github.com/gabrielperezs/terraform@v0.7.0-rc2.0.20160715084931-f7da2612946f/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "strings" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/helper/schema" 15 "github.com/hashicorp/terraform/terraform" 16 ) 17 18 func TestProtocolStateFunc(t *testing.T) { 19 cases := []struct { 20 input interface{} 21 expected string 22 }{ 23 { 24 input: "tcp", 25 expected: "tcp", 26 }, 27 { 28 input: 6, 29 expected: "", 30 }, 31 { 32 input: "17", 33 expected: "udp", 34 }, 35 { 36 input: "all", 37 expected: "-1", 38 }, 39 { 40 input: "-1", 41 expected: "-1", 42 }, 43 { 44 input: -1, 45 expected: "", 46 }, 47 { 48 input: "1", 49 expected: "icmp", 50 }, 51 { 52 input: "icmp", 53 expected: "icmp", 54 }, 55 { 56 input: 1, 57 expected: "", 58 }, 59 } 60 for _, c := range cases { 61 result := protocolStateFunc(c.input) 62 if result != c.expected { 63 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 64 } 65 } 66 } 67 68 func TestProtocolForValue(t *testing.T) { 69 cases := []struct { 70 input string 71 expected string 72 }{ 73 { 74 input: "tcp", 75 expected: "tcp", 76 }, 77 { 78 input: "6", 79 expected: "tcp", 80 }, 81 { 82 input: "udp", 83 expected: "udp", 84 }, 85 { 86 input: "17", 87 expected: "udp", 88 }, 89 { 90 input: "all", 91 expected: "-1", 92 }, 93 { 94 input: "-1", 95 expected: "-1", 96 }, 97 { 98 input: "tCp", 99 expected: "tcp", 100 }, 101 { 102 input: "6", 103 expected: "tcp", 104 }, 105 { 106 input: "UDp", 107 expected: "udp", 108 }, 109 { 110 input: "17", 111 expected: "udp", 112 }, 113 { 114 input: "ALL", 115 expected: "-1", 116 }, 117 { 118 input: "icMp", 119 expected: "icmp", 120 }, 121 { 122 input: "1", 123 expected: "icmp", 124 }, 125 } 126 127 for _, c := range cases { 128 result := protocolForValue(c.input) 129 if result != c.expected { 130 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 131 } 132 } 133 } 134 135 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 136 raw := []*ec2.IpPermission{ 137 &ec2.IpPermission{ 138 IpProtocol: aws.String("tcp"), 139 FromPort: aws.Int64(int64(1)), 140 ToPort: aws.Int64(int64(-1)), 141 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("0.0.0.0/0")}}, 142 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 143 &ec2.UserIdGroupPair{ 144 GroupId: aws.String("sg-11111"), 145 }, 146 }, 147 }, 148 &ec2.IpPermission{ 149 IpProtocol: aws.String("tcp"), 150 FromPort: aws.Int64(int64(80)), 151 ToPort: aws.Int64(int64(80)), 152 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 153 // VPC 154 &ec2.UserIdGroupPair{ 155 GroupId: aws.String("sg-22222"), 156 }, 157 }, 158 }, 159 &ec2.IpPermission{ 160 IpProtocol: aws.String("tcp"), 161 FromPort: aws.Int64(int64(443)), 162 ToPort: aws.Int64(int64(443)), 163 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 164 // Classic 165 &ec2.UserIdGroupPair{ 166 UserId: aws.String("12345"), 167 GroupId: aws.String("sg-33333"), 168 GroupName: aws.String("ec2_classic"), 169 }, 170 &ec2.UserIdGroupPair{ 171 UserId: aws.String("amazon-elb"), 172 GroupId: aws.String("sg-d2c979d3"), 173 GroupName: aws.String("amazon-elb-sg"), 174 }, 175 }, 176 }, 177 &ec2.IpPermission{ 178 IpProtocol: aws.String("-1"), 179 FromPort: aws.Int64(int64(0)), 180 ToPort: aws.Int64(int64(0)), 181 PrefixListIds: []*ec2.PrefixListId{&ec2.PrefixListId{PrefixListId: aws.String("pl-12345678")}}, 182 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 183 // VPC 184 &ec2.UserIdGroupPair{ 185 GroupId: aws.String("sg-22222"), 186 }, 187 }, 188 }, 189 } 190 191 local := []map[string]interface{}{ 192 map[string]interface{}{ 193 "protocol": "tcp", 194 "from_port": int64(1), 195 "to_port": int64(-1), 196 "cidr_blocks": []string{"0.0.0.0/0"}, 197 "self": true, 198 }, 199 map[string]interface{}{ 200 "protocol": "tcp", 201 "from_port": int64(80), 202 "to_port": int64(80), 203 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 204 "sg-22222", 205 }), 206 }, 207 map[string]interface{}{ 208 "protocol": "tcp", 209 "from_port": int64(443), 210 "to_port": int64(443), 211 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 212 "ec2_classic", 213 "amazon-elb/amazon-elb-sg", 214 }), 215 }, 216 map[string]interface{}{ 217 "protocol": "-1", 218 "from_port": int64(0), 219 "to_port": int64(0), 220 "prefix_list_ids": []string{"pl-12345678"}, 221 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 222 "sg-22222", 223 }), 224 }, 225 } 226 227 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 228 for _, i := range out { 229 // loop and match rules, because the ordering is not guarneteed 230 for _, l := range local { 231 if i["from_port"] == l["from_port"] { 232 233 if i["to_port"] != l["to_port"] { 234 t.Fatalf("to_port does not match") 235 } 236 237 if _, ok := i["cidr_blocks"]; ok { 238 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 239 t.Fatalf("error matching cidr_blocks") 240 } 241 } 242 243 if _, ok := i["security_groups"]; ok { 244 outSet := i["security_groups"].(*schema.Set) 245 localSet := l["security_groups"].(*schema.Set) 246 247 if !outSet.Equal(localSet) { 248 t.Fatalf("Security Group sets are not equal") 249 } 250 } 251 } 252 } 253 } 254 } 255 256 func TestAccAWSSecurityGroup_basic(t *testing.T) { 257 var group ec2.SecurityGroup 258 259 resource.Test(t, resource.TestCase{ 260 PreCheck: func() { testAccPreCheck(t) }, 261 IDRefreshName: "aws_security_group.web", 262 Providers: testAccProviders, 263 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 264 Steps: []resource.TestStep{ 265 resource.TestStep{ 266 Config: testAccAWSSecurityGroupConfig, 267 Check: resource.ComposeTestCheckFunc( 268 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 269 testAccCheckAWSSecurityGroupAttributes(&group), 270 resource.TestCheckResourceAttr( 271 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 272 resource.TestCheckResourceAttr( 273 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 274 resource.TestCheckResourceAttr( 275 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 276 resource.TestCheckResourceAttr( 277 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 278 resource.TestCheckResourceAttr( 279 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 280 resource.TestCheckResourceAttr( 281 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 282 resource.TestCheckResourceAttr( 283 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 284 ), 285 }, 286 }, 287 }) 288 } 289 290 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 291 var group ec2.SecurityGroup 292 293 resource.Test(t, resource.TestCase{ 294 PreCheck: func() { testAccPreCheck(t) }, 295 IDRefreshName: "aws_security_group.baz", 296 IDRefreshIgnore: []string{"name_prefix"}, 297 Providers: testAccProviders, 298 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 299 Steps: []resource.TestStep{ 300 resource.TestStep{ 301 Config: testAccAWSSecurityGroupPrefixNameConfig, 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 304 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 305 "aws_security_group.baz", "baz-"), 306 ), 307 }, 308 }, 309 }) 310 } 311 312 func TestAccAWSSecurityGroup_self(t *testing.T) { 313 var group ec2.SecurityGroup 314 315 checkSelf := func(s *terraform.State) (err error) { 316 defer func() { 317 if e := recover(); e != nil { 318 err = fmt.Errorf("bad: %#v", group) 319 } 320 }() 321 322 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 323 return fmt.Errorf("bad: %#v", group) 324 } 325 326 return nil 327 } 328 329 resource.Test(t, resource.TestCase{ 330 PreCheck: func() { testAccPreCheck(t) }, 331 IDRefreshName: "aws_security_group.web", 332 Providers: testAccProviders, 333 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 334 Steps: []resource.TestStep{ 335 resource.TestStep{ 336 Config: testAccAWSSecurityGroupConfigSelf, 337 Check: resource.ComposeTestCheckFunc( 338 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 339 resource.TestCheckResourceAttr( 340 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 341 resource.TestCheckResourceAttr( 342 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 343 resource.TestCheckResourceAttr( 344 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 345 resource.TestCheckResourceAttr( 346 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 347 resource.TestCheckResourceAttr( 348 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 349 resource.TestCheckResourceAttr( 350 "aws_security_group.web", "ingress.3971148406.self", "true"), 351 checkSelf, 352 ), 353 }, 354 }, 355 }) 356 } 357 358 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 359 var group ec2.SecurityGroup 360 361 testCheck := func(*terraform.State) error { 362 if *group.VpcId == "" { 363 return fmt.Errorf("should have vpc ID") 364 } 365 366 return nil 367 } 368 369 resource.Test(t, resource.TestCase{ 370 PreCheck: func() { testAccPreCheck(t) }, 371 IDRefreshName: "aws_security_group.web", 372 Providers: testAccProviders, 373 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 374 Steps: []resource.TestStep{ 375 resource.TestStep{ 376 Config: testAccAWSSecurityGroupConfigVpc, 377 Check: resource.ComposeTestCheckFunc( 378 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 379 testAccCheckAWSSecurityGroupAttributes(&group), 380 resource.TestCheckResourceAttr( 381 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 382 resource.TestCheckResourceAttr( 383 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 384 resource.TestCheckResourceAttr( 385 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 386 resource.TestCheckResourceAttr( 387 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 388 resource.TestCheckResourceAttr( 389 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 390 resource.TestCheckResourceAttr( 391 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 392 resource.TestCheckResourceAttr( 393 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 394 resource.TestCheckResourceAttr( 395 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 396 resource.TestCheckResourceAttr( 397 "aws_security_group.web", "egress.3629188364.from_port", "80"), 398 resource.TestCheckResourceAttr( 399 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 400 resource.TestCheckResourceAttr( 401 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 402 resource.TestCheckResourceAttr( 403 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 404 testCheck, 405 ), 406 }, 407 }, 408 }) 409 } 410 411 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 412 var group ec2.SecurityGroup 413 414 testCheck := func(*terraform.State) error { 415 if *group.VpcId == "" { 416 return fmt.Errorf("should have vpc ID") 417 } 418 419 return nil 420 } 421 422 resource.Test(t, resource.TestCase{ 423 PreCheck: func() { testAccPreCheck(t) }, 424 IDRefreshName: "aws_security_group.web", 425 Providers: testAccProviders, 426 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 427 Steps: []resource.TestStep{ 428 resource.TestStep{ 429 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 430 Check: resource.ComposeTestCheckFunc( 431 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 432 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 433 resource.TestCheckResourceAttr( 434 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 435 resource.TestCheckResourceAttr( 436 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 437 resource.TestCheckResourceAttr( 438 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 439 resource.TestCheckResourceAttr( 440 "aws_security_group.web", "ingress.956249133.from_port", "0"), 441 resource.TestCheckResourceAttr( 442 "aws_security_group.web", "ingress.956249133.to_port", "0"), 443 resource.TestCheckResourceAttr( 444 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 445 resource.TestCheckResourceAttr( 446 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 447 testCheck, 448 ), 449 }, 450 }, 451 }) 452 } 453 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 454 var group ec2.SecurityGroup 455 456 resource.Test(t, resource.TestCase{ 457 PreCheck: func() { testAccPreCheck(t) }, 458 IDRefreshName: "aws_security_group.web", 459 Providers: testAccProviders, 460 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 461 Steps: []resource.TestStep{ 462 resource.TestStep{ 463 Config: testAccAWSSecurityGroupConfigMultiIngress, 464 Check: resource.ComposeTestCheckFunc( 465 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 466 ), 467 }, 468 }, 469 }) 470 } 471 472 func TestAccAWSSecurityGroup_Change(t *testing.T) { 473 var group ec2.SecurityGroup 474 475 resource.Test(t, resource.TestCase{ 476 PreCheck: func() { testAccPreCheck(t) }, 477 IDRefreshName: "aws_security_group.web", 478 Providers: testAccProviders, 479 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 480 Steps: []resource.TestStep{ 481 resource.TestStep{ 482 Config: testAccAWSSecurityGroupConfig, 483 Check: resource.ComposeTestCheckFunc( 484 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 485 ), 486 }, 487 resource.TestStep{ 488 Config: testAccAWSSecurityGroupConfigChange, 489 Check: resource.ComposeTestCheckFunc( 490 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 491 testAccCheckAWSSecurityGroupAttributesChanged(&group), 492 ), 493 }, 494 }, 495 }) 496 } 497 498 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 499 var group ec2.SecurityGroup 500 501 resource.Test(t, resource.TestCase{ 502 PreCheck: func() { testAccPreCheck(t) }, 503 IDRefreshName: "aws_security_group.web", 504 Providers: testAccProviders, 505 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 506 Steps: []resource.TestStep{ 507 resource.TestStep{ 508 Config: testAccAWSSecurityGroupConfig_generatedName, 509 Check: resource.ComposeTestCheckFunc( 510 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 511 resource.TestCheckResourceAttr( 512 "aws_security_group.web", "description", "Managed by Terraform"), 513 func(s *terraform.State) error { 514 if group.GroupName == nil { 515 return fmt.Errorf("bad: No SG name") 516 } 517 if !strings.HasPrefix(*group.GroupName, "terraform-") { 518 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 519 } 520 return nil 521 }, 522 ), 523 }, 524 }, 525 }) 526 } 527 528 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 529 530 // VPC 531 resource.Test(t, resource.TestCase{ 532 PreCheck: func() { testAccPreCheck(t) }, 533 IDRefreshName: "aws_security_group.worker", 534 Providers: testAccProviders, 535 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 536 Steps: []resource.TestStep{ 537 resource.TestStep{ 538 Config: testAccAWSSecurityGroupConfigDefaultEgress, 539 Check: resource.ComposeTestCheckFunc( 540 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 541 ), 542 }, 543 }, 544 }) 545 } 546 547 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 548 549 // Classic 550 var group ec2.SecurityGroup 551 resource.Test(t, resource.TestCase{ 552 PreCheck: func() { testAccPreCheck(t) }, 553 IDRefreshName: "aws_security_group.web", 554 Providers: testAccProviders, 555 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 556 Steps: []resource.TestStep{ 557 resource.TestStep{ 558 Config: testAccAWSSecurityGroupConfigClassic, 559 Check: resource.ComposeTestCheckFunc( 560 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 561 ), 562 }, 563 }, 564 }) 565 } 566 567 // Testing drift detection with groups containing the same port and types 568 func TestAccAWSSecurityGroup_drift(t *testing.T) { 569 var group ec2.SecurityGroup 570 resource.Test(t, resource.TestCase{ 571 PreCheck: func() { testAccPreCheck(t) }, 572 Providers: testAccProviders, 573 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 574 Steps: []resource.TestStep{ 575 resource.TestStep{ 576 Config: testAccAWSSecurityGroupConfig_drift(), 577 Check: resource.ComposeTestCheckFunc( 578 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 579 resource.TestCheckResourceAttr( 580 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 581 resource.TestCheckResourceAttr( 582 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 583 resource.TestCheckResourceAttr( 584 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 585 resource.TestCheckResourceAttr( 586 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 587 resource.TestCheckResourceAttr( 588 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 589 resource.TestCheckResourceAttr( 590 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 591 ), 592 }, 593 }, 594 }) 595 } 596 597 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 598 var group ec2.SecurityGroup 599 600 resource.Test(t, resource.TestCase{ 601 PreCheck: func() { testAccPreCheck(t) }, 602 Providers: testAccProviders, 603 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 604 Steps: []resource.TestStep{ 605 resource.TestStep{ 606 Config: testAccAWSSecurityGroupConfig_drift_complex(), 607 Check: resource.ComposeTestCheckFunc( 608 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 609 resource.TestCheckResourceAttr( 610 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 611 resource.TestCheckResourceAttr( 612 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 613 resource.TestCheckResourceAttr( 614 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 615 resource.TestCheckResourceAttr( 616 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 617 resource.TestCheckResourceAttr( 618 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 619 resource.TestCheckResourceAttr( 620 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 621 ), 622 }, 623 }, 624 }) 625 } 626 627 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 628 conn := testAccProvider.Meta().(*AWSClient).ec2conn 629 630 for _, rs := range s.RootModule().Resources { 631 if rs.Type != "aws_security_group" { 632 continue 633 } 634 635 // Retrieve our group 636 req := &ec2.DescribeSecurityGroupsInput{ 637 GroupIds: []*string{aws.String(rs.Primary.ID)}, 638 } 639 resp, err := conn.DescribeSecurityGroups(req) 640 if err == nil { 641 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 642 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 643 } 644 645 return nil 646 } 647 648 ec2err, ok := err.(awserr.Error) 649 if !ok { 650 return err 651 } 652 // Confirm error code is what we want 653 if ec2err.Code() != "InvalidGroup.NotFound" { 654 return err 655 } 656 } 657 658 return nil 659 } 660 661 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 662 resource, prefix string) resource.TestCheckFunc { 663 return func(s *terraform.State) error { 664 r, ok := s.RootModule().Resources[resource] 665 if !ok { 666 return fmt.Errorf("Resource not found") 667 } 668 name, ok := r.Primary.Attributes["name"] 669 if !ok { 670 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 671 } 672 if !strings.HasPrefix(name, prefix) { 673 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 674 } 675 return nil 676 } 677 } 678 679 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 680 return func(s *terraform.State) error { 681 rs, ok := s.RootModule().Resources[n] 682 if !ok { 683 return fmt.Errorf("Not found: %s", n) 684 } 685 686 if rs.Primary.ID == "" { 687 return fmt.Errorf("No Security Group is set") 688 } 689 690 conn := testAccProvider.Meta().(*AWSClient).ec2conn 691 req := &ec2.DescribeSecurityGroupsInput{ 692 GroupIds: []*string{aws.String(rs.Primary.ID)}, 693 } 694 resp, err := conn.DescribeSecurityGroups(req) 695 if err != nil { 696 return err 697 } 698 699 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 700 *group = *resp.SecurityGroups[0] 701 return nil 702 } 703 704 return fmt.Errorf("Security Group not found") 705 } 706 } 707 708 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 709 return func(s *terraform.State) error { 710 p := &ec2.IpPermission{ 711 FromPort: aws.Int64(80), 712 ToPort: aws.Int64(8000), 713 IpProtocol: aws.String("tcp"), 714 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 715 } 716 717 if *group.GroupName != "terraform_acceptance_test_example" { 718 return fmt.Errorf("Bad name: %s", *group.GroupName) 719 } 720 721 if *group.Description != "Used in the terraform acceptance tests" { 722 return fmt.Errorf("Bad description: %s", *group.Description) 723 } 724 725 if len(group.IpPermissions) == 0 { 726 return fmt.Errorf("No IPPerms") 727 } 728 729 // Compare our ingress 730 if !reflect.DeepEqual(group.IpPermissions[0], p) { 731 return fmt.Errorf( 732 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 733 group.IpPermissions[0], 734 p) 735 } 736 737 return nil 738 } 739 } 740 741 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 742 return func(s *terraform.State) error { 743 p := &ec2.IpPermission{ 744 IpProtocol: aws.String("-1"), 745 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 746 } 747 748 if *group.GroupName != "terraform_acceptance_test_example" { 749 return fmt.Errorf("Bad name: %s", *group.GroupName) 750 } 751 752 if *group.Description != "Used in the terraform acceptance tests" { 753 return fmt.Errorf("Bad description: %s", *group.Description) 754 } 755 756 if len(group.IpPermissions) == 0 { 757 return fmt.Errorf("No IPPerms") 758 } 759 760 // Compare our ingress 761 if !reflect.DeepEqual(group.IpPermissions[0], p) { 762 return fmt.Errorf( 763 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 764 group.IpPermissions[0], 765 p) 766 } 767 768 return nil 769 } 770 } 771 772 func TestAccAWSSecurityGroup_tags(t *testing.T) { 773 var group ec2.SecurityGroup 774 775 resource.Test(t, resource.TestCase{ 776 PreCheck: func() { testAccPreCheck(t) }, 777 Providers: testAccProviders, 778 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 779 Steps: []resource.TestStep{ 780 resource.TestStep{ 781 Config: testAccAWSSecurityGroupConfigTags, 782 Check: resource.ComposeTestCheckFunc( 783 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 784 testAccCheckTags(&group.Tags, "foo", "bar"), 785 ), 786 }, 787 788 resource.TestStep{ 789 Config: testAccAWSSecurityGroupConfigTagsUpdate, 790 Check: resource.ComposeTestCheckFunc( 791 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 792 testAccCheckTags(&group.Tags, "foo", ""), 793 testAccCheckTags(&group.Tags, "bar", "baz"), 794 ), 795 }, 796 }, 797 }) 798 } 799 800 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 801 var group ec2.SecurityGroup 802 803 resource.Test(t, resource.TestCase{ 804 PreCheck: func() { testAccPreCheck(t) }, 805 Providers: testAccProviders, 806 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 807 Steps: []resource.TestStep{ 808 resource.TestStep{ 809 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 810 Check: resource.ComposeTestCheckFunc( 811 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 812 // testAccCheckAWSSecurityGroupAttributes(&group), 813 ), 814 }, 815 }, 816 }) 817 } 818 819 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 820 var group ec2.SecurityGroup 821 822 resource.Test(t, resource.TestCase{ 823 PreCheck: func() { testAccPreCheck(t) }, 824 Providers: testAccProviders, 825 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 826 Steps: []resource.TestStep{ 827 resource.TestStep{ 828 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 829 Check: resource.ComposeTestCheckFunc( 830 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 831 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 832 resource.TestCheckResourceAttr( 833 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 834 resource.TestCheckResourceAttr( 835 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 836 resource.TestCheckResourceAttr( 837 "aws_security_group.web", "ingress.#", "2"), 838 ), 839 }, 840 }, 841 }) 842 } 843 844 // This test requires an EC2 Classic region 845 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 846 var group ec2.SecurityGroup 847 848 resource.Test(t, resource.TestCase{ 849 PreCheck: func() { testAccPreCheck(t) }, 850 Providers: testAccProviders, 851 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 852 Steps: []resource.TestStep{ 853 resource.TestStep{ 854 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 855 Check: resource.ComposeTestCheckFunc( 856 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 857 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 858 resource.TestCheckResourceAttr( 859 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 860 resource.TestCheckResourceAttr( 861 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 862 resource.TestCheckResourceAttr( 863 "aws_security_group.web", "ingress.#", "2"), 864 ), 865 }, 866 }, 867 }) 868 } 869 870 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 871 var group ec2.SecurityGroup 872 873 resource.Test(t, resource.TestCase{ 874 PreCheck: func() { testAccPreCheck(t) }, 875 Providers: testAccProviders, 876 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 877 Steps: []resource.TestStep{ 878 resource.TestStep{ 879 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 880 Check: resource.ComposeTestCheckFunc( 881 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 882 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 883 resource.TestCheckResourceAttr( 884 "aws_security_group.egress", "egress.#", "1"), 885 ), 886 }, 887 }, 888 }) 889 } 890 891 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 892 return func(s *terraform.State) error { 893 if *group.GroupName != "terraform_acceptance_test_example" { 894 return fmt.Errorf("Bad name: %s", *group.GroupName) 895 } 896 897 if *group.Description != "Used in the terraform acceptance tests" { 898 return fmt.Errorf("Bad description: %s", *group.Description) 899 } 900 901 if len(group.IpPermissions) == 0 { 902 return fmt.Errorf("No IPPerms") 903 } 904 905 if len(group.IpPermissions) != 2 { 906 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 907 } 908 909 for _, p := range group.IpPermissions { 910 if *p.FromPort == int64(22) { 911 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 912 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 913 } 914 continue 915 } else if *p.FromPort == int64(80) { 916 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 917 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 918 } 919 continue 920 } 921 return fmt.Errorf("Found a rouge rule") 922 } 923 924 return nil 925 } 926 } 927 928 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 929 return func(s *terraform.State) error { 930 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 931 return fmt.Errorf("Bad name: %s", *group.GroupName) 932 } 933 if *group.Description != "Used in the terraform acceptance tests" { 934 return fmt.Errorf("Bad description: %s", *group.Description) 935 } 936 if len(group.IpPermissionsEgress) == 0 { 937 return fmt.Errorf("No egress IPPerms") 938 } 939 if len(group.IpPermissionsEgress) != 1 { 940 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 941 } 942 943 p := group.IpPermissionsEgress[0] 944 945 if len(p.PrefixListIds) != 1 { 946 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 947 } 948 949 return nil 950 } 951 } 952 953 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 954 return func(s *terraform.State) error { 955 p := []*ec2.IpPermission{ 956 &ec2.IpPermission{ 957 FromPort: aws.Int64(80), 958 ToPort: aws.Int64(9000), 959 IpProtocol: aws.String("tcp"), 960 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 961 }, 962 &ec2.IpPermission{ 963 FromPort: aws.Int64(80), 964 ToPort: aws.Int64(8000), 965 IpProtocol: aws.String("tcp"), 966 IpRanges: []*ec2.IpRange{ 967 &ec2.IpRange{ 968 CidrIp: aws.String("0.0.0.0/0"), 969 }, 970 &ec2.IpRange{ 971 CidrIp: aws.String("10.0.0.0/8"), 972 }, 973 }, 974 }, 975 } 976 977 if *group.GroupName != "terraform_acceptance_test_example" { 978 return fmt.Errorf("Bad name: %s", *group.GroupName) 979 } 980 981 if *group.Description != "Used in the terraform acceptance tests" { 982 return fmt.Errorf("Bad description: %s", *group.Description) 983 } 984 985 // Compare our ingress 986 if len(group.IpPermissions) != 2 { 987 return fmt.Errorf( 988 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 989 group.IpPermissions, 990 p) 991 } 992 993 if *group.IpPermissions[0].ToPort == 8000 { 994 group.IpPermissions[1], group.IpPermissions[0] = 995 group.IpPermissions[0], group.IpPermissions[1] 996 } 997 998 if !reflect.DeepEqual(group.IpPermissions, p) { 999 return fmt.Errorf( 1000 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1001 group.IpPermissions, 1002 p) 1003 } 1004 1005 return nil 1006 } 1007 } 1008 1009 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1010 return func(s *terraform.State) error { 1011 rs, ok := s.RootModule().Resources[n] 1012 if !ok { 1013 return fmt.Errorf("Not found: %s", n) 1014 } 1015 1016 if rs.Primary.ID == "" { 1017 return fmt.Errorf("No Security Group is set") 1018 } 1019 1020 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1021 req := &ec2.DescribeSecurityGroupsInput{ 1022 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1023 } 1024 resp, err := conn.DescribeSecurityGroups(req) 1025 if err != nil { 1026 return err 1027 } 1028 1029 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1030 group := *resp.SecurityGroups[0] 1031 1032 if len(group.IpPermissionsEgress) != 1 { 1033 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1034 } 1035 } 1036 1037 return nil 1038 } 1039 } 1040 1041 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1042 var group ec2.SecurityGroup 1043 1044 resource.Test(t, resource.TestCase{ 1045 PreCheck: func() { testAccPreCheck(t) }, 1046 Providers: testAccProviders, 1047 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1048 Steps: []resource.TestStep{ 1049 resource.TestStep{ 1050 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1051 Check: resource.ComposeTestCheckFunc( 1052 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1053 ), 1054 }, 1055 }, 1056 }) 1057 } 1058 1059 const testAccAWSSecurityGroupConfig = ` 1060 resource "aws_vpc" "foo" { 1061 cidr_block = "10.1.0.0/16" 1062 } 1063 1064 resource "aws_security_group" "web" { 1065 name = "terraform_acceptance_test_example" 1066 description = "Used in the terraform acceptance tests" 1067 vpc_id = "${aws_vpc.foo.id}" 1068 1069 ingress { 1070 protocol = "6" 1071 from_port = 80 1072 to_port = 8000 1073 cidr_blocks = ["10.0.0.0/8"] 1074 } 1075 1076 egress { 1077 protocol = "tcp" 1078 from_port = 80 1079 to_port = 8000 1080 cidr_blocks = ["10.0.0.0/8"] 1081 } 1082 1083 tags { 1084 Name = "tf-acc-test" 1085 } 1086 } 1087 ` 1088 1089 const testAccAWSSecurityGroupConfigChange = ` 1090 resource "aws_vpc" "foo" { 1091 cidr_block = "10.1.0.0/16" 1092 } 1093 1094 resource "aws_security_group" "web" { 1095 name = "terraform_acceptance_test_example" 1096 description = "Used in the terraform acceptance tests" 1097 vpc_id = "${aws_vpc.foo.id}" 1098 1099 ingress { 1100 protocol = "tcp" 1101 from_port = 80 1102 to_port = 9000 1103 cidr_blocks = ["10.0.0.0/8"] 1104 } 1105 1106 ingress { 1107 protocol = "tcp" 1108 from_port = 80 1109 to_port = 8000 1110 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1111 } 1112 1113 egress { 1114 protocol = "tcp" 1115 from_port = 80 1116 to_port = 8000 1117 cidr_blocks = ["10.0.0.0/8"] 1118 } 1119 } 1120 ` 1121 1122 const testAccAWSSecurityGroupConfigSelf = ` 1123 resource "aws_vpc" "foo" { 1124 cidr_block = "10.1.0.0/16" 1125 } 1126 1127 resource "aws_security_group" "web" { 1128 name = "terraform_acceptance_test_example" 1129 description = "Used in the terraform acceptance tests" 1130 vpc_id = "${aws_vpc.foo.id}" 1131 1132 ingress { 1133 protocol = "tcp" 1134 from_port = 80 1135 to_port = 8000 1136 self = true 1137 } 1138 1139 egress { 1140 protocol = "tcp" 1141 from_port = 80 1142 to_port = 8000 1143 cidr_blocks = ["10.0.0.0/8"] 1144 } 1145 } 1146 ` 1147 1148 const testAccAWSSecurityGroupConfigVpc = ` 1149 resource "aws_vpc" "foo" { 1150 cidr_block = "10.1.0.0/16" 1151 } 1152 1153 resource "aws_security_group" "web" { 1154 name = "terraform_acceptance_test_example" 1155 description = "Used in the terraform acceptance tests" 1156 vpc_id = "${aws_vpc.foo.id}" 1157 1158 ingress { 1159 protocol = "tcp" 1160 from_port = 80 1161 to_port = 8000 1162 cidr_blocks = ["10.0.0.0/8"] 1163 } 1164 1165 egress { 1166 protocol = "tcp" 1167 from_port = 80 1168 to_port = 8000 1169 cidr_blocks = ["10.0.0.0/8"] 1170 } 1171 } 1172 ` 1173 1174 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1175 resource "aws_vpc" "foo" { 1176 cidr_block = "10.1.0.0/16" 1177 } 1178 1179 resource "aws_security_group" "web" { 1180 name = "terraform_acceptance_test_example" 1181 description = "Used in the terraform acceptance tests" 1182 vpc_id = "${aws_vpc.foo.id}" 1183 1184 ingress { 1185 protocol = "-1" 1186 from_port = 0 1187 to_port = 0 1188 cidr_blocks = ["10.0.0.0/8"] 1189 } 1190 } 1191 ` 1192 const testAccAWSSecurityGroupConfigMultiIngress = ` 1193 resource "aws_vpc" "foo" { 1194 cidr_block = "10.1.0.0/16" 1195 } 1196 1197 resource "aws_security_group" "worker" { 1198 name = "terraform_acceptance_test_example_1" 1199 description = "Used in the terraform acceptance tests" 1200 vpc_id = "${aws_vpc.foo.id}" 1201 1202 ingress { 1203 protocol = "tcp" 1204 from_port = 80 1205 to_port = 8000 1206 cidr_blocks = ["10.0.0.0/8"] 1207 } 1208 1209 egress { 1210 protocol = "tcp" 1211 from_port = 80 1212 to_port = 8000 1213 cidr_blocks = ["10.0.0.0/8"] 1214 } 1215 } 1216 1217 resource "aws_security_group" "web" { 1218 name = "terraform_acceptance_test_example_2" 1219 description = "Used in the terraform acceptance tests" 1220 vpc_id = "${aws_vpc.foo.id}" 1221 1222 ingress { 1223 protocol = "tcp" 1224 from_port = 22 1225 to_port = 22 1226 cidr_blocks = ["10.0.0.0/8"] 1227 } 1228 1229 ingress { 1230 protocol = "tcp" 1231 from_port = 800 1232 to_port = 800 1233 cidr_blocks = ["10.0.0.0/8"] 1234 } 1235 1236 ingress { 1237 protocol = "tcp" 1238 from_port = 80 1239 to_port = 8000 1240 security_groups = ["${aws_security_group.worker.id}"] 1241 } 1242 1243 egress { 1244 protocol = "tcp" 1245 from_port = 80 1246 to_port = 8000 1247 cidr_blocks = ["10.0.0.0/8"] 1248 } 1249 } 1250 ` 1251 1252 const testAccAWSSecurityGroupConfigTags = ` 1253 resource "aws_vpc" "foo" { 1254 cidr_block = "10.1.0.0/16" 1255 } 1256 1257 resource "aws_security_group" "foo" { 1258 name = "terraform_acceptance_test_example" 1259 description = "Used in the terraform acceptance tests" 1260 vpc_id = "${aws_vpc.foo.id}" 1261 1262 ingress { 1263 protocol = "tcp" 1264 from_port = 80 1265 to_port = 8000 1266 cidr_blocks = ["10.0.0.0/8"] 1267 } 1268 1269 egress { 1270 protocol = "tcp" 1271 from_port = 80 1272 to_port = 8000 1273 cidr_blocks = ["10.0.0.0/8"] 1274 } 1275 1276 tags { 1277 foo = "bar" 1278 } 1279 } 1280 ` 1281 1282 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1283 resource "aws_vpc" "foo" { 1284 cidr_block = "10.1.0.0/16" 1285 } 1286 1287 resource "aws_security_group" "foo" { 1288 name = "terraform_acceptance_test_example" 1289 description = "Used in the terraform acceptance tests" 1290 vpc_id = "${aws_vpc.foo.id}" 1291 1292 ingress { 1293 protocol = "tcp" 1294 from_port = 80 1295 to_port = 8000 1296 cidr_blocks = ["10.0.0.0/8"] 1297 } 1298 1299 egress { 1300 protocol = "tcp" 1301 from_port = 80 1302 to_port = 8000 1303 cidr_blocks = ["10.0.0.0/8"] 1304 } 1305 1306 tags { 1307 bar = "baz" 1308 } 1309 } 1310 ` 1311 1312 const testAccAWSSecurityGroupConfig_generatedName = ` 1313 resource "aws_vpc" "foo" { 1314 cidr_block = "10.1.0.0/16" 1315 } 1316 1317 resource "aws_security_group" "web" { 1318 vpc_id = "${aws_vpc.foo.id}" 1319 1320 ingress { 1321 protocol = "tcp" 1322 from_port = 80 1323 to_port = 8000 1324 cidr_blocks = ["10.0.0.0/8"] 1325 } 1326 1327 egress { 1328 protocol = "tcp" 1329 from_port = 80 1330 to_port = 8000 1331 cidr_blocks = ["10.0.0.0/8"] 1332 } 1333 1334 tags { 1335 Name = "tf-acc-test" 1336 } 1337 } 1338 ` 1339 1340 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1341 resource "aws_vpc" "tf_sg_egress_test" { 1342 cidr_block = "10.0.0.0/16" 1343 tags { 1344 Name = "tf_sg_egress_test" 1345 } 1346 } 1347 1348 resource "aws_security_group" "worker" { 1349 name = "terraform_acceptance_test_example_1" 1350 description = "Used in the terraform acceptance tests" 1351 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1352 1353 egress { 1354 protocol = "tcp" 1355 from_port = 80 1356 to_port = 8000 1357 cidr_blocks = ["10.0.0.0/8"] 1358 } 1359 } 1360 ` 1361 1362 const testAccAWSSecurityGroupConfigClassic = ` 1363 provider "aws" { 1364 region = "us-east-1" 1365 } 1366 1367 resource "aws_security_group" "web" { 1368 name = "terraform_acceptance_test_example_1" 1369 description = "Used in the terraform acceptance tests" 1370 } 1371 ` 1372 1373 const testAccAWSSecurityGroupPrefixNameConfig = ` 1374 provider "aws" { 1375 region = "us-east-1" 1376 } 1377 1378 resource "aws_security_group" "baz" { 1379 name_prefix = "baz-" 1380 description = "Used in the terraform acceptance tests" 1381 } 1382 ` 1383 1384 func testAccAWSSecurityGroupConfig_drift() string { 1385 return fmt.Sprintf(` 1386 resource "aws_security_group" "web" { 1387 name = "tf_acc_%d" 1388 description = "Used in the terraform acceptance tests" 1389 1390 ingress { 1391 protocol = "tcp" 1392 from_port = 80 1393 to_port = 8000 1394 cidr_blocks = ["10.0.0.0/8"] 1395 } 1396 1397 ingress { 1398 protocol = "tcp" 1399 from_port = 80 1400 to_port = 8000 1401 cidr_blocks = ["206.0.0.0/8"] 1402 } 1403 1404 tags { 1405 Name = "tf-acc-test" 1406 } 1407 } 1408 `, acctest.RandInt()) 1409 } 1410 1411 func testAccAWSSecurityGroupConfig_drift_complex() string { 1412 return fmt.Sprintf(` 1413 resource "aws_vpc" "foo" { 1414 cidr_block = "10.1.0.0/16" 1415 } 1416 1417 resource "aws_security_group" "otherweb" { 1418 name = "tf_acc_%d" 1419 description = "Used in the terraform acceptance tests" 1420 vpc_id = "${aws_vpc.foo.id}" 1421 } 1422 1423 resource "aws_security_group" "web" { 1424 name = "tf_acc_%d" 1425 description = "Used in the terraform acceptance tests" 1426 vpc_id = "${aws_vpc.foo.id}" 1427 1428 ingress { 1429 protocol = "tcp" 1430 from_port = 80 1431 to_port = 8000 1432 cidr_blocks = ["10.0.0.0/8"] 1433 } 1434 1435 ingress { 1436 protocol = "tcp" 1437 from_port = 80 1438 to_port = 8000 1439 cidr_blocks = ["206.0.0.0/8"] 1440 } 1441 1442 ingress { 1443 protocol = "tcp" 1444 from_port = 22 1445 to_port = 22 1446 security_groups = ["${aws_security_group.otherweb.id}"] 1447 } 1448 1449 egress { 1450 protocol = "tcp" 1451 from_port = 80 1452 to_port = 8000 1453 cidr_blocks = ["206.0.0.0/8"] 1454 } 1455 1456 egress { 1457 protocol = "tcp" 1458 from_port = 80 1459 to_port = 8000 1460 cidr_blocks = ["10.0.0.0/8"] 1461 } 1462 1463 egress { 1464 protocol = "tcp" 1465 from_port = 22 1466 to_port = 22 1467 security_groups = ["${aws_security_group.otherweb.id}"] 1468 } 1469 1470 tags { 1471 Name = "tf-acc-test" 1472 } 1473 }`, acctest.RandInt(), acctest.RandInt()) 1474 } 1475 1476 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1477 resource "aws_vpc" "foo" { 1478 cidr_block = "10.1.0.0/16" 1479 } 1480 1481 resource "aws_security_group" "two" { 1482 name = "tf-test-1" 1483 vpc_id = "${aws_vpc.foo.id}" 1484 tags { 1485 Name = "tf-test-1" 1486 } 1487 } 1488 1489 resource "aws_security_group" "one" { 1490 name = "tf-test-2" 1491 vpc_id = "${aws_vpc.foo.id}" 1492 tags { 1493 Name = "tf-test-w" 1494 } 1495 } 1496 1497 resource "aws_security_group" "three" { 1498 name = "tf-test-3" 1499 vpc_id = "${aws_vpc.foo.id}" 1500 tags { 1501 Name = "tf-test-3" 1502 } 1503 } 1504 1505 resource "aws_security_group" "mixed" { 1506 name = "tf-mix-test" 1507 vpc_id = "${aws_vpc.foo.id}" 1508 1509 ingress { 1510 from_port = 80 1511 to_port = 80 1512 protocol = "tcp" 1513 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1514 1515 security_groups = [ 1516 "${aws_security_group.one.id}", 1517 "${aws_security_group.two.id}", 1518 "${aws_security_group.three.id}", 1519 ] 1520 } 1521 1522 tags { 1523 Name = "tf-mix-test" 1524 } 1525 } 1526 ` 1527 1528 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1529 resource "aws_vpc" "foo" { 1530 cidr_block = "10.1.0.0/16" 1531 } 1532 1533 resource "aws_security_group" "other_web" { 1534 name = "tf_other_acc_tests" 1535 description = "Used in the terraform acceptance tests" 1536 vpc_id = "${aws_vpc.foo.id}" 1537 1538 tags { 1539 Name = "tf-acc-test" 1540 } 1541 } 1542 1543 resource "aws_security_group" "web" { 1544 name = "terraform_acceptance_test_example" 1545 description = "Used in the terraform acceptance tests" 1546 vpc_id = "${aws_vpc.foo.id}" 1547 1548 ingress { 1549 protocol = "tcp" 1550 from_port = "22" 1551 to_port = "22" 1552 1553 cidr_blocks = [ 1554 "192.168.0.1/32", 1555 ] 1556 } 1557 1558 ingress { 1559 protocol = "tcp" 1560 from_port = 80 1561 to_port = 8000 1562 cidr_blocks = ["10.0.0.0/8"] 1563 security_groups = ["${aws_security_group.other_web.id}"] 1564 } 1565 1566 egress { 1567 protocol = "tcp" 1568 from_port = 80 1569 to_port = 8000 1570 cidr_blocks = ["10.0.0.0/8"] 1571 } 1572 1573 tags { 1574 Name = "tf-acc-test" 1575 } 1576 } 1577 ` 1578 1579 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1580 provider "aws" { 1581 region = "us-east-1" 1582 } 1583 1584 resource "aws_security_group" "other_web" { 1585 name = "tf_other_acc_tests" 1586 description = "Used in the terraform acceptance tests" 1587 1588 tags { 1589 Name = "tf-acc-test" 1590 } 1591 } 1592 1593 resource "aws_security_group" "web" { 1594 name = "terraform_acceptance_test_example" 1595 description = "Used in the terraform acceptance tests" 1596 1597 ingress { 1598 protocol = "tcp" 1599 from_port = "22" 1600 to_port = "22" 1601 1602 cidr_blocks = [ 1603 "192.168.0.1/32", 1604 ] 1605 } 1606 1607 ingress { 1608 protocol = "tcp" 1609 from_port = 80 1610 to_port = 8000 1611 cidr_blocks = ["10.0.0.0/8"] 1612 security_groups = ["${aws_security_group.other_web.name}"] 1613 } 1614 1615 tags { 1616 Name = "tf-acc-test" 1617 } 1618 } 1619 ` 1620 1621 // fails to apply in one pass with the error "diffs didn't match during apply" 1622 // GH-2027 1623 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1624 resource "aws_vpc" "main" { 1625 cidr_block = "10.0.0.0/16" 1626 1627 tags { 1628 Name = "tf-test" 1629 } 1630 } 1631 1632 resource "aws_security_group" "ssh_base" { 1633 name = "test-ssh-base" 1634 vpc_id = "${aws_vpc.main.id}" 1635 } 1636 1637 resource "aws_security_group" "jump" { 1638 name = "test-jump" 1639 vpc_id = "${aws_vpc.main.id}" 1640 } 1641 1642 resource "aws_security_group" "provision" { 1643 name = "test-provision" 1644 vpc_id = "${aws_vpc.main.id}" 1645 } 1646 1647 resource "aws_security_group" "nat" { 1648 vpc_id = "${aws_vpc.main.id}" 1649 name = "nat" 1650 description = "For nat servers " 1651 1652 ingress { 1653 from_port = 22 1654 to_port = 22 1655 protocol = "tcp" 1656 security_groups = ["${aws_security_group.jump.id}"] 1657 } 1658 1659 ingress { 1660 from_port = 22 1661 to_port = 22 1662 protocol = "tcp" 1663 security_groups = ["${aws_security_group.provision.id}"] 1664 } 1665 } 1666 ` 1667 const testAccAWSSecurityGroupConfig_importSelf = ` 1668 resource "aws_vpc" "foo" { 1669 cidr_block = "10.1.0.0/16" 1670 1671 tags { 1672 Name = "tf_sg_import_test" 1673 } 1674 } 1675 1676 resource "aws_security_group" "allow_all" { 1677 name = "allow_all" 1678 description = "Allow all inbound traffic" 1679 vpc_id = "${aws_vpc.foo.id}" 1680 } 1681 1682 resource "aws_security_group_rule" "allow_all" { 1683 type = "ingress" 1684 from_port = 0 1685 to_port = 65535 1686 protocol = "tcp" 1687 cidr_blocks = ["0.0.0.0/0"] 1688 1689 security_group_id = "${aws_security_group.allow_all.id}" 1690 } 1691 1692 resource "aws_security_group_rule" "allow_all-1" { 1693 type = "ingress" 1694 from_port = 65534 1695 to_port = 65535 1696 protocol = "tcp" 1697 1698 self = true 1699 security_group_id = "${aws_security_group.allow_all.id}" 1700 } 1701 ` 1702 1703 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 1704 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 1705 cidr_block = "10.0.0.0/16" 1706 tags { 1707 Name = "tf_sg_prefix_list_egress_test" 1708 } 1709 } 1710 1711 resource "aws_route_table" "default" { 1712 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1713 } 1714 1715 resource "aws_vpc_endpoint" "s3-us-west-2" { 1716 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1717 service_name = "com.amazonaws.us-west-2.s3" 1718 route_table_ids = ["${aws_route_table.default.id}"] 1719 policy = <<POLICY 1720 { 1721 "Version": "2012-10-17", 1722 "Statement": [ 1723 { 1724 "Sid":"AllowAll", 1725 "Effect":"Allow", 1726 "Principal":"*", 1727 "Action":"*", 1728 "Resource":"*" 1729 } 1730 ] 1731 } 1732 POLICY 1733 } 1734 1735 resource "aws_security_group" "egress" { 1736 name = "terraform_acceptance_test_prefix_list_egress" 1737 description = "Used in the terraform acceptance tests" 1738 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1739 1740 egress { 1741 protocol = "-1" 1742 from_port = 0 1743 to_port = 0 1744 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 1745 } 1746 } 1747 `