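package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// defaultEgressAcl mirrors the allow-all egress entry that a freshly created
// VPC's default network ACL carries (rule 100, all protocols, 0.0.0.0/0).
// The deny_ingress test keeps only this entry in its config and expects it to
// be the one explicitly managed rule left on the ACL.
var defaultEgressAcl = &ec2.NetworkAclEntry{
	CidrBlock:  aws.String("0.0.0.0/0"),
	Egress:     aws.Bool(true),
	Protocol:   aws.String("-1"),
	RuleAction: aws.String("allow"),
	RuleNumber: aws.Int64(100),
}

// defaultIngressAcl is the ingress counterpart of defaultEgressAcl. It is not
// referenced by the tests in this file; kept for callers elsewhere in the
// package.
var defaultIngressAcl = &ec2.NetworkAclEntry{
	CidrBlock:  aws.String("0.0.0.0/0"),
	Egress:     aws.Bool(false),
	Protocol:   aws.String("-1"),
	RuleAction: aws.String("allow"),
	RuleNumber: aws.Int64(100),
}

// TestAccAWSDefaultNetworkAcl_basic adopts the default ACL of a plain IPv4 VPC
// with no ingress/egress blocks. The managed rule set is therefore empty; only
// the two entries the resource cannot manage are expected to remain, and no
// subnets are associated.
func TestAccAWSDefaultNetworkAcl_basic(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_basic,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 0, 2),
				),
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_basicIpv6Vpc is the same scenario against a VPC
// with an assigned IPv6 block. The unmanaged entry count doubles to 4 here,
// which is why hiddenRuleCount is a parameter rather than a constant.
func TestAccAWSDefaultNetworkAcl_basicIpv6Vpc(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_basicIpv6Vpc,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 0, 4),
				),
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_deny_ingress declares only an egress block, so
// every ingress rule is removed from the default ACL while egress stays open.
// We then expect 3 entries on the ACL: the 2 unmanaged defaults plus the one
// explicit egress rule (defaultEgressAcl).
func TestAccAWSDefaultNetworkAcl_deny_ingress(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_deny_ingress,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{defaultEgressAcl}, 0, 2),
				),
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_SubnetRemoval associates two subnets with the
// default ACL and then drops subnet_ids from the config without giving the
// subnets a new ACL. A subnet must always belong to some ACL, so they remain
// on the default one and the second step expects a non-empty plan.
func TestAccAWSDefaultNetworkAcl_SubnetRemoval(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2, 2),
				),
			},

			// Here the Subnets have been removed from the Default Network ACL Config,
			// but have not been reassigned. The result is that the Subnets are still
			// there, and we have a non-empty plan
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets_remove,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2, 2),
				),
				ExpectNonEmptyPlan: true,
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_SubnetReassign moves the two subnets from the
// default ACL to a separate aws_network_acl and expects the default ACL to
// end up with zero associations.
func TestAccAWSDefaultNetworkAcl_SubnetReassign(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2, 2),
				),
			},

			// Here we've reassigned the subnets to a different ACL.
			// Without any other association between the `aws_network_acl` and
			// `aws_default_network_acl` resources, we cannot guarantee that the
			// reassignment of the two subnets to the `aws_network_acl` will happen
			// before the update/read on the `aws_default_network_acl` resource.
			// Because of this, there could be a non-empty plan if a READ is done on
			// the default before the reassignment occurs on the other resource.
			//
			// For the sake of testing, here we introduce a depends_on attribute from
			// the default resource to the other acl resource, to ensure the latter's
			// update occurs first, and the former's READ will correctly read zero
			// subnets
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets_move,
				Check: resource.ComposeTestCheckFunc(
					testAccGetAWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 0, 2),
				),
			},
		},
	})
}

// testAccCheckAWSDefaultNetworkAclDestroy is a no-op CheckDestroy.
// We can't destroy this resource; it comes and goes with the VPC itself, so
// there is nothing to verify once the VPC is gone.
func testAccCheckAWSDefaultNetworkAclDestroy(s *terraform.State) error {
	return nil
}

// testAccCheckAWSDefaultACLAttributes returns a check that compares the ACL
// fetched by testAccGetAWSDefaultNetworkAcl against the expected shape.
//
//   - rules: the entries the test config declares explicitly.
//   - subnetCount: the number of subnet associations expected on the ACL.
//   - hiddenRuleCount: entries AWS reports on the default ACL that the
//     resource cannot manage and which therefore count on top of rules. The
//     callers in this file pass 2 for an IPv4-only VPC and 4 when the VPC has
//     an IPv6 block.
//
// Only counts are compared; the content of individual entries is not.
func testAccCheckAWSDefaultACLAttributes(acl *ec2.NetworkAcl, rules []*ec2.NetworkAclEntry, subnetCount int, hiddenRuleCount int) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		aclEntriesCount := len(acl.Entries)

		// Default ACL has hidden rules we can't do anything about, so the
		// expected total is the managed rules plus those.
		ruleCount := len(rules) + hiddenRuleCount

		if ruleCount != aclEntriesCount {
			return fmt.Errorf("Expected (%d) Rules, got (%d)", ruleCount, aclEntriesCount)
		}

		if len(acl.Associations) != subnetCount {
			return fmt.Errorf("Expected (%d) Subnets, got (%d)", subnetCount, len(acl.Associations))
		}

		return nil
	}
}

// testAccGetAWSDefaultNetworkAcl returns a check that looks up resource n in
// the root module state, describes the ACL by its state ID via the EC2 API
// and copies the result into networkAcl for later checks to inspect.
//
// It fails when the resource is absent from state, has no ID, the API call
// errors, or the response does not carry an ACL with the expected ID.
func testAccGetAWSDefaultNetworkAcl(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No Network ACL is set")
		}
		conn := testAccProvider.Meta().(*AWSClient).ec2conn

		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
			NetworkAclIds: []*string{aws.String(rs.Primary.ID)},
		})
		if err != nil {
			return err
		}

		// aws.StringValue tolerates a nil NetworkAclId; a bare dereference would
		// panic inside the check instead of reporting a test failure.
		if len(resp.NetworkAcls) > 0 && aws.StringValue(resp.NetworkAcls[0].NetworkAclId) == rs.Primary.ID {
			*networkAcl = *resp.NetworkAcls[0]
			return nil
		}

		return fmt.Errorf("Network Acls not found")
	}
}

// testAccAWSDefaultNetworkConfig_basic adopts the default ACL with no rule
// blocks at all.
const testAccAWSDefaultNetworkConfig_basic = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_basicDefaultRules restates the allow-all
// ingress and egress rules AWS creates by default. Not used by the tests in
// this file.
const testAccAWSDefaultNetworkConfig_basicDefaultRules = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_deny is identical in content to
// testAccAWSDefaultNetworkConfig_basic. Not used by the tests in this file.
const testAccAWSDefaultNetworkConfig_deny = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_deny_ingress keeps only the allow-all egress
// rule; omitting the ingress block removes the default ingress allow.
const testAccAWSDefaultNetworkConfig_deny_ingress = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets associates two subnets with the
// default ACL alongside an unused custom ACL "bar".
const testAccAWSDefaultNetworkConfig_Subnets = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets_remove drops subnet_ids from the
// default ACL without assigning the subnets elsewhere.
const testAccAWSDefaultNetworkConfig_Subnets_remove = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets_move reassigns both subnets to the
// custom ACL "bar" and orders the default ACL after it via depends_on so the
// default's read observes zero associations.
const testAccAWSDefaultNetworkConfig_Subnets_move = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  depends_on = ["aws_network_acl.bar"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`

// testAccAWSDefaultNetworkConfig_basicIpv6Vpc pins the region to us-east-2 and
// requests an AWS-generated IPv6 block on the VPC.
const testAccAWSDefaultNetworkConfig_basicIpv6Vpc = `
provider "aws" {
  region = "us-east-2"
}

resource "aws_vpc" "tftestvpc" {
  cidr_block                       = "10.1.0.0/16"
  assign_generated_ipv6_cidr_block = true

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basicIpv6Vpc"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basicIpv6Vpc"
  }
}
`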