Handle empty service account policy (#518)

minio/resource_minio_service_account.go

@@ -72,7 +72,7 @@ func minioCreateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 	policy := serviceAccountConfig.MinioSAPolicy
 
 	serviceAccount, err := serviceAccountConfig.MinioAdmin.AddServiceAccount(ctx, madmin.AddServiceAccountReq{
-		Policy:     []byte(policy),
+		Policy:     processServiceAccountPolicy(policy),
 		TargetUser: targetUser,
 	})
 	if err != nil {
@@ -114,7 +114,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 	if serviceAccountServerInfo.AccountStatus != wantedStatus {
 		err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, serviceAccountConfig.MinioAccessKey, madmin.UpdateServiceAccountReq{
 			NewStatus: wantedStatus,
-			NewPolicy: []byte(policy),
+			NewPolicy: processServiceAccountPolicy(policy),
 		})
 		if err != nil {
 			return NewResourceError("error to disable service account", d.Id(), err)
@@ -133,7 +133,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 	if d.HasChange("secret_key") || serviceAccountConfig.MinioSecretKey != wantedSecret {
 		err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, d.Id(), madmin.UpdateServiceAccountReq{
 			NewSecretKey: wantedSecret,
-			NewPolicy:    []byte(policy),
+			NewPolicy:    processServiceAccountPolicy(policy),
 		})
 		if err != nil {
 			return NewResourceError("error updating service account Key %s: %s", d.Id(), err)
@@ -144,7 +144,7 @@ func minioUpdateServiceAccount(ctx context.Context, d *schema.ResourceData, meta
 
 	if d.HasChange("policy") {
 		err := serviceAccountConfig.MinioAdmin.UpdateServiceAccount(ctx, d.Id(), madmin.UpdateServiceAccountReq{
-			NewPolicy: []byte(policy),
+			NewPolicy: processServiceAccountPolicy(policy),
 		})
 		if err != nil {
 			return NewResourceError("error updating service account policy %s: %s", d.Id(), err)
@@ -216,3 +216,11 @@ func deleteMinioServiceAccount(ctx context.Context, serviceAccountConfig *S3Mini
 
 	return
 }
+
+func processServiceAccountPolicy(policy string) []byte {
+	if len(policy) == 0 {
+		emptyPolicy := "{\n\"Version\": \"\",\n\"Statement\": null\n}"
+		return []byte(emptyPolicy)
+	}
+	return []byte(policy)
+}

minio/resource_minio_service_account_test.go

@@ -98,6 +98,9 @@ func TestServiceAccount_Policy(t *testing.T) {
 	policy1 := "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:ListAllMyBuckets\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
 	policy2 := "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
 
+	targetUser2 := "test"
+	resourceName2 := "minio_iam_service_account.test_service_account"
+
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
 		ProviderFactories: testAccProviders,
@@ -121,6 +124,12 @@ func TestServiceAccount_Policy(t *testing.T) {
 					testAccCheckMinioServiceAccountPolicy(resourceName, policy2),
 				),
 			},
+			{
+				Config: testAccMinioServiceAccountWithUserPolicy(targetUser2),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckMinioServiceAccountExists(resourceName2, &serviceAccount),
+				),
+			},
 		},
 	})
 }
@@ -172,6 +181,41 @@ resource "minio_iam_service_account" "test4" {
 }
 `, rName)
 }
+func testAccMinioServiceAccountWithUserPolicy(rName string) string {
+	return fmt.Sprintf(`
+resource "minio_iam_user" "test_user" {
+  secret = "secret1234"
+  name   = %q
+}
+
+resource "minio_iam_policy" "test_policy" {
+  name   = "state-terraform-s3"
+  policy = <<EOF
+{
+	"Version":"2012-10-17",
+	"Statement": [
+		{
+			"Sid":"ListAllBucket",
+			"Effect": "Allow",
+			"Action": ["s3:PutObject"],
+			"Principal":"*",
+			"Resource": "arn:aws:s3:::test_bucket/*"
+		}
+	]
+}
+EOF
+}
+
+resource "minio_iam_user_policy_attachment" "test_policy_attachment" {
+  user_name   = minio_iam_user.test_user.id
+  policy_name = minio_iam_policy.test_policy.id
+}
+
+resource "minio_iam_service_account" "test_service_account" {
+  target_user   = minio_iam_user.test_user.id
+}
+`, rName)
+}
 
 func testAccCheckMinioServiceAccountExists(n string, res *madmin.InfoServiceAccountResp) resource.TestCheckFunc {
 	return func(s *terraform.State) error {