From 779d356a2e38a27b309661b03f52a93e6d611e36 Mon Sep 17 00:00:00 2001
From: Artem Usenko
Date: Fri, 22 Sep 2023 14:19:08 +0300
Subject: [PATCH] Handle empty service account policy (#518)
---
 minio/resource_minio_service_account.go | 16 +++++--
 minio/resource_minio_service_account_test.go | 44 ++++++++++++++++++++
 2 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/minio/resource_minio_service_account.go b/minio/resource_minio_service_account.go
index 8b1251d9..b7ccb8ed 100644
--- a/minio/resource_minio_service_account.go
+++ b/minio/resource_minio_service_account.go
@@ -72,7 +72,7 @@ func minioCreateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 policy := serviceAccountConfig.MinioSAPolicy
 serviceAccount, err := serviceAccountConfig.MinioAdmin.AddServiceAccount(ctx, madmin.AddServiceAccountReq{
- Policy: []byte(policy),
+ Policy: processServiceAccountPolicy(policy),
 TargetUser: targetUser,
 })
 if err != nil {
@@ -114,7 +114,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 if serviceAccountServerInfo.AccountStatus != wantedStatus {
 err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, serviceAccountConfig.MinioAccessKey, madmin.UpdateServiceAccountReq{
 NewStatus: wantedStatus,
- NewPolicy: []byte(policy),
+ NewPolicy: processServiceAccountPolicy(policy),
 })
 if err != nil {
 return NewResourceError("error to disable service account", d.Id(), err)
@@ -133,7 +133,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 if d.HasChange("secret_key") || serviceAccountConfig.MinioSecretKey != wantedSecret {
 err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, d.Id(), madmin.UpdateServiceAccountReq{
 NewSecretKey: wantedSecret,
- NewPolicy: []byte(policy),
+ NewPolicy: processServiceAccountPolicy(policy),
 })
 if err != nil {
 return NewResourceError("error updating service account Key %s: %s", d.Id(), err)
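Review bot: In the `@@ -114,7 +114,7 @@` hunk the status-only update now always carries a non-empty `NewPolicy`, because `processServiceAccountPolicy` substitutes the empty-policy document whenever `policy` is empty; the secret-key update in the `@@ -133,7 +133,7 @@` hunk does the same. A status toggle or a secret rotation therefore also rewrites the account's policy on the server, which presumably did not happen while a zero-length `[]byte` was sent. If that is intended, say so above each request, e.g. `// NewPolicy is resent on every update so the server-side policy always matches the configuration.`; otherwise drop the `NewPolicy:` field from these two requests and send it only in the `d.HasChange("policy")` branch. minioUpdateServiceAccount starts and ends outside both hunks.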
@@ -144,7 +144,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 if d.HasChange("policy") {
 err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, d.Id(), madmin.UpdateServiceAccountReq{
- NewPolicy: []byte(policy),
+ NewPolicy: processServiceAccountPolicy(policy),
 })
 if err != nil {
 return NewResourceError("error updating service account policy %s: %s", d.Id(), err)
@@ -216,3 +216,11 @@ func deleteMinioServiceAccount(ctx context.Context, serviceAccountConfig *S3Mini
 return
 }
+
+func processServiceAccountPolicy(policy string) []byte {
+ if len(policy) == 0 {
+ emptyPolicy := "{\n\"Version\": \"\",\n\"Statement\": null\n}"
+ return []byte(emptyPolicy)
+ }
+ return []byte(policy)
+}
diff --git a/minio/resource_minio_service_account_test.go b/minio/resource_minio_service_account_test.go
index 51cc6033..7a014f81 100644
--- a/minio/resource_minio_service_account_test.go
+++ b/minio/resource_minio_service_account_test.go
@@ -98,6 +98,9 @@ func TestServiceAccount_Policy(t *testing.T) {
 policy1 := "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:ListAllMyBuckets\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
 policy2 := "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
+ targetUser2 := "test"
+ resourceName2 := "minio_iam_service_account.test_service_account"
+
 resource.ParallelTest(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: testAccProviders,
@@ -121,6 +124,12 @@ func TestServiceAccount_Policy(t *testing.T) {
 testAccCheckMinioServiceAccountPolicy(resourceName, policy2),
 ),
 },
+ {
+ Config: testAccMinioServiceAccountWithUserPolicy(targetUser2),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckMinioServiceAccountExists(resourceName2, &serviceAccount),
+ ),
+ },
 },
 })
 }
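Review bot: `processServiceAccountPolicy` in the `@@ -216,3 +216,11 @@` hunk has no doc comment, and the hand-written JSON literal does not say what the server does with a policy whose `Version` is empty and whose `Statement` is null. That matters for least privilege: if MinIO treats this document as "no embedded policy" and falls back to the target user's permissions (to be confirmed against the server version in use), an omitted `policy` gives the service account everything its parent user has. Add a comment such as `// processServiceAccountPolicy returns the policy bytes to send; an empty policy is replaced by an explicit empty document, which the server is expected to treat as "inherit the target user's policy".` and state the same in the `policy` attribute description. The `len(policy) == 0` check also lets a whitespace-only string through as a policy; `strings.TrimSpace(policy) == ""` would cover that case.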
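Review bot: The test step added in the `@@ -121,6 +124,12 @@` hunk asserts only that the service account exists, so it would still pass if the account ended up with a different effective policy than intended. Add a policy assertion next to the existence check, for example `testAccCheckMinioServiceAccountPolicy(resourceName2, <expected policy>),`, where the expected value is whatever the server reports for an account created without a policy. The step also targets `resourceName2` rather than the resource used in the earlier steps, so it appears to exercise creation but not the update from `policy2` back to an empty policy; a further step on `resourceName` with the policy removed would cover the `d.HasChange("policy")` path. The step's config function is cut off in this view and TestServiceAccount_Policy starts outside the hunk, so this is based on the visible lines only.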
@@ -172,6 +181,41 @@ resource "minio_iam_service_account" "test4" {
 }
 `, rName)
 }
+func testAccMinioServiceAccountWithUserPolicy(rName string) string {
+ return fmt.Sprintf(`
+resource "minio_iam_user" "test_user" {
+ secret = "secret1234"
+ name = %q
+}
+
+resource "minio_iam_policy" "test_policy" {
+ name = "state-terraform-s3"
+ policy = <