Skip to content

Commit

Permalink
Saved work
Browse files Browse the repository at this point in the history
  • Loading branch information
Ninir committed Apr 3, 2017
1 parent b8b1097 commit a700c64
Show file tree
Hide file tree
Showing 6 changed files with 840 additions and 69 deletions.
1 change: 1 addition & 0 deletions builtin/providers/aws/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,7 @@ func Provider() terraform.ResourceProvider {
"aws_config_configuration_recorder_status": resourceAwsConfigConfigurationRecorderStatus(),
"aws_config_delivery_channel": resourceAwsConfigDeliveryChannel(),
"aws_cognito_identity_pool": resourceAwsCognitoIdentityPool(),
"aws_cognito_identity_pool_roles_attachment": resourceAwsCognitoIdentityPoolRolesAttachment(),
"aws_autoscaling_lifecycle_hook": resourceAwsAutoscalingLifecycleHook(),
"aws_cloudwatch_metric_alarm": resourceAwsCloudWatchMetricAlarm(),
"aws_codedeploy_app": resourceAwsCodeDeployApp(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,95 +19,164 @@ func resourceAwsCognitoIdentityPoolRolesAttachment() *schema.Resource {
return &schema.Resource{
Create: resourceAwsCognitoIdentityPoolRolesAttachmentCreate,
Read: resourceAwsCognitoIdentityPoolRolesAttachmentRead,
Update: resourceAwsCognitoIdentityPoolRolesAttachmentUpdate,
Delete: resourceAwsCognitoIdentityPoolRolesAttachmentDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},

Schema: map[string]*schema.Schema{
"identity_pool_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
Type: schema.TypeString,
Required: true,
ForceNew: true,
},

"role_mappings": {
Type: schema.TypeSet,
Optional: true,
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"ambiguous_role_resolution": {
Type: schema.TypeString,
},
"rules_configuration": {
"role_mapping": {
Type: schema.TypeSet,
MaxItems: 1,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"rules": {
Type: schema.TypeList,
MaxItems: 25,
"key": {
Type: schema.TypeString,
Required: true,
},
"value": {
Type: schema.TypeSet,
MaxItems: 1,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"claim": {
Type: schema.TypeString,
Required: true,
"ambiguous_role_resolution": {
Type: schema.TypeString,
ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution,
Optional: true, // Required if Type equals Token or Rules.
},
"match_type": {
Type: schema.TypeString,
Required: true,
"rules_configuration": {
Type: schema.TypeSet,
MaxItems: 1,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"rules": {
Type: schema.TypeList,
Required: true,
MaxItems: 25,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"claim": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesClaim,
},
"match_type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesMatchType,
},
"role_arn": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateArn,
},
"value": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesValue,
},
},
},
},
},
},
},
"role_arn": {
Type: schema.TypeString,
Required: true,
},
"value": {
Type: schema.TypeString,
Required: true,
"type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsType,
},
},
},
},
},
},
},
"type": {
Type: schema.TypeString,
Required: true,
},
},
},
},

"roles": {
Type: schema.TypeMap,
Required: true,
ForceNew: true,
Type: schema.TypeMap,
Required: true,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"authenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if unauthenticated isn't defined.
},
"unauthenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if authenticated isn't defined.
},
},
},
},
},
}
}

func resourceAwsCognitoIdentityPoolRolesAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).cognitoconn
log.Print("[DEBUG] Setting Roles to Cognito Identity Pool")
log.Print("[DEBUG] Creating Cognito Identity Pool Roles Association")

// Validates role keys to be either authenticated or unauthenticated,
// since ValidateFunc validates only the value not the key.
if errors := validateCognitoRoles(d.Get("roles").(map[string]interface{}), "roles"); len(errors) > 0 {
return fmt.Errorf("Error validating Roles: %v", errors)
}

params := &cognitoidentity.SetIdentityPoolRolesInput{
IdentityPoolId: aws.String(d.Get("identity_pool_id").(string)),
Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
}

if v, ok := d.GetOk("role_mappings"); ok {
params.RoleMappings = expandCognitoIdentityPoolRoleMappingsAttachment(v.(*schema.Set))
errors := make([]error, 0)

// Validating that each role_mapping ambiguous_role_resolution
// is defined when "type" equals Token or Rules.
rms := v.([]interface{})[0].(map[string]interface{})
for _, r := range rms["role_mapping"].(*schema.Set).List() {
rm := r.(map[string]interface{})
roleMapping := rm["value"].(*schema.Set).List()

if err := validateCognitoRoleMappingsAmbiguousRoleResolutionAgainstType(roleMapping[0].(map[string]interface{})); len(err) > 0 {
errors = append(errors, fmt.Errorf("Role Mapping %q: %v", rm["key"].(string), err))
}
}

if len(errors) > 0 {
return fmt.Errorf("Error validating ambiguous role resolution: %v", errors)
}

params.RoleMappings = expandCognitoIdentityPoolRoleMappingsAttachment(v.([]interface{}))
}

_, err := conn.SetIdentityPoolRoles(params)
if err != nil {
return fmt.Errorf("Error creating Cognito Identity Pool: %s", err)
return fmt.Errorf("Error creating Cognito Identity Pool Roles Association: %s", err)
}

// TODO - Better handle the roles & role mappings
d.SetId(generateID(d.Get("identity_pool_id").(string), "", ""))
d.SetId(d.Get("identity_pool_id").(string))

return resourceAwsCognitoIdentityPoolRolesAttachmentRead(d, meta)
}
Expand All @@ -127,23 +196,81 @@ func resourceAwsCognitoIdentityPoolRolesAttachmentRead(d *schema.ResourceData, m
return err
}


if err := d.Set("roles", flattenCognitoIdentityPoolRoles(ip.Roles)); err != nil {
return fmt.Errorf("[DEBUG] Error setting roles error: %#v", err)
}

if err := d.Set("role_mappings", flattenCognitoIdentityPoolRoleMappingsAttachment(ip.RoleMappings)); err != nil {
return fmt.Errorf("[DEBUG] Error setting role mappings error: %#v", err)
}

return nil
}

func resourceAwsCognitoIdentityPoolRolesAttachmentUpdate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).cognitoconn
log.Printf("[DEBUG] Updating Cognito Identity Pool Roles Association: %s", d.Id())

// Validates role keys to be either authenticated or unauthenticated,
// since ValidateFunc validates only the value not the key.
if errors := validateCognitoRoles(d.Get("roles").(map[string]interface{}), "roles"); len(errors) > 0 {
return fmt.Errorf("Error validating Roles: %v", errors)
}

params := &cognitoidentity.SetIdentityPoolRolesInput{
IdentityPoolId: aws.String(d.Get("identity_pool_id").(string)),
Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
}

if d.HasChange("role_mappings") {
v, ok := d.GetOk("role_mappings")
var mappings []interface{}

if ok {
errors := make([]error, 0)

// Validating that each role_mapping ambiguous_role_resolution
// is defined when "type" equals Token or Rules.
rms := v.([]interface{})[0].(map[string]interface{})
for _, r := range rms["role_mapping"].(*schema.Set).List() {
rm := r.(map[string]interface{})
roleMapping := rm["value"].(*schema.Set).List()

if err := validateCognitoRoleMappingsAmbiguousRoleResolutionAgainstType(roleMapping[0].(map[string]interface{})); len(err) > 0 {
errors = append(errors, fmt.Errorf("Role Mapping %q: %v", rm["key"].(string), err))
}
}

if len(errors) > 0 {
return fmt.Errorf("Error validating ambiguous role resolution: %v", errors)
}
mappings = v.([]interface{})
} else {
mappings = []interface{}{}
}

params.RoleMappings = expandCognitoIdentityPoolRoleMappingsAttachment(mappings)
}

_, err := conn.SetIdentityPoolRoles(params)
if err != nil {
return fmt.Errorf("Error updating Cognito Identity Pool Roles Association: %s", err)
}

d.SetId(d.Get("identity_pool_id").(string))

return resourceAwsCognitoIdentityPoolRolesAttachmentRead(d, meta)
}

func resourceAwsCognitoIdentityPoolRolesAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).cognitoconn
log.Printf("[DEBUG] Deleting Cognito Identity Pool Roles Association: %s", d.Id())

return resource.Retry(5*time.Minute, func() *resource.RetryError {
_, err := conn.SetIdentityPoolRoles(&cognitoidentity.SetIdentityPoolRolesInput{
IdentityPoolId: aws.String(d.Id()),
Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
RoleMappings: expandCognitoIdentityPoolRoleMappingsAttachment(schema.NewSet(schema.HashString, []interface{}{})),
IdentityPoolId: aws.String(d.Get("identity_pool_id").(string)),
Roles: expandCognitoIdentityPoolRoles(make(map[string]interface{})),
RoleMappings: expandCognitoIdentityPoolRoleMappingsAttachment([]interface{}{}),
})

if err == nil {
Expand All @@ -154,11 +281,35 @@ func resourceAwsCognitoIdentityPoolRolesAttachmentDelete(d *schema.ResourceData,
})
}

func generateID(identityPoolID, roleMappings, roles string) string {
func cognitoRoleMappingHash(v interface{}) int {
var buf bytes.Buffer
m := v.(map[string]interface{})
buf.WriteString(fmt.Sprintf("%s-", m["key"].(string)))

return hashcode.String(buf.String())
}

func cognitoRoleMappingValueHash(v interface{}) int {
var buf bytes.Buffer
buf.WriteString(fmt.Sprintf("%s-", identityPoolID))
buf.WriteString(fmt.Sprintf("%s-", roleMappings))
buf.WriteString(fmt.Sprintf("%s-", roles))
m := v.(map[string]interface{})
buf.WriteString(fmt.Sprintf("%s-", m["type"].(string)))
if d, ok := m["ambiguous_role_resolution"]; ok {
buf.WriteString(fmt.Sprintf("%s-", d.(string)))
}

return hashcode.String(buf.String())
}

func cognitoRoleMappingRulesConfigurationHash(v interface{}) int {
var buf bytes.Buffer
m := v.(map[string]interface{})
for _, rule := range m["rules"].([]interface{}) {
r := rule.(map[string]interface{})
buf.WriteString(fmt.Sprintf("%s-", r["claim"].(string)))
buf.WriteString(fmt.Sprintf("%s-", r["match_type"].(string)))
buf.WriteString(fmt.Sprintf("%s-", r["role_arn"].(string)))
buf.WriteString(fmt.Sprintf("%s-", r["value"].(string)))
}

return fmt.Sprintf("cira-%d", hashcode.String(buf.String()))
return hashcode.String(buf.String())
}
Loading

0 comments on commit a700c64

Please sign in to comment.