From 417fa7e99b01fbe1444d5c97627c2c334ff16cd1 Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Fri, 18 Dec 2020 17:30:09 +0000 Subject: [PATCH 01/19] implement the event bus policy resource --- aws/provider.go | 1 + ...esource_aws_cloudwatch_event_bus_policy.go | 172 ++++++++++++++++++ ...ce_aws_cloudwatch_event_bus_policy_test.go | 102 +++++++++++ 3 files changed, 275 insertions(+) create mode 100644 aws/resource_aws_cloudwatch_event_bus_policy.go create mode 100644 aws/resource_aws_cloudwatch_event_bus_policy_test.go diff --git a/aws/provider.go b/aws/provider.go index 90a10131846..9d2b36f8c3c 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -549,6 +549,7 @@ func Provider() *schema.Provider { "aws_cloudfront_realtime_log_config": resourceAwsCloudFrontRealtimeLogConfig(), "aws_cloudtrail": resourceAwsCloudTrail(), "aws_cloudwatch_event_bus": resourceAwsCloudWatchEventBus(), + "aws_cloudwatch_event_bus_policy": resourceAwsCloudWatchEventBusPolicy(), "aws_cloudwatch_event_permission": resourceAwsCloudWatchEventPermission(), "aws_cloudwatch_event_rule": resourceAwsCloudWatchEventRule(), "aws_cloudwatch_event_target": resourceAwsCloudWatchEventTarget(), diff --git a/aws/resource_aws_cloudwatch_event_bus_policy.go b/aws/resource_aws_cloudwatch_event_bus_policy.go new file mode 100644 index 00000000000..9b8c859ab70 --- /dev/null +++ b/aws/resource_aws_cloudwatch_event_bus_policy.go 
@@ -0,0 +1,172 @@ +package aws + +import ( + "fmt" + "log" + + "github.com/aws/aws-sdk-go/aws" + events "github.com/aws/aws-sdk-go/service/cloudwatchevents" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + tfevents "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/cloudwatchevents" + iamwaiter "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/iam/waiter" +) + +func resourceAwsCloudWatchEventBusPolicy() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsCloudWatchEventBusPolicyCreate, + Read: resourceAwsCloudWatchEventBusPolicyRead, + Update: resourceAwsCloudWatchEventBusPolicyUpdate, + Delete: resourceAwsCloudWatchEventBusPolicyDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: map[string]*schema.Schema{ + "event_bus_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + ValidateFunc: validateCloudWatchEventBusName, + Default: tfevents.DefaultEventBusName, + }, + "policy": { + Type: schema.TypeString, + Required: true, + }, + }, + } +} + +func resourceAwsCloudWatchEventBusPolicyCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).cloudwatcheventsconn + + eventBusName := d.Get("event_bus_name").(string) + policy := d.Get("policy").(string) + + input := events.PutPermissionInput{ + EventBusName: aws.String(eventBusName), + Policy: aws.String(policy), + } + + log.Printf("[DEBUG] Creating CloudWatch Events policy: %s", input) + _, err := conn.PutPermission(&input) + if err != nil { + return fmt.Errorf("Creating CloudWatch Events policy failed: %w", err) + } + + d.SetId(eventBusName) + + return resourceAwsCloudWatchEventBusPolicyRead(d, meta) +} + +// See also: https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_DescribeEventBus.html +func resourceAwsCloudWatchEventBusPolicyRead(d 
*schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).cloudwatcheventsconn + + eventBusName := d.Id() + + input := events.DescribeEventBusInput{ + Name: aws.String(eventBusName), + } + var output *events.DescribeEventBusOutput + var policy *string + + // Especially with concurrent PutPermission calls there can be a slight delay + err := resource.Retry(iamwaiter.PropagationTimeout, func() *resource.RetryError { + log.Printf("[DEBUG] Reading CloudWatch Events bus: %s", input) + output, err := conn.DescribeEventBus(&input) + if err != nil { + return resource.NonRetryableError(fmt.Errorf("reading CloudWatch Events permission (%s) failed: %w", d.Id(), err)) + } + + policy, err = getEventBusPolicy(output) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + + if isResourceTimeoutError(err) { + output, err = conn.DescribeEventBus(&input) + if output != nil { + policy, err = getEventBusPolicy(output) + } + } + + if isResourceNotFoundError(err) { + log.Printf("[WARN] Policy on {%s} EventBus not found, removing from state", d.Id()) + d.SetId("") + return nil + } + if err != nil { + return fmt.Errorf("error reading policy from CloudWatch EventBus (%s): %w", d.Id(), err) + } + + busName := aws.StringValue(output.Name) + if busName == "" { + busName = tfevents.DefaultEventBusName + } + d.Set("event_bus_name", busName) + + d.Set("policy", policy) + + return nil +} + +func getEventBusPolicy(output *events.DescribeEventBusOutput) (*string, error) { + if output == nil || output.Policy == nil { + return nil, &resource.NotFoundError{ + Message: fmt.Sprintf("Policy for CloudWatch EventBus %s not found", *output.Name), + LastResponse: output, + } + } + + return output.Policy, nil +} + +func resourceAwsCloudWatchEventBusPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).cloudwatcheventsconn + + eventBusName := d.Id() + + input := events.PutPermissionInput{ + EventBusName: aws.String(eventBusName), + 
Policy: aws.String(d.Get("policy").(string)), + } + + log.Printf("[DEBUG] Update CloudWatch EventBus policy: %s", input) + _, err := conn.PutPermission(&input) + if isAWSErr(err, events.ErrCodeResourceNotFoundException, "") { + log.Printf("[WARN] CloudWatch EventBus %q not found, removing from state", d.Id()) + d.SetId("") + return nil + } + if err != nil { + return fmt.Errorf("error updating policy for CloudWatch EventBus (%s): %w", d.Id(), err) + } + + return resourceAwsCloudWatchEventBusPolicyRead(d, meta) +} + +func resourceAwsCloudWatchEventBusPolicyDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).cloudwatcheventsconn + + eventBusName := d.Id() + removeAllPermissions := true + + input := events.RemovePermissionInput{ + EventBusName: aws.String(eventBusName), + RemoveAllPermissions: &removeAllPermissions, + } + + log.Printf("[DEBUG] Delete CloudWatch EventBus Policy: %s", input) + _, err := conn.RemovePermission(&input) + if isAWSErr(err, events.ErrCodeResourceNotFoundException, "") { + return nil + } + if err != nil { + return fmt.Errorf("error deleting policy for CloudWatch EventBus (%s): %w", d.Id(), err) + } + return nil +} diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go new file mode 100644 index 00000000000..fa2229d3658 --- /dev/null +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
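Review bot: `getEventBusPolicy` dereferences `output.Name` while building the not-found message even though the guard it sits in admits `output == nil`, so a nil output (or a nil `Name`) panics instead of returning the `resource.NotFoundError`; handle the nil case first, `if output == nil { return nil, &resource.NotFoundError{Message: "Policy for CloudWatch EventBus not found"} }`, and use `aws.StringValue(output.Name)` in the existing message. The fallback after `isResourceTimeoutError` in `resourceAwsCloudWatchEventBusPolicyRead` has a related gap: aws-sdk-go v1 returns a non-nil output struct alongside an error, so a failed `DescribeEventBus` there is converted by `getEventBusPolicy` into a not-found error and the policy is silently dropped from state while it still exists on the bus; guard that branch with `if err == nil && output != nil`. Minor: `RemoveAllPermissions: &removeAllPermissions` in Delete can be written `aws.Bool(true)` to match the `aws.String` calls around it.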
@@ -0,0 +1,102 @@ +package aws + +import ( + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/aws" + events "github.com/aws/aws-sdk-go/service/cloudwatchevents" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { + resourceName := "aws_cloudwatch_event_bus_policy.test" + rstring := acctest.RandString(5) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccCheckAWSCloudwatchEventBusPolicyExists(pr string) resource.TestCheckFunc { + return func(state *terraform.State) error { + eventBusResource, ok := state.RootModule().Resources[pr] + if !ok { + return fmt.Errorf("Not found: %s", pr) + } + + if eventBusResource.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + eventBusName := eventBusResource.Primary.ID + + input := &events.DescribeEventBusInput{ + Name: aws.String(eventBusName), + } + + cloudWatchEventsConnection := testAccProvider.Meta().(*AWSClient).cloudwatcheventsconn + describedEventBus, err := cloudWatchEventsConnection.DescribeEventBus(input) + + if err != nil { + return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err) + } + if describedEventBus.Policy == nil { + return fmt.Errorf("Not found: %s", pr) + } + + return nil + } +} + +func testAccAWSCloudwatchEventBusPolicyConfig(name string) string { + return fmt.Sprintf(` +resource "aws_cloudwatch_event_bus" "test" { + name = 
%[1]q +} + +data "aws_iam_policy_document" "access" { + statement { + sid = "test-resource-policy" + + effect = "Allow" + + principals { + identifiers = ["ecs.amazonaws.com"] + type = "Service" + } + + actions = [ + "events:PutEvents", + "events:PutRule" + ] + + resources = [ + aws_cloudwatch_event_bus.test.arn, + ] + } +} + +resource "aws_cloudwatch_event_bus_policy" "test" { + policy = data.aws_iam_policy_document.access.json + event_bus_name = aws_cloudwatch_event_bus.test.name +} +`, name) +} From 77d2d67dc7b611d6362cce0d1a83429a2bd4a5cf Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Mon, 21 Dec 2020 14:26:01 +0000 Subject: [PATCH 02/19] wip --- ...esource_aws_cloudwatch_event_bus_policy.go | 22 +++++++++++++++---- ...ce_aws_cloudwatch_event_bus_policy_test.go | 2 +- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy.go b/aws/resource_aws_cloudwatch_event_bus_policy.go index 9b8c859ab70..87e97b8fb08 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy.go @@ -1,6 +1,7 @@ package aws import ( + "encoding/json" "fmt" "log" @@ -19,7 +20,10 @@ func resourceAwsCloudWatchEventBusPolicy() *schema.Resource { Update: resourceAwsCloudWatchEventBusPolicyUpdate, Delete: resourceAwsCloudWatchEventBusPolicyDelete, Importer: &schema.ResourceImporter{ - State: schema.ImportStatePassthrough, + State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + d.Set("event_bus_name", d.Id()) + return []*schema.ResourceData{d}, nil + }, }, Schema: map[string]*schema.Schema{ 
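Review bot: `CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy` in `TestAccAWSCloudwatchEventBusPolicy_basic` verifies that the event bus is gone, which is the companion `aws_cloudwatch_event_bus` resource's teardown, so a `Delete` on this resource that left the resource policy in place would not be noticed as long as the bus itself was removed. A policy-specific destroy check that iterates the `aws_cloudwatch_event_bus_policy` entries in state, calls `DescribeEventBus` for each, and fails when `Policy` is still non-empty would exercise this resource's own `RemovePermission` path; it has to tolerate the bus no longer existing, since the bus is destroyed in the same run. The basic test also sets no `ErrorCheck`, which the other acceptance tests in this provider use to classify region/partition errors.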
@@ -70,12 +74,13 @@ func resourceAwsCloudWatchEventBusPolicyRead(d *schema.ResourceData, meta interf Name: aws.String(eventBusName), } var output *events.DescribeEventBusOutput + var err error var policy *string // Especially with concurrent PutPermission calls there can be a slight delay - err := resource.Retry(iamwaiter.PropagationTimeout, func() *resource.RetryError { + err = resource.Retry(iamwaiter.PropagationTimeout, func() *resource.RetryError { log.Printf("[DEBUG] Reading CloudWatch Events bus: %s", input) - output, err := conn.DescribeEventBus(&input) + output, err = conn.DescribeEventBus(&input) if err != nil { return resource.NonRetryableError(fmt.Errorf("reading CloudWatch Events permission (%s) failed: %w", d.Id(), err)) } @@ -109,7 +114,16 @@ func resourceAwsCloudWatchEventBusPolicyRead(d *schema.ResourceData, meta interf } d.Set("event_bus_name", busName) - d.Set("policy", policy) + log.Printf("[WARN] about to unmarshal json") + policyBytes := []byte(*policy) + log.Printf("[WARN] converted policy into byte array") + var policyObject interface{} + if err := json.Unmarshal(policyBytes, &policyObject); err != nil { + return fmt.Errorf("error parsing json from policy for CloudWatch EventBus (%s): %w", d.Id(), err) + } + marshalled, _ := json.Marshal(policyObject) + log.Printf("[WARN] finished unmarshalling json") + d.Set("policy", string(marshalled)) return nil } diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index fa2229d3658..d609471e15f 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
@@ -58,7 +58,7 @@ func testAccCheckAWSCloudwatchEventBusPolicyExists(pr string) resource.TestCheck if err != nil { return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err) } - if describedEventBus.Policy == nil { + if describedEventBus.Policy == nil || len(*describedEventBus.Policy) == 0 { return fmt.Errorf("Not found: %s", pr) } From 3223e423246549391a23de8c33cf313eb24cc69e Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Tue, 22 Dec 2020 12:19:01 +0000 Subject: [PATCH 03/19] remove the unnecessary json marshal & unmarshal --- aws/resource_aws_cloudwatch_event_bus_policy.go | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy.go b/aws/resource_aws_cloudwatch_event_bus_policy.go index 87e97b8fb08..bc0e34779bf 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy.go @@ -114,16 +114,7 @@ func resourceAwsCloudWatchEventBusPolicyRead(d *schema.ResourceData, meta interf } d.Set("event_bus_name", busName) - log.Printf("[WARN] about to unmarshal json") - policyBytes := []byte(*policy) - log.Printf("[WARN] converted policy into byte array") - var policyObject interface{} - if err := json.Unmarshal(policyBytes, &policyObject); err != nil { - return fmt.Errorf("error parsing json from policy for CloudWatch EventBus (%s): %w", d.Id(), err) - } - marshalled, _ := json.Marshal(policyObject) - log.Printf("[WARN] finished unmarshalling json") - d.Set("policy", string(marshalled)) + d.Set("policy", policy) return nil } From 86a43bf40d98a8d8c30871a5623442a59c33e123 Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Tue, 22 Dec 2020 14:32:37 +0000 Subject: [PATCH 04/19] set up proper validation and equality comparison for the policy --- aws/resource_aws_cloudwatch_event_bus_policy.go | 8 +++++--- aws/resource_aws_cloudwatch_event_bus_policy_test.go | 8 ++------ 2 files changed, 7 insertions(+), 9 deletions(-) 
diff --git a/aws/resource_aws_cloudwatch_event_bus_policy.go b/aws/resource_aws_cloudwatch_event_bus_policy.go index bc0e34779bf..53feea3118a 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy.go @@ -1,7 +1,6 @@ package aws import ( - "encoding/json" "fmt" "log" @@ -9,6 +8,7 @@ import ( events "github.com/aws/aws-sdk-go/service/cloudwatchevents" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" tfevents "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/cloudwatchevents" iamwaiter "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/iam/waiter" ) @@ -35,8 +35,10 @@ func resourceAwsCloudWatchEventBusPolicy() *schema.Resource { Default: tfevents.DefaultEventBusName, }, "policy": { - Type: schema.TypeString, - Required: true, + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringIsJSON, + DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs, }, }, } diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index d609471e15f..8f95810d175 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -74,20 +74,16 @@ resource "aws_cloudwatch_event_bus" "test" { data "aws_iam_policy_document" "access" { statement { - sid = "test-resource-policy" - + sid = "test-resource-policy" effect = "Allow" - principals { identifiers = ["ecs.amazonaws.com"] type = "Service" } - actions = [ "events:PutEvents", "events:PutRule" ] - resources = [ aws_cloudwatch_event_bus.test.arn, ] 
@@ -95,7 +91,7 @@ data "aws_iam_policy_document" "access" { } resource "aws_cloudwatch_event_bus_policy" "test" { - policy = data.aws_iam_policy_document.access.json + policy = data.aws_iam_policy_document.access.json event_bus_name = aws_cloudwatch_event_bus.test.name } `, name) From 770f2f2ff43b9c74f2079a29a120b7eb04d96bf1 Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Tue, 22 Dec 2020 14:44:57 +0000 Subject: [PATCH 05/19] fix linting --- aws/resource_aws_cloudwatch_event_bus_policy_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index 8f95810d175..d607c7fc956 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -74,7 +74,7 @@ resource "aws_cloudwatch_event_bus" "test" { data "aws_iam_policy_document" "access" { statement { - sid = "test-resource-policy" + sid = "test-resource-policy" effect = "Allow" principals { identifiers = ["ecs.amazonaws.com"] From 037e0464daa292ba246546158bfb3f0b91401e2d Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Tue, 22 Dec 2020 14:55:34 +0000 Subject: [PATCH 06/19] add the documentation --- .../cloudwatch_event_bus_policy.html.markdown | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 website/docs/r/cloudwatch_event_bus_policy.html.markdown diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown new file mode 100644 index 00000000000..ed9cd103c73 --- /dev/null +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown 
@@ -0,0 +1,41 @@ +--- +subcategory: "EventBridge (CloudWatch Events)" +layout: "aws" +page_title: "AWS: aws_cloudwatch_event_bus_policy" +description: |- + Provides a resource to create an EventBridge policy to support cross-account events. +--- + +# Resource: aws_cloudwatch_event_permission + +Provides a resource to create an EventBridge resource policy to support cross-account events. + +~> **Note:** EventBridge was formerly known as CloudWatch Events. The functionality is identical. + +~> **Note:** The cloudwatch eventbus policy resource is incompatible with the cloudwatch event permissions resource and will overwrite them. + +## Example Usage + +### Account Access + +```hcl +resource "aws_cloudwatch_event_bus_policy" "test" { + policy = data.aws_iam_policy_document.access.json + event_bus_name = aws_cloudwatch_event_bus.test.name +} +``` + +## Argument Reference + +The following arguments are supported: + +* `policy` - (Required) The text of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy). +* `event_bus_name` - (Optional) The event bus to set the permissions on. If you omit this, the permissions are set on the `default` event bus. + +## Import + +EventBridge permissions can be imported using the `event_bus_name`, e.g. + +```shell +$ terraform import aws_cloudwatch_event_bus_policy.DevAccountAccess example-event-bus +``` From d03d52199471b1ed5bbb78b2485bee5440861616 Mon Sep 17 00:00:00 2001 From: Dan Cohen Date: Sun, 13 Jun 2021 13:35:23 +0100 Subject: [PATCH 07/19] Update aws/resource_aws_cloudwatch_event_bus_policy.go update according to suggestion Co-authored-by: Heitor Lessa --- aws/resource_aws_cloudwatch_event_bus_policy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy.go b/aws/resource_aws_cloudwatch_event_bus_policy.go index 53feea3118a..b618d07d285 100644 
--- a/aws/resource_aws_cloudwatch_event_bus_policy.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy.go @@ -31,7 +31,7 @@ func resourceAwsCloudWatchEventBusPolicy() *schema.Resource { Type: schema.TypeString, Optional: true, ForceNew: true, - ValidateFunc: validateCloudWatchEventBusName, + ValidateFunc: validateCloudWatchEventBusNameOrARN, Default: tfevents.DefaultEventBusName, }, "policy": { From 80a746570bb89485bafa86e16adfbff660d9f21e Mon Sep 17 00:00:00 2001 From: Nayo Akinyele Date: Tue, 15 Jun 2021 12:08:08 +0100 Subject: [PATCH 08/19] Add test for AWSCloudWatchEventBusPolicy_Disappears --- ...ce_aws_cloudwatch_event_bus_policy_test.go | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index d607c7fc956..1bb8c1f0128 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -1,14 +1,17 @@ package aws import ( + // "encoding/json" "fmt" "testing" + // "time" "github.com/aws/aws-sdk-go/aws" events "github.com/aws/aws-sdk-go/service/cloudwatchevents" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + // tfevents "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/cloudwatchevents" ) func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { 
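Review bot: Accepting an ARN in `event_bus_name` via `validateCloudWatchEventBusNameOrARN` conflicts with how the attribute is written back: it is `ForceNew`, `Create` uses the configured value as the resource ID, and `Read` (outside this hunk) overwrites it with `output.Name` from `DescribeEventBus`, which as far as I can tell is the bare bus name, so a configuration that supplies an ARN would see a permanent diff that forces replacement on every plan. Either keep the configured form in `Read` when it refers to the same bus (for example only `d.Set("event_bus_name", busName)` when the current value is not an ARN), or normalize to the bare name in `Create` before `d.SetId`. It is also worth confirming that `PutPermission`'s `EventBusName` accepts an ARN at all; `DescribeEventBus` does, but the resource documentation in this series only describes names. The enclosing `resourceAwsCloudWatchEventBusPolicy` function starts and ends outside the hunk.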
@@ -96,3 +99,25 @@ resource "aws_cloudwatch_event_bus_policy" "test" { } `, name) } + +func TestAccAWSCloudWatchEventBusPolicy_Disappears(t *testing.T) { + resourceName := "aws_cloudwatch_event_bus_policy.test" + busName := acctest.RandomWithPrefix("tf-acc-test-bus") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ErrorCheck: testAccErrorCheck(t, events.EndpointsID), + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSCloudwatchEventBusPolicyConfig(busName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccCheckResourceDisappears(testAccProvider, resourceAwsCloudWatchEventBusPolicy(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} From 42c30754145d2a5a1bfb2a3eb5e765a5e9caa782 Mon Sep 17 00:00:00 2001 From: Nayo Akinyele Date: Tue, 15 Jun 2021 14:47:11 +0100 Subject: [PATCH 09/19] Change order of test execution in AWSCloudWatchEventBusPolicy --- ...ce_aws_cloudwatch_event_bus_policy_test.go | 47 +++++++++---------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index 1bb8c1f0128..32851bb9774 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
@@ -1,17 +1,14 @@ package aws import ( - // "encoding/json" "fmt" "testing" - // "time" "github.com/aws/aws-sdk-go/aws" events "github.com/aws/aws-sdk-go/service/cloudwatchevents" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - // tfevents "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/cloudwatchevents" ) func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { @@ -38,6 +35,28 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { }) } +func TestAccAWSCloudWatchEventBusPolicy_disappears(t *testing.T) { + resourceName := "aws_cloudwatch_event_bus_policy.test" + rstring := acctest.RandString(5) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ErrorCheck: testAccErrorCheck(t, events.EndpointsID), + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccCheckResourceDisappears(testAccProvider, resourceAwsCloudWatchEventBusPolicy(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + func testAccCheckAWSCloudwatchEventBusPolicyExists(pr string) resource.TestCheckFunc { return func(state *terraform.State) error { eventBusResource, ok := state.RootModule().Resources[pr] 
@@ -99,25 +118,3 @@ resource "aws_cloudwatch_event_bus_policy" "test" { } `, name) } - -func TestAccAWSCloudWatchEventBusPolicy_Disappears(t *testing.T) { - resourceName := "aws_cloudwatch_event_bus_policy.test" - busName := acctest.RandomWithPrefix("tf-acc-test-bus") - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ErrorCheck: testAccErrorCheck(t, events.EndpointsID), - Providers: testAccProviders, - CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAWSCloudwatchEventBusPolicyConfig(busName), - Check: resource.ComposeTestCheckFunc( - testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), - testAccCheckResourceDisappears(testAccProvider, resourceAwsCloudWatchEventBusPolicy(), resourceName), - ), - ExpectNonEmptyPlan: true, - }, - }, - }) -} From 33b32a908e8d5bf3e9d25f4a900f396d7ca6994d Mon Sep 17 00:00:00 2001 From: Nayo Akinyele Date: Wed, 16 Jun 2021 14:38:15 +0100 Subject: [PATCH 10/19] Improve cloudwatch_event_bus_policy docs with practical examples --- .../cloudwatch_event_bus_policy.html.markdown | 57 ++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown index ed9cd103c73..150290784bd 100644 --- a/website/docs/r/cloudwatch_event_bus_policy.html.markdown +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown @@ -6,7 +6,7 @@ description: |- Provides a resource to create an EventBridge policy to support cross-account events. --- -# Resource: aws_cloudwatch_event_permission +# Resource: aws_cloudwatch_event_bus_policy Provides a resource to create an EventBridge resource policy to support cross-account events. 
@@ -19,6 +19,61 @@ Provides a resource to create an EventBridge resource policy to support cross-ac ### Account Access ```hcl +data "aws_iam_policy_document" "test" { + statement { + sid = "DevAccountAccess" + effect = "Allow" + actions = [ + "events:PutEvents", + ] + resources = [ + "arn:aws:events:eu-west-1:111111111111:event-bus/default" + ] + + principals { + type = "AWS" + identifiers = ["123456789012"] + } + } +} + +resource "aws_cloudwatch_event_bus_policy" "test" { + policy = data.aws_iam_policy_document.access.json + event_bus_name = aws_cloudwatch_event_bus.test.name +} +``` + +### Organization Access + +```hcl +data "aws_iam_policy_document" "test" { + statement { + sid = "OrganizationAccess" + effect = "Allow" + actions = [ + "events:DescribeRule", + "events:ListRules", + "events:ListTargetsByRule", + "events:ListTagsForResource", + ] + resources = [ + "arn:aws:events:eu-west-1:11111111111111:rule/*", + "arn:aws:events:eu-west-1:111111111111:event-bus/default" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + condition { + test = "StringEquals" + variable = "aws:PrincipalOrgID" + values = aws_organizations_organization.example.id + } + } +} + resource "aws_cloudwatch_event_bus_policy" "test" { policy = data.aws_iam_policy_document.access.json event_bus_name = aws_cloudwatch_event_bus.test.name From f768a0fa80efecbb0e4e937e5628a1737f9fae94 Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Wed, 16 Jun 2021 16:56:19 +0100 Subject: [PATCH 11/19] chek policy consistency on "basic" test. --- ...ce_aws_cloudwatch_event_bus_policy_test.go | 50 ++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index 32851bb9774..1c49b190e81 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
@@ -1,7 +1,9 @@ package aws import ( + "encoding/json" "fmt" + "reflect" "testing" "github.com/aws/aws-sdk-go/aws" @@ -23,7 +25,8 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { { Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccAWSCloudWatchEventBusPolicyDocument(resourceName), + // testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), ), }, { 
@@ -88,6 +91,51 @@ func testAccCheckAWSCloudwatchEventBusPolicyExists(pr string) resource.TestCheck } } +func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFunc { + return func(state *terraform.State) error { + eventBusPolicyResource, ok := state.RootModule().Resources[pr] + if !ok { + return fmt.Errorf("Not found: %s", pr) + } + + if eventBusPolicyResource.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + eventBusName := eventBusPolicyResource.Primary.ID + fmt.Printf("policy from state (struct): %+v\n", eventBusPolicyResource.Primary.Attributes["policy"]) + + var policyFromState map[string]interface{} + err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &policyFromState) + fmt.Printf("policy from state (map): %+v\n", policyFromState) + + input := &events.DescribeEventBusInput{ + Name: aws.String(eventBusName), + } + + cloudWatchEventsConnection := testAccProvider.Meta().(*AWSClient).cloudwatcheventsconn + describedEventBus, err := cloudWatchEventsConnection.DescribeEventBus(input) + + var policyFromSdk map[string]interface{} + err = json.Unmarshal([]byte(*describedEventBus.Policy), &policyFromSdk) + + fmt.Printf("output from SDK: %+v\n", policyFromSdk) + + if err != nil { + return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err) + } + if describedEventBus.Policy == nil || len(*describedEventBus.Policy) == 0 { + return fmt.Errorf("Not found: %s", pr) + } + + if !reflect.DeepEqual(policyFromSdk, policyFromState) { + return fmt.Errorf("Policy on state doesn't match generated policy") + } + + return nil + } +} + func testAccAWSCloudwatchEventBusPolicyConfig(name string) string { return fmt.Sprintf(` resource "aws_cloudwatch_event_bus" "test" { From 9b35502f8c5b3c53c4ea652c67024ec45185ba01 Mon Sep 17 00:00:00 2001 
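Review bot: `testAccAWSCloudWatchEventBusPolicyDocument` dereferences `*describedEventBus.Policy` for `json.Unmarshal` before it checks the `DescribeEventBus` error and before the `Policy == nil` check a few lines further down, so an API failure or a bus without a policy panics the test instead of returning the intended error. The `err` from unmarshalling the state attribute is overwritten by the describe call and never inspected, so a corrupt `policy` attribute would be compared as an empty map and misreported as a mismatch rather than a parse failure. Patch 12's rewrite of the same lines (the `@@ -116,10 +114,8 @@` hunk) keeps this order, so the fix applies there as well. Checking each step before its result is used:
```go
		var policyFromState map[string]interface{}
		if err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &policyFromState); err != nil {
			return fmt.Errorf("parsing policy from state for '%s': %w", pr, err)
		}

		// … unchanged: DescribeEventBusInput and connection setup …

		describedEventBus, err := cloudWatchEventsConnection.DescribeEventBus(input)
		if err != nil {
			return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err)
		}
		if describedEventBus.Policy == nil || len(*describedEventBus.Policy) == 0 {
			return fmt.Errorf("Not found: %s", pr)
		}

		var policyFromSdk map[string]interface{}
		if err := json.Unmarshal([]byte(*describedEventBus.Policy), &policyFromSdk); err != nil {
			return fmt.Errorf("parsing policy returned for '%s': %w", pr, err)
		}

		// … unchanged: reflect.DeepEqual comparison and return …
```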
From: FrancescoFucile-CAZ Date: Wed, 16 Jun 2021 17:08:26 +0100 Subject: [PATCH 12/19] polish "basic" test. --- ...rce_aws_cloudwatch_event_bus_policy_test.go | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index 1c49b190e81..def6b086d39 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -26,7 +26,7 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), Check: resource.ComposeTestCheckFunc( testAccAWSCloudWatchEventBusPolicyDocument(resourceName), - // testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), ), }, { @@ -102,12 +102,10 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun return fmt.Errorf("No ID is set") } - eventBusName := eventBusPolicyResource.Primary.ID - fmt.Printf("policy from state (struct): %+v\n", eventBusPolicyResource.Primary.Attributes["policy"]) - var policyFromState map[string]interface{} err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &policyFromState) - fmt.Printf("policy from state (map): %+v\n", policyFromState) + + eventBusName := eventBusPolicyResource.Primary.ID input := &events.DescribeEventBusInput{ Name: aws.String(eventBusName), 
@@ -116,10 +114,8 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun cloudWatchEventsConnection := testAccProvider.Meta().(*AWSClient).cloudwatcheventsconn describedEventBus, err := cloudWatchEventsConnection.DescribeEventBus(input) - var policyFromSdk map[string]interface{} - err = json.Unmarshal([]byte(*describedEventBus.Policy), &policyFromSdk) - - fmt.Printf("output from SDK: %+v\n", policyFromSdk) + var describedEventBusPolicy map[string]interface{} + err = json.Unmarshal([]byte(*describedEventBus.Policy), &describedEventBusPolicy) if err != nil { return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err) @@ -128,8 +124,8 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun return fmt.Errorf("Not found: %s", pr) } - if !reflect.DeepEqual(policyFromSdk, policyFromState) { - return fmt.Errorf("Policy on state doesn't match generated policy") + if !reflect.DeepEqual(describedEventBusPolicy, policyFromState) { + return fmt.Errorf("CloudWatch Events bus policy mismatch for '%s'", pr) } return nil From d2a7bb3868a75849af9cba30f1d9d665a74f835e Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Thu, 17 Jun 2021 11:46:21 +0100 Subject: [PATCH 13/19] add test for "update". --- ...ce_aws_cloudwatch_event_bus_policy_test.go | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index def6b086d39..d4df55f68bf 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
@@ -38,6 +38,38 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { }) } +func TestAccAWSCloudwatchEventBusPolicy_update(t *testing.T) { + resourceName := "aws_cloudwatch_event_bus_policy.test" + rstring := acctest.RandString(5) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccAWSCloudWatchEventBusPolicyDocument(resourceName), + ), + }, + { + Config: testAccAWSCloudwatchEventBusPolicyConfigUpdated(rstring), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), + testAccAWSCloudWatchEventBusPolicyDocument(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAWSCloudWatchEventBusPolicy_disappears(t *testing.T) { resourceName := "aws_cloudwatch_event_bus_policy.test" rstring := acctest.RandString(5) 
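Review bot: `CheckDestroy` on the new `_update` test is `testAccCheckAWSCloudWatchEventBusDestroy`, which verifies the event bus rather than the policy, so the delete path of `aws_cloudwatch_event_bus_policy` is never asserted; because the bus appears to be created in the same config and is torn down with it, that check passes without exercising the policy resource at all. A policy-specific destroy check that describes the bus, treats a missing bus as destroyed, and fails when `Policy` is still set would cover the resource's own delete. The config helpers referenced here are defined outside this hunk.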
@@ -162,3 +194,47 @@ resource "aws_cloudwatch_event_bus_policy" "test" { } `, name) } + +func testAccAWSCloudwatchEventBusPolicyConfigUpdated(name string) string { + return fmt.Sprintf(` +resource "aws_cloudwatch_event_bus" "test" { + name = %[1]q +} + +data "aws_iam_policy_document" "access" { + statement { + sid = "test-resource-policy-1" + effect = "Allow" + principals { + identifiers = ["ecs.amazonaws.com"] + type = "Service" + } + actions = [ + "events:PutEvents", + ] + resources = [ + aws_cloudwatch_event_bus.test.arn, + ] + } + statement { + sid = "test-resource-policy-2" + effect = "Allow" + principals { + identifiers = ["ecs.amazonaws.com"] + type = "Service" + } + actions = [ + "events:PutRule" + ] + resources = [ + aws_cloudwatch_event_bus.test.arn, + ] + } +} + +resource "aws_cloudwatch_event_bus_policy" "test" { + policy = data.aws_iam_policy_document.access.json + event_bus_name = aws_cloudwatch_event_bus.test.name +} +`, name) +} From d3e9ec01ecc9d34f9d7ebc7447c6a34b3450c0bb Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Thu, 17 Jun 2021 14:34:17 +0100 Subject: [PATCH 14/19] merge "update" test with "basic" test. --- ...ce_aws_cloudwatch_event_bus_policy_test.go | 29 ++----------------- 1 file changed, 2 insertions(+), 27 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index d4df55f68bf..fb4d2dd680c 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go 
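Review bot: The embedded HCL in `testAccAWSCloudwatchEventBusPolicyConfigUpdated` is not `terraform fmt` clean: the second statement's `"events:PutRule"` lacks the trailing comma the first statement uses, and `policy =` / `event_bus_name =` in the resource block are not column-aligned, which a formatting lint on test configs (if the repository runs one) will flag. Write `"events:PutRule",` and align the two attribute assignments so the two configs read consistently.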
@@ -17,31 +17,6 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { resourceName := "aws_cloudwatch_event_bus_policy.test" rstring := acctest.RandString(5) - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), - Check: resource.ComposeTestCheckFunc( - testAccAWSCloudWatchEventBusPolicyDocument(resourceName), - testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAWSCloudwatchEventBusPolicy_update(t *testing.T) { - resourceName := "aws_cloudwatch_event_bus_policy.test" - rstring := acctest.RandString(5) - resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -55,7 +30,7 @@ func TestAccAWSCloudwatchEventBusPolicy_update(t *testing.T) { ), }, { - Config: testAccAWSCloudwatchEventBusPolicyConfigUpdated(rstring), + Config: testAccAWSCloudwatchEventBusPolicyConfigUpdate(rstring), Check: resource.ComposeTestCheckFunc( testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), testAccAWSCloudWatchEventBusPolicyDocument(resourceName), @@ -195,7 +170,7 @@ resource "aws_cloudwatch_event_bus_policy" "test" { `, name) } -func testAccAWSCloudwatchEventBusPolicyConfigUpdated(name string) string { +func testAccAWSCloudwatchEventBusPolicyConfigUpdate(name string) string { return fmt.Sprintf(` resource "aws_cloudwatch_event_bus" "test" { name = %[1]q From 31730bf34b64d0314eb03f2e68740c707abb1562 Mon Sep 17 00:00:00 2001 
From: FrancescoFucile-CAZ Date: Thu, 17 Jun 2021 14:40:45 +0100 Subject: [PATCH 15/19] document example for policy with multiple statements. --- .../cloudwatch_event_bus_policy.html.markdown | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown index 150290784bd..2ba904fda18 100644 --- a/website/docs/r/cloudwatch_event_bus_policy.html.markdown +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown @@ -80,6 +80,60 @@ resource "aws_cloudwatch_event_bus_policy" "test" { } ``` +### Multiple Statements + +```hcl +data "aws_iam_policy_document" "test" { + + statement { + sid = "DevAccountAccess" + effect = "Allow" + actions = [ + "events:PutEvents", + ] + resources = [ + "arn:aws:events:eu-west-1:111111111111:event-bus/default" + ] + + principals { + type = "AWS" + identifiers = ["123456789012"] + } + } + + statement { + sid = "OrganizationAccess" + effect = "Allow" + actions = [ + "events:DescribeRule", + "events:ListRules", + "events:ListTargetsByRule", + "events:ListTagsForResource", + ] + resources = [ + "arn:aws:events:eu-west-1:11111111111111:rule/*", + "arn:aws:events:eu-west-1:111111111111:event-bus/default" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + condition { + test = "StringEquals" + variable = "aws:PrincipalOrgID" + values = aws_organizations_organization.example.id + } + } +} + +resource "aws_cloudwatch_event_bus_policy" "test" { + policy = data.aws_iam_policy_document.access.json + event_bus_name = aws_cloudwatch_event_bus.test.name +} +``` + ## Argument Reference The following arguments are supported: From 9800bb06c1d22ff3d9135038da9208c9ba4c13f0 Mon Sep 17 00:00:00 2001
From: FrancescoFucile-CAZ Date: Thu, 17 Jun 2021 15:08:52 +0100 Subject: [PATCH 16/19] rename "eventBusPolicyResourcePolicyDocument". --- aws/resource_aws_cloudwatch_event_bus_policy_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index fb4d2dd680c..7f3963a10ad 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -109,8 +109,8 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun return fmt.Errorf("No ID is set") } - var policyFromState map[string]interface{} - err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &policyFromState) + var eventBusPolicyResourcePolicyDocument map[string]interface{} + err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &eventBusPolicyResourcePolicyDocument) eventBusName := eventBusPolicyResource.Primary.ID @@ -131,7 +131,7 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun return fmt.Errorf("Not found: %s", pr) } - if !reflect.DeepEqual(describedEventBusPolicy, policyFromState) { + if !reflect.DeepEqual(describedEventBusPolicy, eventBusPolicyResourcePolicyDocument) { return fmt.Errorf("CloudWatch Events bus policy mismatch for '%s'", pr) } From e05b408b3af0f92ad4b6b83a851474a930b3ed71 Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Thu, 17 Jun 2021 18:42:26 +0100 Subject: [PATCH 17/19] Add missing error checks to tests. Enforce consistency for test names. Fix linting for TF configuration defined in tests. Add "attributes reference" paragraph in resource docs. --- ...source_aws_cloudwatch_event_bus_policy_test.go | 15 +++++++++++---- .../r/cloudwatch_event_bus_policy.html.markdown | 10 ++++++++-- 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/aws/resource_aws_cloudwatch_event_bus_policy_test.go b/aws/resource_aws_cloudwatch_event_bus_policy_test.go index 7f3963a10ad..20e26be7641 100644 --- a/aws/resource_aws_cloudwatch_event_bus_policy_test.go +++ b/aws/resource_aws_cloudwatch_event_bus_policy_test.go @@ -19,6 +19,7 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, + ErrorCheck: testAccErrorCheck(t, events.EndpointsID), Providers: testAccProviders, CheckDestroy: testAccCheckAWSCloudWatchEventBusDestroy, Steps: []resource.TestStep{ @@ -26,14 +27,14 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring), Check: resource.ComposeTestCheckFunc( testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), - testAccAWSCloudWatchEventBusPolicyDocument(resourceName), + testAccAWSCloudwatchEventBusPolicyDocument(resourceName), ), }, { Config: testAccAWSCloudwatchEventBusPolicyConfigUpdate(rstring), Check: resource.ComposeTestCheckFunc( testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName), - testAccAWSCloudWatchEventBusPolicyDocument(resourceName), + testAccAWSCloudwatchEventBusPolicyDocument(resourceName), ), }, { @@ -45,7 +46,7 @@ func TestAccAWSCloudwatchEventBusPolicy_basic(t *testing.T) { }) } -func TestAccAWSCloudWatchEventBusPolicy_disappears(t *testing.T) { +func TestAccAWSCloudwatchEventBusPolicy_disappears(t *testing.T) { resourceName := "aws_cloudwatch_event_bus_policy.test" rstring := acctest.RandString(5) @@ -98,7 +99,7 @@ func testAccCheckAWSCloudwatchEventBusPolicyExists(pr string) resource.TestCheck } } -func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFunc { +func testAccAWSCloudwatchEventBusPolicyDocument(pr string) resource.TestCheckFunc { return func(state *terraform.State) error { eventBusPolicyResource, ok := state.RootModule().Resources[pr] if !ok { 
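Review bot: `ErrorCheck: testAccErrorCheck(t, events.EndpointsID)` is added only to `_basic` in the `@@ -19,6 +19,7 @@` hunk; the `_disappears` test renamed in `@@ -45,7 +46,7 @@` gets no corresponding line, and the diffstat (11 insertions, 4 deletions, all accounted for by the visible hunks) confirms it is not added elsewhere, so that test will not skip on the provider's known service-level errors the way `_basic` does. Add the same `ErrorCheck:` line to `_disappears`'s `resource.TestCase`. On naming, the renames to `...CloudwatchEventBusPolicy...` make this file self-consistent but now diverge from the sibling helper `testAccCheckAWSCloudWatchEventBusDestroy` still referenced in the context lines; worth settling on one spelling across the CloudWatch Events test files.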
@@ -111,6 +112,9 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun var eventBusPolicyResourcePolicyDocument map[string]interface{} err := json.Unmarshal([]byte(eventBusPolicyResource.Primary.Attributes["policy"]), &eventBusPolicyResourcePolicyDocument) + if err != nil { + return fmt.Errorf("Parsing CloudWatch Events bus policy for '%s' failed: %w", pr, err) + } eventBusName := eventBusPolicyResource.Primary.ID @@ -120,6 +124,9 @@ func testAccAWSCloudWatchEventBusPolicyDocument(pr string) resource.TestCheckFun cloudWatchEventsConnection := testAccProvider.Meta().(*AWSClient).cloudwatcheventsconn describedEventBus, err := cloudWatchEventsConnection.DescribeEventBus(input) + if err != nil { + return fmt.Errorf("Reading CloudWatch Events bus policy for '%s' failed: %w", pr, err) + } var describedEventBusPolicy map[string]interface{} err = json.Unmarshal([]byte(*describedEventBus.Policy), &describedEventBusPolicy) diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown index 2ba904fda18..d49b0b6aa31 100644 --- a/website/docs/r/cloudwatch_event_bus_policy.html.markdown +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown @@ -84,7 +84,7 @@ resource "aws_cloudwatch_event_bus_policy" "test" { ```hcl data "aws_iam_policy_document" "test" { - + statement { sid = "DevAccountAccess" effect = "Allow" @@ -100,7 +100,7 @@ data "aws_iam_policy_document" "test" { identifiers = ["123456789012"] } } - + statement { sid = "OrganizationAccess" effect = "Allow" 
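Review bot: The new error check after `DescribeEventBus` in the `@@ -120,6 +124,9 @@` hunk still leaves `*describedEventBus.Policy` dereferenced unguarded on the following line; `Policy` is a pointer that can be nil when the bus carries no resource policy, so the check panics instead of returning an error in exactly the case (policy not applied, or already removed) this assertion exists to detect. Add `if describedEventBus.Policy == nil { return fmt.Errorf("CloudWatch Events bus policy for '%s' not found", pr) }` before the Unmarshal. The enclosing check function starts and ends outside this hunk.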
@@ -141,6 +141,12 @@ The following arguments are supported: * `policy` - (Required) The text of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy). * `event_bus_name` - (Optional) The event bus to set the permissions on. If you omit this, the permissions are set on the `default` event bus. +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The name of the EventBrige event bus. + ## Import EventBridge permissions can be imported using the `event_bus_name`, e.g. From 37d6933a739461430eb787558af0c3763ba6cc98 Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Fri, 18 Jun 2021 09:43:03 +0100 Subject: [PATCH 18/19] fix typo in documentation. --- website/docs/r/cloudwatch_event_bus_policy.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown index d49b0b6aa31..8118baae00e 100644 --- a/website/docs/r/cloudwatch_event_bus_policy.html.markdown +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown @@ -145,7 +145,7 @@ The following arguments are supported: In addition to all arguments above, the following attributes are exported: -* `id` - The name of the EventBrige event bus. +* `id` - The name of the EventBridge event bus. ## Import From 01f604ccae82f5f2bf7d0669cd538e0874a442bd Mon Sep 17 00:00:00 2001 From: FrancescoFucile-CAZ Date: Mon, 21 Jun 2021 14:48:25 +0100 Subject: [PATCH 19/19] Fix documentation examples. --- .../cloudwatch_event_bus_policy.html.markdown | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/website/docs/r/cloudwatch_event_bus_policy.html.markdown b/website/docs/r/cloudwatch_event_bus_policy.html.markdown index 8118baae00e..045043f8b89 100644 
--- a/website/docs/r/cloudwatch_event_bus_policy.html.markdown +++ b/website/docs/r/cloudwatch_event_bus_policy.html.markdown @@ -27,7 +27,7 @@ data "aws_iam_policy_document" "test" { "events:PutEvents", ] resources = [ - "arn:aws:events:eu-west-1:111111111111:event-bus/default" + "arn:aws:events:eu-west-1:123456789012:event-bus/default" ] principals { @@ -38,7 +38,7 @@ data "aws_iam_policy_document" "test" { } resource "aws_cloudwatch_event_bus_policy" "test" { - policy = data.aws_iam_policy_document.access.json + policy = data.aws_iam_policy_document.test.json event_bus_name = aws_cloudwatch_event_bus.test.name } ``` @@ -57,8 +57,8 @@ data "aws_iam_policy_document" "test" { "events:ListTagsForResource", ] resources = [ - "arn:aws:events:eu-west-1:11111111111111:rule/*", - "arn:aws:events:eu-west-1:111111111111:event-bus/default" + "arn:aws:events:eu-west-1:123456789012:rule/*", + "arn:aws:events:eu-west-1:123456789012:event-bus/default" ] principals { @@ -75,7 +75,7 @@ data "aws_iam_policy_document" "test" { } resource "aws_cloudwatch_event_bus_policy" "test" { - policy = data.aws_iam_policy_document.access.json + policy = data.aws_iam_policy_document.test.json event_bus_name = aws_cloudwatch_event_bus.test.name } ``` @@ -92,7 +92,7 @@ data "aws_iam_policy_document" "test" { "events:PutEvents", ] resources = [ - "arn:aws:events:eu-west-1:111111111111:event-bus/default" + "arn:aws:events:eu-west-1:123456789012:event-bus/default" ] principals { @@ -111,8 +111,8 @@ data "aws_iam_policy_document" "test" { "events:ListTagsForResource", ] resources = [ - "arn:aws:events:eu-west-1:11111111111111:rule/*", - "arn:aws:events:eu-west-1:111111111111:event-bus/default" + "arn:aws:events:eu-west-1:123456789012:rule/*", + "arn:aws:events:eu-west-1:123456789012:event-bus/default" ] principals { 
@@ -129,7 +129,7 @@ data "aws_iam_policy_document" "test" { } resource "aws_cloudwatch_event_bus_policy" "test" { - policy = data.aws_iam_policy_document.access.json + policy = data.aws_iam_policy_document.test.json event_bus_name = aws_cloudwatch_event_bus.test.name } ```