := strings.SplitN(id, ":", 2)
+	if len(parts) != 2 {
+		err = fmt.Errorf("role_policy id must be of the for <role name>:<policy name>")
+		return
+	}
+
 	roleName = parts[0]
 	policyName = parts[1]
 	return

builtin/providers/aws/resource_aws_iam_role_policy_test.go

@@ -52,14 +52,16 @@ func testAccCheckIAMRolePolicyDestroy(s *terraform.State) error {
 			continue
 		}
 
-		role, name := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
+		role, name, err := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
+		if err != nil {
+			return err
+		}
 
 		request := &iam.GetRolePolicyInput{
 			PolicyName: aws.String(name),
 			RoleName:   aws.String(role),
 		}
 
-		var err error
 		getResp, err := iamconn.GetRolePolicy(request)
 		if err != nil {
 			if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
@@ -96,12 +98,15 @@ func testAccCheckIAMRolePolicy(
 		}
 
 		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
-		role, name := resourceAwsIamRolePolicyParseId(policy.Primary.ID)
-		_, err := iamconn.GetRolePolicy(&iam.GetRolePolicyInput{
+		role, name, err := resourceAwsIamRolePolicyParseId(policy.Primary.ID)
+		if err != nil {
+			return err
+		}
+
+		_, err = iamconn.GetRolePolicy(&iam.GetRolePolicyInput{
 			RoleName:   aws.String(role),
 			PolicyName: aws.String(name),
 		})
-
 		if err != nil {
 			return err
 		}

builtin/providers/aws/resource_aws_iam_role_test.go

@@ -168,17 +168,37 @@ func testAccCheckAWSRoleAttributes(role *iam.GetRoleOutput) resource.TestCheckFu
 
 const testAccAWSRoleConfig = `
 resource "aws_iam_role" "role" {
+<<<<<<< HEAD
   name   = "test-role"
   path = "/"
   assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+=======
+	name   = "test-role"
+	path = "/"
+<<<<<<< HEAD
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+>>>>>>> 9c051a5... Tests for importing various iam resources
+=======
+	assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
 }
 `
 
 const testAccAWSRolePrefixNameConfig = `
 resource "aws_iam_role" "role" {
+<<<<<<< HEAD
   name_prefix = "test-role-"
   path = "/"
   assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+=======
+    name_prefix = "test-role-"
+    path = "/"
+<<<<<<< HEAD
+    assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+>>>>>>> 9c051a5... Tests for importing various iam resources
+=======
+    assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+>>>>>>> daaae09... Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
 }
 `
 

builtin/providers/aws/resource_aws_iam_user_policy_test.go

@@ -47,7 +47,7 @@ func testAccCheckIAMUserPolicyDestroy(s *terraform.State) error {
 			continue
 		}
 
-		role, name := resourceAwsIamRolePolicyParseId(rs.Primary.ID)
+		role, name := resourceAwsIamUserPolicyParseId(rs.Primary.ID)
 
 		request := &iam.GetRolePolicyInput{
 			PolicyName: aws.String(name),