set auditconfigs in state for iam policy resources (#4447)

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Sep 13, 2019 · f491302 · f491302
1 parent 5c2c12f
commit f491302
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 59 deletions.
diff --git a/google/resource_google_folder_iam_policy_test.go b/google/resource_google_folder_iam_policy_test.go
@@ -2,7 +2,6 @@ package google
 
 import (
 	"fmt"
-	"reflect"
 	"testing"
 
 	"github.com/hashicorp/terraform/helper/acctest"
@@ -18,45 +17,50 @@ func TestAccFolderIamPolicy_basic(t *testing.T) {
 	org := getTestOrgFromEnv(t)
 	parent := "organizations/" + org
 
-	policy1 := &resourceManagerV2Beta1.Policy{
-		Bindings: []*resourceManagerV2Beta1.Binding{
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGoogleFolderIamPolicyDestroy,
+		Steps: []resource.TestStep{
 			{
-				Role: "roles/viewer",
-				Members: []string{
-					"user:[email protected]",
-				},
+				Config: testAccFolderIamPolicy_basic(folderDisplayName, parent, "roles/viewer", "user:[email protected]"),
 			},
-		},
-	}
-	policy2 := &resourceManagerV2Beta1.Policy{
-		Bindings: []*resourceManagerV2Beta1.Binding{
 			{
-				Role: "roles/editor",
-				Members: []string{
-					"user:[email protected]",
-				},
+				ResourceName:      "google_folder_iam_policy.test",
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 			{
-				Role: "roles/viewer",
-				Members: []string{
-					"user:[email protected]",
-				},
+				Config: testAccFolderIamPolicy_basic2(folderDisplayName, parent, "roles/editor", "user:[email protected]", "roles/viewer", "user:[email protected]"),
+			},
+			{
+				ResourceName:      "google_folder_iam_policy.test",
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 		},
-	}
+	})
+}
+
+func TestAccFolderIamPolicy_auditConfigs(t *testing.T) {
+	t.Parallel()
+
+	folderDisplayName := "tf-test-" + acctest.RandString(10)
+	org := getTestOrgFromEnv(t)
+	parent := "organizations/" + org
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckGoogleFolderIamPolicyDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccFolderIamPolicy_basic(folderDisplayName, parent, "roles/viewer", "user:[email protected]"),
-				Check:  testAccCheckGoogleFolderIamPolicy("google_folder_iam_policy.test", policy1),
+				Config: testAccFolderIamPolicy_auditConfigs(folderDisplayName, parent, "roles/viewer", "user:[email protected]"),
 			},
 			{
-				Config: testAccFolderIamPolicy_basic2(folderDisplayName, parent, "roles/editor", "user:[email protected]", "roles/viewer", "user:[email protected]"),
-				Check:  testAccCheckGoogleFolderIamPolicy("google_folder_iam_policy.test", policy2),
+				ResourceName:      "google_folder_iam_policy.test",
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 		},
 	})
@@ -80,40 +84,6 @@ func testAccCheckGoogleFolderIamPolicyDestroy(s *terraform.State) error {
 	return nil
 }
 
-func testAccCheckGoogleFolderIamPolicy(n string, policy *resourceManagerV2Beta1.Policy) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		rs, ok := s.RootModule().Resources[n]
-		if !ok {
-			return fmt.Errorf("Not found: %s", n)
-		}
-
-		if rs.Primary.ID == "" {
-			return fmt.Errorf("No ID is set")
-		}
-
-		config := testAccProvider.Meta().(*Config)
-
-		p, err := config.clientResourceManagerV2Beta1.Folders.GetIamPolicy(rs.Primary.ID, &resourceManagerV2Beta1.GetIamPolicyRequest{}).Do()
-		if err != nil {
-			return err
-		}
-
-		if !reflect.DeepEqual(p.Bindings, policy.Bindings) {
-			return fmt.Errorf("Incorrect iam policy bindings. Expected '%v', got '%v'", policy.Bindings, p.Bindings)
-		}
-
-		if _, ok = rs.Primary.Attributes["etag"]; !ok {
-			return fmt.Errorf("Etag should be set.")
-		}
-
-		if rs.Primary.Attributes["etag"] != p.Etag {
-			return fmt.Errorf("Incorrect etag value. Expected '%s', got '%s'", p.Etag, rs.Primary.Attributes["etag"])
-		}
-
-		return nil
-	}
-}
-
 // Confirm that a folder has an IAM policy with at least 1 binding
 func testAccFolderExistingPolicy(org, fname string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -176,3 +146,46 @@ resource "google_folder_iam_policy" "test" {
 }
 `, folder, parent, role, member, role2, member2)
 }
+
+func testAccFolderIamPolicy_auditConfigs(folder, parent, role, member string) string {
+	return fmt.Sprintf(`
+resource "google_folder" "permissiontest" {
+  display_name = "%s"
+  parent = "%s"
+}
+
+data "google_iam_policy" "test" {
+  binding {
+    role = "%s"
+    members = ["%s"]
+  }
+  audit_config {
+    service = "cloudkms.googleapis.com"
+    audit_log_configs {
+      log_type = "DATA_READ"
+      exempted_members = ["%s"]
+    }
+
+    audit_log_configs {
+      log_type = "DATA_WRITE"
+    }
+  }
+  audit_config {
+    service = "cloudsql.googleapis.com"
+    audit_log_configs {
+      log_type = "DATA_READ"
+      exempted_members = ["%s"]
+    }
+
+    audit_log_configs {
+      log_type = "DATA_WRITE"
+    }
+  }
+}
+
+resource "google_folder_iam_policy" "test" {
+  folder = "${google_folder.permissiontest.name}"
+  policy_data = "${data.google_iam_policy.test.policy_data}"
+}
+`, folder, parent, role, member, member, member)
+}
diff --git a/google/resource_iam_policy.go b/google/resource_iam_policy.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
 
@@ -139,7 +140,8 @@ func setIamPolicyData(d *schema.ResourceData, updater ResourceIamUpdater) error
 
 func marshalIamPolicy(policy *cloudresourcemanager.Policy) string {
 	pdBytes, _ := json.Marshal(&cloudresourcemanager.Policy{
-		Bindings: policy.Bindings,
+		AuditConfigs: policy.AuditConfigs,
+		Bindings:     policy.Bindings,
 	})
 	return string(pdBytes)
 }