github.com/cbroglie/terraform@v0.7.0-rc3.0.20170410193827-735dfc416d46/builtin/providers/aws/resource_aws_network_acl_rule_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "regexp" 6 "strconv" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/terraform" 14 ) 15 16 func TestAccAWSNetworkAclRule_basic(t *testing.T) { 17 var networkAcl ec2.NetworkAcl 18 19 resource.Test(t, resource.TestCase{ 20 PreCheck: func() { testAccPreCheck(t) }, 21 Providers: testAccProviders, 22 CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, 23 Steps: []resource.TestStep{ 24 { 25 Config: testAccAWSNetworkAclRuleBasicConfig, 26 Check: resource.ComposeTestCheckFunc( 27 testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl), 28 testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.qux", &networkAcl), 29 testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.wibble", &networkAcl), 30 ), 31 }, 32 }, 33 }) 34 } 35 36 func TestAccAWSNetworkAclRule_missingParam(t *testing.T) { 37 38 resource.Test(t, resource.TestCase{ 39 PreCheck: func() { testAccPreCheck(t) }, 40 Providers: testAccProviders, 41 CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, 42 Steps: []resource.TestStep{ 43 { 44 Config: testAccAWSNetworkAclRuleMissingParam, 45 ExpectError: regexp.MustCompile("Either `cidr_block` or `ipv6_cidr_block` must be defined"), 46 }, 47 }, 48 }) 49 } 50 51 func TestAccAWSNetworkAclRule_ipv6(t *testing.T) { 52 var networkAcl ec2.NetworkAcl 53 54 resource.Test(t, resource.TestCase{ 55 PreCheck: func() { testAccPreCheck(t) }, 56 Providers: testAccProviders, 57 CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, 58 Steps: []resource.TestStep{ 59 { 60 Config: testAccAWSNetworkAclRuleIpv6Config, 61 Check: resource.ComposeTestCheckFunc( 62 testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl), 63 ), 64 }, 65 }, 66 }) 67 } 68 69 func TestAccAWSNetworkAclRule_allProtocol(t *testing.T) { 70 71 resource.Test(t, resource.TestCase{ 72 PreCheck: func() { testAccPreCheck(t) }, 73 Providers: testAccProviders, 74 CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, 75 Steps: []resource.TestStep{ 76 { 77 Config: testAccAWSNetworkAclRuleAllProtocolConfig, 78 ExpectNonEmptyPlan: false, 79 }, 80 { 81 Config: testAccAWSNetworkAclRuleAllProtocolConfigNoRealUpdate, 82 ExpectNonEmptyPlan: false, 83 }, 84 }, 85 }) 86 } 87 88 func TestResourceAWSNetworkAclRule_validateICMPArgumentValue(t *testing.T) { 89 type testCases struct { 90 Value string 91 ErrCount int 92 } 93 94 invalidCases := []testCases{ 95 { 96 Value: "", 97 ErrCount: 1, 98 }, 99 { 100 Value: "not-a-number", 101 ErrCount: 1, 102 }, 103 { 104 Value: "1.0", 105 ErrCount: 1, 106 }, 107 } 108 109 for _, tc := range invalidCases { 110 _, errors := validateICMPArgumentValue(tc.Value, "icmp_type") 111 if len(errors) != tc.ErrCount { 112 t.Fatalf("Expected %q to trigger a validation error.", tc.Value) 113 } 114 } 115 116 validCases := []testCases{ 117 { 118 Value: "0", 119 ErrCount: 0, 120 }, 121 { 122 Value: "-1", 123 ErrCount: 0, 124 }, 125 { 126 Value: "1", 127 ErrCount: 0, 128 }, 129 } 130 131 for _, tc := range validCases { 132 _, errors := validateICMPArgumentValue(tc.Value, "icmp_type") 133 if len(errors) != tc.ErrCount { 134 t.Fatalf("Expected %q not to trigger a validation error.", tc.Value) 135 } 136 } 137 138 } 139 140 func testAccCheckAWSNetworkAclRuleDestroy(s *terraform.State) error { 141 142 for _, rs := range s.RootModule().Resources { 143 conn := testAccProvider.Meta().(*AWSClient).ec2conn 144 if rs.Type != "aws_network_acl_rule" { 145 continue 146 } 147 148 req := &ec2.DescribeNetworkAclsInput{ 149 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 150 } 151 resp, err := conn.DescribeNetworkAcls(req) 152 if err == nil { 153 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 154 networkAcl := resp.NetworkAcls[0] 155 if networkAcl.Entries != nil { 156 return fmt.Errorf("Network ACL Entries still exist") 157 } 158 } 159 } 160 161 ec2err, ok := err.(awserr.Error) 162 if !ok { 163 return err 164 } 165 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 166 return err 167 } 168 } 169 170 return nil 171 } 172 173 func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 174 return func(s *terraform.State) error { 175 conn := testAccProvider.Meta().(*AWSClient).ec2conn 176 rs, ok := s.RootModule().Resources[n] 177 if !ok { 178 return fmt.Errorf("Not found: %s", n) 179 } 180 181 if rs.Primary.ID == "" { 182 return fmt.Errorf("No Network ACL Id is set") 183 } 184 185 req := &ec2.DescribeNetworkAclsInput{ 186 NetworkAclIds: []*string{aws.String(rs.Primary.Attributes["network_acl_id"])}, 187 } 188 resp, err := conn.DescribeNetworkAcls(req) 189 if err != nil { 190 return err 191 } 192 if len(resp.NetworkAcls) != 1 { 193 return fmt.Errorf("Network ACL not found") 194 } 195 egress, err := strconv.ParseBool(rs.Primary.Attributes["egress"]) 196 if err != nil { 197 return err 198 } 199 ruleNo, err := strconv.ParseInt(rs.Primary.Attributes["rule_number"], 10, 64) 200 if err != nil { 201 return err 202 } 203 for _, e := range resp.NetworkAcls[0].Entries { 204 if *e.RuleNumber == ruleNo && *e.Egress == egress { 205 return nil 206 } 207 } 208 return fmt.Errorf("Entry not found: %s", resp.NetworkAcls[0]) 209 } 210 } 211 212 const testAccAWSNetworkAclRuleBasicConfig = ` 213 provider "aws" { 214 region = "us-east-1" 215 } 216 resource "aws_vpc" "foo" { 217 cidr_block = "10.3.0.0/16" 218 } 219 resource "aws_network_acl" "bar" { 220 vpc_id = "${aws_vpc.foo.id}" 221 } 222 resource "aws_network_acl_rule" "baz" { 223 network_acl_id = "${aws_network_acl.bar.id}" 224 rule_number = 200 225 egress = false 226 protocol = "tcp" 227 rule_action = "allow" 228 cidr_block = "0.0.0.0/0" 229 from_port = 22 230 to_port = 22 231 } 232 resource "aws_network_acl_rule" "qux" { 233 network_acl_id = "${aws_network_acl.bar.id}" 234 rule_number = 300 235 protocol = "icmp" 236 rule_action = "allow" 237 cidr_block = "0.0.0.0/0" 238 icmp_type = 0 239 icmp_code = -1 240 } 241 resource "aws_network_acl_rule" "wibble" { 242 network_acl_id = "${aws_network_acl.bar.id}" 243 rule_number = 400 244 protocol = "icmp" 245 rule_action = "allow" 246 cidr_block = "0.0.0.0/0" 247 icmp_type = -1 248 icmp_code = -1 249 } 250 ` 251 252 const testAccAWSNetworkAclRuleMissingParam = ` 253 provider "aws" { 254 region = "us-east-1" 255 } 256 resource "aws_vpc" "foo" { 257 cidr_block = "10.3.0.0/16" 258 } 259 resource "aws_network_acl" "bar" { 260 vpc_id = "${aws_vpc.foo.id}" 261 } 262 resource "aws_network_acl_rule" "baz" { 263 network_acl_id = "${aws_network_acl.bar.id}" 264 rule_number = 200 265 egress = false 266 protocol = "tcp" 267 rule_action = "allow" 268 from_port = 22 269 to_port = 22 270 } 271 ` 272 273 const testAccAWSNetworkAclRuleAllProtocolConfigNoRealUpdate = ` 274 resource "aws_vpc" "foo" { 275 cidr_block = "10.3.0.0/16" 276 } 277 resource "aws_network_acl" "bar" { 278 vpc_id = "${aws_vpc.foo.id}" 279 } 280 resource "aws_network_acl_rule" "baz" { 281 network_acl_id = "${aws_network_acl.bar.id}" 282 rule_number = 150 283 egress = false 284 protocol = "all" 285 rule_action = "allow" 286 cidr_block = "0.0.0.0/0" 287 from_port = 22 288 to_port = 22 289 } 290 ` 291 292 const testAccAWSNetworkAclRuleAllProtocolConfig = ` 293 resource "aws_vpc" "foo" { 294 cidr_block = "10.3.0.0/16" 295 } 296 resource "aws_network_acl" "bar" { 297 vpc_id = "${aws_vpc.foo.id}" 298 } 299 resource "aws_network_acl_rule" "baz" { 300 network_acl_id = "${aws_network_acl.bar.id}" 301 rule_number = 150 302 egress = false 303 protocol = "-1" 304 rule_action = "allow" 305 cidr_block = "0.0.0.0/0" 306 from_port = 22 307 to_port = 22 308 } 309 ` 310 311 const testAccAWSNetworkAclRuleIpv6Config = ` 312 resource "aws_vpc" "foo" { 313 cidr_block = "10.3.0.0/16" 314 } 315 resource "aws_network_acl" "bar" { 316 vpc_id = "${aws_vpc.foo.id}" 317 } 318 resource "aws_network_acl_rule" "baz" { 319 network_acl_id = "${aws_network_acl.bar.id}" 320 rule_number = 150 321 egress = false 322 protocol = "tcp" 323 rule_action = "allow" 324 ipv6_cidr_block = "::/0" 325 from_port = 22 326 to_port = 22 327 } 328 329 `