github.com/alexissmirnov/terraform@v0.4.3-0.20150423153700-1ef9731a2f14/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "strings" 7 "testing" 8 9 "github.com/awslabs/aws-sdk-go/aws" 10 "github.com/awslabs/aws-sdk-go/service/ec2" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 ) 14 15 func TestAccAWSSecurityGroup_normal(t *testing.T) { 16 var group ec2.SecurityGroup 17 18 resource.Test(t, resource.TestCase{ 19 PreCheck: func() { testAccPreCheck(t) }, 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 22 Steps: []resource.TestStep{ 23 resource.TestStep{ 24 Config: testAccAWSSecurityGroupConfig, 25 Check: resource.ComposeTestCheckFunc( 26 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 27 testAccCheckAWSSecurityGroupAttributes(&group), 28 resource.TestCheckResourceAttr( 29 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 30 resource.TestCheckResourceAttr( 31 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 32 resource.TestCheckResourceAttr( 33 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 34 resource.TestCheckResourceAttr( 35 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 36 resource.TestCheckResourceAttr( 37 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 38 resource.TestCheckResourceAttr( 39 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 40 resource.TestCheckResourceAttr( 41 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 42 ), 43 }, 44 }, 45 }) 46 } 47 48 func TestAccAWSSecurityGroup_self(t *testing.T) { 49 var group ec2.SecurityGroup 50 51 checkSelf := func(s *terraform.State) (err error) { 52 defer func() { 53 if e := recover(); e != nil { 54 err = fmt.Errorf("bad: %#v", group) 55 } 56 }() 57 58 if *group.IPPermissions[0].UserIDGroupPairs[0].GroupID != *group.GroupID { 59 return fmt.Errorf("bad: %#v", group) 60 } 61 62 return nil 63 } 64 65 resource.Test(t, resource.TestCase{ 66 PreCheck: func() { testAccPreCheck(t) }, 67 Providers: testAccProviders, 68 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 69 Steps: []resource.TestStep{ 70 resource.TestStep{ 71 Config: testAccAWSSecurityGroupConfigSelf, 72 Check: resource.ComposeTestCheckFunc( 73 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 74 resource.TestCheckResourceAttr( 75 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 76 resource.TestCheckResourceAttr( 77 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 78 resource.TestCheckResourceAttr( 79 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 80 resource.TestCheckResourceAttr( 81 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 82 resource.TestCheckResourceAttr( 83 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 84 resource.TestCheckResourceAttr( 85 "aws_security_group.web", "ingress.3971148406.self", "true"), 86 checkSelf, 87 ), 88 }, 89 }, 90 }) 91 } 92 93 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 94 var group ec2.SecurityGroup 95 96 testCheck := func(*terraform.State) error { 97 if *group.VPCID == "" { 98 return fmt.Errorf("should have vpc ID") 99 } 100 101 return nil 102 } 103 104 resource.Test(t, resource.TestCase{ 105 PreCheck: func() { testAccPreCheck(t) }, 106 Providers: testAccProviders, 107 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 108 Steps: []resource.TestStep{ 109 resource.TestStep{ 110 Config: testAccAWSSecurityGroupConfigVpc, 111 Check: resource.ComposeTestCheckFunc( 112 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 113 testAccCheckAWSSecurityGroupAttributes(&group), 114 resource.TestCheckResourceAttr( 115 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 116 resource.TestCheckResourceAttr( 117 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 118 resource.TestCheckResourceAttr( 119 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 120 resource.TestCheckResourceAttr( 121 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 122 resource.TestCheckResourceAttr( 123 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 124 resource.TestCheckResourceAttr( 125 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 126 resource.TestCheckResourceAttr( 127 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 128 resource.TestCheckResourceAttr( 129 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 130 resource.TestCheckResourceAttr( 131 "aws_security_group.web", "egress.3629188364.from_port", "80"), 132 resource.TestCheckResourceAttr( 133 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 134 resource.TestCheckResourceAttr( 135 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 136 resource.TestCheckResourceAttr( 137 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 138 testCheck, 139 ), 140 }, 141 }, 142 }) 143 } 144 145 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 146 var group ec2.SecurityGroup 147 148 resource.Test(t, resource.TestCase{ 149 PreCheck: func() { testAccPreCheck(t) }, 150 Providers: testAccProviders, 151 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 152 Steps: []resource.TestStep{ 153 resource.TestStep{ 154 Config: testAccAWSSecurityGroupConfigMultiIngress, 155 Check: resource.ComposeTestCheckFunc( 156 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 157 ), 158 }, 159 }, 160 }) 161 } 162 163 func TestAccAWSSecurityGroup_Change(t *testing.T) { 164 var group ec2.SecurityGroup 165 166 resource.Test(t, resource.TestCase{ 167 PreCheck: func() { testAccPreCheck(t) }, 168 Providers: testAccProviders, 169 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 170 Steps: []resource.TestStep{ 171 resource.TestStep{ 172 Config: testAccAWSSecurityGroupConfig, 173 Check: resource.ComposeTestCheckFunc( 174 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 175 ), 176 }, 177 resource.TestStep{ 178 Config: testAccAWSSecurityGroupConfigChange, 179 Check: resource.ComposeTestCheckFunc( 180 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 181 testAccCheckAWSSecurityGroupAttributesChanged(&group), 182 ), 183 }, 184 }, 185 }) 186 } 187 188 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 189 var group ec2.SecurityGroup 190 191 resource.Test(t, resource.TestCase{ 192 PreCheck: func() { testAccPreCheck(t) }, 193 Providers: testAccProviders, 194 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 195 Steps: []resource.TestStep{ 196 resource.TestStep{ 197 Config: testAccAWSSecurityGroupConfig_generatedName, 198 Check: resource.ComposeTestCheckFunc( 199 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 200 resource.TestCheckResourceAttr( 201 "aws_security_group.web", "description", "Managed by Terraform"), 202 func(s *terraform.State) error { 203 if group.GroupName == nil { 204 return fmt.Errorf("bad: No SG name") 205 } 206 if !strings.HasPrefix(*group.GroupName, "terraform-") { 207 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 208 } 209 return nil 210 }, 211 ), 212 }, 213 }, 214 }) 215 } 216 217 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 218 conn := testAccProvider.Meta().(*AWSClient).ec2conn 219 220 for _, rs := range s.RootModule().Resources { 221 if rs.Type != "aws_security_group" { 222 continue 223 } 224 225 // Retrieve our group 226 req := &ec2.DescribeSecurityGroupsInput{ 227 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 228 } 229 resp, err := conn.DescribeSecurityGroups(req) 230 if err == nil { 231 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 232 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 233 } 234 235 return nil 236 } 237 238 ec2err, ok := err.(aws.APIError) 239 if !ok { 240 return err 241 } 242 // Confirm error code is what we want 243 if ec2err.Code != "InvalidGroup.NotFound" { 244 return err 245 } 246 } 247 248 return nil 249 } 250 251 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 252 return func(s *terraform.State) error { 253 rs, ok := s.RootModule().Resources[n] 254 if !ok { 255 return fmt.Errorf("Not found: %s", n) 256 } 257 258 if rs.Primary.ID == "" { 259 return fmt.Errorf("No Security Group is set") 260 } 261 262 conn := testAccProvider.Meta().(*AWSClient).ec2conn 263 req := &ec2.DescribeSecurityGroupsInput{ 264 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 265 } 266 resp, err := conn.DescribeSecurityGroups(req) 267 if err != nil { 268 return err 269 } 270 271 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 272 *group = *resp.SecurityGroups[0] 273 return nil 274 } 275 276 return fmt.Errorf("Security Group not found") 277 } 278 } 279 280 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 281 return func(s *terraform.State) error { 282 p := &ec2.IPPermission{ 283 FromPort: aws.Long(80), 284 ToPort: aws.Long(8000), 285 IPProtocol: aws.String("tcp"), 286 IPRanges: []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}}, 287 } 288 289 if *group.GroupName != "terraform_acceptance_test_example" { 290 return fmt.Errorf("Bad name: %s", *group.GroupName) 291 } 292 293 if *group.Description != "Used in the terraform acceptance tests" { 294 return fmt.Errorf("Bad description: %s", *group.Description) 295 } 296 297 if len(group.IPPermissions) == 0 { 298 return fmt.Errorf("No IPPerms") 299 } 300 301 // Compare our ingress 302 if !reflect.DeepEqual(group.IPPermissions[0], p) { 303 return fmt.Errorf( 304 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 305 group.IPPermissions[0], 306 p) 307 } 308 309 return nil 310 } 311 } 312 313 func TestAccAWSSecurityGroup_tags(t *testing.T) { 314 var group ec2.SecurityGroup 315 316 resource.Test(t, resource.TestCase{ 317 PreCheck: func() { testAccPreCheck(t) }, 318 Providers: testAccProviders, 319 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 320 Steps: []resource.TestStep{ 321 resource.TestStep{ 322 Config: testAccAWSSecurityGroupConfigTags, 323 Check: resource.ComposeTestCheckFunc( 324 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 325 testAccCheckTagsSDK(&group.Tags, "foo", "bar"), 326 ), 327 }, 328 329 resource.TestStep{ 330 Config: testAccAWSSecurityGroupConfigTagsUpdate, 331 Check: resource.ComposeTestCheckFunc( 332 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 333 testAccCheckTagsSDK(&group.Tags, "foo", ""), 334 testAccCheckTagsSDK(&group.Tags, "bar", "baz"), 335 ), 336 }, 337 }, 338 }) 339 } 340 341 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 342 return func(s *terraform.State) error { 343 p := []*ec2.IPPermission{ 344 &ec2.IPPermission{ 345 FromPort: aws.Long(80), 346 ToPort: aws.Long(9000), 347 IPProtocol: aws.String("tcp"), 348 IPRanges: []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}}, 349 }, 350 &ec2.IPPermission{ 351 FromPort: aws.Long(80), 352 ToPort: aws.Long(8000), 353 IPProtocol: aws.String("tcp"), 354 IPRanges: []*ec2.IPRange{ 355 &ec2.IPRange{ 356 CIDRIP: aws.String("0.0.0.0/0"), 357 }, 358 &ec2.IPRange{ 359 CIDRIP: aws.String("10.0.0.0/8"), 360 }, 361 }, 362 }, 363 } 364 365 if *group.GroupName != "terraform_acceptance_test_example" { 366 return fmt.Errorf("Bad name: %s", *group.GroupName) 367 } 368 369 if *group.Description != "Used in the terraform acceptance tests" { 370 return fmt.Errorf("Bad description: %s", *group.Description) 371 } 372 373 // Compare our ingress 374 if len(group.IPPermissions) != 2 { 375 return fmt.Errorf( 376 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 377 group.IPPermissions, 378 p) 379 } 380 381 if *group.IPPermissions[0].ToPort == 8000 { 382 group.IPPermissions[1], group.IPPermissions[0] = 383 group.IPPermissions[0], group.IPPermissions[1] 384 } 385 386 if !reflect.DeepEqual(group.IPPermissions, p) { 387 return fmt.Errorf( 388 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 389 group.IPPermissions, 390 p) 391 } 392 393 return nil 394 } 395 } 396 397 const testAccAWSSecurityGroupConfig = ` 398 resource "aws_security_group" "web" { 399 name = "terraform_acceptance_test_example" 400 description = "Used in the terraform acceptance tests" 401 402 ingress { 403 protocol = "tcp" 404 from_port = 80 405 to_port = 8000 406 cidr_blocks = ["10.0.0.0/8"] 407 } 408 409 tags { 410 Name = "tf-acc-test" 411 } 412 } 413 ` 414 415 const testAccAWSSecurityGroupConfigChange = ` 416 resource "aws_security_group" "web" { 417 name = "terraform_acceptance_test_example" 418 description = "Used in the terraform acceptance tests" 419 420 ingress { 421 protocol = "tcp" 422 from_port = 80 423 to_port = 9000 424 cidr_blocks = ["10.0.0.0/8"] 425 } 426 427 ingress { 428 protocol = "tcp" 429 from_port = 80 430 to_port = 8000 431 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 432 } 433 } 434 ` 435 436 const testAccAWSSecurityGroupConfigSelf = ` 437 resource "aws_security_group" "web" { 438 name = "terraform_acceptance_test_example" 439 description = "Used in the terraform acceptance tests" 440 441 ingress { 442 protocol = "tcp" 443 from_port = 80 444 to_port = 8000 445 self = true 446 } 447 } 448 ` 449 450 const testAccAWSSecurityGroupConfigVpc = ` 451 resource "aws_vpc" "foo" { 452 cidr_block = "10.1.0.0/16" 453 } 454 455 resource "aws_security_group" "web" { 456 name = "terraform_acceptance_test_example" 457 description = "Used in the terraform acceptance tests" 458 vpc_id = "${aws_vpc.foo.id}" 459 460 ingress { 461 protocol = "tcp" 462 from_port = 80 463 to_port = 8000 464 cidr_blocks = ["10.0.0.0/8"] 465 } 466 467 egress { 468 protocol = "tcp" 469 from_port = 80 470 to_port = 8000 471 cidr_blocks = ["10.0.0.0/8"] 472 } 473 } 474 ` 475 476 const testAccAWSSecurityGroupConfigMultiIngress = ` 477 resource "aws_security_group" "worker" { 478 name = "terraform_acceptance_test_example_1" 479 description = "Used in the terraform acceptance tests" 480 481 ingress { 482 protocol = "tcp" 483 from_port = 80 484 to_port = 8000 485 cidr_blocks = ["10.0.0.0/8"] 486 } 487 } 488 489 resource "aws_security_group" "web" { 490 name = "terraform_acceptance_test_example_2" 491 description = "Used in the terraform acceptance tests" 492 493 ingress { 494 protocol = "tcp" 495 from_port = 22 496 to_port = 22 497 cidr_blocks = ["10.0.0.0/8"] 498 } 499 500 ingress { 501 protocol = "tcp" 502 from_port = 800 503 to_port = 800 504 cidr_blocks = ["10.0.0.0/8"] 505 } 506 507 ingress { 508 protocol = "tcp" 509 from_port = 80 510 to_port = 8000 511 security_groups = ["${aws_security_group.worker.id}"] 512 } 513 } 514 ` 515 516 const testAccAWSSecurityGroupConfigTags = ` 517 resource "aws_security_group" "foo" { 518 name = "terraform_acceptance_test_example" 519 description = "Used in the terraform acceptance tests" 520 521 ingress { 522 protocol = "tcp" 523 from_port = 80 524 to_port = 8000 525 cidr_blocks = ["10.0.0.0/8"] 526 } 527 528 tags { 529 foo = "bar" 530 } 531 } 532 ` 533 534 const testAccAWSSecurityGroupConfigTagsUpdate = ` 535 resource "aws_security_group" "foo" { 536 name = "terraform_acceptance_test_example" 537 description = "Used in the terraform acceptance tests" 538 539 ingress { 540 protocol = "tcp" 541 from_port = 80 542 to_port = 8000 543 cidr_blocks = ["10.0.0.0/8"] 544 } 545 546 tags { 547 bar = "baz" 548 } 549 } 550 ` 551 552 const testAccAWSSecurityGroupConfig_generatedName = ` 553 resource "aws_security_group" "web" { 554 ingress { 555 protocol = "tcp" 556 from_port = 80 557 to_port = 8000 558 cidr_blocks = ["10.0.0.0/8"] 559 } 560 561 tags { 562 Name = "tf-acc-test" 563 } 564 } 565 `