github.com/erriapo/terraform@v0.6.12-0.20160203182612-0340ea72354f/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "strings" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/helper/schema" 14 "github.com/hashicorp/terraform/terraform" 15 ) 16 17 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 18 raw := []*ec2.IpPermission{ 19 &ec2.IpPermission{ 20 IpProtocol: aws.String("tcp"), 21 FromPort: aws.Int64(int64(1)), 22 ToPort: aws.Int64(int64(-1)), 23 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("0.0.0.0/0")}}, 24 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 25 &ec2.UserIdGroupPair{ 26 GroupId: aws.String("sg-22222"), 27 }, 28 }, 29 }, 30 &ec2.IpPermission{ 31 IpProtocol: aws.String("tcp"), 32 FromPort: aws.Int64(int64(80)), 33 ToPort: aws.Int64(int64(80)), 34 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 35 &ec2.UserIdGroupPair{ 36 GroupId: aws.String("foo"), 37 }, 38 }, 39 }, 40 } 41 42 local := []map[string]interface{}{ 43 map[string]interface{}{ 44 "protocol": "tcp", 45 "from_port": int64(1), 46 "to_port": int64(-1), 47 "cidr_blocks": []string{"0.0.0.0/0"}, 48 "self": true, 49 }, 50 map[string]interface{}{ 51 "protocol": "tcp", 52 "from_port": int64(80), 53 "to_port": int64(80), 54 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 55 "foo", 56 }), 57 }, 58 } 59 60 out := resourceAwsSecurityGroupIPPermGather("sg-22222", raw) 61 for _, i := range out { 62 // loop and match rules, because the ordering is not guarneteed 63 for _, l := range local { 64 if i["from_port"] == l["from_port"] { 65 66 if i["to_port"] != l["to_port"] { 67 t.Fatalf("to_port does not match") 68 } 69 70 if _, ok := i["cidr_blocks"]; ok { 71 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 72 t.Fatalf("error matching cidr_blocks") 73 } 74 } 75 76 if _, ok := i["security_groups"]; ok { 77 outSet := i["security_groups"].(*schema.Set) 78 localSet := l["security_groups"].(*schema.Set) 79 80 if !outSet.Equal(localSet) { 81 t.Fatalf("Security Group sets are not equal") 82 } 83 } 84 } 85 } 86 } 87 } 88 89 func TestAccAWSSecurityGroup_basic(t *testing.T) { 90 var group ec2.SecurityGroup 91 92 resource.Test(t, resource.TestCase{ 93 PreCheck: func() { testAccPreCheck(t) }, 94 Providers: testAccProviders, 95 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 96 Steps: []resource.TestStep{ 97 resource.TestStep{ 98 Config: testAccAWSSecurityGroupConfig, 99 Check: resource.ComposeTestCheckFunc( 100 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 101 testAccCheckAWSSecurityGroupAttributes(&group), 102 resource.TestCheckResourceAttr( 103 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 104 resource.TestCheckResourceAttr( 105 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 106 resource.TestCheckResourceAttr( 107 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 108 resource.TestCheckResourceAttr( 109 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 110 resource.TestCheckResourceAttr( 111 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 112 resource.TestCheckResourceAttr( 113 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 114 resource.TestCheckResourceAttr( 115 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 116 ), 117 }, 118 }, 119 }) 120 } 121 122 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 123 var group ec2.SecurityGroup 124 125 resource.Test(t, resource.TestCase{ 126 PreCheck: func() { testAccPreCheck(t) }, 127 Providers: testAccProviders, 128 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 129 Steps: []resource.TestStep{ 130 resource.TestStep{ 131 Config: testAccAWSSecurityGroupPrefixNameConfig, 132 Check: resource.ComposeTestCheckFunc( 133 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 134 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 135 "aws_security_group.baz", "baz-"), 136 ), 137 }, 138 }, 139 }) 140 } 141 142 func TestAccAWSSecurityGroup_self(t *testing.T) { 143 var group ec2.SecurityGroup 144 145 checkSelf := func(s *terraform.State) (err error) { 146 defer func() { 147 if e := recover(); e != nil { 148 err = fmt.Errorf("bad: %#v", group) 149 } 150 }() 151 152 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 153 return fmt.Errorf("bad: %#v", group) 154 } 155 156 return nil 157 } 158 159 resource.Test(t, resource.TestCase{ 160 PreCheck: func() { testAccPreCheck(t) }, 161 Providers: testAccProviders, 162 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 163 Steps: []resource.TestStep{ 164 resource.TestStep{ 165 Config: testAccAWSSecurityGroupConfigSelf, 166 Check: resource.ComposeTestCheckFunc( 167 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 168 resource.TestCheckResourceAttr( 169 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 170 resource.TestCheckResourceAttr( 171 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 172 resource.TestCheckResourceAttr( 173 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 174 resource.TestCheckResourceAttr( 175 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 176 resource.TestCheckResourceAttr( 177 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 178 resource.TestCheckResourceAttr( 179 "aws_security_group.web", "ingress.3971148406.self", "true"), 180 checkSelf, 181 ), 182 }, 183 }, 184 }) 185 } 186 187 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 188 var group ec2.SecurityGroup 189 190 testCheck := func(*terraform.State) error { 191 if *group.VpcId == "" { 192 return fmt.Errorf("should have vpc ID") 193 } 194 195 return nil 196 } 197 198 resource.Test(t, resource.TestCase{ 199 PreCheck: func() { testAccPreCheck(t) }, 200 Providers: testAccProviders, 201 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 202 Steps: []resource.TestStep{ 203 resource.TestStep{ 204 Config: testAccAWSSecurityGroupConfigVpc, 205 Check: resource.ComposeTestCheckFunc( 206 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 207 testAccCheckAWSSecurityGroupAttributes(&group), 208 resource.TestCheckResourceAttr( 209 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 210 resource.TestCheckResourceAttr( 211 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 212 resource.TestCheckResourceAttr( 213 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 214 resource.TestCheckResourceAttr( 215 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 216 resource.TestCheckResourceAttr( 217 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 218 resource.TestCheckResourceAttr( 219 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 220 resource.TestCheckResourceAttr( 221 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 222 resource.TestCheckResourceAttr( 223 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 224 resource.TestCheckResourceAttr( 225 "aws_security_group.web", "egress.3629188364.from_port", "80"), 226 resource.TestCheckResourceAttr( 227 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 228 resource.TestCheckResourceAttr( 229 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 230 resource.TestCheckResourceAttr( 231 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 232 testCheck, 233 ), 234 }, 235 }, 236 }) 237 } 238 239 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 240 var group ec2.SecurityGroup 241 242 testCheck := func(*terraform.State) error { 243 if *group.VpcId == "" { 244 return fmt.Errorf("should have vpc ID") 245 } 246 247 return nil 248 } 249 250 resource.Test(t, resource.TestCase{ 251 PreCheck: func() { testAccPreCheck(t) }, 252 Providers: testAccProviders, 253 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 254 Steps: []resource.TestStep{ 255 resource.TestStep{ 256 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 257 Check: resource.ComposeTestCheckFunc( 258 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 259 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 260 resource.TestCheckResourceAttr( 261 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 262 resource.TestCheckResourceAttr( 263 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 264 resource.TestCheckResourceAttr( 265 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 266 resource.TestCheckResourceAttr( 267 "aws_security_group.web", "ingress.956249133.from_port", "0"), 268 resource.TestCheckResourceAttr( 269 "aws_security_group.web", "ingress.956249133.to_port", "0"), 270 resource.TestCheckResourceAttr( 271 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 272 resource.TestCheckResourceAttr( 273 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 274 testCheck, 275 ), 276 }, 277 }, 278 }) 279 } 280 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 281 var group ec2.SecurityGroup 282 283 resource.Test(t, resource.TestCase{ 284 PreCheck: func() { testAccPreCheck(t) }, 285 Providers: testAccProviders, 286 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 287 Steps: []resource.TestStep{ 288 resource.TestStep{ 289 Config: testAccAWSSecurityGroupConfigMultiIngress, 290 Check: resource.ComposeTestCheckFunc( 291 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 292 ), 293 }, 294 }, 295 }) 296 } 297 298 func TestAccAWSSecurityGroup_Change(t *testing.T) { 299 var group ec2.SecurityGroup 300 301 resource.Test(t, resource.TestCase{ 302 PreCheck: func() { testAccPreCheck(t) }, 303 Providers: testAccProviders, 304 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 305 Steps: []resource.TestStep{ 306 resource.TestStep{ 307 Config: testAccAWSSecurityGroupConfig, 308 Check: resource.ComposeTestCheckFunc( 309 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 310 ), 311 }, 312 resource.TestStep{ 313 Config: testAccAWSSecurityGroupConfigChange, 314 Check: resource.ComposeTestCheckFunc( 315 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 316 testAccCheckAWSSecurityGroupAttributesChanged(&group), 317 ), 318 }, 319 }, 320 }) 321 } 322 323 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 324 var group ec2.SecurityGroup 325 326 resource.Test(t, resource.TestCase{ 327 PreCheck: func() { testAccPreCheck(t) }, 328 Providers: testAccProviders, 329 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 330 Steps: []resource.TestStep{ 331 resource.TestStep{ 332 Config: testAccAWSSecurityGroupConfig_generatedName, 333 Check: resource.ComposeTestCheckFunc( 334 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 335 resource.TestCheckResourceAttr( 336 "aws_security_group.web", "description", "Managed by Terraform"), 337 func(s *terraform.State) error { 338 if group.GroupName == nil { 339 return fmt.Errorf("bad: No SG name") 340 } 341 if !strings.HasPrefix(*group.GroupName, "terraform-") { 342 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 343 } 344 return nil 345 }, 346 ), 347 }, 348 }, 349 }) 350 } 351 352 func TestAccAWSSecurityGroup_DefaultEgress(t *testing.T) { 353 354 // VPC 355 resource.Test(t, resource.TestCase{ 356 PreCheck: func() { testAccPreCheck(t) }, 357 Providers: testAccProviders, 358 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 359 Steps: []resource.TestStep{ 360 resource.TestStep{ 361 Config: testAccAWSSecurityGroupConfigDefaultEgress, 362 Check: resource.ComposeTestCheckFunc( 363 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 364 ), 365 }, 366 }, 367 }) 368 369 // Classic 370 var group ec2.SecurityGroup 371 resource.Test(t, resource.TestCase{ 372 PreCheck: func() { testAccPreCheck(t) }, 373 Providers: testAccProviders, 374 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 375 Steps: []resource.TestStep{ 376 resource.TestStep{ 377 Config: testAccAWSSecurityGroupConfigClassic, 378 Check: resource.ComposeTestCheckFunc( 379 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 380 ), 381 }, 382 }, 383 }) 384 } 385 386 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 387 conn := testAccProvider.Meta().(*AWSClient).ec2conn 388 389 for _, rs := range s.RootModule().Resources { 390 if rs.Type != "aws_security_group" { 391 continue 392 } 393 394 // Retrieve our group 395 req := &ec2.DescribeSecurityGroupsInput{ 396 GroupIds: []*string{aws.String(rs.Primary.ID)}, 397 } 398 resp, err := conn.DescribeSecurityGroups(req) 399 if err == nil { 400 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 401 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 402 } 403 404 return nil 405 } 406 407 ec2err, ok := err.(awserr.Error) 408 if !ok { 409 return err 410 } 411 // Confirm error code is what we want 412 if ec2err.Code() != "InvalidGroup.NotFound" { 413 return err 414 } 415 } 416 417 return nil 418 } 419 420 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 421 resource, prefix string) resource.TestCheckFunc { 422 return func(s *terraform.State) error { 423 r, ok := s.RootModule().Resources[resource] 424 if !ok { 425 return fmt.Errorf("Resource not found") 426 } 427 name, ok := r.Primary.Attributes["name"] 428 if !ok { 429 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 430 } 431 if !strings.HasPrefix(name, prefix) { 432 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 433 } 434 return nil 435 } 436 } 437 438 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 439 return func(s *terraform.State) error { 440 rs, ok := s.RootModule().Resources[n] 441 if !ok { 442 return fmt.Errorf("Not found: %s", n) 443 } 444 445 if rs.Primary.ID == "" { 446 return fmt.Errorf("No Security Group is set") 447 } 448 449 conn := testAccProvider.Meta().(*AWSClient).ec2conn 450 req := &ec2.DescribeSecurityGroupsInput{ 451 GroupIds: []*string{aws.String(rs.Primary.ID)}, 452 } 453 resp, err := conn.DescribeSecurityGroups(req) 454 if err != nil { 455 return err 456 } 457 458 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 459 *group = *resp.SecurityGroups[0] 460 return nil 461 } 462 463 return fmt.Errorf("Security Group not found") 464 } 465 } 466 467 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 468 return func(s *terraform.State) error { 469 p := &ec2.IpPermission{ 470 FromPort: aws.Int64(80), 471 ToPort: aws.Int64(8000), 472 IpProtocol: aws.String("tcp"), 473 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 474 } 475 476 if *group.GroupName != "terraform_acceptance_test_example" { 477 return fmt.Errorf("Bad name: %s", *group.GroupName) 478 } 479 480 if *group.Description != "Used in the terraform acceptance tests" { 481 return fmt.Errorf("Bad description: %s", *group.Description) 482 } 483 484 if len(group.IpPermissions) == 0 { 485 return fmt.Errorf("No IPPerms") 486 } 487 488 // Compare our ingress 489 if !reflect.DeepEqual(group.IpPermissions[0], p) { 490 return fmt.Errorf( 491 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 492 group.IpPermissions[0], 493 p) 494 } 495 496 return nil 497 } 498 } 499 500 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 501 return func(s *terraform.State) error { 502 p := &ec2.IpPermission{ 503 IpProtocol: aws.String("-1"), 504 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 505 } 506 507 if *group.GroupName != "terraform_acceptance_test_example" { 508 return fmt.Errorf("Bad name: %s", *group.GroupName) 509 } 510 511 if *group.Description != "Used in the terraform acceptance tests" { 512 return fmt.Errorf("Bad description: %s", *group.Description) 513 } 514 515 if len(group.IpPermissions) == 0 { 516 return fmt.Errorf("No IPPerms") 517 } 518 519 // Compare our ingress 520 if !reflect.DeepEqual(group.IpPermissions[0], p) { 521 return fmt.Errorf( 522 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 523 group.IpPermissions[0], 524 p) 525 } 526 527 return nil 528 } 529 } 530 531 func TestAccAWSSecurityGroup_tags(t *testing.T) { 532 var group ec2.SecurityGroup 533 534 resource.Test(t, resource.TestCase{ 535 PreCheck: func() { testAccPreCheck(t) }, 536 Providers: testAccProviders, 537 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 538 Steps: []resource.TestStep{ 539 resource.TestStep{ 540 Config: testAccAWSSecurityGroupConfigTags, 541 Check: resource.ComposeTestCheckFunc( 542 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 543 testAccCheckTags(&group.Tags, "foo", "bar"), 544 ), 545 }, 546 547 resource.TestStep{ 548 Config: testAccAWSSecurityGroupConfigTagsUpdate, 549 Check: resource.ComposeTestCheckFunc( 550 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 551 testAccCheckTags(&group.Tags, "foo", ""), 552 testAccCheckTags(&group.Tags, "bar", "baz"), 553 ), 554 }, 555 }, 556 }) 557 } 558 559 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 560 return func(s *terraform.State) error { 561 p := []*ec2.IpPermission{ 562 &ec2.IpPermission{ 563 FromPort: aws.Int64(80), 564 ToPort: aws.Int64(9000), 565 IpProtocol: aws.String("tcp"), 566 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 567 }, 568 &ec2.IpPermission{ 569 FromPort: aws.Int64(80), 570 ToPort: aws.Int64(8000), 571 IpProtocol: aws.String("tcp"), 572 IpRanges: []*ec2.IpRange{ 573 &ec2.IpRange{ 574 CidrIp: aws.String("0.0.0.0/0"), 575 }, 576 &ec2.IpRange{ 577 CidrIp: aws.String("10.0.0.0/8"), 578 }, 579 }, 580 }, 581 } 582 583 if *group.GroupName != "terraform_acceptance_test_example" { 584 return fmt.Errorf("Bad name: %s", *group.GroupName) 585 } 586 587 if *group.Description != "Used in the terraform acceptance tests" { 588 return fmt.Errorf("Bad description: %s", *group.Description) 589 } 590 591 // Compare our ingress 592 if len(group.IpPermissions) != 2 { 593 return fmt.Errorf( 594 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 595 group.IpPermissions, 596 p) 597 } 598 599 if *group.IpPermissions[0].ToPort == 8000 { 600 group.IpPermissions[1], group.IpPermissions[0] = 601 group.IpPermissions[0], group.IpPermissions[1] 602 } 603 604 if !reflect.DeepEqual(group.IpPermissions, p) { 605 return fmt.Errorf( 606 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 607 group.IpPermissions, 608 p) 609 } 610 611 return nil 612 } 613 } 614 615 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 616 return func(s *terraform.State) error { 617 rs, ok := s.RootModule().Resources[n] 618 if !ok { 619 return fmt.Errorf("Not found: %s", n) 620 } 621 622 if rs.Primary.ID == "" { 623 return fmt.Errorf("No Security Group is set") 624 } 625 626 conn := testAccProvider.Meta().(*AWSClient).ec2conn 627 req := &ec2.DescribeSecurityGroupsInput{ 628 GroupIds: []*string{aws.String(rs.Primary.ID)}, 629 } 630 resp, err := conn.DescribeSecurityGroups(req) 631 if err != nil { 632 return err 633 } 634 635 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 636 group := *resp.SecurityGroups[0] 637 638 if len(group.IpPermissionsEgress) != 1 { 639 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 640 } 641 } 642 643 return nil 644 } 645 } 646 647 const testAccAWSSecurityGroupConfig = ` 648 resource "aws_security_group" "web" { 649 name = "terraform_acceptance_test_example" 650 description = "Used in the terraform acceptance tests" 651 652 ingress { 653 protocol = "tcp" 654 from_port = 80 655 to_port = 8000 656 cidr_blocks = ["10.0.0.0/8"] 657 } 658 659 egress { 660 protocol = "tcp" 661 from_port = 80 662 to_port = 8000 663 cidr_blocks = ["10.0.0.0/8"] 664 } 665 666 tags { 667 Name = "tf-acc-test" 668 } 669 } 670 ` 671 672 const testAccAWSSecurityGroupConfigChange = ` 673 resource "aws_security_group" "web" { 674 name = "terraform_acceptance_test_example" 675 description = "Used in the terraform acceptance tests" 676 677 ingress { 678 protocol = "tcp" 679 from_port = 80 680 to_port = 9000 681 cidr_blocks = ["10.0.0.0/8"] 682 } 683 684 ingress { 685 protocol = "tcp" 686 from_port = 80 687 to_port = 8000 688 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 689 } 690 691 egress { 692 protocol = "tcp" 693 from_port = 80 694 to_port = 8000 695 cidr_blocks = ["10.0.0.0/8"] 696 } 697 } 698 ` 699 700 const testAccAWSSecurityGroupConfigSelf = ` 701 resource "aws_security_group" "web" { 702 name = "terraform_acceptance_test_example" 703 description = "Used in the terraform acceptance tests" 704 705 ingress { 706 protocol = "tcp" 707 from_port = 80 708 to_port = 8000 709 self = true 710 } 711 712 egress { 713 protocol = "tcp" 714 from_port = 80 715 to_port = 8000 716 cidr_blocks = ["10.0.0.0/8"] 717 } 718 } 719 ` 720 721 const testAccAWSSecurityGroupConfigVpc = ` 722 resource "aws_vpc" "foo" { 723 cidr_block = "10.1.0.0/16" 724 } 725 726 resource "aws_security_group" "web" { 727 name = "terraform_acceptance_test_example" 728 description = "Used in the terraform acceptance tests" 729 vpc_id = "${aws_vpc.foo.id}" 730 731 ingress { 732 protocol = "tcp" 733 from_port = 80 734 to_port = 8000 735 cidr_blocks = ["10.0.0.0/8"] 736 } 737 738 egress { 739 protocol = "tcp" 740 from_port = 80 741 to_port = 8000 742 cidr_blocks = ["10.0.0.0/8"] 743 } 744 } 745 ` 746 747 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 748 resource "aws_vpc" "foo" { 749 cidr_block = "10.1.0.0/16" 750 } 751 752 resource "aws_security_group" "web" { 753 name = "terraform_acceptance_test_example" 754 description = "Used in the terraform acceptance tests" 755 vpc_id = "${aws_vpc.foo.id}" 756 757 ingress { 758 protocol = "-1" 759 from_port = 0 760 to_port = 0 761 cidr_blocks = ["10.0.0.0/8"] 762 } 763 } 764 ` 765 const testAccAWSSecurityGroupConfigMultiIngress = ` 766 resource "aws_security_group" "worker" { 767 name = "terraform_acceptance_test_example_1" 768 description = "Used in the terraform acceptance tests" 769 770 ingress { 771 protocol = "tcp" 772 from_port = 80 773 to_port = 8000 774 cidr_blocks = ["10.0.0.0/8"] 775 } 776 777 egress { 778 protocol = "tcp" 779 from_port = 80 780 to_port = 8000 781 cidr_blocks = ["10.0.0.0/8"] 782 } 783 } 784 785 resource "aws_security_group" "web" { 786 name = "terraform_acceptance_test_example_2" 787 description = "Used in the terraform acceptance tests" 788 789 ingress { 790 protocol = "tcp" 791 from_port = 22 792 to_port = 22 793 cidr_blocks = ["10.0.0.0/8"] 794 } 795 796 ingress { 797 protocol = "tcp" 798 from_port = 800 799 to_port = 800 800 cidr_blocks = ["10.0.0.0/8"] 801 } 802 803 ingress { 804 protocol = "tcp" 805 from_port = 80 806 to_port = 8000 807 security_groups = ["${aws_security_group.worker.id}"] 808 } 809 810 egress { 811 protocol = "tcp" 812 from_port = 80 813 to_port = 8000 814 cidr_blocks = ["10.0.0.0/8"] 815 } 816 } 817 ` 818 819 const testAccAWSSecurityGroupConfigTags = ` 820 resource "aws_security_group" "foo" { 821 name = "terraform_acceptance_test_example" 822 description = "Used in the terraform acceptance tests" 823 824 ingress { 825 protocol = "tcp" 826 from_port = 80 827 to_port = 8000 828 cidr_blocks = ["10.0.0.0/8"] 829 } 830 831 egress { 832 protocol = "tcp" 833 from_port = 80 834 to_port = 8000 835 cidr_blocks = ["10.0.0.0/8"] 836 } 837 838 tags { 839 foo = "bar" 840 } 841 } 842 ` 843 844 const testAccAWSSecurityGroupConfigTagsUpdate = ` 845 resource "aws_security_group" "foo" { 846 name = "terraform_acceptance_test_example" 847 description = "Used in the terraform acceptance tests" 848 849 ingress { 850 protocol = "tcp" 851 from_port = 80 852 to_port = 8000 853 cidr_blocks = ["10.0.0.0/8"] 854 } 855 856 egress { 857 protocol = "tcp" 858 from_port = 80 859 to_port = 8000 860 cidr_blocks = ["10.0.0.0/8"] 861 } 862 863 tags { 864 bar = "baz" 865 } 866 } 867 ` 868 869 const testAccAWSSecurityGroupConfig_generatedName = ` 870 resource "aws_security_group" "web" { 871 ingress { 872 protocol = "tcp" 873 from_port = 80 874 to_port = 8000 875 cidr_blocks = ["10.0.0.0/8"] 876 } 877 878 egress { 879 protocol = "tcp" 880 from_port = 80 881 to_port = 8000 882 cidr_blocks = ["10.0.0.0/8"] 883 } 884 885 tags { 886 Name = "tf-acc-test" 887 } 888 } 889 ` 890 891 const testAccAWSSecurityGroupConfigDefaultEgress = ` 892 resource "aws_vpc" "tf_sg_egress_test" { 893 cidr_block = "10.0.0.0/16" 894 tags { 895 Name = "tf_sg_egress_test" 896 } 897 } 898 899 resource "aws_security_group" "worker" { 900 name = "terraform_acceptance_test_example_1" 901 description = "Used in the terraform acceptance tests" 902 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 903 904 egress { 905 protocol = "tcp" 906 from_port = 80 907 to_port = 8000 908 cidr_blocks = ["10.0.0.0/8"] 909 } 910 } 911 ` 912 913 const testAccAWSSecurityGroupConfigClassic = ` 914 provider "aws" { 915 region = "us-east-1" 916 } 917 918 resource "aws_security_group" "web" { 919 name = "terraform_acceptance_test_example_1" 920 description = "Used in the terraform acceptance tests" 921 } 922 ` 923 924 const testAccAWSSecurityGroupPrefixNameConfig = ` 925 provider "aws" { 926 region = "us-east-1" 927 } 928 929 resource "aws_security_group" "baz" { 930 name_prefix = "baz-" 931 description = "Used in the terraform acceptance tests" 932 } 933 `