update tests with iam policy doc and account

hashicorp · Nov 21, 2020 · 6bfbebe · 6bfbebe
1 parent dd6065a
commit 6bfbebe
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 117 deletions.
diff --git a/aws/resource_aws_networkfirewall_resource_policy.go b/aws/resource_aws_networkfirewall_resource_policy.go
@@ -33,10 +33,10 @@ func resourceAwsNetworkFirewallResourcePolicy() *schema.Resource {
 				DiffSuppressFunc: suppressEquivalentJsonDiffs,
 			},
 			"resource_arn": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ForceNew:     true,
-				ValidateFunc: validateArn,
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+				//ValidateFunc: validateArn,
 			},
 		},
 	}

diff --git a/aws/resource_aws_networkfirewall_resource_policy_test.go b/aws/resource_aws_networkfirewall_resource_policy_test.go
@@ -10,26 +10,24 @@ import (
 	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/networkfirewall/finder"
 )
 
 func TestAccAwsNetworkFirewallResourcePolicy_firewallPolicy(t *testing.T) {
-	var providers []*schema.Provider
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 	resourceName := "aws_networkfirewall_resource_policy.test"
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:          func() { testAccPreCheck(t) },
-		ProviderFactories: testAccProviderFactoriesAlternate(&providers),
-		CheckDestroy:      testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsNetworkFirewallResourcePolicyDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccNetworkFirewallResourcePolicy_firewallPolicy(rName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
-					resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+					resource.TestCheckResourceAttr(resourceName, "resource_arn", fmt.Sprintf("arn:%s:iam::%s:root", testAccGetPartition(), testAccGetAccountID())),
 					resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListFirewallPolicies\"]`)),
 				),
 			},
@@ -62,7 +60,7 @@ func TestAccAwsNetworkFirewallResourcePolicy_ruleGroup(t *testing.T) {
 				Config: testAccNetworkFirewallResourcePolicy_ruleGroup(rName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAwsNetworkFirewallResourcePolicyExists(resourceName),
-					resource.TestCheckResourceAttrPair(resourceName, "resource_arn", "aws_iam_user.test", "arn"),
+					resource.TestCheckResourceAttr(resourceName, "resource_arn", fmt.Sprintf("arn:%s:iam::%s:root", testAccGetPartition(), testAccGetAccountID())),
 					resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`\"Action\":[\"network\-firewall:ListRuleGroups\"]`)),
 				),
 			},
@@ -152,106 +150,60 @@ func testAccCheckAwsNetworkFirewallResourcePolicyExists(n string) resource.TestC
 
 func testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName string) string {
 	return composeConfig(
-		testAccAlternateAccountProviderConfig(),
 		fmt.Sprintf(`
-data "aws_caller_identity" "alternate" {
-  provider = "awsalternate"
-}
+data "aws_partition" "current" {}
+
+data "aws_caller_identity" "current" {}
 
 resource "aws_networkfirewall_firewall_policy" "test" {
-  name = %[1]q
+  name = %q
   firewall_policy {
     stateless_fragment_default_actions = ["aws:drop"]
     stateless_default_actions          = ["aws:pass"]
   }
 }
 
-resource "aws_ram_resource_share" "test" {
-  name                      = %[1]q
-  allow_external_principals = true
-
-  tags = {
-    Name = %[1]q
-  }
-}
-
-resource "aws_ram_resource_association" "test" {
-  resource_arn       = aws_networkfirewall_firewall_policy.test.arn
-  resource_share_arn = aws_ram_resource_share.test.id
+resource "aws_networkfirewall_resource_policy" "test" {
+  resource_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+  policy       = data.aws_iam_policy_document.test.json
 }
 `, rName))
 }
 
 func testAccNetworkFirewallResourcePolicy_firewallPolicy(rName string) string {
 	return composeConfig(
 		testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-  resource_arn = data.aws_caller_identity.alternate.arn
-  policy       = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": "network-firewall:ListFirewallPolicies",
-      "Resource": "${aws_networkfirewall_firewall_policy.test.arn}"
-    }
-  ]
-}
-POLICY
-
-  depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+  statement {
+    actions   = ["network-firewall:ListFirewallPolicies"]
+    resources = ["${aws_networkfirewall_firewall_policy.test.arn}"]
+  }
 }
 `)
 }
 
 func testAccNetworkFirewallResourcePolicy_firewallPolicy_updatePolicy(rName string) string {
 	return composeConfig(
 		testAccNetworkFirewallResourcePolicyFirewallPolicyBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-  resource_arn = data.aws_caller_identity.alternate.arn
-  policy       = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": [
-        "network-firewall:ListFirewallPolicies",
-        "network-firewall:AssociateFirewallPolicy"
-      ],
-      "Resource": "${aws_networkfirewall_firewall_policy.test.arn}"
-    }
-  ]
-}
-POLICY
+data "aws_iam_policy_document" "test" {
+  statement {
+    actions   = ["network-firewall:ListFirewallPolicies", "AssociateFirewallPolicy"]
+    resources = ["${aws_networkfirewall_firewall_policy.test.arn}"]
+  }
 }
-  depends_on = [aws_ram_resource_association.test]
 `)
 }
 
 func testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName string) string {
 	return composeConfig(
-		testAccAlternateAccountProviderConfig(),
 		fmt.Sprintf(`
-data "aws_caller_identity" "alternate" {
-  provider = "awsalternate"
-}
+data "aws_partition" "current" {}
 
-resource "aws_ram_resource_share" "test" {
-  name                      = %[1]q
-  allow_external_principals = true
-
-  tags = {
-    Name = %[1]q
-  }
-}
+data "aws_caller_identity" "current" {}
 
 resource "aws_networkfirewall_rule_group" "test" {
   capacity = 100
-  name     = %[1]q
+  name     = %q
   type     = "STATEFUL"
   rule_group {
     rules_source {
@@ -264,60 +216,33 @@ resource "aws_networkfirewall_rule_group" "test" {
   }
 }
 
-resource "aws_ram_resource_association" "test" {
-  resource_arn       = aws_networkfirewall_rule_group.test.arn
-  resource_share_arn = aws_ram_resource_share.test.id
+resource "aws_networkfirewall_resource_policy" "test" {
+  resource_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+  policy       = data.aws_iam_policy_document.test.json
 }
 `, rName))
 }
 
 func testAccNetworkFirewallResourcePolicy_ruleGroup(rName string) string {
 	return composeConfig(
 		testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-  resource_arn = data.aws_caller_identity.alternate.arn
-  policy       = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": "network-firewall:ListRuleGroups",
-      "Resource": "${aws_networkfirewall_rule_group.test.arn}"
-    }
-  ]
-}
-POLICY
-
-  depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+  statement {
+    actions   = ["network-firewall:ListRuleGroups"]
+    resources = ["${aws_networkfirewall_rule_group.test.arn}"]
+  }
 }
 `)
 }
 
 func testAccNetworkFirewallResourcePolicy_ruleGroup_updatePolicy(rName string) string {
 	return composeConfig(
 		testAccNetworkFirewallResourcePolicyRuleGroupBaseConfig(rName), `
-resource "aws_networkfirewall_resource_policy" "test" {
-  resource_arn = data.aws_caller_identity.alternate.arn
-  policy       = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": [
-        "network-firewall:ListRuleGroups",
-        "network-firewall:CreateFirewallPolicy"
-      ],
-      "Resource": "${aws_networkfirewall_rule_group.test.arn}"
-    }
-  ]
-}
-POLICY
-
-  depends_on = [aws_ram_resource_association.test]
+data "aws_iam_policy_document" "test" {
+  statement {
+    actions   = ["network-firewall:ListRuleGroups", "network-firewall:CreateFirewallPolicy"]
+    resources = ["${aws_networkfirewall_rule_group.test.arn}"]
+  }
 }
 `)
 }