aminueza · felladrin · Jul 27, 2023 · Jul 27, 2023
diff --git a/minio/resource_minio_iam_group_policy_attachment.go b/minio/resource_minio_iam_group_policy_attachment.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/minio/madmin-go"
 )
 
 func resourceMinioIAMGroupPolicyAttachment() *schema.Resource {
@@ -43,10 +44,17 @@ func minioCreateGroupPolicyAttachment(ctx context.Context, d *schema.ResourceDat
 	var groupName = d.Get("group_name").(string)
 	var policyName = d.Get("policy_name").(string)
 
-	log.Printf("[DEBUG] Attaching policy %s to group: %s", policyName, groupName)
-	err := minioAdmin.SetPolicy(ctx, policyName, groupName, true)
+	policies, err := minioReadGroupPolicies(ctx, minioAdmin, groupName)
 	if err != nil {
-		return NewResourceError("unable to attach group policy", groupName+" "+policyName, err)
+		return err
+	}
+	if !Contains(policies, policyName) {
+		log.Printf("[DEBUG] Attaching policy %s to group: %s", policyName, groupName)
+		policies = append(policies, policyName)
+		err := minioAdmin.SetPolicy(ctx, strings.Join(policies, ","), groupName, true)
+		if err != nil {
+			return NewResourceError("unable to attach group policy", groupName+" "+policyName, err)
+		}
 	}
 
 	d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", groupName)))
@@ -58,19 +66,19 @@ func minioReadGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData,
 	minioAdmin := meta.(*S3MinioClient).S3Admin
 
 	var groupName = d.Get("group_name").(string)
+	var policyName = d.Get("policy_name").(string)
 
-	groupInfo, errGroup := minioAdmin.GetGroupDescription(ctx, groupName)
-	if errGroup != nil {
-		return NewResourceError("failed to load group infos", groupName, errGroup)
+	policies, err := minioReadGroupPolicies(ctx, minioAdmin, groupName)
+	if err != nil {
+		return err
 	}
-
-	if groupInfo.Policy == "" {
+	if !Contains(policies, policyName) {
 		log.Printf("[WARN] No such policy by name (%s) found, removing from state", d.Id())
 		d.SetId("")
 		return nil
 	}
 
-	if err := d.Set("policy_name", string(groupInfo.Policy)); err != nil {
+	if err := d.Set("policy_name", policyName); err != nil {
 		return NewResourceError("failed to load group infos", groupName, err)
 	}
 
@@ -81,8 +89,19 @@ func minioDeleteGroupPolicyAttachment(ctx context.Context, d *schema.ResourceDat
 	minioAdmin := meta.(*S3MinioClient).S3Admin
 
 	var groupName = d.Get("group_name").(string)
+	var policyName = d.Get("policy_name").(string)
+
+	policies, err := minioReadGroupPolicies(ctx, minioAdmin, groupName)
+	if err != nil {
+		return err
+	}
 
-	errIam := minioAdmin.SetPolicy(ctx, "", groupName, true)
+	newPolicies, found := Filter(policies, policyName)
+	if !found {
+		return nil
+	}
+
+	errIam := minioAdmin.SetPolicy(ctx, strings.Join(newPolicies, ","), groupName, true)
 	if errIam != nil {
 		return NewResourceError("unable to delete user policy", groupName, errIam)
 	}
@@ -110,3 +129,11 @@ func minioImportGroupPolicyAttachment(ctx context.Context, d *schema.ResourceDat
 	d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", groupName)))
 	return []*schema.ResourceData{d}, nil
 }
+
+func minioReadGroupPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, groupName string) ([]string, diag.Diagnostics) {
+	groupInfo, errGroup := minioAdmin.GetGroupDescription(ctx, groupName)
+	if errGroup != nil {
+		return nil, NewResourceError("failed to load group infos", groupName, errGroup)
+	}
+	return strings.Split(groupInfo.Policy, ","), nil
+}
diff --git a/minio/resource_minio_iam_user_policy_attachment.go b/minio/resource_minio_iam_user_policy_attachment.go
@@ -43,9 +43,17 @@ func minioCreateUserPolicyAttachment(ctx context.Context, d *schema.ResourceData
 	var userName = d.Get("user_name").(string)
 	var policyName = d.Get("policy_name").(string)
 	minioAdmin := meta.(*S3MinioClient).S3Admin
-	err := minioAdmin.SetPolicy(ctx, policyName, userName, false)
+
+	policies, err := minioReadUserPolicies(ctx, minioAdmin, userName)
 	if err != nil {
-		return NewResourceError("unable to Set User policy", userName+" "+policyName, err)
+		return err
+	}
+	if !Contains(policies, policyName) {
+		policies = append(policies, policyName)
+		err := minioAdmin.SetPolicy(ctx, strings.Join(policies, ","), userName, false)
+		if err != nil {
+			return NewResourceError("unable to Set User policy", userName+" "+policyName, err)
+		}
 	}
 
 	d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", userName)))
@@ -56,28 +64,20 @@ func minioCreateUserPolicyAttachment(ctx context.Context, d *schema.ResourceData
 func minioReadUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	minioAdmin := meta.(*S3MinioClient).S3Admin
 	var userName = d.Get("user_name").(string)
-	var isLDAPUser = LDAPUserDistinguishedNamePattern.MatchString(userName)
-
-	log.Printf("[DEBUG] UserPolicyAttachment: is user '%s' an LDAP user? %t", userName, isLDAPUser)
+	var policyName = d.Get("policy_name").(string)
 
-	userInfo, errUser := minioAdmin.GetUserInfo(ctx, userName)
+	policies, errUser := minioReadUserPolicies(ctx, minioAdmin, userName)
 	if errUser != nil {
-		errUserResponse, errUserIsResponse := errUser.(madmin.ErrorResponse)
-
-		log.Printf("[DEBUG] UserPolicyAttachment: got an error, errUserIsResponse=%t, errUserResponse.Code=%s", errUserIsResponse, errUserResponse.Code)
-
-		if !isLDAPUser || !errUserIsResponse || !strings.EqualFold(errUserResponse.Code, "XMinioAdminNoSuchUser") {
-			return NewResourceError("failed to load user Infos", userName, errUser)
-		}
+		return errUser
 	}
 
-	if userInfo.PolicyName == "" {
+	if !Contains(policies, policyName) {
 		log.Printf("[WARN] No such policy by name (%s) found, removing from state", d.Id())
 		d.SetId("")
 		return nil
 	}
 
-	if err := d.Set("policy_name", string(userInfo.PolicyName)); err != nil {
+	if err := d.Set("policy_name", policyName); err != nil {
 		return diag.FromErr(err)
 	}
 
@@ -86,9 +86,21 @@ func minioReadUserPolicyAttachment(ctx context.Context, d *schema.ResourceData,
 
 func minioDeleteUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	minioAdmin := meta.(*S3MinioClient).S3Admin
+
 	var userName = d.Get("user_name").(string)
+	var policyName = d.Get("policy_name").(string)
+
+	policies, err := minioReadUserPolicies(ctx, minioAdmin, userName)
+	if err != nil {
+		return err
+	}
 
-	errIam := minioAdmin.SetPolicy(ctx, "", userName, false)
+	newPolicies, found := Filter(policies, policyName)
+	if !found {
+		return nil
+	}
+
+	errIam := minioAdmin.SetPolicy(ctx, strings.Join(newPolicies, ","), userName, false)
 	if errIam != nil {
 		return NewResourceError("unable to delete user policy", userName, errIam)
 	}
@@ -116,3 +128,21 @@ func minioImportUserPolicyAttachment(ctx context.Context, d *schema.ResourceData
 	d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", userName)))
 	return []*schema.ResourceData{d}, nil
 }
+
+func minioReadUserPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, userName string) ([]string, diag.Diagnostics) {
+	var isLDAPUser = LDAPUserDistinguishedNamePattern.MatchString(userName)
+
+	log.Printf("[DEBUG] UserPolicyAttachment: is user '%s' an LDAP user? %t", userName, isLDAPUser)
+
+	userInfo, errUser := minioAdmin.GetUserInfo(ctx, userName)
+	if errUser != nil {
+		errUserResponse, errUserIsResponse := errUser.(madmin.ErrorResponse)
+
+		log.Printf("[DEBUG] UserPolicyAttachment: got an error, errUserIsResponse=%t, errUserResponse.Code=%s", errUserIsResponse, errUserResponse.Code)
+
+		if !isLDAPUser || !errUserIsResponse || !strings.EqualFold(errUserResponse.Code, "XMinioAdminNoSuchUser") {
+			return nil, NewResourceError("failed to load user Infos", userName, errUser)
+		}
+	}
+	return strings.Split(userInfo.PolicyName, ","), nil
+}
diff --git a/minio/utils.go b/minio/utils.go
@@ -62,6 +62,16 @@ func Contains(slice []string, item string) bool {
 	return ok
 }
 
+func Filter(slice []string, item string) ([]string, bool) {
+	var out []string
+	for _, s := range slice {
+		if s != item {
+			out = append(out, s)
+		}
+	}
+	return out, len(out) != len(slice)
+}
+
 // HashcodeString hashes a string to a unique hashcode.
 //
 // crc32 returns a `uint32`, but for our use we need