Merge pull request #6432 from terraform-providers/f-aws_glacier_vault…

…_lock_policy New Resource: aws_glacier_vault_lock
hashicorp · Nov 12, 2018 · 36310a2 · 36310a2
2 parents fcf1069 + 3e6c082
commit 36310a2
Show file tree

Hide file tree

Showing 6 changed files with 445 additions and 2 deletions.
diff --git a/aws/provider.go b/aws/provider.go
@@ -444,6 +444,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_gamelift_build":                               resourceAwsGameliftBuild(),
 			"aws_gamelift_fleet":                               resourceAwsGameliftFleet(),
 			"aws_glacier_vault":                                resourceAwsGlacierVault(),
+			"aws_glacier_vault_lock":                           resourceAwsGlacierVaultLock(),
 			"aws_glue_catalog_database":                        resourceAwsGlueCatalogDatabase(),
 			"aws_glue_catalog_table":                           resourceAwsGlueCatalogTable(),
 			"aws_glue_classifier":                              resourceAwsGlueClassifier(),

diff --git a/aws/resource_aws_glacier_vault_lock.go b/aws/resource_aws_glacier_vault_lock.go
@@ -0,0 +1,188 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/glacier"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceAwsGlacierVaultLock() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsGlacierVaultLockCreate,
+		Read:   resourceAwsGlacierVaultLockRead,
+		// Allow ignore_deletion_error update
+		Update: schema.Noop,
+		Delete: resourceAwsGlacierVaultLockDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"complete_lock": {
+				Type:     schema.TypeBool,
+				Required: true,
+				ForceNew: true,
+			},
+			"ignore_deletion_error": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"policy": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
+				ValidateFunc:     validateIAMPolicyJson,
+			},
+			"vault_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.NoZeroValues,
+			},
+		},
+	}
+}
+
+func resourceAwsGlacierVaultLockCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).glacierconn
+	vaultName := d.Get("vault_name").(string)
+
+	input := &glacier.InitiateVaultLockInput{
+		AccountId: aws.String("-"),
+		Policy: &glacier.VaultLockPolicy{
+			Policy: aws.String(d.Get("policy").(string)),
+		},
+		VaultName: aws.String(vaultName),
+	}
+
+	log.Printf("[DEBUG] Initiating Glacier Vault Lock: %s", input)
+	output, err := conn.InitiateVaultLock(input)
+	if err != nil {
+		return fmt.Errorf("error initiating Glacier Vault Lock: %s", err)
+	}
+
+	d.SetId(vaultName)
+
+	if !d.Get("complete_lock").(bool) {
+		return resourceAwsGlacierVaultLockRead(d, meta)
+	}
+
+	completeLockInput := &glacier.CompleteVaultLockInput{
+		LockId:    output.LockId,
+		VaultName: aws.String(vaultName),
+	}
+
+	log.Printf("[DEBUG] Completing Glacier Vault (%s) Lock: %s", vaultName, completeLockInput)
+	if _, err := conn.CompleteVaultLock(completeLockInput); err != nil {
+		return fmt.Errorf("error completing Glacier Vault (%s) Lock: %s", vaultName, err)
+	}
+
+	if err := waitForGlacierVaultLockCompletion(conn, vaultName); err != nil {
+		return fmt.Errorf("error waiting for Glacier Vault Lock (%s) completion: %s", d.Id(), err)
+	}
+
+	return resourceAwsGlacierVaultLockRead(d, meta)
+}
+
+func resourceAwsGlacierVaultLockRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).glacierconn
+
+	input := &glacier.GetVaultLockInput{
+		AccountId: aws.String("-"),
+		VaultName: aws.String(d.Id()),
+	}
+
+	log.Printf("[DEBUG] Reading Glacier Vault Lock (%s): %s", d.Id(), input)
+	output, err := conn.GetVaultLock(input)
+
+	if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") {
+		log.Printf("[WARN] Glacier Vault Lock (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", d.Id(), err)
+	}
+
+	if output == nil {
+		log.Printf("[WARN] Glacier Vault Lock (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("complete_lock", aws.StringValue(output.State) == "Locked")
+	d.Set("policy", output.Policy)
+	d.Set("vault_name", d.Id())
+
+	return nil
+}
+
+func resourceAwsGlacierVaultLockDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).glacierconn
+
+	input := &glacier.AbortVaultLockInput{
+		VaultName: aws.String(d.Id()),
+	}
+
+	log.Printf("[DEBUG] Aborting Glacier Vault Lock (%s): %s", d.Id(), input)
+	_, err := conn.AbortVaultLock(input)
+
+	if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") {
+		return nil
+	}
+
+	if err != nil && !d.Get("ignore_deletion_error").(bool) {
+		return fmt.Errorf("error aborting Glacier Vault Lock (%s): %s", d.Id(), err)
+	}
+
+	return nil
+}
+
+func glacierVaultLockRefreshFunc(conn *glacier.Glacier, vaultName string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		input := &glacier.GetVaultLockInput{
+			AccountId: aws.String("-"),
+			VaultName: aws.String(vaultName),
+		}
+
+		log.Printf("[DEBUG] Reading Glacier Vault Lock (%s): %s", vaultName, input)
+		output, err := conn.GetVaultLock(input)
+
+		if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") {
+			return nil, "", nil
+		}
+
+		if err != nil {
+			return nil, "", fmt.Errorf("error reading Glacier Vault Lock (%s): %s", vaultName, err)
+		}
+
+		if output == nil {
+			return nil, "", nil
+		}
+
+		return output, aws.StringValue(output.State), nil
+	}
+}
+
+func waitForGlacierVaultLockCompletion(conn *glacier.Glacier, vaultName string) error {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{"InProgress"},
+		Target:  []string{"Locked"},
+		Refresh: glacierVaultLockRefreshFunc(conn, vaultName),
+		Timeout: 5 * time.Minute,
+	}
+
+	log.Printf("[DEBUG] Waiting for Glacier Vault Lock (%s) completion", vaultName)
+	_, err := stateConf.WaitForState()
+
+	return err
+}
diff --git a/aws/resource_aws_glacier_vault_lock_test.go b/aws/resource_aws_glacier_vault_lock_test.go
@@ -0,0 +1,173 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/glacier"
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSGlacierVaultLock_basic(t *testing.T) {
+	var vaultLock1 glacier.GetVaultLockOutput
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	glacierVaultResourceName := "aws_glacier_vault.test"
+	resourceName := "aws_glacier_vault_lock.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGlacierVaultLockDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGlacierVaultLockConfigCompleteLock(rName, false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGlacierVaultLockExists(resourceName, &vaultLock1),
+					resource.TestCheckResourceAttr(resourceName, "complete_lock", "false"),
+					resource.TestCheckResourceAttr(resourceName, "ignore_deletion_error", "false"),
+					resource.TestCheckResourceAttrSet(resourceName, "policy"),
+					resource.TestCheckResourceAttrPair(resourceName, "vault_name", glacierVaultResourceName, "name"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ignore_deletion_error"},
+			},
+		},
+	})
+}
+
+func TestAccAWSGlacierVaultLock_CompleteLock(t *testing.T) {
+	var vaultLock1 glacier.GetVaultLockOutput
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	glacierVaultResourceName := "aws_glacier_vault.test"
+	resourceName := "aws_glacier_vault_lock.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGlacierVaultLockDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGlacierVaultLockConfigCompleteLock(rName, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGlacierVaultLockExists(resourceName, &vaultLock1),
+					resource.TestCheckResourceAttr(resourceName, "complete_lock", "true"),
+					resource.TestCheckResourceAttr(resourceName, "ignore_deletion_error", "true"),
+					resource.TestCheckResourceAttrSet(resourceName, "policy"),
+					resource.TestCheckResourceAttrPair(resourceName, "vault_name", glacierVaultResourceName, "name"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ignore_deletion_error"},
+			},
+		},
+	})
+}
+
+func testAccCheckGlacierVaultLockExists(resourceName string, getVaultLockOutput *glacier.GetVaultLockOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).glacierconn
+
+		input := &glacier.GetVaultLockInput{
+			VaultName: aws.String(rs.Primary.ID),
+		}
+		output, err := conn.GetVaultLock(input)
+
+		if err != nil {
+			return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", rs.Primary.ID, err)
+		}
+
+		if output == nil {
+			return fmt.Errorf("error reading Glacier Vault Lock (%s): empty response", rs.Primary.ID)
+		}
+
+		*getVaultLockOutput = *output
+
+		return nil
+	}
+}
+
+func testAccCheckGlacierVaultLockDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).glacierconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_glacier_vault_lock" {
+			continue
+		}
+
+		input := &glacier.GetVaultLockInput{
+			VaultName: aws.String(rs.Primary.ID),
+		}
+		output, err := conn.GetVaultLock(input)
+
+		if isAWSErr(err, glacier.ErrCodeResourceNotFoundException, "") {
+			continue
+		}
+
+		if err != nil {
+			return fmt.Errorf("error reading Glacier Vault Lock (%s): %s", rs.Primary.ID, err)
+		}
+
+		if output != nil {
+			return fmt.Errorf("Glacier Vault Lock (%s) still exists", rs.Primary.ID)
+		}
+	}
+
+	return nil
+}
+
+func testAccGlacierVaultLockConfigCompleteLock(rName string, completeLock bool) string {
+	return fmt.Sprintf(`
+resource "aws_glacier_vault" "test" {
+  name = %q
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+data "aws_iam_policy_document" "test" {
+  statement {
+    # Allow for testing purposes
+    actions   = ["glacier:DeleteArchive"]
+    effect    = "Allow"
+    resources = ["${aws_glacier_vault.test.arn}"]
+
+    condition {
+      test     = "NumericLessThanEquals"
+      variable = "glacier:ArchiveAgeinDays"
+      values   = ["0"]
+    }
+
+    principals {
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+  }
+}
+
+resource "aws_glacier_vault_lock" "test" {
+  complete_lock         = %t
+  ignore_deletion_error = %t
+  policy                = "${data.aws_iam_policy_document.test.json}"
+  vault_name            = "${aws_glacier_vault.test.name}"
+}
+`, rName, completeLock, completeLock)
+}
diff --git a/website/aws.erb b/website/aws.erb
@@ -1298,9 +1298,12 @@
                 <li<%= sidebar_current("docs-aws-resource-glacier") %>>
                     <a href="#">Glacier Resources</a>
                     <ul class="nav nav-visible">
-                        <li<%= sidebar_current("docs-aws-resource-glacier-vault") %>>
+                        <li<%= sidebar_current("docs-aws-resource-glacier-vault-x") %>>
                             <a href="/docs/providers/aws/r/glacier_vault.html">aws_glacier_vault</a>
                         </li>
+                        <li<%= sidebar_current("docs-aws-resource-glacier-vault-lock") %>>
+                            <a href="/docs/providers/aws/r/glacier_vault_lock.html">aws_glacier_vault_lock</a>
+                        </li>
                     </ul>
                  </li>
 

diff --git a/website/docs/r/glacier_vault.html.markdown b/website/docs/r/glacier_vault.html.markdown
@@ -1,7 +1,7 @@
 ---
 layout: "aws"
 page_title: "AWS: aws_glacier_vault"
-sidebar_current: "docs-aws-resource-glacier-vault"
+sidebar_current: "docs-aws-resource-glacier-vault-x"
 description: |-
   Provides a Glacier Vault.
 ---