forked from hashicorp/terraform
/
resource_aws_iam_role_policy.go
110 lines (89 loc) · 2.75 KB
/
resource_aws_iam_role_policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package aws
import (
"fmt"
"net/url"
"strings"
"github.com/awslabs/aws-sdk-go/aws"
"github.com/awslabs/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsIamRolePolicy() *schema.Resource {
return &schema.Resource{
// PutRolePolicy API is idempotent, so these can be the same.
Create: resourceAwsIamRolePolicyPut,
Update: resourceAwsIamRolePolicyPut,
Read: resourceAwsIamRolePolicyRead,
Delete: resourceAwsIamRolePolicyDelete,
Schema: map[string]*schema.Schema{
"policy": &schema.Schema{
Type: schema.TypeString,
Required: true,
},
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"role": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
}
}
func resourceAwsIamRolePolicyPut(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
request := &iam.PutRolePolicyInput{
RoleName: aws.String(d.Get("role").(string)),
PolicyName: aws.String(d.Get("name").(string)),
PolicyDocument: aws.String(d.Get("policy").(string)),
}
if _, err := iamconn.PutRolePolicy(request); err != nil {
return fmt.Errorf("Error putting IAM role policy %s: %s", *request.PolicyName, err)
}
d.SetId(fmt.Sprintf("%s:%s", *request.RoleName, *request.PolicyName))
return nil
}
func resourceAwsIamRolePolicyRead(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
role, name := resourceAwsIamRolePolicyParseId(d.Id())
request := &iam.GetRolePolicyInput{
PolicyName: aws.String(name),
RoleName: aws.String(role),
}
getResp, err := iamconn.GetRolePolicy(request)
if err != nil {
if iamerr, ok := err.(aws.APIError); ok && iamerr.Code == "NoSuchEntity" { // XXX test me
d.SetId("")
return nil
}
return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err)
}
if getResp.PolicyDocument == nil {
return fmt.Errorf("GetRolePolicy returned a nil policy document")
}
policy, err := url.QueryUnescape(*getResp.PolicyDocument)
if err != nil {
return err
}
return d.Set("policy", policy)
}
func resourceAwsIamRolePolicyDelete(d *schema.ResourceData, meta interface{}) error {
iamconn := meta.(*AWSClient).iamconn
role, name := resourceAwsIamRolePolicyParseId(d.Id())
request := &iam.DeleteRolePolicyInput{
PolicyName: aws.String(name),
RoleName: aws.String(role),
}
if _, err := iamconn.DeleteRolePolicy(request); err != nil {
return fmt.Errorf("Error deleting IAM role policy %s: %s", d.Id(), err)
}
return nil
}
func resourceAwsIamRolePolicyParseId(id string) (roleName, policyName string) {
parts := strings.SplitN(id, ":", 2)
roleName = parts[0]
policyName = parts[1]
return
}