diff --git a/google/resource_google_folder_iam_policy_test.go b/google/resource_google_folder_iam_policy_test.go index 38d7311288b..e6da63abffd 100644 --- a/google/resource_google_folder_iam_policy_test.go +++ b/google/resource_google_folder_iam_policy_test.go @@ -2,7 +2,6 @@ package google import ( "fmt" - "reflect" "testing" "github.com/hashicorp/terraform/helper/acctest" @@ -18,32 +17,37 @@ func TestAccFolderIamPolicy_basic(t *testing.T) { org := getTestOrgFromEnv(t) parent := "organizations/" + org - policy1 := &resourceManagerV2Beta1.Policy{ - Bindings: []*resourceManagerV2Beta1.Binding{ + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderIamPolicyDestroy, + Steps: []resource.TestStep{ { - Role: "roles/viewer", - Members: []string{ - "user:admin@hashicorptest.com", - }, + Config: testAccFolderIamPolicy_basic(folderDisplayName, parent, "roles/viewer", "user:admin@hashicorptest.com"), }, - }, - } - policy2 := &resourceManagerV2Beta1.Policy{ - Bindings: []*resourceManagerV2Beta1.Binding{ { - Role: "roles/editor", - Members: []string{ - "user:admin@hashicorptest.com", - }, + ResourceName: "google_folder_iam_policy.test", + ImportState: true, + ImportStateVerify: true, }, { - Role: "roles/viewer", - Members: []string{ - "user:admin@hashicorptest.com", - }, + Config: testAccFolderIamPolicy_basic2(folderDisplayName, parent, "roles/editor", "user:admin@hashicorptest.com", "roles/viewer", "user:admin@hashicorptest.com"), + }, + { + ResourceName: "google_folder_iam_policy.test", + ImportState: true, + ImportStateVerify: true, }, }, - } + }) +} + +func TestAccFolderIamPolicy_auditConfigs(t *testing.T) { + t.Parallel() + + folderDisplayName := "tf-test-" + acctest.RandString(10) + org := getTestOrgFromEnv(t) + parent := "organizations/" + org resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -51,12 +55,12 @@ func TestAccFolderIamPolicy_basic(t *testing.T) { CheckDestroy: testAccCheckGoogleFolderIamPolicyDestroy, Steps: []resource.TestStep{ { - Config: testAccFolderIamPolicy_basic(folderDisplayName, parent, "roles/viewer", "user:admin@hashicorptest.com"), - Check: testAccCheckGoogleFolderIamPolicy("google_folder_iam_policy.test", policy1), + Config: testAccFolderIamPolicy_auditConfigs(folderDisplayName, parent, "roles/viewer", "user:admin@hashicorptest.com"), }, { - Config: testAccFolderIamPolicy_basic2(folderDisplayName, parent, "roles/editor", "user:admin@hashicorptest.com", "roles/viewer", "user:admin@hashicorptest.com"), - Check: testAccCheckGoogleFolderIamPolicy("google_folder_iam_policy.test", policy2), + ResourceName: "google_folder_iam_policy.test", + ImportState: true, + ImportStateVerify: true, }, }, }) @@ -80,40 +84,6 @@ func testAccCheckGoogleFolderIamPolicyDestroy(s *terraform.State) error { return nil } -func testAccCheckGoogleFolderIamPolicy(n string, policy *resourceManagerV2Beta1.Policy) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[n] - if !ok { - return fmt.Errorf("Not found: %s", n) - } - - if rs.Primary.ID == "" { - return fmt.Errorf("No ID is set") - } - - config := testAccProvider.Meta().(*Config) - - p, err := config.clientResourceManagerV2Beta1.Folders.GetIamPolicy(rs.Primary.ID, &resourceManagerV2Beta1.GetIamPolicyRequest{}).Do() - if err != nil { - return err - } - - if !reflect.DeepEqual(p.Bindings, policy.Bindings) { - return fmt.Errorf("Incorrect iam policy bindings. Expected '%v', got '%v'", policy.Bindings, p.Bindings) - } - - if _, ok = rs.Primary.Attributes["etag"]; !ok { - return fmt.Errorf("Etag should be set.") - } - - if rs.Primary.Attributes["etag"] != p.Etag { - return fmt.Errorf("Incorrect etag value. Expected '%s', got '%s'", p.Etag, rs.Primary.Attributes["etag"]) - } - - return nil - } -} - // Confirm that a folder has an IAM policy with at least 1 binding func testAccFolderExistingPolicy(org, fname string) resource.TestCheckFunc { return func(s *terraform.State) error { @@ -176,3 +146,46 @@ resource "google_folder_iam_policy" "test" { } `, folder, parent, role, member, role2, member2) } + +func testAccFolderIamPolicy_auditConfigs(folder, parent, role, member string) string { + return fmt.Sprintf(` +resource "google_folder" "permissiontest" { + display_name = "%s" + parent = "%s" +} + +data "google_iam_policy" "test" { + binding { + role = "%s" + members = ["%s"] + } + audit_config { + service = "cloudkms.googleapis.com" + audit_log_configs { + log_type = "DATA_READ" + exempted_members = ["%s"] + } + + audit_log_configs { + log_type = "DATA_WRITE" + } + } + audit_config { + service = "cloudsql.googleapis.com" + audit_log_configs { + log_type = "DATA_READ" + exempted_members = ["%s"] + } + + audit_log_configs { + log_type = "DATA_WRITE" + } + } +} + +resource "google_folder_iam_policy" "test" { + folder = "${google_folder.permissiontest.name}" + policy_data = "${data.google_iam_policy.test.policy_data}" +} +`, folder, parent, role, member, member, member) +} diff --git a/google/resource_iam_policy.go b/google/resource_iam_policy.go index 8d985d15372..b294e9fc22e 100644 --- a/google/resource_iam_policy.go +++ b/google/resource_iam_policy.go @@ -6,6 +6,7 @@ import ( "encoding/json" "errors" "fmt" + "google.golang.org/api/cloudresourcemanager/v1" ) @@ -139,7 +140,8 @@ func setIamPolicyData(d *schema.ResourceData, updater ResourceIamUpdater) error func marshalIamPolicy(policy *cloudresourcemanager.Policy) string { pdBytes, _ := json.Marshal(&cloudresourcemanager.Policy{ - Bindings: policy.Bindings, + AuditConfigs: policy.AuditConfigs, + Bindings: policy.Bindings, }) return string(pdBytes) }