-
Notifications
You must be signed in to change notification settings - Fork 9.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2243 from bflad/aws_cloudwatch_logs_resource_policy
New Resource: aws_cloudwatch_log_resource_policy
- Loading branch information
Showing
6 changed files
with
354 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,118 @@ | ||
package aws | ||
|
||
import ( | ||
"fmt" | ||
"log" | ||
|
||
"github.com/aws/aws-sdk-go/aws" | ||
"github.com/aws/aws-sdk-go/service/cloudwatchlogs" | ||
"github.com/hashicorp/terraform/helper/schema" | ||
) | ||
|
||
func resourceAwsCloudWatchLogResourcePolicy() *schema.Resource { | ||
return &schema.Resource{ | ||
Create: resourceAwsCloudWatchLogResourcePolicyPut, | ||
Read: resourceAwsCloudWatchLogResourcePolicyRead, | ||
Update: resourceAwsCloudWatchLogResourcePolicyPut, | ||
Delete: resourceAwsCloudWatchLogResourcePolicyDelete, | ||
|
||
Importer: &schema.ResourceImporter{ | ||
State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { | ||
d.Set("policy_name", d.Id()) | ||
return []*schema.ResourceData{d}, nil | ||
}, | ||
}, | ||
|
||
Schema: map[string]*schema.Schema{ | ||
"policy_name": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
}, | ||
"policy_document": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ValidateFunc: validateCloudWatchLogResourcePolicyDocument, | ||
DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func resourceAwsCloudWatchLogResourcePolicyPut(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).cloudwatchlogsconn | ||
|
||
policyName := d.Get("policy_name").(string) | ||
|
||
input := &cloudwatchlogs.PutResourcePolicyInput{ | ||
PolicyDocument: aws.String(d.Get("policy_document").(string)), | ||
PolicyName: aws.String(policyName), | ||
} | ||
|
||
log.Printf("[DEBUG] Writing CloudWatch log resource policy: %#v", input) | ||
_, err := conn.PutResourcePolicy(input) | ||
|
||
if err != nil { | ||
return fmt.Errorf("Writing CloudWatch log resource policy failed: %s", err.Error()) | ||
} | ||
|
||
d.SetId(policyName) | ||
return resourceAwsCloudWatchLogResourcePolicyRead(d, meta) | ||
} | ||
|
||
func resourceAwsCloudWatchLogResourcePolicyRead(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).cloudwatchlogsconn | ||
policyName := d.Get("policy_name").(string) | ||
resourcePolicy, exists, err := lookupCloudWatchLogResourcePolicy(conn, policyName, nil) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if !exists { | ||
d.SetId("") | ||
return nil | ||
} | ||
|
||
d.SetId(policyName) | ||
d.Set("policy_document", *resourcePolicy.PolicyDocument) | ||
|
||
return nil | ||
} | ||
|
||
func resourceAwsCloudWatchLogResourcePolicyDelete(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).cloudwatchlogsconn | ||
input := cloudwatchlogs.DeleteResourcePolicyInput{ | ||
PolicyName: aws.String(d.Id()), | ||
} | ||
|
||
log.Printf("[DEBUG] Deleting CloudWatch log resource policy: %#v", input) | ||
_, err := conn.DeleteResourcePolicy(&input) | ||
if err != nil { | ||
return fmt.Errorf("Deleting CloudWatch log resource policy '%s' failed: %s", *input.PolicyName, err.Error()) | ||
} | ||
return nil | ||
} | ||
|
||
func lookupCloudWatchLogResourcePolicy(conn *cloudwatchlogs.CloudWatchLogs, | ||
name string, nextToken *string) (*cloudwatchlogs.ResourcePolicy, bool, error) { | ||
input := &cloudwatchlogs.DescribeResourcePoliciesInput{ | ||
NextToken: nextToken, | ||
} | ||
log.Printf("[DEBUG] Reading CloudWatch log resource policies: %#v", input) | ||
resp, err := conn.DescribeResourcePolicies(input) | ||
if err != nil { | ||
return nil, true, err | ||
} | ||
|
||
for _, resourcePolicy := range resp.ResourcePolicies { | ||
if *resourcePolicy.PolicyName == name { | ||
return resourcePolicy, true, nil | ||
} | ||
} | ||
|
||
if resp.NextToken != nil { | ||
return lookupCloudWatchLogResourcePolicy(conn, name, resp.NextToken) | ||
} | ||
|
||
return nil, false, nil | ||
} |
160 changes: 160 additions & 0 deletions
160
aws/resource_aws_cloudwatch_log_resource_policy_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,160 @@ | ||
package aws | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/aws/aws-sdk-go/service/cloudwatchlogs" | ||
|
||
"github.com/hashicorp/terraform/helper/acctest" | ||
"github.com/hashicorp/terraform/helper/resource" | ||
"github.com/hashicorp/terraform/terraform" | ||
) | ||
|
||
func TestAccAWSCloudWatchLogResourcePolicy_Basic(t *testing.T) { | ||
name := acctest.RandString(5) | ||
var resourcePolicy cloudwatchlogs.ResourcePolicy | ||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckCloudWatchLogResourcePolicyDestroy, | ||
Steps: []resource.TestStep{ | ||
resource.TestStep{ | ||
Config: testAccCheckAWSCloudWatchLogResourcePolicyResourceConfigBasic1(name), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckCloudWatchLogResourcePolicy("aws_cloudwatch_log_resource_policy.test", &resourcePolicy), | ||
resource.TestCheckResourceAttr("aws_cloudwatch_log_resource_policy.test", "policy_name", name), | ||
resource.TestCheckResourceAttr("aws_cloudwatch_log_resource_policy.test", "policy_document", "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"route53.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:*:*:log-group:/aws/route53/*\"}]}"), | ||
), | ||
}, | ||
resource.TestStep{ | ||
Config: testAccCheckAWSCloudWatchLogResourcePolicyResourceConfigBasic2(name), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckCloudWatchLogResourcePolicy("aws_cloudwatch_log_resource_policy.test", &resourcePolicy), | ||
resource.TestCheckResourceAttr("aws_cloudwatch_log_resource_policy.test", "policy_name", name), | ||
resource.TestCheckResourceAttr("aws_cloudwatch_log_resource_policy.test", "policy_document", "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"route53.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:*:*:log-group:/aws/route53/example.com\"}]}"), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func TestAccAWSCloudWatchLogResourcePolicy_Import(t *testing.T) { | ||
resourceName := "aws_cloudwatch_log_resource_policy.test" | ||
|
||
name := acctest.RandString(5) | ||
|
||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckCloudWatchLogResourcePolicyDestroy, | ||
Steps: []resource.TestStep{ | ||
resource.TestStep{ | ||
Config: testAccCheckAWSCloudWatchLogResourcePolicyResourceConfigBasic1(name), | ||
}, | ||
|
||
resource.TestStep{ | ||
ResourceName: resourceName, | ||
ImportState: true, | ||
ImportStateVerify: true, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCheckCloudWatchLogResourcePolicy(pr string, resourcePolicy *cloudwatchlogs.ResourcePolicy) resource.TestCheckFunc { | ||
return func(s *terraform.State) error { | ||
conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn | ||
rs, ok := s.RootModule().Resources[pr] | ||
if !ok { | ||
return fmt.Errorf("Not found: %s", pr) | ||
} | ||
|
||
if rs.Primary.ID == "" { | ||
return fmt.Errorf("No ID is set") | ||
} | ||
|
||
policy, exists, err := lookupCloudWatchLogResourcePolicy(conn, rs.Primary.ID, nil) | ||
if err != nil { | ||
return err | ||
} | ||
if !exists { | ||
return fmt.Errorf("Resource policy does not exist: %q", rs.Primary.ID) | ||
} | ||
|
||
*resourcePolicy = *policy | ||
|
||
return nil | ||
} | ||
} | ||
|
||
func testAccCheckCloudWatchLogResourcePolicyDestroy(s *terraform.State) error { | ||
conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn | ||
|
||
for _, rs := range s.RootModule().Resources { | ||
if rs.Type != "aws_cloudwatch_log_resource_policy" { | ||
continue | ||
} | ||
|
||
_, exists, err := lookupCloudWatchLogResourcePolicy(conn, rs.Primary.ID, nil) | ||
if err != nil { | ||
return nil | ||
} | ||
|
||
if exists { | ||
return fmt.Errorf("Resource policy exists: %q", rs.Primary.ID) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func testAccCheckAWSCloudWatchLogResourcePolicyResourceConfigBasic1(name string) string { | ||
return fmt.Sprintf(` | ||
data "aws_iam_policy_document" "test" { | ||
statement { | ||
actions = [ | ||
"logs:CreateLogStream", | ||
"logs:PutLogEvents", | ||
] | ||
resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"] | ||
principals { | ||
identifiers = ["route53.amazonaws.com"] | ||
type = "Service" | ||
} | ||
} | ||
} | ||
resource "aws_cloudwatch_log_resource_policy" "test" { | ||
policy_name = "%s" | ||
policy_document = "${data.aws_iam_policy_document.test.json}" | ||
} | ||
`, name) | ||
} | ||
|
||
func testAccCheckAWSCloudWatchLogResourcePolicyResourceConfigBasic2(name string) string { | ||
return fmt.Sprintf(` | ||
data "aws_iam_policy_document" "test" { | ||
statement { | ||
actions = [ | ||
"logs:CreateLogStream", | ||
"logs:PutLogEvents", | ||
] | ||
resources = ["arn:aws:logs:*:*:log-group:/aws/route53/example.com"] | ||
principals { | ||
identifiers = ["route53.amazonaws.com"] | ||
type = "Service" | ||
} | ||
} | ||
} | ||
resource "aws_cloudwatch_log_resource_policy" "test" { | ||
policy_name = "%s" | ||
policy_document = "${data.aws_iam_policy_document.test.json}" | ||
} | ||
`, name) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
59 changes: 59 additions & 0 deletions
59
website/docs/r/cloudwatch_log_resource_policy.html.markdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
layout: "aws" | ||
page_title: "AWS: aws_cloudwatch_log_resource_policy" | ||
sidebar_current: "docs-aws-resource-cloudwatch-log-resource-policy" | ||
description: |- | ||
Provides a resource to manage a CloudWatch log resource policy | ||
--- | ||
|
||
# aws_cloudwatch_log_resource_policy | ||
|
||
Provides a resource to manage a CloudWatch log resource policy. | ||
|
||
## Example Usage | ||
|
||
### Route53 Query Logging | ||
|
||
```hcl | ||
data "aws_iam_policy_document" "route53-query-logging-policy" { | ||
statement { | ||
actions = [ | ||
"logs:CreateLogStream", | ||
"logs:PutLogEvents", | ||
] | ||
resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"] | ||
principals { | ||
identifiers = ["route53.amazonaws.com"] | ||
type = "Service" | ||
} | ||
} | ||
} | ||
resource "aws_cloudwatch_log_resource_policy" "route53-query-logging-policy" { | ||
policy_document = "${data.aws_iam_policy_document.route53-query-logging-policy.json}" | ||
policy_name = "route53-query-logging-policy" | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
* `policy_document` - (Required) Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters. | ||
* `policy_name` - (Required) Name of the resource policy. | ||
|
||
## Attributes Reference | ||
|
||
The following additional attributes are exported: | ||
|
||
* `id` - The name of the CloudWatch log resource policy | ||
|
||
## Import | ||
|
||
CloudWatch log resource policies can be imported using the policy name, e.g. | ||
|
||
``` | ||
$ terraform import aws_cloudwatch_log_resource_policy.MyPolicy MyPolicy | ||
``` |