github.com/cbroglie/terraform@v0.7.0-rc3.0.20170410193827-735dfc416d46/builtin/providers/aws/resource_aws_network_acl_rule_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"regexp"
     6  	"strconv"
     7  	"testing"
     8  
     9  	"github.com/aws/aws-sdk-go/aws"
    10  	"github.com/aws/aws-sdk-go/aws/awserr"
    11  	"github.com/aws/aws-sdk-go/service/ec2"
    12  	"github.com/hashicorp/terraform/helper/resource"
    13  	"github.com/hashicorp/terraform/terraform"
    14  )
    15  
    16  func TestAccAWSNetworkAclRule_basic(t *testing.T) {
    17  	var networkAcl ec2.NetworkAcl
    18  
    19  	resource.Test(t, resource.TestCase{
    20  		PreCheck:     func() { testAccPreCheck(t) },
    21  		Providers:    testAccProviders,
    22  		CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy,
    23  		Steps: []resource.TestStep{
    24  			{
    25  				Config: testAccAWSNetworkAclRuleBasicConfig,
    26  				Check: resource.ComposeTestCheckFunc(
    27  					testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl),
    28  					testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.qux", &networkAcl),
    29  					testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.wibble", &networkAcl),
    30  				),
    31  			},
    32  		},
    33  	})
    34  }
    35  
    36  func TestAccAWSNetworkAclRule_missingParam(t *testing.T) {
    37  
    38  	resource.Test(t, resource.TestCase{
    39  		PreCheck:     func() { testAccPreCheck(t) },
    40  		Providers:    testAccProviders,
    41  		CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy,
    42  		Steps: []resource.TestStep{
    43  			{
    44  				Config:      testAccAWSNetworkAclRuleMissingParam,
    45  				ExpectError: regexp.MustCompile("Either `cidr_block` or `ipv6_cidr_block` must be defined"),
    46  			},
    47  		},
    48  	})
    49  }
    50  
    51  func TestAccAWSNetworkAclRule_ipv6(t *testing.T) {
    52  	var networkAcl ec2.NetworkAcl
    53  
    54  	resource.Test(t, resource.TestCase{
    55  		PreCheck:     func() { testAccPreCheck(t) },
    56  		Providers:    testAccProviders,
    57  		CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy,
    58  		Steps: []resource.TestStep{
    59  			{
    60  				Config: testAccAWSNetworkAclRuleIpv6Config,
    61  				Check: resource.ComposeTestCheckFunc(
    62  					testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl),
    63  				),
    64  			},
    65  		},
    66  	})
    67  }
    68  
    69  func TestAccAWSNetworkAclRule_allProtocol(t *testing.T) {
    70  
    71  	resource.Test(t, resource.TestCase{
    72  		PreCheck:     func() { testAccPreCheck(t) },
    73  		Providers:    testAccProviders,
    74  		CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy,
    75  		Steps: []resource.TestStep{
    76  			{
    77  				Config:             testAccAWSNetworkAclRuleAllProtocolConfig,
    78  				ExpectNonEmptyPlan: false,
    79  			},
    80  			{
    81  				Config:             testAccAWSNetworkAclRuleAllProtocolConfigNoRealUpdate,
    82  				ExpectNonEmptyPlan: false,
    83  			},
    84  		},
    85  	})
    86  }
    87  
    88  func TestResourceAWSNetworkAclRule_validateICMPArgumentValue(t *testing.T) {
    89  	type testCases struct {
    90  		Value    string
    91  		ErrCount int
    92  	}
    93  
    94  	invalidCases := []testCases{
    95  		{
    96  			Value:    "",
    97  			ErrCount: 1,
    98  		},
    99  		{
   100  			Value:    "not-a-number",
   101  			ErrCount: 1,
   102  		},
   103  		{
   104  			Value:    "1.0",
   105  			ErrCount: 1,
   106  		},
   107  	}
   108  
   109  	for _, tc := range invalidCases {
   110  		_, errors := validateICMPArgumentValue(tc.Value, "icmp_type")
   111  		if len(errors) != tc.ErrCount {
   112  			t.Fatalf("Expected %q to trigger a validation error.", tc.Value)
   113  		}
   114  	}
   115  
   116  	validCases := []testCases{
   117  		{
   118  			Value:    "0",
   119  			ErrCount: 0,
   120  		},
   121  		{
   122  			Value:    "-1",
   123  			ErrCount: 0,
   124  		},
   125  		{
   126  			Value:    "1",
   127  			ErrCount: 0,
   128  		},
   129  	}
   130  
   131  	for _, tc := range validCases {
   132  		_, errors := validateICMPArgumentValue(tc.Value, "icmp_type")
   133  		if len(errors) != tc.ErrCount {
   134  			t.Fatalf("Expected %q not to trigger a validation error.", tc.Value)
   135  		}
   136  	}
   137  
   138  }
   139  
   140  func testAccCheckAWSNetworkAclRuleDestroy(s *terraform.State) error {
   141  
   142  	for _, rs := range s.RootModule().Resources {
   143  		conn := testAccProvider.Meta().(*AWSClient).ec2conn
   144  		if rs.Type != "aws_network_acl_rule" {
   145  			continue
   146  		}
   147  
   148  		req := &ec2.DescribeNetworkAclsInput{
   149  			NetworkAclIds: []*string{aws.String(rs.Primary.ID)},
   150  		}
   151  		resp, err := conn.DescribeNetworkAcls(req)
   152  		if err == nil {
   153  			if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID {
   154  				networkAcl := resp.NetworkAcls[0]
   155  				if networkAcl.Entries != nil {
   156  					return fmt.Errorf("Network ACL Entries still exist")
   157  				}
   158  			}
   159  		}
   160  
   161  		ec2err, ok := err.(awserr.Error)
   162  		if !ok {
   163  			return err
   164  		}
   165  		if ec2err.Code() != "InvalidNetworkAclID.NotFound" {
   166  			return err
   167  		}
   168  	}
   169  
   170  	return nil
   171  }
   172  
   173  func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc {
   174  	return func(s *terraform.State) error {
   175  		conn := testAccProvider.Meta().(*AWSClient).ec2conn
   176  		rs, ok := s.RootModule().Resources[n]
   177  		if !ok {
   178  			return fmt.Errorf("Not found: %s", n)
   179  		}
   180  
   181  		if rs.Primary.ID == "" {
   182  			return fmt.Errorf("No Network ACL Id is set")
   183  		}
   184  
   185  		req := &ec2.DescribeNetworkAclsInput{
   186  			NetworkAclIds: []*string{aws.String(rs.Primary.Attributes["network_acl_id"])},
   187  		}
   188  		resp, err := conn.DescribeNetworkAcls(req)
   189  		if err != nil {
   190  			return err
   191  		}
   192  		if len(resp.NetworkAcls) != 1 {
   193  			return fmt.Errorf("Network ACL not found")
   194  		}
   195  		egress, err := strconv.ParseBool(rs.Primary.Attributes["egress"])
   196  		if err != nil {
   197  			return err
   198  		}
   199  		ruleNo, err := strconv.ParseInt(rs.Primary.Attributes["rule_number"], 10, 64)
   200  		if err != nil {
   201  			return err
   202  		}
   203  		for _, e := range resp.NetworkAcls[0].Entries {
   204  			if *e.RuleNumber == ruleNo && *e.Egress == egress {
   205  				return nil
   206  			}
   207  		}
   208  		return fmt.Errorf("Entry not found: %s", resp.NetworkAcls[0])
   209  	}
   210  }
   211  
   212  const testAccAWSNetworkAclRuleBasicConfig = `
   213  provider "aws" {
   214    region = "us-east-1"
   215  }
   216  resource "aws_vpc" "foo" {
   217  	cidr_block = "10.3.0.0/16"
   218  }
   219  resource "aws_network_acl" "bar" {
   220  	vpc_id = "${aws_vpc.foo.id}"
   221  }
   222  resource "aws_network_acl_rule" "baz" {
   223  	network_acl_id = "${aws_network_acl.bar.id}"
   224  	rule_number = 200
   225  	egress = false
   226  	protocol = "tcp"
   227  	rule_action = "allow"
   228  	cidr_block = "0.0.0.0/0"
   229  	from_port = 22
   230  	to_port = 22
   231  }
   232  resource "aws_network_acl_rule" "qux" {
   233  	network_acl_id = "${aws_network_acl.bar.id}"
   234  	rule_number = 300
   235  	protocol = "icmp"
   236  	rule_action = "allow"
   237  	cidr_block = "0.0.0.0/0"
   238  	icmp_type = 0
   239  	icmp_code = -1
   240  }
   241  resource "aws_network_acl_rule" "wibble" {
   242  	network_acl_id = "${aws_network_acl.bar.id}"
   243  	rule_number = 400
   244  	protocol = "icmp"
   245  	rule_action = "allow"
   246  	cidr_block = "0.0.0.0/0"
   247  	icmp_type = -1
   248  	icmp_code = -1
   249  }
   250  `
   251  
   252  const testAccAWSNetworkAclRuleMissingParam = `
   253  provider "aws" {
   254    region = "us-east-1"
   255  }
   256  resource "aws_vpc" "foo" {
   257  	cidr_block = "10.3.0.0/16"
   258  }
   259  resource "aws_network_acl" "bar" {
   260  	vpc_id = "${aws_vpc.foo.id}"
   261  }
   262  resource "aws_network_acl_rule" "baz" {
   263  	network_acl_id = "${aws_network_acl.bar.id}"
   264  	rule_number = 200
   265  	egress = false
   266  	protocol = "tcp"
   267  	rule_action = "allow"
   268  	from_port = 22
   269  	to_port = 22
   270  }
   271  `
   272  
   273  const testAccAWSNetworkAclRuleAllProtocolConfigNoRealUpdate = `
   274  resource "aws_vpc" "foo" {
   275  	cidr_block = "10.3.0.0/16"
   276  }
   277  resource "aws_network_acl" "bar" {
   278  	vpc_id = "${aws_vpc.foo.id}"
   279  }
   280  resource "aws_network_acl_rule" "baz" {
   281  	network_acl_id = "${aws_network_acl.bar.id}"
   282  	rule_number = 150
   283  	egress = false
   284  	protocol = "all"
   285  	rule_action = "allow"
   286  	cidr_block = "0.0.0.0/0"
   287  	from_port = 22
   288  	to_port = 22
   289  }
   290  `
   291  
   292  const testAccAWSNetworkAclRuleAllProtocolConfig = `
   293  resource "aws_vpc" "foo" {
   294  	cidr_block = "10.3.0.0/16"
   295  }
   296  resource "aws_network_acl" "bar" {
   297  	vpc_id = "${aws_vpc.foo.id}"
   298  }
   299  resource "aws_network_acl_rule" "baz" {
   300  	network_acl_id = "${aws_network_acl.bar.id}"
   301  	rule_number = 150
   302  	egress = false
   303  	protocol = "-1"
   304  	rule_action = "allow"
   305  	cidr_block = "0.0.0.0/0"
   306  	from_port = 22
   307  	to_port = 22
   308  }
   309  `
   310  
   311  const testAccAWSNetworkAclRuleIpv6Config = `
   312  resource "aws_vpc" "foo" {
   313  	cidr_block = "10.3.0.0/16"
   314  }
   315  resource "aws_network_acl" "bar" {
   316  	vpc_id = "${aws_vpc.foo.id}"
   317  }
   318  resource "aws_network_acl_rule" "baz" {
   319  	network_acl_id = "${aws_network_acl.bar.id}"
   320  	rule_number = 150
   321  	egress = false
   322  	protocol = "tcp"
   323  	rule_action = "allow"
   324  	ipv6_cidr_block = "::/0"
   325  	from_port = 22
   326  	to_port = 22
   327  }
   328  
   329  `