internal/verify: handle policy parsing errors of state content #39842
Merged
Commits on Oct 22, 2024
internal/verify: handle policy parsing errors of state content
Plugin SDK V2 based resources can set malformed policy content in state despite a failed update. In these cases, parsing the old content will fail. Surfacing this error during read operations causes a persistent plan-time validation error, so return the new content read directly from the remote resource instead.

Example of a plan-time validation error when this is not handled gracefully:

```
│ Error: while setting policy (), encountered: while checking equivalency of existing policy ({"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":["aws:MultiFactorAuthAge"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}) and new policy ({"Statement":[{"Action":["ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}), encountered: parsing policy 1: parsing statement 1: 1 error(s) decoding:
│
│ * '[0].Condition[ForAnyValue:StringLike]' expected a map, got 'slice'
```
Commit 07e25fb

r/aws_iam_policy(test): add malformed condition case
This test verifies that when a malformed `Condition` key is provided and stored in state despite a failed update, the user is not left in an unrecoverable situation.

Before the changes to `internal/verify`:

```console
make testacc PKG=iam TESTS=TestAccIAMPolicy_malformedCondition
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMPolicy_malformedCondition' -timeout 360m
2024/10/22 14:34:52 Initializing Terraform AWS Provider...
policy_test.go:366: Step 3/3 error: Error running pre-apply plan: exit status 1
Error: while setting policy (), encountered: while checking equivalency of existing policy ({"Statement":[{"Action":["s3:ListBucket"],"Condition":{"StringLike":["demo-prefix/"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}) and new policy ({"Statement":[{"Action":["s3:ListBucket"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}), encountered: parsing policy 1: parsing statement 1: 1 error(s) decoding:
* '[0].Condition[StringLike]' expected a map, got 'slice'
with aws_iam_policy.test,
on terraform_plugin_test.tf line 12, in resource "aws_iam_policy" "test":
12: resource "aws_iam_policy" "test" {
--- FAIL: TestAccIAMPolicy_malformedCondition (14.38s)
FAIL
FAIL github.com/hashicorp/terraform-provider-aws/internal/service/iam 20.852s
```

After:

```console
% make testacc PKG=iam TESTS=TestAccIAMPolicy_malformedCondition
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMPolicy_malformedCondition' -timeout 360m
2024/10/22 14:33:06 Initializing Terraform AWS Provider...
--- PASS: TestAccIAMPolicy_malformedCondition (21.43s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 27.884s
```

All tests:

```console
% make testacc PKG=iam TESTS=TestAccIAMPolicy_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMPolicy_' -timeout 360m
2024/10/22 14:47:49 Initializing Terraform AWS Provider...
--- PASS: TestAccIAMPolicy_policyDuplicateKeys (3.93s)
=== CONT TestAccIAMPolicy_whitespace
--- PASS: TestAccIAMPolicy_disappears (33.95s)
=== CONT TestAccIAMPolicy_description
--- PASS: TestAccIAMPolicy_path (39.26s)
=== CONT TestAccIAMPolicy_basic
--- PASS: TestAccIAMPolicy_namePrefix (40.36s)
=== CONT TestAccIAMPolicy_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccIAMPolicy_tags_DefaultTags_nullOverlappingResourceTag (47.05s)
=== CONT TestAccIAMPolicy_tags_ComputedTag_OnUpdate_Replace
--- PASS: TestAccIAMPolicy_tags_DefaultTags_nullNonOverlappingResourceTag (47.31s)
=== CONT TestAccIAMPolicy_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccIAMPolicy_tags_DefaultTags_emptyResourceTag (48.16s)
=== CONT TestAccIAMPolicy_tags_DefaultTags_updateToProviderOnly
--- PASS: TestAccIAMPolicy_tags_ComputedTag_OnCreate (48.91s)
=== CONT TestAccIAMPolicy_tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccIAMPolicy_tags_EmptyMap (60.04s)
=== CONT TestAccIAMPolicy_tags_null
--- PASS: TestAccIAMPolicy_malformedCondition (66.86s)
=== CONT TestAccIAMPolicy_tags_ComputedTag_OnUpdate_Add
--- PASS: TestAccIAMPolicy_policy (69.03s)
=== CONT TestAccIAMPolicy_tags_DefaultTags_overlapping
--- PASS: TestAccIAMPolicy_tags_EmptyTag_OnUpdate_Replace (71.84s)
--- PASS: TestAccIAMPolicy_description (40.11s)
--- PASS: TestAccIAMPolicy_tags_AddOnUpdate (76.91s)
--- PASS: TestAccIAMPolicy_basic (37.69s)
--- PASS: TestAccIAMPolicy_whitespace (76.92s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_emptyProviderOnlyTag (45.17s)
--- PASS: TestAccIAMPolicy_tags_EmptyTag_OnCreate (85.62s)
--- PASS: TestAccIAMPolicy_tags_IgnoreTags_Overlap_ResourceTag (100.60s)
--- PASS: TestAccIAMPolicy_tags_null (42.53s)
--- PASS: TestAccIAMPolicy_tags_EmptyTag_OnUpdate_Add (103.00s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_updateToProviderOnly (56.55s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_updateToResourceOnly (56.36s)
--- PASS: TestAccIAMPolicy_tags_ComputedTag_OnUpdate_Replace (58.95s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_nonOverlapping (107.66s)
--- PASS: TestAccIAMPolicy_tags_IgnoreTags_Overlap_DefaultTag (64.80s)
--- PASS: TestAccIAMPolicy_tags_ComputedTag_OnUpdate_Add (48.12s)
--- PASS: TestAccIAMPolicy_tags (119.83s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_providerOnly (120.47s)
--- PASS: TestAccIAMPolicy_tags_DefaultTags_overlapping (59.19s)
--- PASS: TestAccIAMPolicy_diffs (133.46s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 139.894s
```
Commit 7be7aaf

Commit c9c1f98

internal/verify(test): add malformed old content test case
Before:

```console
% go test -count=1 ./internal/verify/...
--- FAIL: TestSecondJSONUnlessEquivalent (0.00s)
json_test.go:405: unexpected error with test case malformed old: parsing policy 1: parsing statement 1: 1 error(s) decoding:
* '[0].Condition[StringLike]' expected a map, got 'slice'
FAIL
FAIL github.com/hashicorp/terraform-provider-aws/internal/verify 0.702s
```

After:

```console
% go test -count=1 ./internal/verify/...
ok github.com/hashicorp/terraform-provider-aws/internal/verify 0.383s
```
Commit bfc1b40
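
The fallback described in the first commit and exercised by the "malformed old" test case, as an added Go example that is not the provider's code: a stand-in parser built on `encoding/json` replaces the provider's policy equivalence check, and `policy`, `parsePolicy` and `secondUnlessEquivalent` are hypothetical names. The two policy strings in `main` are the ones from the failing test output quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Simplified stand-in for an IAM policy document (assumption of this example).
// Condition must decode as operator -> key -> value, so a list is rejected.
type policy struct {
	Version   string
	Statement []struct {
		Effect    string
		Action    any
		Resource  any
		Condition map[string]map[string]any
	}
}

func parsePolicy(doc string) (*policy, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	return &p, nil
}

// secondUnlessEquivalent keeps the state value when it is equivalent to the
// value read from the remote resource, and otherwise returns the remote value.
// State content that no longer parses counts as "not equivalent", not an error.
func secondUnlessEquivalent(state, remote string) (string, error) {
	r, err := parsePolicy(remote)
	if err != nil {
		return "", err // the remote value itself is unusable
	}
	s, err := parsePolicy(state)
	if err != nil || !reflect.DeepEqual(s, r) {
		return remote, nil
	}
	return state, nil
}

func main() {
	state := `{"Statement":[{"Action":["s3:ListBucket"],"Condition":{"StringLike":["demo-prefix/"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`
	remote := `{"Statement":[{"Action":["s3:ListBucket"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`
	got, err := secondUnlessEquivalent(state, remote)
	fmt.Println(got == remote, err)
}
```

Returning the remote value lets the next read overwrite the malformed state, which is what clears the otherwise persistent plan-time error.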