terraform-provider-google/google/resource_google_project_iam_member_test.go

package google

import (
	"fmt"
	"testing"

	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"google.golang.org/api/cloudresourcemanager/v1"
)

// Test that an IAM binding can be applied to a project
func TestAccGoogleProjectIamMember_basic(t *testing.T) {
	t.Parallel()

	org := getTestOrgFromEnv(t)
	pid := "terraform-" + acctest.RandString(10)
	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			// Create a new project
			{
				Config: testAccGoogleProject_create(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccGoogleProjectExistingPolicy(pid),
				),
			},
			// Apply an IAM binding
			{
				Config: testAccGoogleProjectAssociateMemberBasic(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{
						Role:    "roles/compute.instanceAdmin",
						Members: []string{"user:admin@hashicorptest.com"},
					}, pid),
				),
			},
		},
	})
}

// Test that multiple IAM bindings can be applied to a project
func TestAccGoogleProjectIamMember_multiple(t *testing.T) {
	t.Parallel()

	org := getTestOrgFromEnv(t)
	skipIfEnvNotSet(t, "GOOGLE_ORG")

	pid := "terraform-" + acctest.RandString(10)
	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			// Create a new project
			{
				Config: testAccGoogleProject_create(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccGoogleProjectExistingPolicy(pid),
				),
			},
			// Apply an IAM binding
			{
				Config: testAccGoogleProjectAssociateMemberBasic(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{
						Role:    "roles/compute.instanceAdmin",
						Members: []string{"user:admin@hashicorptest.com"},
					}, pid),
				),
			},
			// Apply another IAM binding
			{
				Config: testAccGoogleProjectAssociateMemberMultiple(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.multiple", &cloudresourcemanager.Binding{
						Role:    "roles/compute.instanceAdmin",
						Members: []string{"user:admin@hashicorptest.com", "user:paddy@hashicorp.com"},
					}, pid),
				),
			},
		},
	})
}

// Test that an IAM binding can be removed from a project
func TestAccGoogleProjectIamMember_remove(t *testing.T) {
	t.Parallel()

	org := getTestOrgFromEnv(t)
	skipIfEnvNotSet(t, "GOOGLE_ORG")

	pid := "terraform-" + acctest.RandString(10)
	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			// Create a new project
			{
				Config: testAccGoogleProject_create(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccGoogleProjectExistingPolicy(pid),
				),
			},
			// Apply multiple IAM bindings
			{
				Config: testAccGoogleProjectAssociateMemberMultiple(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{
						Role:    "roles/compute.instanceAdmin",
						Members: []string{"user:admin@hashicorptest.com", "user:paddy@hashicorp.com"},
					}, pid),
				),
			},
			// Remove the bindings
			{
				Config: testAccGoogleProject_create(pid, pname, org),
				Check: resource.ComposeTestCheckFunc(
					testAccGoogleProjectExistingPolicy(pid),
				),
			},
		},
	})
}

func testAccGoogleProjectAssociateMemberBasic(pid, name, org string) string {
	return fmt.Sprintf(`
resource "google_project" "acceptance" {
  project_id = "%s"
  name       = "%s"
  org_id     = "%s"
}

resource "google_project_iam_member" "acceptance" {
  project = "${google_project.acceptance.project_id}"
  member  = "user:admin@hashicorptest.com"
  role    = "roles/compute.instanceAdmin"
}
`, pid, name, org)
}

func testAccGoogleProjectAssociateMemberMultiple(pid, name, org string) string {
	return fmt.Sprintf(`
resource "google_project" "acceptance" {
  project_id = "%s"
  name       = "%s"
  org_id     = "%s"
}

resource "google_project_iam_member" "acceptance" {
  project = "${google_project.acceptance.project_id}"
  member  = "user:admin@hashicorptest.com"
  role    = "roles/compute.instanceAdmin"
}

resource "google_project_iam_member" "multiple" {
  project = "${google_project.acceptance.project_id}"
  member  = "user:paddy@hashicorp.com"
  role    = "roles/compute.instanceAdmin"
}
`, pid, name, org)
}
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`package google`

			`import (`
			`"fmt"`
			`"testing"`

			`"github.com/hashicorp/terraform/helper/acctest"`
			`"github.com/hashicorp/terraform/helper/resource"`
			`"google.golang.org/api/cloudresourcemanager/v1"`
			`)`

			`// Test that an IAM binding can be applied to a project`
			`func TestAccGoogleProjectIamMember_basic(t *testing.T) {`
Revert "Revert "Add t.Parallel to all acceptance tests (#558)"" This reverts commit 8ab9d96d25b07b7a9c84571798c85ee0e77b22da and revives the original commit that adds t.Parallel to all acceptance tests. It turns out test failures were unrelated to this change (rather, they were related to quota issues). 2017-10-12 22:07:29 +00:00			`t.Parallel()`

Get test org and billing account in a consistent way (#766) 2017-11-20 23:45:51 +00:00			`org := getTestOrgFromEnv(t)`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`pid := "terraform-" + acctest.RandString(10)`
			`resource.Test(t, resource.TestCase{`
			`PreCheck: func() { testAccPreCheck(t) },`
			`Providers: testAccProviders,`
			`Steps: []resource.TestStep{`
			`// Create a new project`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProject_create(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccGoogleProjectExistingPolicy(pid),`
			`),`
			`},`
			`// Apply an IAM binding`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProjectAssociateMemberBasic(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{`
			`Role: "roles/compute.instanceAdmin",`
			`Members: []string{"user:admin@hashicorptest.com"},`
			`}, pid),`
			`),`
			`},`
			`},`
			`})`
			`}`

			`// Test that multiple IAM bindings can be applied to a project`
			`func TestAccGoogleProjectIamMember_multiple(t *testing.T) {`
Revert "Revert "Add t.Parallel to all acceptance tests (#558)"" This reverts commit 8ab9d96d25b07b7a9c84571798c85ee0e77b22da and revives the original commit that adds t.Parallel to all acceptance tests. It turns out test failures were unrelated to this change (rather, they were related to quota issues). 2017-10-12 22:07:29 +00:00			`t.Parallel()`

Get test org and billing account in a consistent way (#766) 2017-11-20 23:45:51 +00:00			`org := getTestOrgFromEnv(t)`
Refactor project iam binding and member resources to improve reusability (#744) * Refactor project iam binding and member resources to improve reusability * Use default mask when updating project iam policy * Add a doc comment for the ResourceIamUpdater interface 2017-11-21 01:01:39 +00:00			`skipIfEnvNotSet(t, "GOOGLE_ORG")`

Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`pid := "terraform-" + acctest.RandString(10)`
			`resource.Test(t, resource.TestCase{`
			`PreCheck: func() { testAccPreCheck(t) },`
			`Providers: testAccProviders,`
			`Steps: []resource.TestStep{`
			`// Create a new project`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProject_create(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccGoogleProjectExistingPolicy(pid),`
			`),`
			`},`
			`// Apply an IAM binding`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProjectAssociateMemberBasic(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{`
			`Role: "roles/compute.instanceAdmin",`
			`Members: []string{"user:admin@hashicorptest.com"},`
			`}, pid),`
			`),`
			`},`
			`// Apply another IAM binding`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProjectAssociateMemberMultiple(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.multiple", &cloudresourcemanager.Binding{`
			`Role: "roles/compute.instanceAdmin",`
			`Members: []string{"user:admin@hashicorptest.com", "user:paddy@hashicorp.com"},`
			`}, pid),`
			`),`
			`},`
			`},`
			`})`
			`}`

			`// Test that an IAM binding can be removed from a project`
			`func TestAccGoogleProjectIamMember_remove(t *testing.T) {`
Revert "Revert "Add t.Parallel to all acceptance tests (#558)"" This reverts commit 8ab9d96d25b07b7a9c84571798c85ee0e77b22da and revives the original commit that adds t.Parallel to all acceptance tests. It turns out test failures were unrelated to this change (rather, they were related to quota issues). 2017-10-12 22:07:29 +00:00			`t.Parallel()`

Get test org and billing account in a consistent way (#766) 2017-11-20 23:45:51 +00:00			`org := getTestOrgFromEnv(t)`
Refactor project iam binding and member resources to improve reusability (#744) * Refactor project iam binding and member resources to improve reusability * Use default mask when updating project iam policy * Add a doc comment for the ResourceIamUpdater interface 2017-11-21 01:01:39 +00:00			`skipIfEnvNotSet(t, "GOOGLE_ORG")`

Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`pid := "terraform-" + acctest.RandString(10)`
			`resource.Test(t, resource.TestCase{`
			`PreCheck: func() { testAccPreCheck(t) },`
			`Providers: testAccProviders,`
			`Steps: []resource.TestStep{`
			`// Create a new project`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProject_create(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccGoogleProjectExistingPolicy(pid),`
			`),`
			`},`
			`// Apply multiple IAM bindings`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProjectAssociateMemberMultiple(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccCheckGoogleProjectIamBindingExists("google_project_iam_member.acceptance", &cloudresourcemanager.Binding{`
			`Role: "roles/compute.instanceAdmin",`
			`Members: []string{"user:admin@hashicorptest.com", "user:paddy@hashicorp.com"},`
			`}, pid),`
			`),`
			`},`
			`// Remove the bindings`
Excise unnecessary type declarations. Some struct types can be inferred instead of being repeated, so let's take advantage of that. 2017-07-27 20:39:23 +00:00			`{`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`Config: testAccGoogleProject_create(pid, pname, org),`
			`Check: resource.ComposeTestCheckFunc(`
			`testAccGoogleProjectExistingPolicy(pid),`
			`),`
			`},`
			`},`
			`})`
			`}`

			`func testAccGoogleProjectAssociateMemberBasic(pid, name, org string) string {`
			return fmt.Sprintf(`
			`resource "google_project" "acceptance" {`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00			`project_id = "%s"`
			`name = "%s"`
			`org_id = "%s"`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`}`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`resource "google_project_iam_member" "acceptance" {`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00			`project = "${google_project.acceptance.project_id}"`
			`member = "user:admin@hashicorptest.com"`
			`role = "roles/compute.instanceAdmin"`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`}`
			`, pid, name, org)
			`}`

			`func testAccGoogleProjectAssociateMemberMultiple(pid, name, org string) string {`
			return fmt.Sprintf(`
			`resource "google_project" "acceptance" {`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00			`project_id = "%s"`
			`name = "%s"`
			`org_id = "%s"`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`}`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`resource "google_project_iam_member" "acceptance" {`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00			`project = "${google_project.acceptance.project_id}"`
			`member = "user:admin@hashicorptest.com"`
			`role = "roles/compute.instanceAdmin"`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`}`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`resource "google_project_iam_member" "multiple" {`
Terraform fmt on our test configs. 2017-07-25 19:17:20 +00:00			`project = "${google_project.acceptance.project_id}"`
			`member = "user:paddy@hashicorp.com"`
			`role = "roles/compute.instanceAdmin"`
Add the google_project_iam_member resource. Adds the google_project_iam_member resource, which just ensures that a single member has a single role. google_project_iam_member should not be used to grant permissions to a role controlled by google_project_iam_binding or to a policy controlled by google_project_iam_policy, as they'll fight for control. 2017-07-04 03:59:26 +00:00			`}`
			`, pid, name, org)
			`}`