github.com/armen/terraform@v0.5.2-0.20150529052519-caa8117a08f1/builtin/providers/aws/resource_aws_security_group_rule_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "testing" 7 8 "github.com/awslabs/aws-sdk-go/aws" 9 "github.com/awslabs/aws-sdk-go/aws/awserr" 10 "github.com/awslabs/aws-sdk-go/service/ec2" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 ) 14 15 func TestIpPermissionIDHash(t *testing.T) { 16 simple := &ec2.IPPermission{ 17 IPProtocol: aws.String("tcp"), 18 FromPort: aws.Long(int64(80)), 19 ToPort: aws.Long(int64(8000)), 20 IPRanges: []*ec2.IPRange{ 21 &ec2.IPRange{ 22 CIDRIP: aws.String("10.0.0.0/8"), 23 }, 24 }, 25 } 26 27 egress := &ec2.IPPermission{ 28 IPProtocol: aws.String("tcp"), 29 FromPort: aws.Long(int64(80)), 30 ToPort: aws.Long(int64(8000)), 31 IPRanges: []*ec2.IPRange{ 32 &ec2.IPRange{ 33 CIDRIP: aws.String("10.0.0.0/8"), 34 }, 35 }, 36 } 37 38 egress_all := &ec2.IPPermission{ 39 IPProtocol: aws.String("-1"), 40 IPRanges: []*ec2.IPRange{ 41 &ec2.IPRange{ 42 CIDRIP: aws.String("10.0.0.0/8"), 43 }, 44 }, 45 } 46 47 // hardcoded hashes, to detect future change 48 cases := []struct { 49 Input *ec2.IPPermission 50 Type string 51 Output string 52 }{ 53 {simple, "ingress", "sg-82613597"}, 54 {egress, "egress", "sg-363054720"}, 55 {egress_all, "egress", "sg-857124156"}, 56 } 57 58 for _, tc := range cases { 59 actual := ipPermissionIDHash(tc.Type, tc.Input) 60 if actual != tc.Output { 61 t.Fatalf("input: %s - %#v\noutput: %s", tc.Type, tc.Input, actual) 62 } 63 } 64 } 65 66 func TestAccAWSSecurityGroupRule_Ingress(t *testing.T) { 67 var group ec2.SecurityGroup 68 69 testRuleCount := func(*terraform.State) error { 70 if len(group.IPPermissions) != 1 { 71 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 72 1, len(group.IPPermissions)) 73 } 74 75 rule := group.IPPermissions[0] 76 if *rule.FromPort != int64(80) { 77 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 78 80, int(*rule.FromPort)) 79 } 80 81 return nil 82 } 83 84 resource.Test(t, resource.TestCase{ 85 PreCheck: func() { testAccPreCheck(t) }, 86 Providers: testAccProviders, 87 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 88 Steps: []resource.TestStep{ 89 resource.TestStep{ 90 Config: testAccAWSSecurityGroupRuleIngressConfig, 91 Check: resource.ComposeTestCheckFunc( 92 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 93 testAccCheckAWSSecurityGroupRuleAttributes(&group, "ingress"), 94 resource.TestCheckResourceAttr( 95 "aws_security_group_rule.ingress_1", "from_port", "80"), 96 testRuleCount, 97 ), 98 }, 99 }, 100 }) 101 } 102 103 func TestAccAWSSecurityGroupRule_IngressClassic(t *testing.T) { 104 var group ec2.SecurityGroup 105 106 testRuleCount := func(*terraform.State) error { 107 if len(group.IPPermissions) != 1 { 108 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 109 1, len(group.IPPermissions)) 110 } 111 112 rule := group.IPPermissions[0] 113 if *rule.FromPort != int64(80) { 114 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 115 80, int(*rule.FromPort)) 116 } 117 118 return nil 119 } 120 121 resource.Test(t, resource.TestCase{ 122 PreCheck: func() { testAccPreCheck(t) }, 123 Providers: testAccProviders, 124 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 125 Steps: []resource.TestStep{ 126 resource.TestStep{ 127 Config: testAccAWSSecurityGroupRuleIngressClassicConfig, 128 Check: resource.ComposeTestCheckFunc( 129 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 130 testAccCheckAWSSecurityGroupRuleAttributes(&group, "ingress"), 131 resource.TestCheckResourceAttr( 132 "aws_security_group_rule.ingress_1", "from_port", "80"), 133 testRuleCount, 134 ), 135 }, 136 }, 137 }) 138 } 139 140 func TestAccAWSSecurityGroupRule_MultiIngress(t *testing.T) { 141 var group ec2.SecurityGroup 142 143 testMultiRuleCount := func(*terraform.State) error { 144 if len(group.IPPermissions) != 3 { 145 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 146 3, len(group.IPPermissions)) 147 } 148 149 var rule *ec2.IPPermission 150 for _, r := range group.IPPermissions { 151 if *r.FromPort == int64(80) { 152 rule = r 153 } 154 } 155 156 if *rule.ToPort != int64(8000) { 157 return fmt.Errorf("Wrong Security Group port 2 setting, expected %d, got %d", 158 8000, int(*rule.ToPort)) 159 } 160 161 return nil 162 } 163 164 resource.Test(t, resource.TestCase{ 165 PreCheck: func() { testAccPreCheck(t) }, 166 Providers: testAccProviders, 167 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 168 Steps: []resource.TestStep{ 169 resource.TestStep{ 170 Config: testAccAWSSecurityGroupRuleConfigMultiIngress, 171 Check: resource.ComposeTestCheckFunc( 172 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 173 testMultiRuleCount, 174 ), 175 }, 176 }, 177 }) 178 } 179 180 func TestAccAWSSecurityGroupRule_Egress(t *testing.T) { 181 var group ec2.SecurityGroup 182 183 resource.Test(t, resource.TestCase{ 184 PreCheck: func() { testAccPreCheck(t) }, 185 Providers: testAccProviders, 186 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 187 Steps: []resource.TestStep{ 188 resource.TestStep{ 189 Config: testAccAWSSecurityGroupRuleEgressConfig, 190 Check: resource.ComposeTestCheckFunc( 191 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 192 testAccCheckAWSSecurityGroupRuleAttributes(&group, "egress"), 193 ), 194 }, 195 }, 196 }) 197 } 198 199 func testAccCheckAWSSecurityGroupRuleDestroy(s *terraform.State) error { 200 conn := testAccProvider.Meta().(*AWSClient).ec2conn 201 202 for _, rs := range s.RootModule().Resources { 203 if rs.Type != "aws_security_group" { 204 continue 205 } 206 207 // Retrieve our group 208 req := &ec2.DescribeSecurityGroupsInput{ 209 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 210 } 211 resp, err := conn.DescribeSecurityGroups(req) 212 if err == nil { 213 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 214 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 215 } 216 217 return nil 218 } 219 220 ec2err, ok := err.(awserr.Error) 221 if !ok { 222 return err 223 } 224 // Confirm error code is what we want 225 if ec2err.Code() != "InvalidGroup.NotFound" { 226 return err 227 } 228 } 229 230 return nil 231 } 232 233 func testAccCheckAWSSecurityGroupRuleExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 234 return func(s *terraform.State) error { 235 rs, ok := s.RootModule().Resources[n] 236 if !ok { 237 return fmt.Errorf("Not found: %s", n) 238 } 239 240 if rs.Primary.ID == "" { 241 return fmt.Errorf("No Security Group is set") 242 } 243 244 conn := testAccProvider.Meta().(*AWSClient).ec2conn 245 req := &ec2.DescribeSecurityGroupsInput{ 246 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 247 } 248 resp, err := conn.DescribeSecurityGroups(req) 249 if err != nil { 250 return err 251 } 252 253 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 254 *group = *resp.SecurityGroups[0] 255 return nil 256 } 257 258 return fmt.Errorf("Security Group not found") 259 } 260 } 261 262 func testAccCheckAWSSecurityGroupRuleAttributes(group *ec2.SecurityGroup, ruleType string) resource.TestCheckFunc { 263 return func(s *terraform.State) error { 264 p := &ec2.IPPermission{ 265 FromPort: aws.Long(80), 266 ToPort: aws.Long(8000), 267 IPProtocol: aws.String("tcp"), 268 IPRanges: []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}}, 269 } 270 var rules []*ec2.IPPermission 271 if ruleType == "ingress" { 272 rules = group.IPPermissions 273 } else { 274 rules = group.IPPermissionsEgress 275 } 276 277 if len(rules) == 0 { 278 return fmt.Errorf("No IPPerms") 279 } 280 281 // Compare our ingress 282 if !reflect.DeepEqual(rules[0], p) { 283 return fmt.Errorf( 284 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 285 rules[0], 286 p) 287 } 288 289 return nil 290 } 291 } 292 293 const testAccAWSSecurityGroupRuleIngressConfig = ` 294 resource "aws_security_group" "web" { 295 name = "terraform_acceptance_test_example" 296 description = "Used in the terraform acceptance tests" 297 298 tags { 299 Name = "tf-acc-test" 300 } 301 } 302 303 resource "aws_security_group_rule" "ingress_1" { 304 type = "ingress" 305 protocol = "tcp" 306 from_port = 80 307 to_port = 8000 308 cidr_blocks = ["10.0.0.0/8"] 309 310 security_group_id = "${aws_security_group.web.id}" 311 } 312 ` 313 314 const testAccAWSSecurityGroupRuleIngressClassicConfig = ` 315 provider "aws" { 316 region = "us-east-1" 317 } 318 319 resource "aws_security_group" "web" { 320 name = "terraform_acceptance_test_example" 321 description = "Used in the terraform acceptance tests" 322 323 tags { 324 Name = "tf-acc-test" 325 } 326 } 327 328 resource "aws_security_group_rule" "ingress_1" { 329 type = "ingress" 330 protocol = "tcp" 331 from_port = 80 332 to_port = 8000 333 cidr_blocks = ["10.0.0.0/8"] 334 335 security_group_id = "${aws_security_group.web.id}" 336 } 337 ` 338 339 const testAccAWSSecurityGroupRuleEgressConfig = ` 340 resource "aws_security_group" "web" { 341 name = "terraform_acceptance_test_example" 342 description = "Used in the terraform acceptance tests" 343 344 tags { 345 Name = "tf-acc-test" 346 } 347 } 348 349 resource "aws_security_group_rule" "egress_1" { 350 type = "egress" 351 protocol = "tcp" 352 from_port = 80 353 to_port = 8000 354 cidr_blocks = ["10.0.0.0/8"] 355 356 security_group_id = "${aws_security_group.web.id}" 357 } 358 ` 359 360 const testAccAWSSecurityGroupRuleConfigMultiIngress = ` 361 resource "aws_security_group" "web" { 362 name = "terraform_acceptance_test_example_2" 363 description = "Used in the terraform acceptance tests" 364 } 365 366 resource "aws_security_group" "worker" { 367 name = "terraform_acceptance_test_example_worker" 368 description = "Used in the terraform acceptance tests" 369 } 370 371 372 resource "aws_security_group_rule" "ingress_1" { 373 type = "ingress" 374 protocol = "tcp" 375 from_port = 22 376 to_port = 22 377 cidr_blocks = ["10.0.0.0/8"] 378 379 security_group_id = "${aws_security_group.web.id}" 380 source_security_group_id = "${aws_security_group.worker.id}" 381 } 382 383 resource "aws_security_group_rule" "ingress_2" { 384 type = "ingress" 385 protocol = "tcp" 386 from_port = 80 387 to_port = 8000 388 self = true 389 390 security_group_id = "${aws_security_group.web.id}" 391 } 392 `