github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 IDRefreshName: "aws_network_acl.bar", 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 22 Steps: []resource.TestStep{ 23 { 24 Config: testAccAWSNetworkAclEgressNIngressConfig, 25 Check: resource.ComposeAggregateTestCheckFunc( 26 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.1871939009.protocol", "6"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.1871939009.rule_no", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.1871939009.from_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.1871939009.to_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.1871939009.action", "allow"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "ingress.1871939009.cidr_block", "10.3.0.0/18"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.3111164687.protocol", "6"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.3111164687.rule_no", "2"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.3111164687.from_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.3111164687.to_port", "443"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.3111164687.cidr_block", "10.3.0.0/18"), 49 resource.TestCheckResourceAttr( 50 "aws_network_acl.bar", "egress.3111164687.action", "allow"), 51 ), 52 }, 53 }, 54 }) 55 } 56 57 func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) { 58 var networkAcl ec2.NetworkAcl 59 60 resource.Test(t, resource.TestCase{ 61 PreCheck: func() { testAccPreCheck(t) }, 62 IDRefreshName: "aws_network_acl.foos", 63 Providers: testAccProviders, 64 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 65 Steps: []resource.TestStep{ 66 { 67 Config: testAccAWSNetworkAclIngressConfig, 68 Check: resource.ComposeAggregateTestCheckFunc( 69 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 70 resource.TestCheckResourceAttr( 71 "aws_network_acl.foos", "ingress.4245812720.protocol", "6"), 72 resource.TestCheckResourceAttr( 73 "aws_network_acl.foos", "ingress.4245812720.rule_no", "2"), 74 resource.TestCheckResourceAttr( 75 "aws_network_acl.foos", "ingress.4245812720.from_port", "443"), 76 resource.TestCheckResourceAttr( 77 "aws_network_acl.foos", "ingress.4245812720.to_port", "443"), 78 resource.TestCheckResourceAttr( 79 "aws_network_acl.foos", "ingress.4245812720.action", "deny"), 80 resource.TestCheckResourceAttr( 81 "aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"), 82 ), 83 }, 84 }, 85 }) 86 } 87 88 func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) { 89 var networkAcl ec2.NetworkAcl 90 91 resource.Test(t, resource.TestCase{ 92 PreCheck: func() { testAccPreCheck(t) }, 93 IDRefreshName: "aws_network_acl.foos", 94 Providers: testAccProviders, 95 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 96 Steps: []resource.TestStep{ 97 { 98 Config: testAccAWSNetworkAclIngressConfig, 99 Check: resource.ComposeAggregateTestCheckFunc( 100 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 101 testIngressRuleLength(&networkAcl, 2), 102 resource.TestCheckResourceAttr( 103 "aws_network_acl.foos", "ingress.401088754.protocol", "6"), 104 resource.TestCheckResourceAttr( 105 "aws_network_acl.foos", "ingress.401088754.rule_no", "1"), 106 resource.TestCheckResourceAttr( 107 "aws_network_acl.foos", "ingress.401088754.from_port", "0"), 108 resource.TestCheckResourceAttr( 109 "aws_network_acl.foos", "ingress.401088754.to_port", "22"), 110 resource.TestCheckResourceAttr( 111 "aws_network_acl.foos", "ingress.401088754.action", "deny"), 112 resource.TestCheckResourceAttr( 113 "aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"), 114 resource.TestCheckResourceAttr( 115 "aws_network_acl.foos", "ingress.4245812720.from_port", "443"), 116 resource.TestCheckResourceAttr( 117 "aws_network_acl.foos", "ingress.4245812720.rule_no", "2"), 118 ), 119 }, 120 { 121 Config: testAccAWSNetworkAclIngressConfigChange, 122 Check: resource.ComposeAggregateTestCheckFunc( 123 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 124 testIngressRuleLength(&networkAcl, 1), 125 resource.TestCheckResourceAttr( 126 "aws_network_acl.foos", "ingress.401088754.protocol", "6"), 127 resource.TestCheckResourceAttr( 128 "aws_network_acl.foos", "ingress.401088754.rule_no", "1"), 129 resource.TestCheckResourceAttr( 130 "aws_network_acl.foos", "ingress.401088754.from_port", "0"), 131 resource.TestCheckResourceAttr( 132 "aws_network_acl.foos", "ingress.401088754.to_port", "22"), 133 resource.TestCheckResourceAttr( 134 "aws_network_acl.foos", "ingress.401088754.action", "deny"), 135 resource.TestCheckResourceAttr( 136 "aws_network_acl.foos", "ingress.401088754.cidr_block", "10.2.0.0/18"), 137 ), 138 }, 139 }, 140 }) 141 } 142 143 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 144 var networkAcl ec2.NetworkAcl 145 146 resource.Test(t, resource.TestCase{ 147 PreCheck: func() { testAccPreCheck(t) }, 148 IDRefreshName: "aws_network_acl.bond", 149 Providers: testAccProviders, 150 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 151 Steps: []resource.TestStep{ 152 { 153 Config: testAccAWSNetworkAclEgressConfig, 154 Check: resource.ComposeTestCheckFunc( 155 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 156 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 157 ), 158 }, 159 }, 160 }) 161 } 162 163 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 164 165 resource.Test(t, resource.TestCase{ 166 PreCheck: func() { testAccPreCheck(t) }, 167 IDRefreshName: "aws_network_acl.bar", 168 Providers: testAccProviders, 169 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 170 Steps: []resource.TestStep{ 171 { 172 Config: testAccAWSNetworkAclSubnetConfig, 173 Check: resource.ComposeTestCheckFunc( 174 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 175 ), 176 }, 177 { 178 Config: testAccAWSNetworkAclSubnetConfigChange, 179 Check: resource.ComposeTestCheckFunc( 180 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 181 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 182 ), 183 }, 184 }, 185 }) 186 187 } 188 189 func TestAccAWSNetworkAcl_Subnets(t *testing.T) { 190 var networkAcl ec2.NetworkAcl 191 192 checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc { 193 return func(*terraform.State) (err error) { 194 if count != len(acl.Associations) { 195 return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations)) 196 } 197 198 return nil 199 } 200 } 201 202 resource.Test(t, resource.TestCase{ 203 PreCheck: func() { testAccPreCheck(t) }, 204 IDRefreshName: "aws_network_acl.bar", 205 Providers: testAccProviders, 206 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 207 Steps: []resource.TestStep{ 208 { 209 Config: testAccAWSNetworkAclSubnet_SubnetIds, 210 Check: resource.ComposeTestCheckFunc( 211 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 212 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 213 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"), 214 checkACLSubnets(&networkAcl, 2), 215 ), 216 }, 217 218 { 219 Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate, 220 Check: resource.ComposeTestCheckFunc( 221 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 222 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 223 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"), 224 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"), 225 checkACLSubnets(&networkAcl, 3), 226 ), 227 }, 228 }, 229 }) 230 } 231 232 func TestAccAWSNetworkAcl_ipv6Rules(t *testing.T) { 233 var networkAcl ec2.NetworkAcl 234 235 resource.Test(t, resource.TestCase{ 236 PreCheck: func() { testAccPreCheck(t) }, 237 IDRefreshName: "aws_network_acl.foos", 238 Providers: testAccProviders, 239 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 240 Steps: []resource.TestStep{ 241 { 242 Config: testAccAWSNetworkAclIpv6Config, 243 Check: resource.ComposeTestCheckFunc( 244 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 245 resource.TestCheckResourceAttr( 246 "aws_network_acl.foos", "ingress.#", "1"), 247 resource.TestCheckResourceAttr( 248 "aws_network_acl.foos", "ingress.1976110835.protocol", "6"), 249 resource.TestCheckResourceAttr( 250 "aws_network_acl.foos", "ingress.1976110835.rule_no", "1"), 251 resource.TestCheckResourceAttr( 252 "aws_network_acl.foos", "ingress.1976110835.from_port", "0"), 253 resource.TestCheckResourceAttr( 254 "aws_network_acl.foos", "ingress.1976110835.to_port", "22"), 255 resource.TestCheckResourceAttr( 256 "aws_network_acl.foos", "ingress.1976110835.action", "allow"), 257 resource.TestCheckResourceAttr( 258 "aws_network_acl.foos", "ingress.1976110835.ipv6_cidr_block", "::/0"), 259 ), 260 }, 261 }, 262 }) 263 } 264 265 func TestAccAWSNetworkAcl_ipv6VpcRules(t *testing.T) { 266 var networkAcl ec2.NetworkAcl 267 268 resource.Test(t, resource.TestCase{ 269 PreCheck: func() { testAccPreCheck(t) }, 270 IDRefreshName: "aws_network_acl.foos", 271 Providers: testAccProviders, 272 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 273 Steps: []resource.TestStep{ 274 { 275 Config: testAccAWSNetworkAclIpv6VpcConfig, 276 Check: resource.ComposeTestCheckFunc( 277 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 278 resource.TestCheckResourceAttr( 279 "aws_network_acl.foos", "ingress.#", "1"), 280 resource.TestCheckResourceAttr( 281 "aws_network_acl.foos", "ingress.1296304962.ipv6_cidr_block", "2600:1f16:d1e:9a00::/56"), 282 ), 283 }, 284 }, 285 }) 286 } 287 288 func TestAccAWSNetworkAcl_espProtocol(t *testing.T) { 289 var networkAcl ec2.NetworkAcl 290 291 resource.Test(t, resource.TestCase{ 292 PreCheck: func() { testAccPreCheck(t) }, 293 IDRefreshName: "aws_network_acl.testesp", 294 Providers: testAccProviders, 295 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 296 Steps: []resource.TestStep{ 297 { 298 Config: testAccAWSNetworkAclEsp, 299 Check: resource.ComposeTestCheckFunc( 300 testAccCheckAWSNetworkAclExists("aws_network_acl.testesp", &networkAcl), 301 ), 302 }, 303 }, 304 }) 305 } 306 307 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 308 conn := testAccProvider.Meta().(*AWSClient).ec2conn 309 310 for _, rs := range s.RootModule().Resources { 311 if rs.Type != "aws_network" { 312 continue 313 } 314 315 // Retrieve the network acl 316 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 317 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 318 }) 319 if err == nil { 320 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 321 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 322 } 323 324 return nil 325 } 326 327 ec2err, ok := err.(awserr.Error) 328 if !ok { 329 return err 330 } 331 // Confirm error code is what we want 332 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 333 return err 334 } 335 } 336 337 return nil 338 } 339 340 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 341 return func(s *terraform.State) error { 342 rs, ok := s.RootModule().Resources[n] 343 if !ok { 344 return fmt.Errorf("Not found: %s", n) 345 } 346 347 if rs.Primary.ID == "" { 348 return fmt.Errorf("No Security Group is set") 349 } 350 conn := testAccProvider.Meta().(*AWSClient).ec2conn 351 352 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 353 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 354 }) 355 if err != nil { 356 return err 357 } 358 359 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 360 *networkAcl = *resp.NetworkAcls[0] 361 return nil 362 } 363 364 return fmt.Errorf("Network Acls not found") 365 } 366 } 367 368 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 369 return func(s *terraform.State) error { 370 var ingressEntries []*ec2.NetworkAclEntry 371 for _, e := range networkAcl.Entries { 372 if *e.Egress == false { 373 ingressEntries = append(ingressEntries, e) 374 } 375 } 376 // There is always a default rule (ALL Traffic ... DENY) 377 // so we have to increase the length by 1 378 if len(ingressEntries) != length+1 { 379 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 380 } 381 return nil 382 } 383 } 384 385 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 386 return func(s *terraform.State) error { 387 networkAcl := s.RootModule().Resources[acl] 388 subnet := s.RootModule().Resources[sub] 389 390 conn := testAccProvider.Meta().(*AWSClient).ec2conn 391 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 392 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 393 Filters: []*ec2.Filter{ 394 { 395 Name: aws.String("association.subnet-id"), 396 Values: []*string{aws.String(subnet.Primary.ID)}, 397 }, 398 }, 399 }) 400 if err != nil { 401 return err 402 } 403 if len(resp.NetworkAcls) > 0 { 404 return nil 405 } 406 407 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 408 } 409 } 410 411 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 412 return func(s *terraform.State) error { 413 networkAcl := s.RootModule().Resources[acl] 414 subnet := s.RootModule().Resources[subnet] 415 416 conn := testAccProvider.Meta().(*AWSClient).ec2conn 417 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 418 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 419 Filters: []*ec2.Filter{ 420 { 421 Name: aws.String("association.subnet-id"), 422 Values: []*string{aws.String(subnet.Primary.ID)}, 423 }, 424 }, 425 }) 426 427 if err != nil { 428 return err 429 } 430 if len(resp.NetworkAcls) > 0 { 431 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 432 } 433 return nil 434 } 435 } 436 437 const testAccAWSNetworkAclIpv6Config = ` 438 resource "aws_vpc" "foo" { 439 cidr_block = "10.1.0.0/16" 440 tags { 441 Name = "TestAccAWSNetworkAcl_ipv6Rules" 442 } 443 } 444 resource "aws_subnet" "blob" { 445 cidr_block = "10.1.1.0/24" 446 vpc_id = "${aws_vpc.foo.id}" 447 map_public_ip_on_launch = true 448 } 449 resource "aws_network_acl" "foos" { 450 vpc_id = "${aws_vpc.foo.id}" 451 ingress = { 452 protocol = "tcp" 453 rule_no = 1 454 action = "allow" 455 ipv6_cidr_block = "::/0" 456 from_port = 0 457 to_port = 22 458 } 459 460 subnet_ids = ["${aws_subnet.blob.id}"] 461 } 462 ` 463 464 const testAccAWSNetworkAclIpv6VpcConfig = ` 465 provider "aws" { 466 region = "us-east-2" 467 } 468 469 resource "aws_vpc" "foo" { 470 cidr_block = "10.1.0.0/16" 471 assign_generated_ipv6_cidr_block = true 472 473 tags { 474 Name = "TestAccAWSNetworkAcl_ipv6VpcRules" 475 } 476 } 477 478 resource "aws_network_acl" "foos" { 479 vpc_id = "${aws_vpc.foo.id}" 480 ingress = { 481 protocol = "tcp" 482 rule_no = 1 483 action = "allow" 484 ipv6_cidr_block = "2600:1f16:d1e:9a00::/56" 485 from_port = 0 486 to_port = 22 487 } 488 } 489 ` 490 491 const testAccAWSNetworkAclIngressConfig = ` 492 resource "aws_vpc" "foo" { 493 cidr_block = "10.1.0.0/16" 494 tags { 495 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 496 } 497 } 498 resource "aws_subnet" "blob" { 499 cidr_block = "10.1.1.0/24" 500 vpc_id = "${aws_vpc.foo.id}" 501 map_public_ip_on_launch = true 502 } 503 resource "aws_network_acl" "foos" { 504 vpc_id = "${aws_vpc.foo.id}" 505 ingress = { 506 protocol = "tcp" 507 rule_no = 1 508 action = "deny" 509 cidr_block = "10.2.0.0/18" 510 from_port = 0 511 to_port = 22 512 } 513 ingress = { 514 protocol = "tcp" 515 rule_no = 2 516 action = "deny" 517 cidr_block = "10.2.0.0/18" 518 from_port = 443 519 to_port = 443 520 } 521 522 subnet_ids = ["${aws_subnet.blob.id}"] 523 } 524 ` 525 const testAccAWSNetworkAclIngressConfigChange = ` 526 resource "aws_vpc" "foo" { 527 cidr_block = "10.1.0.0/16" 528 tags { 529 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 530 } 531 } 532 resource "aws_subnet" "blob" { 533 cidr_block = "10.1.1.0/24" 534 vpc_id = "${aws_vpc.foo.id}" 535 map_public_ip_on_launch = true 536 } 537 resource "aws_network_acl" "foos" { 538 vpc_id = "${aws_vpc.foo.id}" 539 ingress = { 540 protocol = "tcp" 541 rule_no = 1 542 action = "deny" 543 cidr_block = "10.2.0.0/18" 544 from_port = 0 545 to_port = 22 546 } 547 subnet_ids = ["${aws_subnet.blob.id}"] 548 } 549 ` 550 551 const testAccAWSNetworkAclEgressConfig = ` 552 resource "aws_vpc" "foo" { 553 cidr_block = "10.2.0.0/16" 554 tags { 555 Name = "TestAccAWSNetworkAcl_OnlyEgressRules" 556 } 557 } 558 resource "aws_subnet" "blob" { 559 cidr_block = "10.2.0.0/24" 560 vpc_id = "${aws_vpc.foo.id}" 561 map_public_ip_on_launch = true 562 } 563 resource "aws_network_acl" "bond" { 564 vpc_id = "${aws_vpc.foo.id}" 565 egress = { 566 protocol = "tcp" 567 rule_no = 2 568 action = "allow" 569 cidr_block = "10.2.0.0/18" 570 from_port = 443 571 to_port = 443 572 } 573 574 egress = { 575 protocol = "-1" 576 rule_no = 4 577 action = "allow" 578 cidr_block = "0.0.0.0/0" 579 from_port = 0 580 to_port = 0 581 } 582 583 egress = { 584 protocol = "tcp" 585 rule_no = 1 586 action = "allow" 587 cidr_block = "10.2.0.0/18" 588 from_port = 80 589 to_port = 80 590 } 591 592 egress = { 593 protocol = "tcp" 594 rule_no = 3 595 action = "allow" 596 cidr_block = "10.2.0.0/18" 597 from_port = 22 598 to_port = 22 599 } 600 601 tags { 602 foo = "bar" 603 } 604 } 605 ` 606 607 const testAccAWSNetworkAclEgressNIngressConfig = ` 608 resource "aws_vpc" "foo" { 609 cidr_block = "10.3.0.0/16" 610 tags { 611 Name = "TestAccAWSNetworkAcl_EgressAndIngressRules" 612 } 613 } 614 resource "aws_subnet" "blob" { 615 cidr_block = "10.3.0.0/24" 616 vpc_id = "${aws_vpc.foo.id}" 617 map_public_ip_on_launch = true 618 } 619 resource "aws_network_acl" "bar" { 620 vpc_id = "${aws_vpc.foo.id}" 621 egress = { 622 protocol = "tcp" 623 rule_no = 2 624 action = "allow" 625 cidr_block = "10.3.0.0/18" 626 from_port = 443 627 to_port = 443 628 } 629 630 ingress = { 631 protocol = "tcp" 632 rule_no = 1 633 action = "allow" 634 cidr_block = "10.3.0.0/18" 635 from_port = 80 636 to_port = 80 637 } 638 } 639 ` 640 const testAccAWSNetworkAclSubnetConfig = ` 641 resource "aws_vpc" "foo" { 642 cidr_block = "10.1.0.0/16" 643 tags { 644 Name = "TestAccAWSNetworkAcl_SubnetChange" 645 } 646 } 647 resource "aws_subnet" "old" { 648 cidr_block = "10.1.111.0/24" 649 vpc_id = "${aws_vpc.foo.id}" 650 map_public_ip_on_launch = true 651 } 652 resource "aws_subnet" "new" { 653 cidr_block = "10.1.1.0/24" 654 vpc_id = "${aws_vpc.foo.id}" 655 map_public_ip_on_launch = true 656 } 657 resource "aws_network_acl" "roll" { 658 vpc_id = "${aws_vpc.foo.id}" 659 subnet_ids = ["${aws_subnet.new.id}"] 660 } 661 resource "aws_network_acl" "bar" { 662 vpc_id = "${aws_vpc.foo.id}" 663 subnet_ids = ["${aws_subnet.old.id}"] 664 } 665 ` 666 667 const testAccAWSNetworkAclSubnetConfigChange = ` 668 resource "aws_vpc" "foo" { 669 cidr_block = "10.1.0.0/16" 670 tags { 671 Name = "TestAccAWSNetworkAcl_SubnetChange" 672 } 673 } 674 resource "aws_subnet" "old" { 675 cidr_block = "10.1.111.0/24" 676 vpc_id = "${aws_vpc.foo.id}" 677 map_public_ip_on_launch = true 678 } 679 resource "aws_subnet" "new" { 680 cidr_block = "10.1.1.0/24" 681 vpc_id = "${aws_vpc.foo.id}" 682 map_public_ip_on_launch = true 683 } 684 resource "aws_network_acl" "bar" { 685 vpc_id = "${aws_vpc.foo.id}" 686 subnet_ids = ["${aws_subnet.new.id}"] 687 } 688 ` 689 690 const testAccAWSNetworkAclSubnet_SubnetIds = ` 691 resource "aws_vpc" "foo" { 692 cidr_block = "10.1.0.0/16" 693 tags { 694 Name = "TestAccAWSNetworkAcl_Subnets" 695 } 696 } 697 resource "aws_subnet" "one" { 698 cidr_block = "10.1.111.0/24" 699 vpc_id = "${aws_vpc.foo.id}" 700 tags { 701 Name = "acl-subnets-test" 702 } 703 } 704 resource "aws_subnet" "two" { 705 cidr_block = "10.1.1.0/24" 706 vpc_id = "${aws_vpc.foo.id}" 707 tags { 708 Name = "acl-subnets-test" 709 } 710 } 711 resource "aws_network_acl" "bar" { 712 vpc_id = "${aws_vpc.foo.id}" 713 subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"] 714 tags { 715 Name = "acl-subnets-test" 716 } 717 } 718 ` 719 720 const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = ` 721 resource "aws_vpc" "foo" { 722 cidr_block = "10.1.0.0/16" 723 tags { 724 Name = "TestAccAWSNetworkAcl_Subnets" 725 } 726 } 727 resource "aws_subnet" "one" { 728 cidr_block = "10.1.111.0/24" 729 vpc_id = "${aws_vpc.foo.id}" 730 tags { 731 Name = "acl-subnets-test" 732 } 733 } 734 resource "aws_subnet" "two" { 735 cidr_block = "10.1.1.0/24" 736 vpc_id = "${aws_vpc.foo.id}" 737 tags { 738 Name = "acl-subnets-test" 739 } 740 } 741 742 resource "aws_subnet" "three" { 743 cidr_block = "10.1.222.0/24" 744 vpc_id = "${aws_vpc.foo.id}" 745 tags { 746 Name = "acl-subnets-test" 747 } 748 } 749 resource "aws_subnet" "four" { 750 cidr_block = "10.1.4.0/24" 751 vpc_id = "${aws_vpc.foo.id}" 752 tags { 753 Name = "acl-subnets-test" 754 } 755 } 756 resource "aws_network_acl" "bar" { 757 vpc_id = "${aws_vpc.foo.id}" 758 subnet_ids = [ 759 "${aws_subnet.one.id}", 760 "${aws_subnet.three.id}", 761 "${aws_subnet.four.id}", 762 ] 763 tags { 764 Name = "acl-subnets-test" 765 } 766 } 767 ` 768 769 const testAccAWSNetworkAclEsp = ` 770 resource "aws_vpc" "testespvpc" { 771 cidr_block = "10.1.0.0/16" 772 } 773 774 resource "aws_network_acl" "testesp" { 775 vpc_id = "${aws_vpc.testespvpc.id}" 776 777 egress { 778 protocol = "esp" 779 rule_no = 5 780 action = "allow" 781 cidr_block = "10.3.0.0/18" 782 from_port = 0 783 to_port = 0 784 } 785 786 tags { 787 Name = "test_esp" 788 } 789 } 790 `