add block_public_policy
DrFaust92 committed Oct 29, 2020
1 parent 9a62e61 commit 91e4655
Showing 2 changed files with 106 additions and 6 deletions.
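--- a/aws/resource_aws_secretsmanager_secret_policy.go
+++ b/aws/resource_aws_secretsmanager_secret_policy.go
@@ -36,6 +36,10 @@ func resourceAwsSecretsManagerSecretPolicy() *schema.Resource {
 ValidateFunc: validation.StringIsJSON,
 DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
 },
+"block_public_policy": {
+Type: schema.TypeBool,
+Optional: true,
+},
 },
 }
 }
@@ -48,6 +52,10 @@ func resourceAwsSecretsManagerSecretPolicyCreate(d *schema.ResourceData, meta in
 SecretId: aws.String(d.Get("secret_arn").(string)),
 }
 
+if v, ok := d.GetOk("block_public_policy"); ok {
+input.BlockPublicPolicy = aws.Bool(v.(bool))
+}
+
 log.Printf("[DEBUG] Setting Secrets Manager Secret resource policy; %#v", input)
 var res *secretsmanager.PutResourcePolicyOutput
 
@@ -109,14 +117,15 @@ func resourceAwsSecretsManagerSecretPolicyRead(d *schema.ResourceData, meta inte
 func resourceAwsSecretsManagerSecretPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).secretsmanagerconn
 
-if d.HasChange("policy") {
+if d.HasChanges("policy", "block_public_policy") {
 policy, err := structure.NormalizeJsonString(d.Get("policy").(string))
 if err != nil {
 return fmt.Errorf("policy contains an invalid JSON: %s", err)
 }
 input := &secretsmanager.PutResourcePolicyInput{
-ResourcePolicy: aws.String(policy),
-SecretId: aws.String(d.Id()),
+ResourcePolicy: aws.String(policy),
+SecretId: aws.String(d.Id()),
+BlockPublicPolicy: aws.Bool(d.Get("block_public_policy").(bool)),
 }
 
 log.Printf("[DEBUG] Setting Secrets Manager Secret resource policy; %#v", input)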
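Review bot: Create and Update disagree on how `block_public_policy` is sent: the `d.GetOk` guard added to resourceAwsSecretsManagerSecretPolicyCreate skips the zero value, so an explicit `block_public_policy = false` is never sent on create, while the Update hunk always sends `aws.Bool(d.Get("block_public_policy").(bool))`. If the API default is false this is harmless, but the asymmetry should either be removed (`input.BlockPublicPolicy = aws.Bool(d.Get("block_public_policy").(bool))` unconditionally, as Update does) or explained with a comment such as `// false is the API default, so the flag is only sent when explicitly set to true`. The Read function is not part of this diff, so whether the flag is read back for drift detection cannot be confirmed here; the `ImportStateVerifyIgnore` entries in the test file suggest it is not, in which case an out-of-band change to this guard would not surface in a plan. All three enclosing functions continue outside the hunks shown.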
97 changes: 94 additions & 3 deletions aws/resource_aws_secretsmanager_secret_policy_test.go
Expand Up @@ -82,9 +82,10 @@ func TestAccAwsSecretsManagerSecretPolicy_basic(t *testing.T) {
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"block_public_policy"},
},
{
Config: testAccAwsSecretsManagerSecretPolicyUpdatedConfig(rName),
Expand All @@ -98,6 +99,47 @@ func TestAccAwsSecretsManagerSecretPolicy_basic(t *testing.T) {
})
}

func TestAccAwsSecretsManagerSecretPolicy_blockPublicPolicy(t *testing.T) {
var policy secretsmanager.GetResourcePolicyOutput
rName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_secretsmanager_secret_policy.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSSecretsManager(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAwsSecretsManagerSecretPolicyDestroy,
Steps: []resource.TestStep{
{
Config: testAccAwsSecretsManagerSecretPolicyBlockConfig(rName, true),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsSecretsManagerSecretPolicyExists(resourceName, &policy),
resource.TestCheckResourceAttr(resourceName, "block_public_policy", "true"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"block_public_policy"},
},
{
Config: testAccAwsSecretsManagerSecretPolicyBlockConfig(rName, false),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsSecretsManagerSecretPolicyExists(resourceName, &policy),
resource.TestCheckResourceAttr(resourceName, "block_public_policy", "false"),
),
},
{
Config: testAccAwsSecretsManagerSecretPolicyBlockConfig(rName, true),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsSecretsManagerSecretPolicyExists(resourceName, &policy),
resource.TestCheckResourceAttr(resourceName, "block_public_policy", "true"),
),
},
},
})
}

func TestAccAwsSecretsManagerSecretPolicy_disappears(t *testing.T) {
var policy secretsmanager.GetResourcePolicyOutput
rName := acctest.RandomWithPrefix("tf-acc-test")
Expand Down Expand Up @@ -290,3 +332,52 @@ POLICY
}
`, rName)
}

func testAccAwsSecretsManagerSecretPolicyBlockConfig(rName string, block bool) string {
return fmt.Sprintf(`
resource "aws_iam_role" "test" {
name = %[1]q
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_secretsmanager_secret" "test" {
name = %[1]q
}
resource "aws_secretsmanager_secret_policy" "test" {
secret_arn = aws_secretsmanager_secret.test.arn
block_public_policy = %[2]t
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAllPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "${aws_iam_role.test.arn}"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
POLICY
}
`, rName, block)
}
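Review bot: TestAccAwsSecretsManagerSecretPolicy_blockPublicPolicy never creates the resource with `block_public_policy = false`; the false value is only reached through the update step, so the Create path (which sends the flag only via `d.GetOk` in the resource file) is not exercised for false. A test step starting from `testAccAwsSecretsManagerSecretPolicyBlockConfig(rName, false)` on a fresh resource would cover it. The `ImportStateVerifyIgnore: []string{"block_public_policy"}` entries in both tests also deserve a one-line comment stating why the attribute is skipped, e.g. `// block_public_policy appears not to be returned by the read API, so import cannot verify it — confirm against Read`, because as written the `TestCheckResourceAttr` checks only confirm the configured value is persisted in state, not that the API applied it.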
