
service/iam: iam_principal_policy_simulation data source #25569

Merged

Conversation

apparentlymart

@apparentlymart apparentlymart commented Jun 25, 2022

This data source wraps the IAM policy simulation API. This was previously an API action with little utility in Terraform, but with the introduction of preconditions and postconditions in Terraform v1.2.3 it can be potentially useful as a way for a configuration to either pre-verify that it seems to be running with credentials that confer sufficient access or to self-check a policy it declares itself to get earlier warning if the policy seems insufficient for its intended purpose.

Unfortunately the IAM policy simulator is pretty low-level and requires the caller to figure out all of the relevant details of how a real AWS service would make requests to IAM at runtime in order to construct a fully-realistic simulation, but thankfully in practice it seems like authors could make do with relatively-simple "naive" simulations unless they know they are using more complex IAM policy features, such as custom conditions or interpolations. I included some hopefully-realistic examples in the documentation.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Output from acceptance testing:

=== RUN   TestAccIAMPrincipalPolicySimulationDataSource
=== PAUSE TestAccIAMPrincipalPolicySimulationDataSource
=== CONT  TestAccIAMPrincipalPolicySimulationDataSource
--- PASS: TestAccIAMPrincipalPolicySimulationDataSource (23.77s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        26.721s
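The two uses the description above mentions, pre-verifying the running credentials and self-checking a declared policy, as an added Terraform example; this is not code from the pull request or from the provider's documentation. The argument and attribute names (`policy_source_arn`, `action_names`, `resource_arns`, `all_allowed`) are as I recall them from the released data source and should be checked against the provider docs for your version; the bucket and role names are placeholders.

```hcl
# Added example, not part of the pull request. "example-bucket" and
# "example-app-role" are placeholder names.

data "aws_caller_identity" "current" {}

# Use case 1: before changing anything, check that the principal Terraform is
# running as would be allowed to perform the actions this configuration needs.
# This is a "naive" simulation: no request context keys are supplied, so any
# Condition elements in the effective policies are not modelled.
data "aws_iam_principal_policy_simulation" "caller_s3_access" {
  policy_source_arn = data.aws_caller_identity.current.arn
  action_names      = ["s3:GetObject", "s3:PutObject"]
  resource_arns     = ["arn:aws:s3:::example-bucket/*"]
}

resource "aws_s3_object" "example" {
  bucket  = "example-bucket"
  key     = "config.json"
  content = "{}"

  lifecycle {
    precondition {
      condition     = data.aws_iam_principal_policy_simulation.caller_s3_access.all_allowed
      error_message = "The current credentials are not allowed to read and write objects in example-bucket."
    }
  }
}

# Use case 2: self-check a policy this configuration declares. The simulation
# must read after the policy is attached, hence the explicit depends_on, and
# the postcondition fails the run if the role does not get the access intended.
resource "aws_iam_role" "app" {
  name = "example-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "app_read" {
  role = aws_iam_role.app.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-bucket/*"
    }]
  })
}

data "aws_iam_principal_policy_simulation" "app_role_check" {
  policy_source_arn = aws_iam_role.app.arn
  action_names      = ["s3:GetObject"]
  resource_arns     = ["arn:aws:s3:::example-bucket/*"]

  depends_on = [aws_iam_role_policy.app_read]

  lifecycle {
    postcondition {
      condition     = self.all_allowed
      error_message = "example-app-role cannot read objects in example-bucket; check aws_iam_role_policy.app_read."
    }
  }
}
```

Two practical notes: the principal running Terraform needs `iam:SimulatePrincipalPolicy` for either check to work, and because the second data source depends on a managed resource its read is deferred to apply time, so the postcondition is evaluated after the policy exists rather than during plan. A passing simulation is only as good as its inputs: if your policies use condition keys, supply the matching context values, otherwise the result can differ from what the service would decide at runtime.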

@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/iam Issues and PRs that pertain to the iam service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. needs-triage Waiting for first response or review from a maintainer. size/XL Managed by automation to categorize the size of a PR. labels Jun 25, 2022
@apparentlymart apparentlymart force-pushed the f-simulate-principal-policy branch 8 times, most recently from d54973c to 4de5795 Compare June 25, 2022 01:41
This data source wraps the IAM policy simulation API. This was previously
a data source with little utility in Terraform, but with the introduction
of preconditions and postconditions in Terraform v1.2.3 it can be
potentially useful as a way for a configuration to either pre-verify that
it seems to be running with credentials that confer sufficient access or
to self-check a policy it declares itself to get earlier warning if the
policy seems insufficient for its intended purpose.

Unfortunately the IAM policy simulator is pretty low-level and requires
the caller to figure out all of the relevant details of how a real AWS
service would make requests to IAM at runtime in order to construct
a fully-realistic simulation, but thankfully in practice it seems like
authors could make do with relatively-simple "naive" simulations unless
they know they are using more complex IAM policy features, such as custom
conditions or interpolations.
@apparentlymart apparentlymart force-pushed the f-simulate-principal-policy branch from 4de5795 to 0031038 Compare June 27, 2022 15:00
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jun 27, 2022
@github-actions github-actions bot added generators Relates to code generators. and removed provider Pertains to the provider itself, rather than any interaction with AWS. labels Jun 5, 2023

@ewbankkit ewbankkit left a comment


LGTM 🚀.

% make testacc TESTARGS='-run=TestAccIAMPrincipalPolicySimulationDataSource' PKG=iam
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/iam/... -v -count 1 -parallel 20  -run=TestAccIAMPrincipalPolicySimulationDataSource -timeout 180m
=== RUN   TestAccIAMPrincipalPolicySimulationDataSource_basic
=== PAUSE TestAccIAMPrincipalPolicySimulationDataSource_basic
=== CONT  TestAccIAMPrincipalPolicySimulationDataSource_basic
--- PASS: TestAccIAMPrincipalPolicySimulationDataSource_basic (27.03s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/iam	32.824s

@ewbankkit

@apparentlymart Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 44b2c4b into hashicorp:main Jun 5, 2023
@github-actions github-actions bot added this to the v5.2.0 milestone Jun 5, 2023
@github-actions

github-actions bot commented Jun 9, 2023

This functionality has been released in v5.2.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 10, 2023