github.com/andresvia/terraform@v0.6.15-0.20160412045437-d51c75946785/builtin/providers/aws/resource_aws_security_group_rule_test.go (about) 1 package aws 2 3 import ( 4 "bytes" 5 "fmt" 6 "log" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/terraform" 15 ) 16 17 func TestIpPermissionIDHash(t *testing.T) { 18 simple := &ec2.IpPermission{ 19 IpProtocol: aws.String("tcp"), 20 FromPort: aws.Int64(int64(80)), 21 ToPort: aws.Int64(int64(8000)), 22 IpRanges: []*ec2.IpRange{ 23 &ec2.IpRange{ 24 CidrIp: aws.String("10.0.0.0/8"), 25 }, 26 }, 27 } 28 29 egress := &ec2.IpPermission{ 30 IpProtocol: aws.String("tcp"), 31 FromPort: aws.Int64(int64(80)), 32 ToPort: aws.Int64(int64(8000)), 33 IpRanges: []*ec2.IpRange{ 34 &ec2.IpRange{ 35 CidrIp: aws.String("10.0.0.0/8"), 36 }, 37 }, 38 } 39 40 egress_all := &ec2.IpPermission{ 41 IpProtocol: aws.String("-1"), 42 IpRanges: []*ec2.IpRange{ 43 &ec2.IpRange{ 44 CidrIp: aws.String("10.0.0.0/8"), 45 }, 46 }, 47 } 48 49 vpc_security_group_source := &ec2.IpPermission{ 50 IpProtocol: aws.String("tcp"), 51 FromPort: aws.Int64(int64(80)), 52 ToPort: aws.Int64(int64(8000)), 53 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 54 &ec2.UserIdGroupPair{ 55 UserId: aws.String("987654321"), 56 GroupId: aws.String("sg-12345678"), 57 }, 58 &ec2.UserIdGroupPair{ 59 UserId: aws.String("123456789"), 60 GroupId: aws.String("sg-987654321"), 61 }, 62 &ec2.UserIdGroupPair{ 63 UserId: aws.String("123456789"), 64 GroupId: aws.String("sg-12345678"), 65 }, 66 }, 67 } 68 69 security_group_source := &ec2.IpPermission{ 70 IpProtocol: aws.String("tcp"), 71 FromPort: aws.Int64(int64(80)), 72 ToPort: aws.Int64(int64(8000)), 73 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 74 &ec2.UserIdGroupPair{ 75 UserId: aws.String("987654321"), 76 GroupName: aws.String("my-security-group"), 77 }, 78 &ec2.UserIdGroupPair{ 79 UserId: aws.String("123456789"), 80 GroupName: aws.String("my-security-group"), 81 }, 82 &ec2.UserIdGroupPair{ 83 UserId: aws.String("123456789"), 84 GroupName: aws.String("my-other-security-group"), 85 }, 86 }, 87 } 88 89 // hardcoded hashes, to detect future change 90 cases := []struct { 91 Input *ec2.IpPermission 92 Type string 93 Output string 94 }{ 95 {simple, "ingress", "sgrule-3403497314"}, 96 {egress, "egress", "sgrule-1173186295"}, 97 {egress_all, "egress", "sgrule-766323498"}, 98 {vpc_security_group_source, "egress", "sgrule-351225364"}, 99 {security_group_source, "egress", "sgrule-2198807188"}, 100 } 101 102 for _, tc := range cases { 103 actual := ipPermissionIDHash("sg-12345", tc.Type, tc.Input) 104 if actual != tc.Output { 105 t.Errorf("input: %s - %s\noutput: %s", tc.Type, tc.Input, actual) 106 } 107 } 108 } 109 110 func TestAccAWSSecurityGroupRule_Ingress_VPC(t *testing.T) { 111 var group ec2.SecurityGroup 112 113 testRuleCount := func(*terraform.State) error { 114 if len(group.IpPermissions) != 1 { 115 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 116 1, len(group.IpPermissions)) 117 } 118 119 rule := group.IpPermissions[0] 120 if *rule.FromPort != int64(80) { 121 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 122 80, int(*rule.FromPort)) 123 } 124 125 return nil 126 } 127 128 resource.Test(t, resource.TestCase{ 129 PreCheck: func() { testAccPreCheck(t) }, 130 Providers: testAccProviders, 131 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 132 Steps: []resource.TestStep{ 133 resource.TestStep{ 134 Config: testAccAWSSecurityGroupRuleIngressConfig, 135 Check: resource.ComposeTestCheckFunc( 136 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 137 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 138 resource.TestCheckResourceAttr( 139 "aws_security_group_rule.ingress_1", "from_port", "80"), 140 testRuleCount, 141 ), 142 }, 143 }, 144 }) 145 } 146 147 func TestAccAWSSecurityGroupRule_Ingress_Protocol(t *testing.T) { 148 var group ec2.SecurityGroup 149 150 testRuleCount := func(*terraform.State) error { 151 if len(group.IpPermissions) != 1 { 152 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 153 1, len(group.IpPermissions)) 154 } 155 156 rule := group.IpPermissions[0] 157 if *rule.FromPort != int64(80) { 158 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 159 80, int(*rule.FromPort)) 160 } 161 162 return nil 163 } 164 165 resource.Test(t, resource.TestCase{ 166 PreCheck: func() { testAccPreCheck(t) }, 167 Providers: testAccProviders, 168 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 169 Steps: []resource.TestStep{ 170 resource.TestStep{ 171 Config: testAccAWSSecurityGroupRuleIngress_protocolConfig, 172 Check: resource.ComposeTestCheckFunc( 173 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 174 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 175 resource.TestCheckResourceAttr( 176 "aws_security_group_rule.ingress_1", "from_port", "80"), 177 testRuleCount, 178 ), 179 }, 180 }, 181 }) 182 } 183 184 func TestAccAWSSecurityGroupRule_Ingress_Classic(t *testing.T) { 185 var group ec2.SecurityGroup 186 187 testRuleCount := func(*terraform.State) error { 188 if len(group.IpPermissions) != 1 { 189 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 190 1, len(group.IpPermissions)) 191 } 192 193 rule := group.IpPermissions[0] 194 if *rule.FromPort != int64(80) { 195 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 196 80, int(*rule.FromPort)) 197 } 198 199 return nil 200 } 201 202 resource.Test(t, resource.TestCase{ 203 PreCheck: func() { testAccPreCheck(t) }, 204 Providers: testAccProviders, 205 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 206 Steps: []resource.TestStep{ 207 resource.TestStep{ 208 Config: testAccAWSSecurityGroupRuleIngressClassicConfig, 209 Check: resource.ComposeTestCheckFunc( 210 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 211 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 212 resource.TestCheckResourceAttr( 213 "aws_security_group_rule.ingress_1", "from_port", "80"), 214 testRuleCount, 215 ), 216 }, 217 }, 218 }) 219 } 220 221 func TestAccAWSSecurityGroupRule_MultiIngress(t *testing.T) { 222 var group ec2.SecurityGroup 223 224 testMultiRuleCount := func(*terraform.State) error { 225 if len(group.IpPermissions) != 2 { 226 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 227 2, len(group.IpPermissions)) 228 } 229 230 var rule *ec2.IpPermission 231 for _, r := range group.IpPermissions { 232 if *r.FromPort == int64(80) { 233 rule = r 234 } 235 } 236 237 if *rule.ToPort != int64(8000) { 238 return fmt.Errorf("Wrong Security Group port 2 setting, expected %d, got %d", 239 8000, int(*rule.ToPort)) 240 } 241 242 return nil 243 } 244 245 resource.Test(t, resource.TestCase{ 246 PreCheck: func() { testAccPreCheck(t) }, 247 Providers: testAccProviders, 248 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 249 Steps: []resource.TestStep{ 250 resource.TestStep{ 251 Config: testAccAWSSecurityGroupRuleConfigMultiIngress, 252 Check: resource.ComposeTestCheckFunc( 253 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 254 testMultiRuleCount, 255 ), 256 }, 257 }, 258 }) 259 } 260 261 func TestAccAWSSecurityGroupRule_Egress(t *testing.T) { 262 var group ec2.SecurityGroup 263 264 resource.Test(t, resource.TestCase{ 265 PreCheck: func() { testAccPreCheck(t) }, 266 Providers: testAccProviders, 267 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 268 Steps: []resource.TestStep{ 269 resource.TestStep{ 270 Config: testAccAWSSecurityGroupRuleEgressConfig, 271 Check: resource.ComposeTestCheckFunc( 272 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 273 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_1", &group, nil, "egress"), 274 ), 275 }, 276 }, 277 }) 278 } 279 280 func TestAccAWSSecurityGroupRule_SelfReference(t *testing.T) { 281 var group ec2.SecurityGroup 282 283 resource.Test(t, resource.TestCase{ 284 PreCheck: func() { testAccPreCheck(t) }, 285 Providers: testAccProviders, 286 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 287 Steps: []resource.TestStep{ 288 resource.TestStep{ 289 Config: testAccAWSSecurityGroupRuleConfigSelfReference, 290 Check: resource.ComposeTestCheckFunc( 291 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 292 ), 293 }, 294 }, 295 }) 296 } 297 298 // testing partial match implementation 299 func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) { 300 var group ec2.SecurityGroup 301 302 p := ec2.IpPermission{ 303 FromPort: aws.Int64(80), 304 ToPort: aws.Int64(80), 305 IpProtocol: aws.String("tcp"), 306 IpRanges: []*ec2.IpRange{ 307 &ec2.IpRange{CidrIp: aws.String("10.0.2.0/24")}, 308 &ec2.IpRange{CidrIp: aws.String("10.0.3.0/24")}, 309 &ec2.IpRange{CidrIp: aws.String("10.0.4.0/24")}, 310 }, 311 } 312 313 o := ec2.IpPermission{ 314 FromPort: aws.Int64(80), 315 ToPort: aws.Int64(80), 316 IpProtocol: aws.String("tcp"), 317 IpRanges: []*ec2.IpRange{ 318 &ec2.IpRange{CidrIp: aws.String("10.0.5.0/24")}, 319 }, 320 } 321 322 resource.Test(t, resource.TestCase{ 323 PreCheck: func() { testAccPreCheck(t) }, 324 Providers: testAccProviders, 325 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 326 Steps: []resource.TestStep{ 327 resource.TestStep{ 328 Config: testAccAWSSecurityGroupRulePartialMatching, 329 Check: resource.ComposeTestCheckFunc( 330 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 331 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress", &group, &p, "ingress"), 332 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.other", &group, &o, "ingress"), 333 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.nat_ingress", &group, &o, "ingress"), 334 ), 335 }, 336 }, 337 }) 338 } 339 340 func TestAccAWSSecurityGroupRule_PartialMatching_Source(t *testing.T) { 341 var group ec2.SecurityGroup 342 var nat ec2.SecurityGroup 343 var p ec2.IpPermission 344 345 // This function creates the expected IPPermission with the group id from an 346 // external security group, needed because Security Group IDs are generated on 347 // AWS side and can't be known ahead of time. 348 setupSG := func(*terraform.State) error { 349 if nat.GroupId == nil { 350 return fmt.Errorf("Error: nat group has nil GroupID") 351 } 352 353 p = ec2.IpPermission{ 354 FromPort: aws.Int64(80), 355 ToPort: aws.Int64(80), 356 IpProtocol: aws.String("tcp"), 357 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 358 &ec2.UserIdGroupPair{GroupId: nat.GroupId}, 359 }, 360 } 361 362 return nil 363 } 364 365 resource.Test(t, resource.TestCase{ 366 PreCheck: func() { testAccPreCheck(t) }, 367 Providers: testAccProviders, 368 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 369 Steps: []resource.TestStep{ 370 resource.TestStep{ 371 Config: testAccAWSSecurityGroupRulePartialMatching_Source, 372 Check: resource.ComposeTestCheckFunc( 373 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 374 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.nat", &nat), 375 setupSG, 376 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.source_ingress", &group, &p, "ingress"), 377 ), 378 }, 379 }, 380 }) 381 } 382 383 func TestAccAWSSecurityGroupRule_Issue5310(t *testing.T) { 384 var group ec2.SecurityGroup 385 386 resource.Test(t, resource.TestCase{ 387 PreCheck: func() { testAccPreCheck(t) }, 388 Providers: testAccProviders, 389 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 390 Steps: []resource.TestStep{ 391 resource.TestStep{ 392 Config: testAccAWSSecurityGroupRuleIssue5310, 393 Check: resource.ComposeTestCheckFunc( 394 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.issue_5310", &group), 395 ), 396 }, 397 }, 398 }) 399 } 400 401 func TestAccAWSSecurityGroupRule_Race(t *testing.T) { 402 var group ec2.SecurityGroup 403 404 resource.Test(t, resource.TestCase{ 405 PreCheck: func() { testAccPreCheck(t) }, 406 Providers: testAccProviders, 407 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 408 Steps: []resource.TestStep{ 409 resource.TestStep{ 410 Config: testAccAWSSecurityGroupRuleRace, 411 Check: resource.ComposeTestCheckFunc( 412 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.race", &group), 413 ), 414 }, 415 }, 416 }) 417 } 418 419 func testAccCheckAWSSecurityGroupRuleDestroy(s *terraform.State) error { 420 conn := testAccProvider.Meta().(*AWSClient).ec2conn 421 422 for _, rs := range s.RootModule().Resources { 423 if rs.Type != "aws_security_group" { 424 continue 425 } 426 427 // Retrieve our group 428 req := &ec2.DescribeSecurityGroupsInput{ 429 GroupIds: []*string{aws.String(rs.Primary.ID)}, 430 } 431 resp, err := conn.DescribeSecurityGroups(req) 432 if err == nil { 433 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 434 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 435 } 436 437 return nil 438 } 439 440 ec2err, ok := err.(awserr.Error) 441 if !ok { 442 return err 443 } 444 // Confirm error code is what we want 445 if ec2err.Code() != "InvalidGroup.NotFound" { 446 return err 447 } 448 } 449 450 return nil 451 } 452 453 func testAccCheckAWSSecurityGroupRuleExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 454 return func(s *terraform.State) error { 455 rs, ok := s.RootModule().Resources[n] 456 if !ok { 457 return fmt.Errorf("Not found: %s", n) 458 } 459 460 if rs.Primary.ID == "" { 461 return fmt.Errorf("No Security Group is set") 462 } 463 464 conn := testAccProvider.Meta().(*AWSClient).ec2conn 465 req := &ec2.DescribeSecurityGroupsInput{ 466 GroupIds: []*string{aws.String(rs.Primary.ID)}, 467 } 468 resp, err := conn.DescribeSecurityGroups(req) 469 if err != nil { 470 return err 471 } 472 473 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 474 *group = *resp.SecurityGroups[0] 475 return nil 476 } 477 478 return fmt.Errorf("Security Group not found") 479 } 480 } 481 482 func testAccCheckAWSSecurityGroupRuleAttributes(n string, group *ec2.SecurityGroup, p *ec2.IpPermission, ruleType string) resource.TestCheckFunc { 483 return func(s *terraform.State) error { 484 rs, ok := s.RootModule().Resources[n] 485 if !ok { 486 return fmt.Errorf("Security Group Rule Not found: %s", n) 487 } 488 489 if rs.Primary.ID == "" { 490 return fmt.Errorf("No Security Group Rule is set") 491 } 492 493 if p == nil { 494 p = &ec2.IpPermission{ 495 FromPort: aws.Int64(80), 496 ToPort: aws.Int64(8000), 497 IpProtocol: aws.String("tcp"), 498 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 499 } 500 } 501 502 var matchingRule *ec2.IpPermission 503 var rules []*ec2.IpPermission 504 if ruleType == "ingress" { 505 rules = group.IpPermissions 506 } else { 507 rules = group.IpPermissionsEgress 508 } 509 510 if len(rules) == 0 { 511 return fmt.Errorf("No IPPerms") 512 } 513 514 for _, r := range rules { 515 if r.ToPort != nil && *p.ToPort != *r.ToPort { 516 continue 517 } 518 519 if r.FromPort != nil && *p.FromPort != *r.FromPort { 520 continue 521 } 522 523 if r.IpProtocol != nil && *p.IpProtocol != *r.IpProtocol { 524 continue 525 } 526 527 remaining := len(p.IpRanges) 528 for _, ip := range p.IpRanges { 529 for _, rip := range r.IpRanges { 530 if *ip.CidrIp == *rip.CidrIp { 531 remaining-- 532 } 533 } 534 } 535 536 if remaining > 0 { 537 continue 538 } 539 540 remaining = len(p.UserIdGroupPairs) 541 for _, ip := range p.UserIdGroupPairs { 542 for _, rip := range r.UserIdGroupPairs { 543 if *ip.GroupId == *rip.GroupId { 544 remaining-- 545 } 546 } 547 } 548 549 if remaining > 0 { 550 continue 551 } 552 matchingRule = r 553 } 554 555 if matchingRule != nil { 556 log.Printf("[DEBUG] Matching rule found : %s", matchingRule) 557 return nil 558 } 559 560 return fmt.Errorf("Error here\n\tlooking for %s, wasn't found in %s", p, rules) 561 } 562 } 563 564 const testAccAWSSecurityGroupRuleIngressConfig = ` 565 resource "aws_security_group" "web" { 566 name = "terraform_acceptance_test_example" 567 description = "Used in the terraform acceptance tests" 568 569 tags { 570 Name = "tf-acc-test" 571 } 572 } 573 574 resource "aws_security_group_rule" "ingress_1" { 575 type = "ingress" 576 protocol = "tcp" 577 from_port = 80 578 to_port = 8000 579 cidr_blocks = ["10.0.0.0/8"] 580 581 security_group_id = "${aws_security_group.web.id}" 582 } 583 ` 584 585 const testAccAWSSecurityGroupRuleIngress_protocolConfig = ` 586 resource "aws_vpc" "tftest" { 587 cidr_block = "10.0.0.0/16" 588 589 tags { 590 Name = "tf-testing" 591 } 592 } 593 594 resource "aws_security_group" "web" { 595 vpc_id = "${aws_vpc.tftest.id}" 596 597 tags { 598 Name = "tf-acc-test" 599 } 600 } 601 602 resource "aws_security_group_rule" "ingress_1" { 603 type = "ingress" 604 protocol = "6" 605 from_port = 80 606 to_port = 8000 607 cidr_blocks = ["10.0.0.0/8"] 608 609 security_group_id = "${aws_security_group.web.id}" 610 } 611 612 ` 613 614 const testAccAWSSecurityGroupRuleIssue5310 = ` 615 provider "aws" { 616 region = "us-east-1" 617 } 618 619 resource "aws_security_group" "issue_5310" { 620 name = "terraform-test-issue_5310" 621 description = "SG for test of issue 5310" 622 } 623 624 resource "aws_security_group_rule" "issue_5310" { 625 type = "ingress" 626 from_port = 0 627 to_port = 65535 628 protocol = "tcp" 629 security_group_id = "${aws_security_group.issue_5310.id}" 630 self = true 631 } 632 ` 633 634 const testAccAWSSecurityGroupRuleIngressClassicConfig = ` 635 provider "aws" { 636 region = "us-east-1" 637 } 638 639 resource "aws_security_group" "web" { 640 name = "terraform_acceptance_test_example" 641 description = "Used in the terraform acceptance tests" 642 643 tags { 644 Name = "tf-acc-test" 645 } 646 } 647 648 resource "aws_security_group_rule" "ingress_1" { 649 type = "ingress" 650 protocol = "tcp" 651 from_port = 80 652 to_port = 8000 653 cidr_blocks = ["10.0.0.0/8"] 654 655 security_group_id = "${aws_security_group.web.id}" 656 } 657 ` 658 659 const testAccAWSSecurityGroupRuleEgressConfig = ` 660 resource "aws_security_group" "web" { 661 name = "terraform_acceptance_test_example" 662 description = "Used in the terraform acceptance tests" 663 664 tags { 665 Name = "tf-acc-test" 666 } 667 } 668 669 resource "aws_security_group_rule" "egress_1" { 670 type = "egress" 671 protocol = "tcp" 672 from_port = 80 673 to_port = 8000 674 cidr_blocks = ["10.0.0.0/8"] 675 676 security_group_id = "${aws_security_group.web.id}" 677 } 678 ` 679 680 const testAccAWSSecurityGroupRuleConfigMultiIngress = ` 681 resource "aws_security_group" "web" { 682 name = "terraform_acceptance_test_example_2" 683 description = "Used in the terraform acceptance tests" 684 } 685 686 resource "aws_security_group" "worker" { 687 name = "terraform_acceptance_test_example_worker" 688 description = "Used in the terraform acceptance tests" 689 } 690 691 692 resource "aws_security_group_rule" "ingress_1" { 693 type = "ingress" 694 protocol = "tcp" 695 from_port = 22 696 to_port = 22 697 cidr_blocks = ["10.0.0.0/8"] 698 699 security_group_id = "${aws_security_group.web.id}" 700 } 701 702 resource "aws_security_group_rule" "ingress_2" { 703 type = "ingress" 704 protocol = "tcp" 705 from_port = 80 706 to_port = 8000 707 self = true 708 709 security_group_id = "${aws_security_group.web.id}" 710 } 711 ` 712 713 // check for GH-1985 regression 714 const testAccAWSSecurityGroupRuleConfigSelfReference = ` 715 provider "aws" { 716 region = "us-west-2" 717 } 718 719 resource "aws_vpc" "main" { 720 cidr_block = "10.0.0.0/16" 721 tags { 722 Name = "sg-self-test" 723 } 724 } 725 726 resource "aws_security_group" "web" { 727 name = "main" 728 vpc_id = "${aws_vpc.main.id}" 729 tags { 730 Name = "sg-self-test" 731 } 732 } 733 734 resource "aws_security_group_rule" "self" { 735 type = "ingress" 736 protocol = "-1" 737 from_port = 0 738 to_port = 0 739 self = true 740 security_group_id = "${aws_security_group.web.id}" 741 } 742 ` 743 744 const testAccAWSSecurityGroupRulePartialMatching = ` 745 resource "aws_vpc" "default" { 746 cidr_block = "10.0.0.0/16" 747 tags { 748 Name = "tf-sg-rule-bug" 749 } 750 } 751 752 resource "aws_security_group" "web" { 753 name = "tf-other" 754 vpc_id = "${aws_vpc.default.id}" 755 tags { 756 Name = "tf-other-sg" 757 } 758 } 759 760 resource "aws_security_group" "nat" { 761 name = "tf-nat" 762 vpc_id = "${aws_vpc.default.id}" 763 tags { 764 Name = "tf-nat-sg" 765 } 766 } 767 768 resource "aws_security_group_rule" "ingress" { 769 type = "ingress" 770 from_port = 80 771 to_port = 80 772 protocol = "tcp" 773 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 774 775 security_group_id = "${aws_security_group.web.id}" 776 } 777 778 resource "aws_security_group_rule" "other" { 779 type = "ingress" 780 from_port = 80 781 to_port = 80 782 protocol = "tcp" 783 cidr_blocks = ["10.0.5.0/24"] 784 785 security_group_id = "${aws_security_group.web.id}" 786 } 787 788 // same a above, but different group, to guard against bad hashing 789 resource "aws_security_group_rule" "nat_ingress" { 790 type = "ingress" 791 from_port = 80 792 to_port = 80 793 protocol = "tcp" 794 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 795 796 security_group_id = "${aws_security_group.nat.id}" 797 } 798 ` 799 800 const testAccAWSSecurityGroupRulePartialMatching_Source = ` 801 resource "aws_vpc" "default" { 802 cidr_block = "10.0.0.0/16" 803 tags { 804 Name = "tf-sg-rule-bug" 805 } 806 } 807 808 resource "aws_security_group" "web" { 809 name = "tf-other" 810 vpc_id = "${aws_vpc.default.id}" 811 tags { 812 Name = "tf-other-sg" 813 } 814 } 815 816 resource "aws_security_group" "nat" { 817 name = "tf-nat" 818 vpc_id = "${aws_vpc.default.id}" 819 tags { 820 Name = "tf-nat-sg" 821 } 822 } 823 824 resource "aws_security_group_rule" "source_ingress" { 825 type = "ingress" 826 from_port = 80 827 to_port = 80 828 protocol = "tcp" 829 830 source_security_group_id = "${aws_security_group.nat.id}" 831 security_group_id = "${aws_security_group.web.id}" 832 } 833 834 resource "aws_security_group_rule" "other_ingress" { 835 type = "ingress" 836 from_port = 80 837 to_port = 80 838 protocol = "tcp" 839 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 840 841 security_group_id = "${aws_security_group.web.id}" 842 } 843 ` 844 845 var testAccAWSSecurityGroupRuleRace = func() string { 846 var b bytes.Buffer 847 iterations := 50 848 b.WriteString(fmt.Sprintf(` 849 resource "aws_vpc" "default" { 850 cidr_block = "10.0.0.0/16" 851 tags { Name = "tf-sg-rule-race" } 852 } 853 854 resource "aws_security_group" "race" { 855 name = "tf-sg-rule-race-group-%d" 856 vpc_id = "${aws_vpc.default.id}" 857 } 858 `, acctest.RandInt())) 859 for i := 1; i < iterations; i++ { 860 b.WriteString(fmt.Sprintf(` 861 resource "aws_security_group_rule" "ingress%d" { 862 security_group_id = "${aws_security_group.race.id}" 863 type = "ingress" 864 from_port = %d 865 to_port = %d 866 protocol = "tcp" 867 cidr_blocks = ["10.0.0.%d/32"] 868 } 869 870 resource "aws_security_group_rule" "egress%d" { 871 security_group_id = "${aws_security_group.race.id}" 872 type = "egress" 873 from_port = %d 874 to_port = %d 875 protocol = "tcp" 876 cidr_blocks = ["10.0.0.%d/32"] 877 } 878 `, i, i, i, i, i, i, i, i)) 879 } 880 return b.String() 881 }()