forked from aliyun/terraform-provider-alicloud
-
Notifications
You must be signed in to change notification settings - Fork 0
/
resource_alicloud_ram_group.go
193 lines (171 loc) · 5.65 KB
/
resource_alicloud_ram_group.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
package alicloud
import (
"fmt"
"time"
"github.com/denverdino/aliyungo/ram"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
"github.com/terraform-providers/terraform-provider-alicloud/alicloud/connectivity"
)
func resourceAlicloudRamGroup() *schema.Resource {
return &schema.Resource{
Create: resourceAlicloudRamGroupCreate,
Read: resourceAlicloudRamGroupRead,
Update: resourceAlicloudRamGroupUpdate,
Delete: resourceAlicloudRamGroupDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
Schema: map[string]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
ValidateFunc: validateRamGroupName,
},
"comments": &schema.Schema{
Type: schema.TypeString,
Optional: true,
ValidateFunc: validateComment,
},
"force": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: false,
},
},
}
}
func resourceAlicloudRamGroupCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*connectivity.AliyunClient)
args := ram.GroupRequest{
Group: ram.Group{
GroupName: d.Get("name").(string),
},
}
raw, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.CreateGroup(args)
})
if err != nil {
return fmt.Errorf("CreateGroup got an error: %#v", err)
}
response, _ := raw.(ram.GroupResponse)
d.SetId(response.Group.GroupName)
return resourceAlicloudRamGroupUpdate(d, meta)
}
func resourceAlicloudRamGroupUpdate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*connectivity.AliyunClient)
d.Partial(true)
args := ram.GroupUpdateRequest{
GroupName: d.Id(),
}
attributeUpdate := false
if d.HasChange("name") && !d.IsNewResource() {
ov, nv := d.GetChange("name")
args.GroupName = ov.(string)
args.NewGroupName = nv.(string)
d.SetPartial("name")
attributeUpdate = true
}
if d.HasChange("comments") {
d.SetPartial("comments")
args.NewComments = d.Get("comments").(string)
attributeUpdate = true
}
if attributeUpdate {
_, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.UpdateGroup(args)
})
if err != nil {
return fmt.Errorf("UpdateGroup got an error: %v", err)
}
}
d.Partial(false)
return resourceAlicloudRamGroupRead(d, meta)
}
func resourceAlicloudRamGroupRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*connectivity.AliyunClient)
args := ram.GroupQueryRequest{
GroupName: d.Id(),
}
raw, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.GetGroup(args)
})
if err != nil {
if RamEntityNotExist(err) {
d.SetId("")
}
return fmt.Errorf("GetGroup got an error: %#v", err)
}
response, _ := raw.(ram.GroupResponse)
group := response.Group
d.Set("name", group.GroupName)
d.Set("comments", group.Comments)
return nil
}
func resourceAlicloudRamGroupDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*connectivity.AliyunClient)
args := ram.GroupQueryRequest{
GroupName: d.Id(),
}
if d.Get("force").(bool) {
// list and delete users which in this group
raw, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.ListUsersForGroup(args)
})
if err != nil {
return fmt.Errorf("Error while listing users for group %s: %#v", d.Id(), err)
}
listUserResp, _ := raw.(ram.ListUserResponse)
users := listUserResp.Users.User
if len(users) > 0 {
for _, v := range users {
_, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.RemoveUserFromGroup(ram.UserRelateGroupRequest{
UserName: v.UserName,
GroupName: args.GroupName,
})
})
if err != nil && !RamEntityNotExist(err) {
return fmt.Errorf("Error while deleting user %s from group %s: %#v", v.UserName, d.Id(), err)
}
}
}
// list and detach policies which attach this group
raw, err = client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.ListPoliciesForGroup(args)
})
if err != nil {
return fmt.Errorf("Error while listing policies for group %s: %#v", d.Id(), err)
}
listPolicyResp, _ := raw.(ram.PolicyListResponse)
policies := listPolicyResp.Policies.Policy
if len(policies) > 0 {
for _, v := range policies {
_, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.DetachPolicyFromGroup(ram.AttachPolicyToGroupRequest{
PolicyRequest: ram.PolicyRequest{
PolicyType: ram.Type(v.PolicyType),
PolicyName: v.PolicyName,
},
GroupName: args.GroupName,
})
})
if err != nil && !RamEntityNotExist(err) {
return fmt.Errorf("Error while detaching policy %s from group %s: %#v", v.PolicyName, d.Id(), err)
}
}
}
}
return resource.Retry(5*time.Minute, func() *resource.RetryError {
_, err := client.WithRamClient(func(ramClient ram.RamClientInterface) (interface{}, error) {
return ramClient.DeleteGroup(args)
})
if err != nil {
if IsExceptedError(err, DeleteConflictGroupUser) || IsExceptedError(err, DeleteConflictGroupPolicy) {
return resource.RetryableError(fmt.Errorf("The group can not has any user member or any attached policy while deleting the group.- you can set force with true to force delete the group."))
}
return resource.NonRetryableError(fmt.Errorf("Error deleting group %s: %#v, you can set force with true to force delete the group.", d.Id(), err))
}
return nil
})
}