Merge pull request #6699 from terraform-providers/f-aws_iam_policy_do…

…cument-version-v2 data-source/aws_iam_policy_document: Add version argument
hashicorp · Dec 4, 2018 · 3500ba4 · 3500ba4
2 parents 712affd + f82ebd4
commit 3500ba4
Show file tree

Hide file tree

Showing 3 changed files with 205 additions and 57 deletions.
diff --git a/aws/data_source_aws_iam_policy_document.go b/aws/data_source_aws_iam_policy_document.go
@@ -85,6 +85,15 @@ func dataSourceAwsIamPolicyDocument() *schema.Resource {
 					},
 				},
 			},
+			"version": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "2012-10-17",
+				ValidateFunc: validation.StringInSlice([]string{
+					"2008-10-17",
+					"2012-10-17",
+				}, false),
+			},
 			"json": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -104,9 +113,9 @@ func dataSourceAwsIamPolicyDocumentRead(d *schema.ResourceData, meta interface{}
 	}
 
 	// process the current document
-	doc := &IAMPolicyDoc{}
-
-	doc.Version = "2012-10-17"
+	doc := &IAMPolicyDoc{
+		Version: d.Get("version").(string),
+	}
 
 	if policyID, hasPolicyID := d.GetOk("policy_id"); hasPolicyID {
 		doc.Id = policyID.(string)
@@ -141,26 +150,46 @@ func dataSourceAwsIamPolicyDocumentRead(d *schema.ResourceData, meta interface{}
 			}
 
 			if resources := cfgStmt["resources"].(*schema.Set).List(); len(resources) > 0 {
-				stmt.Resources = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
-					iamPolicyDecodeConfigStringList(resources),
+				var err error
+				stmt.Resources, err = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
+					iamPolicyDecodeConfigStringList(resources), doc.Version,
 				)
+				if err != nil {
+					return fmt.Errorf("error reading resources: %s", err)
+				}
 			}
-			if resources := cfgStmt["not_resources"].(*schema.Set).List(); len(resources) > 0 {
-				stmt.NotResources = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
-					iamPolicyDecodeConfigStringList(resources),
+			if notResources := cfgStmt["not_resources"].(*schema.Set).List(); len(notResources) > 0 {
+				var err error
+				stmt.NotResources, err = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
+					iamPolicyDecodeConfigStringList(notResources), doc.Version,
 				)
+				if err != nil {
+					return fmt.Errorf("error reading not_resources: %s", err)
+				}
 			}
 
 			if principals := cfgStmt["principals"].(*schema.Set).List(); len(principals) > 0 {
-				stmt.Principals = dataSourceAwsIamPolicyDocumentMakePrincipals(principals)
+				var err error
+				stmt.Principals, err = dataSourceAwsIamPolicyDocumentMakePrincipals(principals, doc.Version)
+				if err != nil {
+					return fmt.Errorf("error reading principals: %s", err)
+				}
 			}
 
-			if principals := cfgStmt["not_principals"].(*schema.Set).List(); len(principals) > 0 {
-				stmt.NotPrincipals = dataSourceAwsIamPolicyDocumentMakePrincipals(principals)
+			if notPrincipals := cfgStmt["not_principals"].(*schema.Set).List(); len(notPrincipals) > 0 {
+				var err error
+				stmt.NotPrincipals, err = dataSourceAwsIamPolicyDocumentMakePrincipals(notPrincipals, doc.Version)
+				if err != nil {
+					return fmt.Errorf("error reading not_principals: %s", err)
+				}
 			}
 
 			if conditions := cfgStmt["condition"].(*schema.Set).List(); len(conditions) > 0 {
-				stmt.Conditions = dataSourceAwsIamPolicyDocumentMakeConditions(conditions)
+				var err error
+				stmt.Conditions, err = dataSourceAwsIamPolicyDocumentMakeConditions(conditions, doc.Version)
+				if err != nil {
+					return fmt.Errorf("error reading condition: %s", err)
+				}
 			}
 
 			stmts[i] = stmt
@@ -196,52 +225,66 @@ func dataSourceAwsIamPolicyDocumentRead(d *schema.ResourceData, meta interface{}
 	return nil
 }
 
-func dataSourceAwsIamPolicyDocumentReplaceVarsInList(in interface{}) interface{} {
+func dataSourceAwsIamPolicyDocumentReplaceVarsInList(in interface{}, version string) (interface{}, error) {
 	switch v := in.(type) {
 	case string:
-		return dataSourceAwsIamPolicyDocumentVarReplacer.Replace(v)
+		if version == "2008-10-17" && strings.Contains(v, "&{") {
+			return nil, fmt.Errorf("found &{ sequence in (%s), which is not supported in document version 2008-10-17", v)
+		}
+		return dataSourceAwsIamPolicyDocumentVarReplacer.Replace(v), nil
 	case []string:
 		out := make([]string, len(v))
 		for i, item := range v {
+			if version == "2008-10-17" && strings.Contains(item, "&{") {
+				return nil, fmt.Errorf("found &{ sequence in (%s), which is not supported in document version 2008-10-17", item)
+			}
 			out[i] = dataSourceAwsIamPolicyDocumentVarReplacer.Replace(item)
 		}
-		return out
+		return out, nil
 	default:
 		panic("dataSourceAwsIamPolicyDocumentReplaceVarsInList: input not string nor []string")
 	}
 }
 
-func dataSourceAwsIamPolicyDocumentMakeConditions(in []interface{}) IAMPolicyStatementConditionSet {
+func dataSourceAwsIamPolicyDocumentMakeConditions(in []interface{}, version string) (IAMPolicyStatementConditionSet, error) {
 	out := make([]IAMPolicyStatementCondition, len(in))
 	for i, itemI := range in {
+		var err error
 		item := itemI.(map[string]interface{})
 		out[i] = IAMPolicyStatementCondition{
 			Test:     item["test"].(string),
 			Variable: item["variable"].(string),
-			Values: dataSourceAwsIamPolicyDocumentReplaceVarsInList(
-				iamPolicyDecodeConfigStringList(
-					item["values"].(*schema.Set).List(),
-				),
-			),
+		}
+		out[i].Values, err = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
+			iamPolicyDecodeConfigStringList(
+				item["values"].(*schema.Set).List(),
+			), version,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("error reading values: %s", err)
 		}
 	}
-	return IAMPolicyStatementConditionSet(out)
+	return IAMPolicyStatementConditionSet(out), nil
 }
 
-func dataSourceAwsIamPolicyDocumentMakePrincipals(in []interface{}) IAMPolicyStatementPrincipalSet {
+func dataSourceAwsIamPolicyDocumentMakePrincipals(in []interface{}, version string) (IAMPolicyStatementPrincipalSet, error) {
 	out := make([]IAMPolicyStatementPrincipal, len(in))
 	for i, itemI := range in {
+		var err error
 		item := itemI.(map[string]interface{})
 		out[i] = IAMPolicyStatementPrincipal{
 			Type: item["type"].(string),
-			Identifiers: dataSourceAwsIamPolicyDocumentReplaceVarsInList(
-				iamPolicyDecodeConfigStringList(
-					item["identifiers"].(*schema.Set).List(),
-				),
-			),
+		}
+		out[i].Identifiers, err = dataSourceAwsIamPolicyDocumentReplaceVarsInList(
+			iamPolicyDecodeConfigStringList(
+				item["identifiers"].(*schema.Set).List(),
+			), version,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("error reading identifiers: %s", err)
 		}
 	}
-	return IAMPolicyStatementPrincipalSet(out)
+	return IAMPolicyStatementPrincipalSet(out), nil
 }
 
 func dataSourceAwsIamPolicyPrincipalSchema() *schema.Schema {