From fea8cc3fb7ddb3b91ba3f70ea5fafc157f9dd02e Mon Sep 17 00:00:00 2001
From: Brandon Stevens
Date: Fri, 10 Aug 2018 11:06:09 -0500
Subject: [PATCH 1/2] Add Test for Privately Sharing SSM Documents
---
 aws/resource_aws_ssm_document_test.go | 60 +++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 3 deletions(-)
diff --git a/aws/resource_aws_ssm_document_test.go b/aws/resource_aws_ssm_document_test.go
index 5794b62dbd5..f7cfc7e4bb7 100644
--- a/aws/resource_aws_ssm_document_test.go
+++ b/aws/resource_aws_ssm_document_test.go
@@ -67,7 +67,7 @@ func TestAccAWSSSMDocument_update(t *testing.T) {
 })
 }
 
-func TestAccAWSSSMDocument_permission(t *testing.T) {
+func TestAccAWSSSMDocument_permission_public(t *testing.T) {
 name := acctest.RandString(10)
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
@@ -75,7 +75,7 @@ func TestAccAWSSSMDocument_permission(t *testing.T) {
 CheckDestroy: testAccCheckAWSSSMDocumentDestroy,
 Steps: []resource.TestStep{
 {
- Config: testAccAWSSSMDocumentPermissionConfig(name),
+ Config: testAccAWSSSMDocumentPublicPermissionConfig(name),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAWSSSMDocumentExists("aws_ssm_document.foo"),
 resource.TestCheckResourceAttr(
@@ -88,6 +88,26 @@ func TestAccAWSSSMDocument_permission(t *testing.T) {
 })
 }
 
+func TestAccAWSSSMDocument_permission_private(t *testing.T) {
+ name := acctest.RandString(10)
+ ids := "123456789012"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSSMDocumentDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSSSMDocumentPrivatePermissionConfig(name, ids),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSSMDocumentExists("aws_ssm_document.foo"),
+ resource.TestCheckResourceAttr(
+ "aws_ssm_document.foo", "permissions.type", "Share"),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccAWSSSMDocument_params(t *testing.T) {
 name := acctest.RandString(10)
 resource.Test(t, resource.TestCase{
@@ -371,7 +391,7 @@ DOC
 `, rName)
 }
 
-func testAccAWSSSMDocumentPermissionConfig(rName string) string {
+func testAccAWSSSMDocumentPublicPermissionConfig(rName string) string {
 return fmt.Sprintf(`
 resource "aws_ssm_document" "foo" {
 name = "test_document-%s"
@@ -405,6 +425,40 @@ DOC
 `, rName)
 }
 
+func testAccAWSSSMDocumentPrivatePermissionConfig(rName string, rIds string) string {
+ return fmt.Sprintf(`
+resource "aws_ssm_document" "foo" {
+ name = "test_document-%s"
+ document_type = "Command"
+
+ permissions = {
+ type = "Share"
+ account_ids = "%s"
+ }
+
+ content = <
Date: Fri, 17 Aug 2018 09:11:58 -0500
Subject: [PATCH 2/2] Update SSM Document Deletion to Unshare Before Deleting
---
 aws/resource_aws_ssm_document.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/aws/resource_aws_ssm_document.go b/aws/resource_aws_ssm_document.go
index 73ea866f130..35ec4ce7a8e 100644
--- a/aws/resource_aws_ssm_document.go
+++ b/aws/resource_aws_ssm_document.go
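Review bot: The Check in TestAccAWSSSMDocument_permission_private only asserts `permissions.type`, so the test still passes if the account ID passed in through `ids` is never applied to the document, which is the behaviour the private-share test exists to cover. Add `resource.TestCheckResourceAttr("aws_ssm_document.foo", "permissions.account_ids", ids),` beside the existing type check so the stored share list is verified. A second step whose `ids` is a comma-separated list would also cover the multi-account parsing that the delete path in the second patch of this series relies on. Whether the API accepts sharing to the fixed sample account `123456789012` is not visible here, so that value may need to come from the test environment instead.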
@@ -448,10 +448,19 @@ func deleteDocumentPermissions(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[INFO] Removing permissions from document: %s", d.Id())
 
+ permission := d.Get("permissions").(map[string]interface{})
+ var accountsToRemove []*string
+ if permission["account_ids"] != nil {
+ accountsToRemove = aws.StringSlice([]string{permission["account_ids"].(string)})
+ if strings.Contains(permission["account_ids"].(string), ",") {
+ accountsToRemove = aws.StringSlice(strings.Split(permission["account_ids"].(string), ","))
+ }
+ }
+
 permInput := &ssm.ModifyDocumentPermissionInput{
 Name: aws.String(d.Get("name").(string)),
 PermissionType: aws.String("Share"),
- AccountIdsToRemove: aws.StringSlice(strings.Split("all", ",")),
+ AccountIdsToRemove: accountsToRemove,
 }
 
 _, err := ssmconn.ModifyDocumentPermission(permInput)
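Review bot: The new `account_ids` parsing in deleteDocumentPermissions does not trim whitespace around the separator, so a value like `"111111111111, 222222222222"` (constructed example) sends ` 222222222222` in AccountIdsToRemove and leaves that account shared, and an empty string sends one empty account ID rather than nothing. The `strings.Contains` branch is also redundant, because `strings.Split` on a string without a comma already returns a one-element slice, so the block collapses to the form below. Before this change the call always revoked `all`; now a document with no `permissions` block sends a nil AccountIdsToRemove, so whether this function is only reached when permissions are configured depends on the caller, which is outside the hunk. The remainder of deleteDocumentPermissions after the ModifyDocumentPermission call is outside the hunk as well.
```go
	permission := d.Get("permissions").(map[string]interface{})
	var accountsToRemove []*string
	if ids, ok := permission["account_ids"].(string); ok && ids != "" {
		for _, id := range strings.Split(ids, ",") {
			accountsToRemove = append(accountsToRemove, aws.String(strings.TrimSpace(id)))
		}
	}
	// … unchanged: permInput and the ModifyDocumentPermission call …
```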