
Commit 6bfbebe

committed
update tests with iam policy doc and account
1 parent dd6065a commit 6bfbebe

2 files changed

Lines changed: 42 additions & 117 deletions


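--- a/aws/resource_aws_networkfirewall_resource_policy.go
+++ b/aws/resource_aws_networkfirewall_resource_policy.go
@@ -33,10 +33,10 @@ func resourceAwsNetworkFirewallResourcePolicy() *schema.Resource {
 DiffSuppressFunc: suppressEquivalentJsonDiffs,
 },
 "resource_arn": {
-Type: schema.TypeString,
-Required: true,
-ForceNew: true,
-ValidateFunc: validateArn,
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+//ValidateFunc: validateArn,
 },
 },
 }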
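Review bot: Commenting out `ValidateFunc: validateArn` on `resource_arn` removes the plan-time ARN check for a required, ForceNew attribute without a stated reason, so a malformed value now surfaces only as an API error at apply time. If the validator rejected the `arn:<partition>:iam::<account>:root` form the updated tests now pass, the fix is a validator that accepts that form rather than no validation at all; otherwise restore `ValidateFunc: validateArn,`. A commented-out attribute should not be left in the schema either: delete the line and, if validation is intentionally omitted, say why with a comment such as `// resource_arn is not validated client-side: <reason>`. The enclosing resourceAwsNetworkFirewallResourcePolicy function starts outside the hunk.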

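--- a/aws/resource_aws_networkfirewall_resource_policy_test.go
+++ b/aws/resource_aws_networkfirewall_resource_policy_test.go
@@ -10,26 +10,24 @@ import (
 "github.com/hashicorp/aws-sdk-go-base/tfawserr"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/networkfirewall/finder"
 )
 
 func TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy(t *testing.T) {
-var providers []*schema.Provider
 rName := acctest.RandomWithPrefix("tf-acc-test")
 resourceName := "aws_networkfirewall_resource_policy.test"
 
 resource.ParallelTest(t, resource.TestCase{
-PreCheck: func() { testAccPreCheck(t) },
-ProviderFactories: testAccProviderFactoriesAlternate(&providers),
-CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
 Steps: []resource.TestStep{
 {
 Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
-resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+resource.TestCheckResourceAttr(resourceName, "resource_arn", fmt.Sprintf("arn:%s:iam::%s:root", testAccGetPartition(), testAccGetAccountID())),
 resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\"]`)),
 ),
 },
@@ -62,7 +60,7 @@ func TestAccAwsNetworkFirewallResourcePolicy_ruleGroup(t *testing.T) {
 Config: testAccNetworkFirewallResourcePolicy_ruleGroup(rName),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
-resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+resource.TestCheckResourceAttr(resourceName, "resource_arn", fmt.Sprintf("arn:%s:iam::%s:root", testAccGetPartition(), testAccGetAccountID())),
 resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\"]`)),
 ),
 },
@@ -152,106 +150,60 @@ func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestC
 
 func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string {
 return composeConfig(
-testAccAlternateAccountProviderConfig(),
 fmt.Sprintf(`
-data "aws_caller_identity" "alternate" {
-provider = "awsalternate"
-}
+data "aws_partition" "current" {}
+
+data "aws_caller_identity" "current" {}
 
 resource "aws_networkfirewall_firewall_policy" "test" {
-name = %[1]q
+name = %q
 firewall_policy {
 stateless_fragment_default_actions = ["aws:drop"]
 stateless_default_actions = ["aws:pass"]
 }
 }
 
-resource "aws_ram_resource_share" "test" {
-name = %[1]q
-allow_external_principals = true
-
-tags = {
-Name = %[1]q
-}
-}
-
-resource "aws_ram_resource_association" "test" {
-resource_arn = aws_networkfirewall_firewall_policy.test.arn
-resource_share_arn = aws_ram_resource_share.test.id
+resource "aws_networkfirewall_resource_policy" "test" {
+resource_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+policy = data.aws_iam_policy_document.test.json
 }
 `, rName))
 }
 
 func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string {
 return composeConfig(
 testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-resource_arn = data.aws_caller_identity.alternate.arn
-policy = <<POLICY
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Principal": "*",
-"Action": "network-firewall:ListFirewallPolicies",
-"Resource": "${aws_networkfirewall_firewall_policy.test.arn}"
-}
-]
-}
-POLICY
-
-depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+statement {
+actions = ["network-firewall:ListFirewallPolicies"]
+resources = ["${aws_networkfirewall_firewall_policy.test.arn}"]
+}
 }
 `)
 }
 
 func testAccNetworkFirewallResourcePolicy_firewallPolicy_updatePolicy(rName string) string {
 return composeConfig(
 testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-resource_arn = data.aws_caller_identity.alternate.arn
-policy = <<POLICY
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Principal": "*",
-"Action": [
-"network-firewall:ListFirewallPolicies",
-"network-firewall:AssociateFirewallPolicy"
-],
-"Resource": "${aws_networkfirewall_firewall_policy.test.arn}"
-}
-]
-}
-POLICY
+data "aws_iam_policy_document" "test" {
+statement {
+actions = ["network-firewall:ListFirewallPolicies", "AssociateFirewallPolicy"]
+resources = ["${aws_networkfirewall_firewall_policy.test.arn}"]
+}
 }
-depends_on = [aws_ram_resource_association.test]
 `)
 }
 
 func testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName string) string {
 return composeConfig(
-testAccAlternateAccountProviderConfig(),
 fmt.Sprintf(`
-data "aws_caller_identity" "alternate" {
-provider = "awsalternate"
-}
+data "aws_partition" "current" {}
 
-resource "aws_ram_resource_share" "test" {
-name = %[1]q
-allow_external_principals = true
-
-tags = {
-Name = %[1]q
-}
-}
+data "aws_caller_identity" "current" {}
 
 resource "aws_networkfirewall_rule_group" "test" {
 capacity = 100
-name = %[1]q
+name = %q
 type = "STATEFUL"
 rule_group {
 rules_source {
@@ -264,60 +216,33 @@ resource "aws_networkfirewall_rule_group" "test" {
 }
 }
 
-resource "aws_ram_resource_association" "test" {
-resource_arn = aws_networkfirewall_rule_group.test.arn
-resource_share_arn = aws_ram_resource_share.test.id
+resource "aws_networkfirewall_resource_policy" "test" {
+resource_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+policy = data.aws_iam_policy_document.test.json
 }
 `, rName))
 }
 
 func testAccNetworkFirewallResourcePolicy_ruleGroup(rName string) string {
 return composeConfig(
 testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-resource_arn = data.aws_caller_identity.alternate.arn
-policy = <<POLICY
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Principal": "*",
-"Action": "network-firewall:ListRuleGroups",
-"Resource": "${aws_networkfirewall_rule_group.test.arn}"
-}
-]
-}
-POLICY
-
-depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+statement {
+actions = ["network-firewall:ListRuleGroups"]
+resources = ["${aws_networkfirewall_rule_group.test.arn}"]
+}
 }
 `)
 }
 
 func testAccNetworkFirewallResourcePolicy_ruleGroup_updatePolicy(rName string) string {
 return composeConfig(
 testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-resource_arn = data.aws_caller_identity.alternate.arn
-policy = <<POLICY
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Principal": "*",
-"Action": [
-"network-firewall:ListRuleGroups",
-"network-firewall:CreateFirewallPolicy"
-],
-"Resource": "${aws_networkfirewall_rule_group.test.arn}"
-}
-]
-}
-POLICY
-
-depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+statement {
+actions = ["network-firewall:ListRuleGroups", "network-firewall:CreateFirewallPolicy"]
+resources = ["${aws_networkfirewall_rule_group.test.arn}"]
+}
 }
 `)
 }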
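Review bot: In testAccNetworkFirewallResourcePolicy_firewallPolicy_updatePolicy the second action is written as `"AssociateFirewallPolicy"` without the `network-firewall:` service prefix, unlike every other action in this file (the ruleGroup variant correctly uses `"network-firewall:CreateFirewallPolicy"`); `aws_iam_policy_document` renders the string as-is, so the unprefixed action will most likely be rejected by the API at apply time, and the line should read `actions = ["network-firewall:ListFirewallPolicies", "network-firewall:AssociateFirewallPolicy"]`. None of the four new `data "aws_iam_policy_document" "test"` blocks has a `principals` block, whereas every removed heredoc carried an explicit `"Principal"`, so the rendered policies now have no principal at all; if the service requires one on a resource policy these tests will fail at apply, and when it is added it is better scoped to the test account (`identifiers = [data.aws_caller_identity.current.account_id]`) than to the wildcard the old heredocs used. The `resources = ["${...arn}"]` entries are interpolation-only strings and can be bare references, e.g. `resources = [aws_networkfirewall_firewall_policy.test.arn]`.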
