github.com/chalford/terraform@v0.3.7-0.20150113080010-a78c69a8c81f/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/hashicorp/terraform/terraform" 8 "github.com/mitchellh/goamz/ec2" 9 // "github.com/hashicorp/terraform/helper/hashcode" 10 "github.com/hashicorp/terraform/helper/resource" 11 // "github.com/hashicorp/terraform/helper/schema" 12 ) 13 14 func TestAccAWSNetworkAclsWithEgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 Providers: testAccProviders, 20 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 21 Steps: []resource.TestStep{ 22 resource.TestStep{ 23 Config: testAccAWSNetworkAclEgressNIngressConfig, 24 Check: resource.ComposeTestCheckFunc( 25 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 26 resource.TestCheckResourceAttr( 27 "aws_network_acl.bar", "ingress.580214135.protocol", "tcp"), 28 resource.TestCheckResourceAttr( 29 "aws_network_acl.bar", "ingress.580214135.rule_no", "1"), 30 resource.TestCheckResourceAttr( 31 "aws_network_acl.bar", "ingress.580214135.from_port", "80"), 32 resource.TestCheckResourceAttr( 33 "aws_network_acl.bar", "ingress.580214135.to_port", "80"), 34 resource.TestCheckResourceAttr( 35 "aws_network_acl.bar", "ingress.580214135.action", "allow"), 36 resource.TestCheckResourceAttr( 37 "aws_network_acl.bar", "ingress.580214135.cidr_block", "10.3.10.3/18"), 38 resource.TestCheckResourceAttr( 39 "aws_network_acl.bar", "egress.1730430240.protocol", "tcp"), 40 resource.TestCheckResourceAttr( 41 "aws_network_acl.bar", "egress.1730430240.rule_no", "2"), 42 resource.TestCheckResourceAttr( 43 "aws_network_acl.bar", "egress.1730430240.from_port", "443"), 44 resource.TestCheckResourceAttr( 45 "aws_network_acl.bar", "egress.1730430240.to_port", "443"), 46 resource.TestCheckResourceAttr( 47 "aws_network_acl.bar", "egress.1730430240.cidr_block", "10.3.2.3/18"), 48 resource.TestCheckResourceAttr( 49 "aws_network_acl.bar", "egress.1730430240.action", "allow"), 50 ), 51 }, 52 }, 53 }) 54 } 55 56 func TestAccAWSNetworkAclsOnlyIngressRules(t *testing.T) { 57 var networkAcl ec2.NetworkAcl 58 59 resource.Test(t, resource.TestCase{ 60 PreCheck: func() { testAccPreCheck(t) }, 61 Providers: testAccProviders, 62 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 63 Steps: []resource.TestStep{ 64 resource.TestStep{ 65 Config: testAccAWSNetworkAclIngressConfig, 66 Check: resource.ComposeTestCheckFunc( 67 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 68 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 69 resource.TestCheckResourceAttr( 70 "aws_network_acl.foos", "ingress.3697634361.protocol", "tcp"), 71 resource.TestCheckResourceAttr( 72 "aws_network_acl.foos", "ingress.3697634361.rule_no", "1"), 73 resource.TestCheckResourceAttr( 74 "aws_network_acl.foos", "ingress.3697634361.from_port", "0"), 75 resource.TestCheckResourceAttr( 76 "aws_network_acl.foos", "ingress.3697634361.to_port", "22"), 77 resource.TestCheckResourceAttr( 78 "aws_network_acl.foos", "ingress.3697634361.action", "deny"), 79 resource.TestCheckResourceAttr( 80 "aws_network_acl.foos", "ingress.3697634361.cidr_block", "10.2.2.3/18"), 81 ), 82 }, 83 }, 84 }) 85 } 86 87 func TestAccAWSNetworkAclsOnlyIngressRulesChange(t *testing.T) { 88 var networkAcl ec2.NetworkAcl 89 90 resource.Test(t, resource.TestCase{ 91 PreCheck: func() { testAccPreCheck(t) }, 92 Providers: testAccProviders, 93 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 94 Steps: []resource.TestStep{ 95 resource.TestStep{ 96 Config: testAccAWSNetworkAclIngressConfig, 97 Check: resource.ComposeTestCheckFunc( 98 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 99 testIngressRuleLength(&networkAcl, 2), 100 resource.TestCheckResourceAttr( 101 "aws_network_acl.foos", "ingress.3697634361.protocol", "tcp"), 102 resource.TestCheckResourceAttr( 103 "aws_network_acl.foos", "ingress.3697634361.rule_no", "1"), 104 resource.TestCheckResourceAttr( 105 "aws_network_acl.foos", "ingress.3697634361.from_port", "0"), 106 resource.TestCheckResourceAttr( 107 "aws_network_acl.foos", "ingress.3697634361.to_port", "22"), 108 resource.TestCheckResourceAttr( 109 "aws_network_acl.foos", "ingress.3697634361.action", "deny"), 110 resource.TestCheckResourceAttr( 111 "aws_network_acl.foos", "ingress.3697634361.cidr_block", "10.2.2.3/18"), 112 resource.TestCheckResourceAttr( 113 "aws_network_acl.foos", "ingress.2438803013.from_port", "443"), 114 resource.TestCheckResourceAttr( 115 "aws_network_acl.foos", "ingress.2438803013.rule_no", "2"), 116 ), 117 }, 118 resource.TestStep{ 119 Config: testAccAWSNetworkAclIngressConfigChange, 120 Check: resource.ComposeTestCheckFunc( 121 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 122 testIngressRuleLength(&networkAcl, 1), 123 resource.TestCheckResourceAttr( 124 "aws_network_acl.foos", "ingress.3697634361.protocol", "tcp"), 125 resource.TestCheckResourceAttr( 126 "aws_network_acl.foos", "ingress.3697634361.rule_no", "1"), 127 resource.TestCheckResourceAttr( 128 "aws_network_acl.foos", "ingress.3697634361.from_port", "0"), 129 resource.TestCheckResourceAttr( 130 "aws_network_acl.foos", "ingress.3697634361.to_port", "22"), 131 resource.TestCheckResourceAttr( 132 "aws_network_acl.foos", "ingress.3697634361.action", "deny"), 133 resource.TestCheckResourceAttr( 134 "aws_network_acl.foos", "ingress.3697634361.cidr_block", "10.2.2.3/18"), 135 ), 136 }, 137 }, 138 }) 139 } 140 141 func TestAccAWSNetworkAclsOnlyEgressRules(t *testing.T) { 142 var networkAcl ec2.NetworkAcl 143 144 resource.Test(t, resource.TestCase{ 145 PreCheck: func() { testAccPreCheck(t) }, 146 Providers: testAccProviders, 147 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 148 Steps: []resource.TestStep{ 149 resource.TestStep{ 150 Config: testAccAWSNetworkAclEgressConfig, 151 Check: resource.ComposeTestCheckFunc( 152 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 153 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 154 ), 155 }, 156 }, 157 }) 158 } 159 160 func TestAccNetworkAcl_SubnetChange(t *testing.T) { 161 162 resource.Test(t, resource.TestCase{ 163 PreCheck: func() { testAccPreCheck(t) }, 164 Providers: testAccProviders, 165 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 166 Steps: []resource.TestStep{ 167 resource.TestStep{ 168 Config: testAccAWSNetworkAclSubnetConfig, 169 Check: resource.ComposeTestCheckFunc( 170 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 171 ), 172 }, 173 resource.TestStep{ 174 Config: testAccAWSNetworkAclSubnetConfigChange, 175 Check: resource.ComposeTestCheckFunc( 176 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 177 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 178 ), 179 }, 180 }, 181 }) 182 183 } 184 185 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 186 conn := testAccProvider.Meta().(*AWSClient).ec2conn 187 188 for _, rs := range s.RootModule().Resources { 189 if rs.Type != "aws_network" { 190 continue 191 } 192 193 // Retrieve the network acl 194 resp, err := conn.NetworkAcls([]string{rs.Primary.ID}, ec2.NewFilter()) 195 if err == nil { 196 if len(resp.NetworkAcls) > 0 && resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 197 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 198 } 199 200 return nil 201 } 202 203 ec2err, ok := err.(*ec2.Error) 204 if !ok { 205 return err 206 } 207 // Confirm error code is what we want 208 if ec2err.Code != "InvalidNetworkAclID.NotFound" { 209 return err 210 } 211 } 212 213 return nil 214 } 215 216 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 217 return func(s *terraform.State) error { 218 rs, ok := s.RootModule().Resources[n] 219 if !ok { 220 return fmt.Errorf("Not found: %s", n) 221 } 222 223 if rs.Primary.ID == "" { 224 return fmt.Errorf("No Security Group is set") 225 } 226 conn := testAccProvider.Meta().(*AWSClient).ec2conn 227 228 resp, err := conn.NetworkAcls([]string{rs.Primary.ID}, nil) 229 if err != nil { 230 return err 231 } 232 233 if len(resp.NetworkAcls) > 0 && resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 234 *networkAcl = resp.NetworkAcls[0] 235 return nil 236 } 237 238 return fmt.Errorf("Network Acls not found") 239 } 240 } 241 242 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 243 return func(s *terraform.State) error { 244 var ingressEntries []ec2.NetworkAclEntry 245 for _, e := range networkAcl.EntrySet { 246 if e.Egress == false { 247 ingressEntries = append(ingressEntries, e) 248 } 249 } 250 // There is always a default rule (ALL Traffic ... DENY) 251 // so we have to increase the lenght by 1 252 if len(ingressEntries) != length+1 { 253 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 254 } 255 return nil 256 } 257 } 258 259 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 260 return func(s *terraform.State) error { 261 networkAcl := s.RootModule().Resources[acl] 262 subnet := s.RootModule().Resources[sub] 263 264 conn := testAccProvider.Meta().(*AWSClient).ec2conn 265 filter := ec2.NewFilter() 266 filter.Add("association.subnet-id", subnet.Primary.ID) 267 resp, err := conn.NetworkAcls([]string{networkAcl.Primary.ID}, filter) 268 269 if err != nil { 270 return err 271 } 272 if len(resp.NetworkAcls) > 0 { 273 return nil 274 } 275 276 r, _ := conn.NetworkAcls([]string{}, ec2.NewFilter()) 277 fmt.Printf("\n\nall acls\n %#v\n\n", r.NetworkAcls) 278 conn.NetworkAcls([]string{}, filter) 279 280 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 281 } 282 } 283 284 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 285 return func(s *terraform.State) error { 286 networkAcl := s.RootModule().Resources[acl] 287 subnet := s.RootModule().Resources[subnet] 288 289 conn := testAccProvider.Meta().(*AWSClient).ec2conn 290 filter := ec2.NewFilter() 291 filter.Add("association.subnet-id", subnet.Primary.ID) 292 resp, err := conn.NetworkAcls([]string{networkAcl.Primary.ID}, filter) 293 294 if err != nil { 295 return err 296 } 297 if len(resp.NetworkAcls) > 0 { 298 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 299 } 300 return nil 301 } 302 } 303 304 const testAccAWSNetworkAclIngressConfig = ` 305 resource "aws_vpc" "foo" { 306 cidr_block = "10.1.0.0/16" 307 } 308 resource "aws_subnet" "blob" { 309 cidr_block = "10.1.1.0/24" 310 vpc_id = "${aws_vpc.foo.id}" 311 map_public_ip_on_launch = true 312 } 313 resource "aws_network_acl" "foos" { 314 vpc_id = "${aws_vpc.foo.id}" 315 ingress = { 316 protocol = "tcp" 317 rule_no = 1 318 action = "deny" 319 cidr_block = "10.2.2.3/18" 320 from_port = 0 321 to_port = 22 322 } 323 ingress = { 324 protocol = "tcp" 325 rule_no = 2 326 action = "deny" 327 cidr_block = "10.2.2.3/18" 328 from_port = 443 329 to_port = 443 330 } 331 subnet_id = "${aws_subnet.blob.id}" 332 } 333 ` 334 const testAccAWSNetworkAclIngressConfigChange = ` 335 resource "aws_vpc" "foo" { 336 cidr_block = "10.1.0.0/16" 337 } 338 resource "aws_subnet" "blob" { 339 cidr_block = "10.1.1.0/24" 340 vpc_id = "${aws_vpc.foo.id}" 341 map_public_ip_on_launch = true 342 } 343 resource "aws_network_acl" "foos" { 344 vpc_id = "${aws_vpc.foo.id}" 345 ingress = { 346 protocol = "tcp" 347 rule_no = 1 348 action = "deny" 349 cidr_block = "10.2.2.3/18" 350 from_port = 0 351 to_port = 22 352 } 353 subnet_id = "${aws_subnet.blob.id}" 354 } 355 ` 356 357 const testAccAWSNetworkAclEgressConfig = ` 358 resource "aws_vpc" "foo" { 359 cidr_block = "10.2.0.0/16" 360 } 361 resource "aws_subnet" "blob" { 362 cidr_block = "10.2.0.0/24" 363 vpc_id = "${aws_vpc.foo.id}" 364 map_public_ip_on_launch = true 365 } 366 resource "aws_network_acl" "bond" { 367 vpc_id = "${aws_vpc.foo.id}" 368 egress = { 369 protocol = "tcp" 370 rule_no = 2 371 action = "allow" 372 cidr_block = "10.2.2.3/18" 373 from_port = 443 374 to_port = 443 375 } 376 377 egress = { 378 protocol = "tcp" 379 rule_no = 1 380 action = "allow" 381 cidr_block = "10.2.10.3/18" 382 from_port = 80 383 to_port = 80 384 } 385 386 egress = { 387 protocol = "tcp" 388 rule_no = 3 389 action = "allow" 390 cidr_block = "10.2.10.3/18" 391 from_port = 22 392 to_port = 22 393 } 394 395 tags { 396 foo = "bar" 397 } 398 } 399 ` 400 401 const testAccAWSNetworkAclEgressNIngressConfig = ` 402 resource "aws_vpc" "foo" { 403 cidr_block = "10.3.0.0/16" 404 } 405 resource "aws_subnet" "blob" { 406 cidr_block = "10.3.0.0/24" 407 vpc_id = "${aws_vpc.foo.id}" 408 map_public_ip_on_launch = true 409 } 410 resource "aws_network_acl" "bar" { 411 vpc_id = "${aws_vpc.foo.id}" 412 egress = { 413 protocol = "tcp" 414 rule_no = 2 415 action = "allow" 416 cidr_block = "10.3.2.3/18" 417 from_port = 443 418 to_port = 443 419 } 420 421 ingress = { 422 protocol = "tcp" 423 rule_no = 1 424 action = "allow" 425 cidr_block = "10.3.10.3/18" 426 from_port = 80 427 to_port = 80 428 } 429 } 430 ` 431 const testAccAWSNetworkAclSubnetConfig = ` 432 resource "aws_vpc" "foo" { 433 cidr_block = "10.1.0.0/16" 434 } 435 resource "aws_subnet" "old" { 436 cidr_block = "10.1.111.0/24" 437 vpc_id = "${aws_vpc.foo.id}" 438 map_public_ip_on_launch = true 439 } 440 resource "aws_subnet" "new" { 441 cidr_block = "10.1.1.0/24" 442 vpc_id = "${aws_vpc.foo.id}" 443 map_public_ip_on_launch = true 444 } 445 resource "aws_network_acl" "roll" { 446 vpc_id = "${aws_vpc.foo.id}" 447 subnet_id = "${aws_subnet.new.id}" 448 } 449 resource "aws_network_acl" "bar" { 450 vpc_id = "${aws_vpc.foo.id}" 451 subnet_id = "${aws_subnet.old.id}" 452 } 453 ` 454 455 const testAccAWSNetworkAclSubnetConfigChange = ` 456 resource "aws_vpc" "foo" { 457 cidr_block = "10.1.0.0/16" 458 } 459 resource "aws_subnet" "old" { 460 cidr_block = "10.1.111.0/24" 461 vpc_id = "${aws_vpc.foo.id}" 462 map_public_ip_on_launch = true 463 } 464 resource "aws_subnet" "new" { 465 cidr_block = "10.1.1.0/24" 466 vpc_id = "${aws_vpc.foo.id}" 467 map_public_ip_on_launch = true 468 } 469 resource "aws_network_acl" "bar" { 470 vpc_id = "${aws_vpc.foo.id}" 471 subnet_id = "${aws_subnet.new.id}" 472 } 473 `