Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow importing of aws_iam_role, aws_iam_role_policy, aws_iam_policy and aws_iam_instance_profile. #9398

Closed
wants to merge 5 commits into from

Conversation

tomwilkie
Copy link
Contributor

No description provided.

@stack72
Copy link
Contributor

stack72 commented Oct 27, 2016

HI @tomwilkie

Thanks for the PR here - this is great! If possible, please can you add an import test to each of the resources? This would help us keep the import path code tested for each of the resources

You can find an example of the code here

Thanks again

Paul

@stack72 stack72 added the waiting-response An issue/pull request is waiting for a response from the community label Oct 27, 2016
@tomwilkie
Copy link
Contributor Author

Tests all work:

$ AWS_PROFILE=default make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSIAM'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2016/10/27 14:59:19 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSIAM -timeout 120m
=== RUN   TestAccAWSIAMPolicyDocument
--- PASS: TestAccAWSIAMPolicyDocument (9.82s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_importBasic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_importBasic (12.79s)
=== RUN   TestAccAWSIAMGroup_importBasic
--- PASS: TestAccAWSIAMGroup_importBasic (10.66s)
=== RUN   TestAccAWSIAMInstanceProfile_importBasic
--- PASS: TestAccAWSIAMInstanceProfile_importBasic (16.36s)
=== RUN   TestAccAWSIAMPolicy_importBasic
--- PASS: TestAccAWSIAMPolicy_importBasic (15.94s)
=== RUN   TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (13.58s)
=== RUN   TestAccAWSIAMRole_importBasic
--- PASS: TestAccAWSIAMRole_importBasic (12.66s)
=== RUN   TestAccAWSIAMSamlProvider_importBasic
--- PASS: TestAccAWSIAMSamlProvider_importBasic (12.74s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_basic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_basic (20.43s)
=== RUN   TestAccAWSIAMGroupPolicy_basic
--- PASS: TestAccAWSIAMGroupPolicy_basic (21.54s)
=== RUN   TestAccAWSIAMGroup_basic
--- PASS: TestAccAWSIAMGroup_basic (19.61s)
=== RUN   TestAccAWSIAMInstanceProfile_basic
--- PASS: TestAccAWSIAMInstanceProfile_basic (13.87s)
=== RUN   TestAccAWSIAMInstanceProfile_namePrefix
--- PASS: TestAccAWSIAMInstanceProfile_namePrefix (14.62s)
=== RUN   TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (22.20s)
=== RUN   TestAccAWSIAMSamlProvider_basic
--- PASS: TestAccAWSIAMSamlProvider_basic (21.07s)
=== RUN   TestAccAWSIAMServerCertificate_basic
--- PASS: TestAccAWSIAMServerCertificate_basic (12.29s)
=== RUN   TestAccAWSIAMServerCertificate_name_prefix
--- PASS: TestAccAWSIAMServerCertificate_name_prefix (11.39s)
=== RUN   TestAccAWSIAMServerCertificate_disappears
--- PASS: TestAccAWSIAMServerCertificate_disappears (12.21s)
=== RUN   TestAccAWSIAMServerCertificate_file
--- PASS: TestAccAWSIAMServerCertificate_file (20.00s)
=== RUN   TestAccAWSIAMUserPolicy_basic
--- PASS: TestAccAWSIAMUserPolicy_basic (25.25s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    319.089s

@stack72
Copy link
Contributor

stack72 commented Oct 27, 2016

Thanks @tomwilkie :)

P.

@tomwilkie
Copy link
Contributor Author

As part of making this work, I can to make aws_iam_policy and aws_iam_role read their policy documents back from AWS - and unfortunately AWS seems to strip whitespace from policy documents. This will mean lots of people will see diffs on their IAM resources where previous there was none.

@tomwilkie
Copy link
Contributor Author

I'm not sure whether this is acceptable, so let me know if you can think of any workarounds. One idea would be to strip all whitespace from policy documents when they are read from the .tf files, but I don't know if terraform has machinery to do this yet.

@stack72
Copy link
Contributor

stack72 commented Oct 27, 2016

ok, we had a PR like this merged before and it caused issues everywhere. so we reverted it. I think we are going to have to shelve this PR for a while now while we investigate what the problems are

Paul

@tomwilkie
Copy link
Contributor Author

Do you have a link to said PR?

I think we can work around this.

@tomwilkie
Copy link
Contributor Author

Its seems a DiffSuppressFunc is all thats needed here. I'll add that (and some tests).

@tomwilkie
Copy link
Contributor Author

It seems @jen20 has already written everything we need!

@stack72
Copy link
Contributor

stack72 commented Oct 27, 2016

This is the PR #7617 :)

@tomwilkie
Copy link
Contributor Author

Okay yes I've got a fix for the problems you hit there, just testing now...

@tomwilkie
Copy link
Contributor Author

Okay that fixed the whitespace / heredoc issue - they now work nicely. Just running the tests one last time but I don't see any problems.

@tomwilkie
Copy link
Contributor Author

Yeah that works nicely:

$ AWS_PROFILE=default make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSIAM'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2016/10/27 15:26:18 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSIAM -timeout 120m
=== RUN   TestAccAWSIAMPolicyDocument
--- PASS: TestAccAWSIAMPolicyDocument (8.26s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_importBasic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_importBasic (13.89s)
=== RUN   TestAccAWSIAMGroup_importBasic
--- PASS: TestAccAWSIAMGroup_importBasic (10.41s)
=== RUN   TestAccAWSIAMInstanceProfile_importBasic
--- PASS: TestAccAWSIAMInstanceProfile_importBasic (15.34s)
=== RUN   TestAccAWSIAMPolicy_importBasic
--- PASS: TestAccAWSIAMPolicy_importBasic (11.74s)
=== RUN   TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (13.63s)
=== RUN   TestAccAWSIAMRole_importBasic
--- PASS: TestAccAWSIAMRole_importBasic (11.05s)
=== RUN   TestAccAWSIAMSamlProvider_importBasic
--- PASS: TestAccAWSIAMSamlProvider_importBasic (13.05s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_basic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_basic (19.46s)
=== RUN   TestAccAWSIAMGroupPolicy_basic
--- PASS: TestAccAWSIAMGroupPolicy_basic (20.82s)
=== RUN   TestAccAWSIAMGroup_basic
--- PASS: TestAccAWSIAMGroup_basic (19.05s)
=== RUN   TestAccAWSIAMInstanceProfile_basic
--- PASS: TestAccAWSIAMInstanceProfile_basic (15.05s)
=== RUN   TestAccAWSIAMInstanceProfile_namePrefix
--- PASS: TestAccAWSIAMInstanceProfile_namePrefix (15.50s)
=== RUN   TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (23.26s)
=== RUN   TestAccAWSIAMSamlProvider_basic
--- PASS: TestAccAWSIAMSamlProvider_basic (21.46s)
=== RUN   TestAccAWSIAMServerCertificate_basic
--- PASS: TestAccAWSIAMServerCertificate_basic (13.15s)
=== RUN   TestAccAWSIAMServerCertificate_name_prefix
--- PASS: TestAccAWSIAMServerCertificate_name_prefix (11.37s)
=== RUN   TestAccAWSIAMServerCertificate_disappears
--- PASS: TestAccAWSIAMServerCertificate_disappears (11.23s)
=== RUN   TestAccAWSIAMServerCertificate_file
--- PASS: TestAccAWSIAMServerCertificate_file (18.06s)
=== RUN   TestAccAWSIAMUserPolicy_basic
--- PASS: TestAccAWSIAMUserPolicy_basic (22.62s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    308.438s
$ git branch -v 
* import-iam-objects                      daaae09 Add DiffSuppressFunc to support heredocs for aws_iam_role.assume_role_policy and aws_iam_policy.policy
...

@tomwilkie
Copy link
Contributor Author

ping?

Copy link
Contributor

@stack72 stack72 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @tomwilkie

Sorry this has taken so long - I have left a few questions inline as to why some of the code paths have changed. Let me know your thoughts :)

Want to make sure we don't break any backwards compatibility for this.

Can you tell me if we use a template file and pass the json in or using HEREDOC syntax, will the diffSuppression still work as expected?

Paul


var testAccAwsIamPolicyConfig = `
resource "aws_iam_policy" "test" {
name = "test_policy"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to randomize this - if this fails then the test will fail the following night due to orphaned resources. This should be a func that accepts a random string as a name

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSPolicyDestroy,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should jsut use the same Destroy method as defined in iam_user_test.go testAccCheckAWSUserDestroy

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one destroys aws_iam_policy, whereas the function you refer to destroys aws_iam_user.

resource "aws_iam_role" "role" {
name = "tf_test_role_test"
path = "/"
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does a heredoc affect how the import works here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not; would you like me to make this a heredoc?

}

resource "aws_iam_role_policy" "foo" {
name = "tf_test_policy_test"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to randomize the name :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


var testAccAwsIamRolePolicyConfig = `
resource "aws_iam_role" "role" {
name = "tf_test_role_test"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Randomize the name :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -81,7 +86,29 @@ func resourceAwsIamPolicyRead(d *schema.ResourceData, meta interface{}) error {
return fmt.Errorf("Error reading IAM policy %s: %s", d.Id(), err)
}

return readIamPolicy(d, response.Policy)
getPolicyVersionRequest := &iam.GetPolicyVersionInput{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we looking for a specific policy version? This is a new code path that wasn't in use before

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're looking for the DefaulVersionId from the response to GetPolicy.

return fmt.Errorf("Error reading IAM policy version %s: %s", d.Id(), err)
}

policy, err := url.QueryUnescape(*getPolicyVersionResponse.PolicyVersion.Document)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why queryunescape? What is this doing for us?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -221,7 +248,8 @@ func readIamPolicy(d *schema.ResourceData, policy *iam.Policy) error {
if err := d.Set("arn", *policy.Arn); err != nil {
return err
}
// TODO: set policy

if err := d.Set("arn", *policy.Arn); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

d.Set doesn't need to have a value dereferenced before being passed - it safely dereferences a pointer if it can :)

@tomwilkie
Copy link
Contributor Author

Thanks for feedback! Will get that addressed ASAP.

@tomwilkie
Copy link
Contributor Author

@stack72 PTAL

@stack72
Copy link
Contributor

stack72 commented Dec 1, 2016

Hi @tomwilkie

Finally getting around to looking at this right now - sorry it took so long!

Paul

@stack72
Copy link
Contributor

stack72 commented Dec 1, 2016

Hi @tomwilkie

I am going to merge this manually - I actually added support for the import of aws_iam_instance_profile recently :) So had some conflicts

% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSIAM'                           2 ↵ ═ ✚
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2016/12/01 16:28:39 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSIAM -timeout 120m
=== RUN   TestAccAWSIAMPolicyDocument
--- PASS: TestAccAWSIAMPolicyDocument (10.73s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_importBasic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_importBasic (15.85s)
=== RUN   TestAccAWSIAMGroup_importBasic
--- PASS: TestAccAWSIAMGroup_importBasic (15.13s)
=== RUN   TestAccAWSIAMPolicy_importBasic
--- PASS: TestAccAWSIAMPolicy_importBasic (17.42s)
=== RUN   TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (19.67s)
=== RUN   TestAccAWSIAMRole_importBasic
--- PASS: TestAccAWSIAMRole_importBasic (15.99s)
=== RUN   TestAccAWSIAMSamlProvider_importBasic
--- PASS: TestAccAWSIAMSamlProvider_importBasic (16.85s)
=== RUN   TestAccAWSIAMAccountPasswordPolicy_basic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_basic (28.42s)
=== RUN   TestAccAWSIAMGroupPolicy_basic
--- PASS: TestAccAWSIAMGroupPolicy_basic (29.88s)
=== RUN   TestAccAWSIAMGroup_basic
--- PASS: TestAccAWSIAMGroup_basic (26.80s)
=== RUN   TestAccAWSIAMInstanceProfile_importBasic
--- PASS: TestAccAWSIAMInstanceProfile_importBasic (30.84s)
=== RUN   TestAccAWSIAMInstanceProfile_basic
--- PASS: TestAccAWSIAMInstanceProfile_basic (19.44s)
=== RUN   TestAccAWSIAMInstanceProfile_namePrefix
--- PASS: TestAccAWSIAMInstanceProfile_namePrefix (35.54s)
=== RUN   TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (47.24s)
=== RUN   TestAccAWSIAMSamlProvider_basic
--- PASS: TestAccAWSIAMSamlProvider_basic (35.71s)
=== RUN   TestAccAWSIAMServerCertificate_basic
--- PASS: TestAccAWSIAMServerCertificate_basic (17.18s)
=== RUN   TestAccAWSIAMServerCertificate_name_prefix
--- PASS: TestAccAWSIAMServerCertificate_name_prefix (17.97s)
=== RUN   TestAccAWSIAMServerCertificate_disappears
--- PASS: TestAccAWSIAMServerCertificate_disappears (13.43s)
=== RUN   TestAccAWSIAMServerCertificate_file
--- PASS: TestAccAWSIAMServerCertificate_file (24.96s)
=== RUN   TestAccAWSIAMUserPolicy_basic
--- PASS: TestAccAWSIAMUserPolicy_basic (30.49s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	469.579s

@stack72
Copy link
Contributor

stack72 commented Dec 1, 2016

Manually merged to master!

@stack72 stack72 closed this Dec 1, 2016
@tomwilkie
Copy link
Contributor Author

tomwilkie commented Dec 1, 2016 via email

@clearly
Copy link

clearly commented Feb 5, 2017

Totally perplexed : Terraform v0.7.13

% terraform import aws_iam_role.MY_Cool_Role My_Cool_Name_Role

Error importing: 1 error(s) occurred:

  • import aws_iam_role.MY_Cool_Role (id: My_Cool_Name_Role): resource aws_iam_role doesn't support import

@stack72
Copy link
Contributor

stack72 commented Feb 5, 2017

Hi @clearly

You may need to upgrade to a later version to use this feature

Paul

@ghost
Copy link

ghost commented Apr 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 17, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement provider/aws waiting-response An issue/pull request is waiting for a response from the community
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants