From faa640dfe8ad8ee2c318c7dd6efa5cb6b4e2993a Mon Sep 17 00:00:00 2001
From: Paddy <paddy@hashicorp.com>
Date: Mon, 6 Feb 2017 22:09:53 -0800
Subject: [PATCH] Add a test that would have caught backwards incompatibility.

Add a test that would have caught the backwards incompatibility where
project IAM bindings aren't merged, but are overwritten.
---
 .../google/resource_google_project_test.go    | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/builtin/providers/google/resource_google_project_test.go b/builtin/providers/google/resource_google_project_test.go
index aa3c03c58..03bdeee01 100644
--- a/builtin/providers/google/resource_google_project_test.go
+++ b/builtin/providers/google/resource_google_project_test.go
@@ -48,6 +48,34 @@ func TestAccGoogleProject_create(t *testing.T) {
 	})
 }
 
+// Test that a Project resource merges the IAM policies that already
+// exist, and won't lock people out.
+func TestAccGoogleProject_merge(t *testing.T) {
+	pid := "terraform-" + acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// when policy_data is set, merge
+			{
+				Config: testAccGoogleProject_toMerge(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectExists("google_project.acceptance", pid),
+					testAccCheckGoogleProjectHasMoreBindingsThan(pid, 1),
+				),
+			},
+			// when policy_data is unset, restore to what it was
+			{
+				Config: testAccGoogleProject_mergeEmpty(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectExists("google_project.acceptance", pid),
+					testAccCheckGoogleProjectHasMoreBindingsThan(pid, 0),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckGoogleProjectExists(r, pid string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[r]
@@ -67,6 +95,19 @@ func testAccCheckGoogleProjectExists(r, pid string) resource.TestCheckFunc {
 	}
 }
 
+func testAccCheckGoogleProjectHasMoreBindingsThan(pid string, count int) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		policy, err := getProjectIamPolicy(pid, testAccProvider.Meta().(*Config))
+		if err != nil {
+			return err
+		}
+		if len(policy.Bindings) <= count {
+			return fmt.Errorf("Expected more than %d bindings, got %d: %#v", count, len(policy.Bindings), policy.Bindings)
+		}
+		return nil
+	}
+}
+
 func testAccGoogleProjectImportExisting(pid string) string {
 	return fmt.Sprintf(`
 resource "google_project" "acceptance" {
@@ -98,3 +139,31 @@ data "google_iam_policy" "admin" {
   }
 }`, pid)
 }
+
+func testAccGoogleProject_toMerge(pid, name, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+    project_id = "%s"
+    name = "%s"
+    org_id = "%s"
+    policy_data = "${data.google_iam_policy.acceptance.policy_data}"
+}
+
+data "google_iam_policy" "acceptance" {
+    binding {
+        role = "roles/storage.objectViewer"
+	members = [
+	  "user:evanbrown@google.com",
+	]
+    }
+}`, pid, name, org)
+}
+
+func testAccGoogleProject_mergeEmpty(pid, name, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+    project_id = "%s"
+    name = "%s"
+    org_id = "%s"
+}`, pid, name, org)
+}