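// Source: github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_waf_web_acl_test.go

package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/service/waf"
	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSWafWebAcl_basic applies a single web ACL configuration and checks
// the attributes Terraform recorded for it: one default action of type ALLOW,
// one rule, and name/metric_name equal to the generated name.
func TestAccAWSWafWebAcl_basic(t *testing.T) {
	var v waf.WebACL
	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(wafAclName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &v),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
					// The numeric path segment is the key under which the
					// default_action element is stored in state.
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "name", wafAclName),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "metric_name", wafAclName),
				),
			},
		},
	})
}

// TestAccAWSWafWebAcl_changeNameForceNew applies the configuration under one
// name and then under a second name, checking the recorded attributes after
// each step.
//
// NOTE(review): before and after are populated but never compared, so nothing
// here asserts that the rename produced a new ACL (a different WebACLId), which
// is what the test name suggests. Confirm against the resource schema and
// consider adding that comparison.
func TestAccAWSWafWebAcl_changeNameForceNew(t *testing.T) {
	var before, after waf.WebACL
	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
	wafAclNewName := fmt.Sprintf("wafacl%s", acctest.RandString(5))

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(wafAclName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &before),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "name", wafAclName),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "metric_name", wafAclName),
				),
			},
			{
				Config: testAccAWSWafWebAclConfigChangeName(wafAclNewName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &after),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "name", wafAclNewName),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "metric_name", wafAclNewName),
				),
			},
		},
	})
}

// TestAccAWSWafWebAcl_changeDefaultAction applies the ALLOW-by-default
// configuration and then the BLOCK-by-default one, checking that the recorded
// default action type follows the configuration.
//
// NOTE(review): the second step also switches to wafAclNewName, so the default
// action is never changed on its own; if a rename replaces the ACL, this does
// not exercise an in-place default_action update. Confirm whether that is
// intended.
func TestAccAWSWafWebAcl_changeDefaultAction(t *testing.T) {
	var before, after waf.WebACL
	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
	wafAclNewName := fmt.Sprintf("wafacl%s", acctest.RandString(5))

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(wafAclName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &before),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "name", wafAclName),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "metric_name", wafAclName),
				),
			},
			{
				Config: testAccAWSWafWebAclConfigDefaultAction(wafAclNewName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &after),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "default_action.2267395054.type", "BLOCK"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "name", wafAclNewName),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
					resource.TestCheckResourceAttr(
						"aws_waf_web_acl.waf_acl", "metric_name", wafAclNewName),
				),
			},
		},
	})
}

// TestAccAWSWafWebAcl_disappears creates the web ACL, removes it through the
// WAF API behind Terraform's back, and expects the following plan to be
// non-empty.
func TestAccAWSWafWebAcl_disappears(t *testing.T) {
	var v waf.WebACL
	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(wafAclName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &v),
					testAccCheckAWSWafWebAclDisappears(&v),
				),
				ExpectNonEmptyPlan: true,
			},
		},
	})
}

// testAccCheckAWSWafWebAclDisappears returns a check that deletes the web ACL
// held in v directly through the WAF API. It first sends DELETE updates for
// every activated rule recorded in v.Rules and then deletes the ACL itself.
// Each call runs through the WAF retryer, which supplies the change token.
// Either failure is returned wrapped with the step that failed.
func testAccCheckAWSWafWebAclDisappears(v *waf.WebACL) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		conn := testAccProvider.Meta().(*AWSClient).wafconn
		wr := newWafRetryer(conn, "global")

		// Detach the rules first; presumably WAF refuses to delete an ACL
		// that still has activated rules.
		_, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
			req := &waf.UpdateWebACLInput{
				ChangeToken: token,
				WebACLId:    v.WebACLId,
			}

			for _, rule := range v.Rules {
				req.Updates = append(req.Updates, &waf.WebACLUpdate{
					Action: aws.String("DELETE"),
					ActivatedRule: &waf.ActivatedRule{
						Priority: rule.Priority,
						RuleId:   rule.RuleId,
						Action:   rule.Action,
					},
				})
			}

			return conn.UpdateWebACL(req)
		})
		if err != nil {
			return fmt.Errorf("Error Updating WAF ACL: %s", err)
		}

		_, err = wr.RetryWithToken(func(token *string) (interface{}, error) {
			return conn.DeleteWebACL(&waf.DeleteWebACLInput{
				ChangeToken: token,
				WebACLId:    v.WebACLId,
			})
		})
		if err != nil {
			return fmt.Errorf("Error Deleting WAF ACL: %s", err)
		}
		return nil
	}
}

// testAccCheckAWSWafWebAclDestroy verifies that every aws_waf_web_acl resource
// left in state is gone from WAF. It returns an error if GetWebACL still
// returns an ACL with the recorded ID, and passes any lookup error other than
// WAFNonexistentItemException back to the caller.
func testAccCheckAWSWafWebAclDestroy(s *terraform.State) error {
	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_waf_web_acl" {
			continue
		}

		conn := testAccProvider.Meta().(*AWSClient).wafconn
		resp, err := conn.GetWebACL(&waf.GetWebACLInput{
			WebACLId: aws.String(rs.Primary.ID),
		})
		if err == nil {
			// Guard the dereference so an empty response cannot panic the run.
			if resp.WebACL != nil && resp.WebACL.WebACLId != nil &&
				*resp.WebACL.WebACLId == rs.Primary.ID {
				return fmt.Errorf("WebACL %s still exists", rs.Primary.ID)
			}
			continue
		}

		// A missing ACL is the expected outcome. Keep checking the remaining
		// resources instead of returning, so a leaked ACL later in state is
		// not masked by the first one that was cleaned up.
		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "WAFNonexistentItemException" {
			continue
		}

		return err
	}

	return nil
}

// testAccCheckAWSWafWebAclExists returns a check that looks up resource n in
// state, fetches the web ACL with the recorded ID from WAF, and copies it into
// v. It fails when the resource is absent from state, has no ID, cannot be
// fetched, or the response does not carry an ACL with that ID.
func testAccCheckAWSWafWebAclExists(n string, v *waf.WebACL) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No WebACL ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).wafconn
		resp, err := conn.GetWebACL(&waf.GetWebACLInput{
			WebACLId: aws.String(rs.Primary.ID),
		})
		if err != nil {
			return err
		}

		// Treat an empty response like a mismatch rather than dereferencing nil.
		if resp.WebACL == nil || resp.WebACL.WebACLId == nil ||
			*resp.WebACL.WebACLId != rs.Primary.ID {
			return fmt.Errorf("WebACL (%s) not found", rs.Primary.ID)
		}

		*v = *resp.WebACL
		return nil
	}
}

// testAccAWSWafWebAclConfigWithDefaultAction renders the shared fixture: an
// IPv4 IP set, a rule with an IPMatch predicate on that set, and a web ACL
// that applies the rule with action BLOCK at priority 1. name is used for
// every name and metric_name; defaultAction is the ACL's default_action type.
//
// NOTE(review): 192.0.7.0/24 is not one of the RFC 5737 documentation ranges
// (192.0.2.0/24 is TEST-NET-1). The value is left as found; consider a
// documentation range for fixtures.
func testAccAWSWafWebAclConfigWithDefaultAction(name, defaultAction string) string {
	return fmt.Sprintf(`resource "aws_waf_ipset" "ipset" {
  name = "%[1]s"
  ip_set_descriptors {
    type = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on = ["aws_waf_ipset.ipset"]
  name = "%[1]s"
  metric_name = "%[1]s"
  predicates {
    data_id = "${aws_waf_ipset.ipset.id}"
    negated = false
    type = "IPMatch"
  }
}
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"]
  name = "%[1]s"
  metric_name = "%[1]s"
  default_action {
    type = "%[2]s"
  }
  rules {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id = "${aws_waf_rule.wafrule.id}"
  }
}`, name, defaultAction)
}

// testAccAWSWafWebAclConfig returns the fixture with default action ALLOW.
func testAccAWSWafWebAclConfig(name string) string {
	return testAccAWSWafWebAclConfigWithDefaultAction(name, "ALLOW")
}

// testAccAWSWafWebAclConfigChangeName returns the same ALLOW-by-default
// fixture as testAccAWSWafWebAclConfig; callers pass the new name.
func testAccAWSWafWebAclConfigChangeName(name string) string {
	return testAccAWSWafWebAclConfigWithDefaultAction(name, "ALLOW")
}

// testAccAWSWafWebAclConfigDefaultAction returns the fixture with default
// action BLOCK.
func testAccAWSWafWebAclConfigDefaultAction(name string) string {
	return testAccAWSWafWebAclConfigWithDefaultAction(name, "BLOCK")
}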