Skip to content

Commit

Permalink
Merge pull request #10624 from hashicorp/pr-9891
Browse files Browse the repository at this point in the history
provider/aws: Add aws_snapshot_create_volume_permission resource (contd. #9891)
  • Loading branch information
catsby authored Dec 9, 2016
2 parents e2fc12c + c54dba6 commit 5f765d9
Show file tree
Hide file tree
Showing 5 changed files with 289 additions and 1 deletion.
1 change: 1 addition & 0 deletions builtin/providers/aws/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -352,6 +352,7 @@ func Provider() terraform.ResourceProvider {
"aws_spot_fleet_request": resourceAwsSpotFleetRequest(),
"aws_sqs_queue": resourceAwsSqsQueue(),
"aws_sqs_queue_policy": resourceAwsSqsQueuePolicy(),
"aws_snapshot_create_volume_permission": resourceAwsSnapshotCreateVolumePermission(),
"aws_sns_topic": resourceAwsSnsTopic(),
"aws_sns_topic_policy": resourceAwsSnsTopicPolicy(),
"aws_sns_topic_subscription": resourceAwsSnsTopicSubscription(),
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
package aws

import (
"fmt"
"time"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
)

func resourceAwsSnapshotCreateVolumePermission() *schema.Resource {
return &schema.Resource{
Exists: resourceAwsSnapshotCreateVolumePermissionExists,
Create: resourceAwsSnapshotCreateVolumePermissionCreate,
Read: resourceAwsSnapshotCreateVolumePermissionRead,
Delete: resourceAwsSnapshotCreateVolumePermissionDelete,

Schema: map[string]*schema.Schema{
"snapshot_id": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"account_id": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
}
}

func resourceAwsSnapshotCreateVolumePermissionExists(d *schema.ResourceData, meta interface{}) (bool, error) {
conn := meta.(*AWSClient).ec2conn

snapshot_id := d.Get("snapshot_id").(string)
account_id := d.Get("account_id").(string)
return hasCreateVolumePermission(conn, snapshot_id, account_id)
}

func resourceAwsSnapshotCreateVolumePermissionCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).ec2conn

snapshot_id := d.Get("snapshot_id").(string)
account_id := d.Get("account_id").(string)

_, err := conn.ModifySnapshotAttribute(&ec2.ModifySnapshotAttributeInput{
SnapshotId: aws.String(snapshot_id),
Attribute: aws.String("createVolumePermission"),
CreateVolumePermission: &ec2.CreateVolumePermissionModifications{
Add: []*ec2.CreateVolumePermission{
&ec2.CreateVolumePermission{UserId: aws.String(account_id)},
},
},
})
if err != nil {
return fmt.Errorf("Error adding snapshot createVolumePermission: %s", err)
}

d.SetId(fmt.Sprintf("%s-%s", snapshot_id, account_id))

// Wait for the account to appear in the permission list
stateConf := &resource.StateChangeConf{
Pending: []string{"denied"},
Target: []string{"granted"},
Refresh: resourceAwsSnapshotCreateVolumePermissionStateRefreshFunc(conn, snapshot_id, account_id),
Timeout: 5 * time.Minute,
Delay: 10 * time.Second,
MinTimeout: 10 * time.Second,
}
if _, err := stateConf.WaitForState(); err != nil {
return fmt.Errorf(
"Error waiting for snapshot createVolumePermission (%s) to be added: %s",
d.Id(), err)
}

return nil
}

func resourceAwsSnapshotCreateVolumePermissionRead(d *schema.ResourceData, meta interface{}) error {
return nil
}

func resourceAwsSnapshotCreateVolumePermissionDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).ec2conn

snapshot_id := d.Get("snapshot_id").(string)
account_id := d.Get("account_id").(string)

_, err := conn.ModifySnapshotAttribute(&ec2.ModifySnapshotAttributeInput{
SnapshotId: aws.String(snapshot_id),
Attribute: aws.String("createVolumePermission"),
CreateVolumePermission: &ec2.CreateVolumePermissionModifications{
Remove: []*ec2.CreateVolumePermission{
&ec2.CreateVolumePermission{UserId: aws.String(account_id)},
},
},
})
if err != nil {
return fmt.Errorf("Error removing snapshot createVolumePermission: %s", err)
}

// Wait for the account to disappear from the permission list
stateConf := &resource.StateChangeConf{
Pending: []string{"granted"},
Target: []string{"denied"},
Refresh: resourceAwsSnapshotCreateVolumePermissionStateRefreshFunc(conn, snapshot_id, account_id),
Timeout: 5 * time.Minute,
Delay: 10 * time.Second,
MinTimeout: 10 * time.Second,
}
if _, err := stateConf.WaitForState(); err != nil {
return fmt.Errorf(
"Error waiting for snapshot createVolumePermission (%s) to be removed: %s",
d.Id(), err)
}

return nil
}

func hasCreateVolumePermission(conn *ec2.EC2, snapshot_id string, account_id string) (bool, error) {
_, state, err := resourceAwsSnapshotCreateVolumePermissionStateRefreshFunc(conn, snapshot_id, account_id)()
if err != nil {
return false, err
}
if state == "granted" {
return true, nil
} else {
return false, nil
}
}

func resourceAwsSnapshotCreateVolumePermissionStateRefreshFunc(conn *ec2.EC2, snapshot_id string, account_id string) resource.StateRefreshFunc {
return func() (interface{}, string, error) {
attrs, err := conn.DescribeSnapshotAttribute(&ec2.DescribeSnapshotAttributeInput{
SnapshotId: aws.String(snapshot_id),
Attribute: aws.String("createVolumePermission"),
})
if err != nil {
return nil, "", fmt.Errorf("Error refreshing snapshot createVolumePermission state: %s", err)
}

for _, vp := range attrs.CreateVolumePermissions {
if *vp.UserId == account_id {
return attrs, "granted", nil
}
}
return attrs, "denied", nil
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
package aws

import (
"fmt"
"testing"

"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)

func TestAccAWSSnapshotCreateVolumePermission_Basic(t *testing.T) {
var snapshotId, accountId string

resource.Test(t, resource.TestCase{
Providers: testAccProviders,
Steps: []resource.TestStep{
// Scaffold everything
resource.TestStep{
Config: testAccAWSSnapshotCreateVolumePermissionConfig(true),
Check: resource.ComposeTestCheckFunc(
testCheckResourceGetAttr("aws_ebs_snapshot.example_snapshot", "id", &snapshotId),
testCheckResourceGetAttr("data.aws_caller_identity.current", "account_id", &accountId),
testAccAWSSnapshotCreateVolumePermissionExists(&accountId, &snapshotId),
),
},
// Drop just create volume permission to test destruction
resource.TestStep{
Config: testAccAWSSnapshotCreateVolumePermissionConfig(false),
Check: resource.ComposeTestCheckFunc(
testAccAWSSnapshotCreateVolumePermissionDestroyed(&accountId, &snapshotId),
),
},
},
})
}

func testAccAWSSnapshotCreateVolumePermissionExists(accountId, snapshotId *string) resource.TestCheckFunc {
return func(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).ec2conn
if has, err := hasCreateVolumePermission(conn, *snapshotId, *accountId); err != nil {
return err
} else if !has {
return fmt.Errorf("create volume permission does not exist for '%s' on '%s'", *accountId, *snapshotId)
}
return nil
}
}

func testAccAWSSnapshotCreateVolumePermissionDestroyed(accountId, snapshotId *string) resource.TestCheckFunc {
return func(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).ec2conn
if has, err := hasCreateVolumePermission(conn, *snapshotId, *accountId); err != nil {
return err
} else if has {
return fmt.Errorf("create volume permission still exists for '%s' on '%s'", *accountId, *snapshotId)
}
return nil
}
}

func testAccAWSSnapshotCreateVolumePermissionConfig(includeCreateVolumePermission bool) string {
base := `
data "aws_caller_identity" "current" {}
resource "aws_ebs_volume" "example" {
availability_zone = "us-west-2a"
size = 40
tags {
Name = "ebs_snap_perm"
}
}
resource "aws_ebs_snapshot" "example_snapshot" {
volume_id = "${aws_ebs_volume.example.id}"
}
`

if !includeCreateVolumePermission {
return base
}

return base + fmt.Sprintf(`
resource "aws_snapshot_create_volume_permission" "self-test" {
snapshot_id = "${aws_ebs_snapshot.example_snapshot.id}"
account_id = "${data.aws_caller_identity.current.account_id}"
}
`)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
layout: "aws"
page_title: "AWS: aws_snapshot_create_volume_permission"
sidebar_current: "docs-aws-resource-snapshot-create-volume-permission"
description: |-
Adds create volume permission to an EBS Snapshot
---

# aws\_snapshot\_create\_volume\_permission

Adds permission to create volumes off of a given EBS Snapshot.

## Example Usage

```
resource "aws_snapshot_create_volume_permission" "example_perm" {
snapshot_id = "${aws_ebs_snapshot.example_snapshot.id}"
account_id = "12345678"
}
resource "aws_ebs_volume" "example" {
availability_zone = "us-west-2a"
size = 40
}
resource "aws_ebs_snapshot" "example_snapshot" {
volume_id = "${aws_ebs_volume.example.id}"
}
```

## Argument Reference

The following arguments are supported:

* `snapshot_id` - (required) A snapshot ID
* `account_id` - (required) An AWS Account ID to add create volume permissions

## Attributes Reference

The following attributes are exported:

* `id` - A combination of "`snapshot_id`-`account_id`".
6 changes: 5 additions & 1 deletion website/source/layouts/aws.erb
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,7 @@
</li>


<li<%= sidebar_current(/^docs-aws-resource-(alb|ami|app|autoscaling|ebs|elb|eip|instance|launch|lb|proxy|spot|volume|placement|key-pair|elb_attachment|load-balancer)/) %>>
<li<%= sidebar_current(/^docs-aws-resource-(alb|ami|app|autoscaling|ebs|elb|eip|instance|launch|lb|proxy|snapshot|spot|volume|placement|key-pair|elb_attachment|load-balancer)/) %>>
<a href="#">EC2 Resources</a>
<ul class="nav nav-visible">

Expand Down Expand Up @@ -330,6 +330,10 @@
<a href="/docs/providers/aws/r/autoscaling_schedule.html">aws_autoscaling_schedule</a>
</li>

<li<%= sidebar_current("docs-aws-resource-snapshot-create-volume-permission") %>>
<a href="/docs/providers/aws/r/snapshot_create_volume_permission.html">aws_snapshot_create_volume_permission</a>
</li>

<li<%= sidebar_current("docs-aws-resource-ebs-snapshot") %>>
<a href="/docs/providers/aws/r/ebs_snapshot.html">aws_ebs_snapshot</a>
</li>
Expand Down

0 comments on commit 5f765d9

Please sign in to comment.