Saved work

hashicorp · Mar 24, 2017 · b66a057 · b66a057
1 parent af69ead
commit b66a057
Show file tree

Hide file tree

Showing 4 changed files with 256 additions and 29 deletions.
diff --git a/builtin/providers/aws/resource_aws_cognito_identity_pool_roles_attachment.go b/builtin/providers/aws/resource_aws_cognito_identity_pool_roles_attachment.go
@@ -26,18 +26,20 @@ func resourceAwsCognitoIdentityPoolRolesAttachment() *schema.Resource {
 
 		Schema: map[string]*schema.Schema{
 			"identity_pool_id": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ForceNew:     true,
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
 			},
 
 			"role_mappings": {
-				Type:         schema.TypeSet,
-				Optional:     true,
+				Type:     schema.TypeSet,
+				Optional: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"ambiguous_role_resolution": {
-							Type:     schema.TypeString,
+							Type:         schema.TypeString,
+							ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution,
+							Optional:     true, // Required if Type equals Token or Rules.
 						},
 						"rules_configuration": {
 							Type:     schema.TypeSet,
@@ -46,24 +48,29 @@ func resourceAwsCognitoIdentityPoolRolesAttachment() *schema.Resource {
 								Schema: map[string]*schema.Schema{
 									"rules": {
 										Type:     schema.TypeList,
+										Required: true,
 										MaxItems: 25,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
 												"claim": {
-													Type: schema.TypeString,
-													Required: true,
+													Type:         schema.TypeString,
+													Required:     true,
+													ValidateFunc: validateCognitoRoleMappingsRulesClaim,
 												},
 												"match_type": {
-													Type: schema.TypeString,
-													Required: true,
+													Type:         schema.TypeString,
+													Required:     true,
+													ValidateFunc: validateCognitoRoleMappingsRulesMatchType,
 												},
 												"role_arn": {
-													Type: schema.TypeString,
-													Required: true,
+													Type:         schema.TypeString,
+													Required:     true,
+													ValidateFunc: validateArn,
 												},
 												"value": {
-													Type: schema.TypeString,
-													Required: true,
+													Type:         schema.TypeString,
+													Required:     true,
+													ValidateFunc: validateCognitoRoleMappingsRulesValue,
 												},
 											},
 										},
@@ -72,17 +79,18 @@ func resourceAwsCognitoIdentityPoolRolesAttachment() *schema.Resource {
 							},
 						},
 						"type": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validateCognitoRoleMappingsType,
 						},
 					},
 				},
 			},
 
 			"roles": {
-				Type:         schema.TypeMap,
-				Required:     true,
-				ForceNew:     true,
+				Type:     schema.TypeMap,
+				Required: true,
+				ForceNew: true,
 			},
 		},
 	}
@@ -94,7 +102,7 @@ func resourceAwsCognitoIdentityPoolRolesAttachmentCreate(d *schema.ResourceData,
 
 	params := &cognitoidentity.SetIdentityPoolRolesInput{
 		IdentityPoolId: aws.String(d.Get("identity_pool_id").(string)),
-		Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
+		Roles:          expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
 	}
 
 	if v, ok := d.GetOk("role_mappings"); ok {
@@ -127,7 +135,6 @@ func resourceAwsCognitoIdentityPoolRolesAttachmentRead(d *schema.ResourceData, m
 		return err
 	}
 
-
 	if err := d.Set("roles", flattenCognitoIdentityPoolRoles(ip.Roles)); err != nil {
 		return fmt.Errorf("[DEBUG] Error setting roles error: %#v", err)
 	}
@@ -142,8 +149,8 @@ func resourceAwsCognitoIdentityPoolRolesAttachmentDelete(d *schema.ResourceData,
 	return resource.Retry(5*time.Minute, func() *resource.RetryError {
 		_, err := conn.SetIdentityPoolRoles(&cognitoidentity.SetIdentityPoolRolesInput{
 			IdentityPoolId: aws.String(d.Id()),
-			Roles: expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
-			RoleMappings: expandCognitoIdentityPoolRoleMappingsAttachment(schema.NewSet(schema.HashString, []interface{}{})),
+			Roles:          expandCognitoIdentityPoolRoles(d.Get("roles").(map[string]interface{})),
+			RoleMappings:   expandCognitoIdentityPoolRoleMappingsAttachment(schema.NewSet(schema.HashString, []interface{}{})),
 		})
 
 		if err == nil {

diff --git a/builtin/providers/aws/resource_aws_cognito_identity_pool_roles_attachment_test.go b/builtin/providers/aws/resource_aws_cognito_identity_pool_roles_attachment_test.go
@@ -89,7 +89,7 @@ func testAccCheckAWSCognitoIdentityPoolRolesAttachmentDestroy(s *terraform.State
 	return nil
 }
 
-func testAccAWSCognitoIdentityPoolConfig_basic(name string) string {
+func testAccAWSCognitoIdentityPoolRolesAttachmentConfig_basic(name string) string {
 	return fmt.Sprintf(`
 resource "aws_cognito_identity_pool" "main" {
   identity_pool_name               = "identity pool %s"

diff --git a/builtin/providers/aws/validators.go b/builtin/providers/aws/validators.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/service/apigateway"
+	"github.com/aws/aws-sdk-go/service/cognitoidentity"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/hashicorp/terraform/helper/schema"
 )
@@ -1093,7 +1094,7 @@ func validateCognitoSamlProviderArns(v interface{}, k string) (ws []string, erro
 func validateCognitoSupportedLoginProviders(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
 	if len(value) < 1 {
-		errors = append(errors, fmt.Errorf("%q cannot be less than 1 character", k))
+		errors = append(errors, fmt.Errorf("%q cannot be less than 1 caracter", k))
 	}
 
 	if len(value) > 128 {
@@ -1110,7 +1111,7 @@ func validateCognitoSupportedLoginProviders(v interface{}, k string) (ws []strin
 func validateCognitoIdentityProvidersClientId(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
 	if len(value) < 1 {
-		errors = append(errors, fmt.Errorf("%q cannot be less than 1 character", k))
+		errors = append(errors, fmt.Errorf("%q cannot be less than 1 caracter", k))
 	}
 
 	if len(value) > 128 {
@@ -1127,7 +1128,7 @@ func validateCognitoIdentityProvidersClientId(v interface{}, k string) (ws []str
 func validateCognitoIdentityProvidersProviderName(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
 	if len(value) < 1 {
-		errors = append(errors, fmt.Errorf("%q cannot be less than 1 character", k))
+		errors = append(errors, fmt.Errorf("%q cannot be less than 1 caracter", k))
 	}
 
 	if len(value) > 128 {
@@ -1140,3 +1141,92 @@ func validateCognitoIdentityProvidersProviderName(v interface{}, k string) (ws [
 
 	return
 }
+
+// If Type equals "Token" or "Rules", ambiguous_role_resolution must be defined.
+// This should be removed as soon as we can have a ValidateFuncAgainst callable on the schema.
+func validateCognitoRoleMappingsAmbiguousRoleResolutionAgainstType(v map[string]interface{}) (errors []error) {
+	t := v["type"].(string)
+	isRequired := t == cognitoidentity.RoleMappingTypeToken || t == cognitoidentity.RoleMappingTypeRules
+
+	if _, ok := v["ambiguous_role_resolution"]; !ok && isRequired {
+		errors = append(errors, fmt.Errorf("Cognito Ambiguous Role Resolution must be defined when \"type\" equals Token or Rules"))
+	}
+
+	return
+}
+
+func validateCognitoRoleMappingsAmbiguousRoleResolution(v interface{}, k string) (ws []string, errors []error) {
+	validValues := []string{
+		cognitoidentity.AmbiguousRoleResolutionTypeAuthenticatedRole,
+		cognitoidentity.AmbiguousRoleResolutionTypeDeny,
+	}
+	value := v.(string)
+	for _, s := range validValues {
+		if value == s {
+			return
+		}
+	}
+	errors = append(errors, fmt.Errorf(
+		"%q contains an invalid value %q. Valid values are %q.",
+		k, value, validValues))
+	return
+}
+
+func validateCognitoRoleMappingsRulesClaim(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+
+	if !regexp.MustCompile("^[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}]+$").MatchString(value) {
+		errors = append(errors, fmt.Errorf("%q must contain only alphanumeric caracters, dots, underscores, colons, slashes and hyphens", k))
+	}
+
+	return
+}
+
+func validateCognitoRoleMappingsRulesMatchType(v interface{}, k string) (ws []string, errors []error) {
+	validValues := []string{
+		cognitoidentity.MappingRuleMatchTypeEquals,
+		cognitoidentity.MappingRuleMatchTypeContains,
+		cognitoidentity.MappingRuleMatchTypeStartsWith,
+		cognitoidentity.MappingRuleMatchTypeNotEqual,
+	}
+	value := v.(string)
+	for _, s := range validValues {
+		if value == s {
+			return
+		}
+	}
+	errors = append(errors, fmt.Errorf(
+		"%q contains an invalid value %q. Valid values are %q.",
+		k, value, validValues))
+	return
+}
+
+func validateCognitoRoleMappingsRulesValue(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+	if len(value) < 1 {
+		errors = append(errors, fmt.Errorf("%q cannot be less than 1 caracter", k))
+	}
+
+	if len(value) > 128 {
+		errors = append(errors, fmt.Errorf("%q cannot be longer than 1 caracters", k))
+	}
+
+	return
+}
+
+func validateCognitoRoleMappingsType(v interface{}, k string) (ws []string, errors []error) {
+	validValues := []string{
+		cognitoidentity.RoleMappingTypeToken,
+		cognitoidentity.RoleMappingTypeRules,
+	}
+	value := v.(string)
+	for _, s := range validValues {
+		if value == s {
+			return
+		}
+	}
+	errors = append(errors, fmt.Errorf(
+		"%q contains an invalid value %q. Valid values are %q.",
+		k, value, validValues))
+	return
+}