-
Notifications
You must be signed in to change notification settings - Fork 9.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6432 from terraform-providers/f-aws_glacier_vault…
…_lock_policy New Resource: aws_glacier_vault_lock
- Loading branch information
Showing
6 changed files
with
445 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,188 @@ | ||
package aws | ||
|
||
import ( | ||
"fmt" | ||
"log" | ||
"time" | ||
|
||
"github.com/aws/aws-sdk-go/aws" | ||
"github.com/aws/aws-sdk-go/service/glacier" | ||
"github.com/hashicorp/terraform/helper/resource" | ||
"github.com/hashicorp/terraform/helper/schema" | ||
"github.com/hashicorp/terraform/helper/validation" | ||
) | ||
|
||
func resourceAwsGlacierVaultLock() *schema.Resource { | ||
return &schema.Resource{ | ||
Create: resourceAwsGlacierVaultLockCreate, | ||
Read: resourceAwsGlacierVaultLockRead, | ||
// Allow ignore_deletion_error update | ||
Update: schema.Noop, | ||
Delete: resourceAwsGlacierVaultLockDelete, | ||
Importer: &schema.ResourceImporter{ | ||
State: schema.ImportStatePassthrough, | ||
}, | ||
|
||
Schema: map[string]*schema.Schema{ | ||
"complete_lock": { | ||
Type: schema.TypeBool, | ||
Required: true, | ||
ForceNew: true, | ||
}, | ||
"ignore_deletion_error": { | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
Default: false, | ||
}, | ||
"policy": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs, | ||
ValidateFunc: validateIAMPolicyJson, | ||
}, | ||
"vault_name": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
ValidateFunc: validation.NoZeroValues, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func resourceAwsGlacierVaultLockCreate(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).glacierconn | ||
vaultName := d.Get("vault_name").(string) | ||
|
||
input := &glacier.InitiateVaultLockInput{ | ||
AccountId: aws.String("-"), | ||
Policy: &glacier.VaultLockPolicy{ | ||
Policy: aws.String(d.Get("policy").(string)), | ||
}, | ||
VaultName: aws.String(vaultName), | ||
} | ||
|
||
log.Printf("[DEBUG] Initiating Glacier Vault Lock: %s", input) | ||
output, err := conn.InitiateVaultLock(input) | ||
if err != nil { | ||
return fmt.Errorf("error initiating Glacier Vault Lock: %s", err) | ||
} | ||
|
||
d.SetId(vaultName) | ||
|
||
if !d.Get("complete_lock").(bool) { | ||
return resourceAwsGlacierVaultLockRead(d, meta) | ||
} | ||
|
||
completeLockInput := &glacier.CompleteVaultLockInput{ | ||
LockId: output.LockId, | ||
VaultName: aws.String(vaultName), | ||
} | ||
|
||
log.Printf("[DEBUG] Completing Glacier Vault (%s) Lock: %s", vaultName, completeLockInput) | ||
if _, err := conn.CompleteVaultLock(completeLockInput); err != nil { | ||
return fmt.Errorf("error completing Glacier Vault (%s) Lock: %s", vaultName, err) | ||
} | ||
|
||
if err := waitForGlacierVaultLockCompletion(conn, vaultName); err != nil { | ||
return fmt.Errorf("error waiting for Glacier Vault Lock (%s) completion: %s", d.Id(), err) | ||
} | ||
|
||
return resourceAwsGlacierVaultLockRead(d, meta) | ||
} | ||
|
||
func resourceAwsGlacierVaultLockRead(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).glacierconn | ||
|
||
input := &glacier.GetVaultLockInput{ | ||
AccountId: aws.String("-"), | ||
VaultName: aws.String(d.Id()), | ||
} | ||
|
||
log.Printf("[DEBUG] Reading Glacier Vault Lock (%s): %s", d.Id(), input) | ||
output, err := conn.GetVaultLock(input) | ||
|
||
if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") { | ||
log.Printf("[WARN] Glacier Vault Lock (%s) not found, removing from state", d.Id()) | ||
d.SetId("") | ||
return nil | ||
} | ||
|
||
if err != nil { | ||
return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", d.Id(), err) | ||
} | ||
|
||
if output == nil { | ||
log.Printf("[WARN] Glacier Vault Lock (%s) not found, removing from state", d.Id()) | ||
d.SetId("") | ||
return nil | ||
} | ||
|
||
d.Set("complete_lock", aws.StringValue(output.State) == "Locked") | ||
d.Set("policy", output.Policy) | ||
d.Set("vault_name", d.Id()) | ||
|
||
return nil | ||
} | ||
|
||
func resourceAwsGlacierVaultLockDelete(d *schema.ResourceData, meta interface{}) error { | ||
conn := meta.(*AWSClient).glacierconn | ||
|
||
input := &glacier.AbortVaultLockInput{ | ||
VaultName: aws.String(d.Id()), | ||
} | ||
|
||
log.Printf("[DEBUG] Aborting Glacier Vault Lock (%s): %s", d.Id(), input) | ||
_, err := conn.AbortVaultLock(input) | ||
|
||
if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") { | ||
return nil | ||
} | ||
|
||
if err != nil && !d.Get("ignore_deletion_error").(bool) { | ||
return fmt.Errorf("error aborting Glacier Vault Lock (%s): %s", d.Id(), err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func glacierVaultLockRefreshFunc(conn *glacier.Glacier, vaultName string) resource.StateRefreshFunc { | ||
return func() (interface{}, string, error) { | ||
input := &glacier.GetVaultLockInput{ | ||
AccountId: aws.String("-"), | ||
VaultName: aws.String(vaultName), | ||
} | ||
|
||
log.Printf("[DEBUG] Reading Glacier Vault Lock (%s): %s", vaultName, input) | ||
output, err := conn.GetVaultLock(input) | ||
|
||
if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") { | ||
return nil, "", nil | ||
} | ||
|
||
if err != nil { | ||
return nil, "", fmt.Errorf("error reading Glacier Vault Lock (%s): %s", vaultName, err) | ||
} | ||
|
||
if output == nil { | ||
return nil, "", nil | ||
} | ||
|
||
return output, aws.StringValue(output.State), nil | ||
} | ||
} | ||
|
||
func waitForGlacierVaultLockCompletion(conn *glacier.Glacier, vaultName string) error { | ||
stateConf := &resource.StateChangeConf{ | ||
Pending: []string{"InProgress"}, | ||
Target: []string{"Locked"}, | ||
Refresh: glacierVaultLockRefreshFunc(conn, vaultName), | ||
Timeout: 5 * time.Minute, | ||
} | ||
|
||
log.Printf("[DEBUG] Waiting for Glacier Vault Lock (%s) completion", vaultName) | ||
_, err := stateConf.WaitForState() | ||
|
||
return err | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,173 @@ | ||
package aws | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/aws/aws-sdk-go/aws" | ||
"github.com/aws/aws-sdk-go/service/glacier" | ||
"github.com/hashicorp/terraform/helper/acctest" | ||
"github.com/hashicorp/terraform/helper/resource" | ||
"github.com/hashicorp/terraform/terraform" | ||
) | ||
|
||
func TestAccAWSGlacierVaultLock_basic(t *testing.T) { | ||
var vaultLock1 glacier.GetVaultLockOutput | ||
rName := acctest.RandomWithPrefix("tf-acc-test") | ||
glacierVaultResourceName := "aws_glacier_vault.test" | ||
resourceName := "aws_glacier_vault_lock.test" | ||
|
||
resource.ParallelTest(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckGlacierVaultLockDestroy, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccGlacierVaultLockConfigCompleteLock(rName, false), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckGlacierVaultLockExists(resourceName, &vaultLock1), | ||
resource.TestCheckResourceAttr(resourceName, "complete_lock", "false"), | ||
resource.TestCheckResourceAttr(resourceName, "ignore_deletion_error", "false"), | ||
resource.TestCheckResourceAttrSet(resourceName, "policy"), | ||
resource.TestCheckResourceAttrPair(resourceName, "vault_name", glacierVaultResourceName, "name"), | ||
), | ||
}, | ||
{ | ||
ResourceName: resourceName, | ||
ImportState: true, | ||
ImportStateVerify: true, | ||
ImportStateVerifyIgnore: []string{"ignore_deletion_error"}, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func TestAccAWSGlacierVaultLock_CompleteLock(t *testing.T) { | ||
var vaultLock1 glacier.GetVaultLockOutput | ||
rName := acctest.RandomWithPrefix("tf-acc-test") | ||
glacierVaultResourceName := "aws_glacier_vault.test" | ||
resourceName := "aws_glacier_vault_lock.test" | ||
|
||
resource.ParallelTest(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckGlacierVaultLockDestroy, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccGlacierVaultLockConfigCompleteLock(rName, true), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckGlacierVaultLockExists(resourceName, &vaultLock1), | ||
resource.TestCheckResourceAttr(resourceName, "complete_lock", "true"), | ||
resource.TestCheckResourceAttr(resourceName, "ignore_deletion_error", "true"), | ||
resource.TestCheckResourceAttrSet(resourceName, "policy"), | ||
resource.TestCheckResourceAttrPair(resourceName, "vault_name", glacierVaultResourceName, "name"), | ||
), | ||
}, | ||
{ | ||
ResourceName: resourceName, | ||
ImportState: true, | ||
ImportStateVerify: true, | ||
ImportStateVerifyIgnore: []string{"ignore_deletion_error"}, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCheckGlacierVaultLockExists(resourceName string, getVaultLockOutput *glacier.GetVaultLockOutput) resource.TestCheckFunc { | ||
return func(s *terraform.State) error { | ||
rs, ok := s.RootModule().Resources[resourceName] | ||
if !ok { | ||
return fmt.Errorf("Not found: %s", resourceName) | ||
} | ||
|
||
if rs.Primary.ID == "" { | ||
return fmt.Errorf("No ID is set") | ||
} | ||
|
||
conn := testAccProvider.Meta().(*AWSClient).glacierconn | ||
|
||
input := &glacier.GetVaultLockInput{ | ||
VaultName: aws.String(rs.Primary.ID), | ||
} | ||
output, err := conn.GetVaultLock(input) | ||
|
||
if err != nil { | ||
return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", rs.Primary.ID, err) | ||
} | ||
|
||
if output == nil { | ||
return fmt.Errorf("error reading Glacier Vault Lock (%s): empty response", rs.Primary.ID) | ||
} | ||
|
||
*getVaultLockOutput = *output | ||
|
||
return nil | ||
} | ||
} | ||
|
||
func testAccCheckGlacierVaultLockDestroy(s *terraform.State) error { | ||
conn := testAccProvider.Meta().(*AWSClient).glacierconn | ||
|
||
for _, rs := range s.RootModule().Resources { | ||
if rs.Type != "aws_glacier_vault_lock" { | ||
continue | ||
} | ||
|
||
input := &glacier.GetVaultLockInput{ | ||
VaultName: aws.String(rs.Primary.ID), | ||
} | ||
output, err := conn.GetVaultLock(input) | ||
|
||
if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") { | ||
continue | ||
} | ||
|
||
if err != nil { | ||
return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", rs.Primary.ID, err) | ||
} | ||
|
||
if output != nil { | ||
return fmt.Errorf("Glacier Vault Lock (%s) still exists", rs.Primary.ID) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func testAccGlacierVaultLockConfigCompleteLock(rName string, completeLock bool) string { | ||
return fmt.Sprintf(` | ||
resource "aws_glacier_vault" "test" { | ||
name = %q | ||
} | ||
data "aws_caller_identity" "current" {} | ||
data "aws_partition" "current" {} | ||
data "aws_iam_policy_document" "test" { | ||
statement { | ||
# Allow for testing purposes | ||
actions = ["glacier:DeleteArchive"] | ||
effect = "Allow" | ||
resources = ["${aws_glacier_vault.test.arn}"] | ||
condition { | ||
test = "NumericLessThanEquals" | ||
variable = "glacier:ArchiveAgeinDays" | ||
values = ["0"] | ||
} | ||
principals { | ||
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"] | ||
type = "AWS" | ||
} | ||
} | ||
} | ||
resource "aws_glacier_vault_lock" "test" { | ||
complete_lock = %t | ||
ignore_deletion_error = %t | ||
policy = "${data.aws_iam_policy_document.test.json}" | ||
vault_name = "${aws_glacier_vault.test.name}" | ||
} | ||
`, rName, completeLock, completeLock) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.