Permit leading whitespace in IAM policies by normalizing before check… #5887
Conversation
This is passing all related acceptance testing except for one:
$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSIAM\(Role\|User\)?Policy_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSIAM\(Role\|User\)?Policy_ -timeout 120m
=== RUN TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (10.30s)
=== RUN TestAccAWSIAMUserPolicy_importBasic
--- PASS: TestAccAWSIAMUserPolicy_importBasic (8.33s)
=== RUN TestAccAWSIAMPolicy_basic
--- PASS: TestAccAWSIAMPolicy_basic (8.74s)
=== RUN TestAccAWSIAMPolicy_description
--- PASS: TestAccAWSIAMPolicy_description (8.91s)
=== RUN TestAccAWSIAMPolicy_namePrefix
--- PASS: TestAccAWSIAMPolicy_namePrefix (8.16s)
=== RUN TestAccAWSIAMPolicy_path
--- PASS: TestAccAWSIAMPolicy_path (9.15s)
=== RUN TestAccAWSIAMPolicy_policy
--- PASS: TestAccAWSIAMPolicy_policy (13.76s)
=== RUN TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (15.34s)
=== RUN TestAccAWSIAMRolePolicy_namePrefix
--- PASS: TestAccAWSIAMRolePolicy_namePrefix (13.46s)
=== RUN TestAccAWSIAMRolePolicy_generatedName
--- PASS: TestAccAWSIAMRolePolicy_generatedName (14.88s)
=== RUN TestAccAWSIAMRolePolicy_invalidJSON
--- FAIL: TestAccAWSIAMRolePolicy_invalidJSON (4.51s)
testing.go:520: Step 0, expected error:
Error applying: 1 error occurred:
* aws_iam_role_policy.foo: 1 error occurred:
* aws_iam_role_policy.foo: Error putting IAM role policy tf_test_policy_6ujbe3zmes: MalformedPolicyDocument: The policy failed legacy parsing
status code: 400, request id: a6aba47e-baba-11e8-a156-0f77be764b45
To match:
invalid JSON
=== RUN TestAccAWSIAMUserPolicy_basic
--- PASS: TestAccAWSIAMUserPolicy_basic (13.47s)
=== RUN TestAccAWSIAMUserPolicy_namePrefix
--- PASS: TestAccAWSIAMUserPolicy_namePrefix (13.49s)
=== RUN TestAccAWSIAMUserPolicy_generatedName
--- PASS: TestAccAWSIAMUserPolicy_generatedName (14.34s)
=== RUN TestAccAWSIAMUserPolicy_multiplePolicies
--- PASS: TestAccAWSIAMUserPolicy_multiplePolicies (25.58s)
FAIL
FAIL github.com/terraform-providers/terraform-provider-aws/aws 183.132s
Presumably this breaks a certain scenario where the validation error used to be caught during plan time and is now returned as an error during apply. Do you mind taking a look at that error?
Sorry @bflad , this is my first PR here. I didn't know those tests existed. So, the old validation code would reject the test policy (https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_role_policy_test.go#L434-L443) as invalid JSON because that policy starts with whitespace. We no longer care about whitespace, so validation passes because it is in fact valid JSON, but the test policy contains a second issue which is that the Statement is not an array, and that doesn't match the IAM policy spec. I've modified the test policy to consist of an otherwise-valid schema but with an invalid character so that it's no longer valid JSON. This now passes:
Let me know if you'd like me to dig deeper in this PR and validate the schema. However,
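As an added illustration of the behaviour change discussed above (example code, not the provider's own): a Terraform-style validate function with the pre-patch first-byte check beside one that trims whitespace before checking, run over two constructed policy fixtures. The names validateStrict/validateNormalized and the sample policies are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed fixtures (not from the PR), modeled on the test policies discussed above.
const (
	// Leading whitespace from an indented heredoc: valid JSON, but a first-byte check rejects it.
	indentedPolicy = "  {\n    \"Version\": \"2012-10-17\",\n" +
		"    \"Statement\": [{\"Effect\": \"Allow\", \"Action\": \"s3:ListBucket\", \"Resource\": \"*\"}]\n  }"
	// A stray character in front of the object: invalid JSON either way.
	malformedPolicy = "x{\"Version\": \"2012-10-17\", \"Statement\": []}"
)

func isJSONObject(s string) bool {
	var doc map[string]interface{}
	return json.Unmarshal([]byte(s), &doc) == nil
}

// validateStrict models the pre-patch behaviour described in the thread: the
// document must begin with '{' before parsing, so an indented policy fails as invalid JSON.
func validateStrict(v interface{}, k string) (ws []string, errs []error) {
	s, _ := v.(string)
	if len(s) == 0 || s[0] != '{' || !isJSONObject(s) {
		errs = append(errs, fmt.Errorf("%q contains an invalid JSON policy", k))
	}
	return
}

// validateNormalized trims surrounding whitespace first, then applies the same
// checks: indentation is tolerated, but a real syntax error (the leading 'x') is still caught at plan time.
func validateNormalized(v interface{}, k string) (ws []string, errs []error) {
	s, _ := v.(string)
	s = strings.TrimSpace(s)
	if len(s) == 0 || s[0] != '{' || !isJSONObject(s) {
		errs = append(errs, fmt.Errorf("%q contains an invalid JSON policy", k))
	}
	return
}

func main() {
	for _, p := range []string{indentedPolicy, malformedPolicy} {
		_, oldErrs := validateStrict(p, "policy")
		_, newErrs := validateNormalized(p, "policy")
		fmt.Printf("strict=%d normalized=%d errors\n", len(oldErrs), len(newErrs))
	}
}
```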
@bflad Rebased on master, acceptance tests are now passing.
@bflad Sorry to ping you - is there anything else I need to do to get this merged? I don't know the workflow on this repo.
@bflad can you merge this? It's a pretty awkward UX right now
@@ -479,13 +479,15 @@ resource "aws_iam_role_policy" "foo" { | |||
name = "tf_test_policy_%s" | |||
role = "${aws_iam_role.role.name}" | |||
policy = <<EOF | |||
{ | |||
x{ |
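Review bot: the `x{` that replaces `{` at the top of the heredoc reads as a typo rather than as a deliberate invalid-JSON fixture, and nothing in the hunk records that TestAccAWSIAMRolePolicy_invalidJSON now relies on it (leading whitespace no longer trips the validator). Make the intent self-documenting, either with a comment above the resource or with a clearly named token such as `this_json_is_intentionally_invalid_for_testing{`, so a later cleanup does not "fix" it back to valid JSON and silently drop the negative test.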
Is this deliberate?
Yes. That resource is intended to trigger the "invalid JSON" path. Before this patch, it was triggered by the indentation, which is now considered valid. In retrospect, instead of "x" I should have put something like "this_json_is_intentionally_invalid_for_testing".
I haven't touched this code in ~6 months but I will try to find time this week to rebase, verify tests still pass, and make this intent clearer.
@MikeSchuette any updates?
Could this get merged?
Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding. Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author. For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000. For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.
Superseded by #22067. |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Fixes #1873
Changes proposed in this pull request:
Output from acceptance testing: