github.com/keshavdv/terraform@v0.7.0-rc2.0.20160711232630-d69256dcb425/builtin/providers/aws/resource_aws_security_group.go (about)

     1  package aws
     2  
     3  import (
     4  	"bytes"
     5  	"fmt"
     6  	"log"
     7  	"sort"
     8  	"strconv"
     9  	"strings"
    10  	"time"
    11  
    12  	"github.com/aws/aws-sdk-go/aws"
    13  	"github.com/aws/aws-sdk-go/aws/awserr"
    14  	"github.com/aws/aws-sdk-go/service/ec2"
    15  	"github.com/hashicorp/terraform/helper/hashcode"
    16  	"github.com/hashicorp/terraform/helper/resource"
    17  	"github.com/hashicorp/terraform/helper/schema"
    18  )
    19  
    20  func resourceAwsSecurityGroup() *schema.Resource {
    21  	return &schema.Resource{
    22  		Create: resourceAwsSecurityGroupCreate,
    23  		Read:   resourceAwsSecurityGroupRead,
    24  		Update: resourceAwsSecurityGroupUpdate,
    25  		Delete: resourceAwsSecurityGroupDelete,
    26  		Importer: &schema.ResourceImporter{
    27  			State: resourceAwsSecurityGroupImportState,
    28  		},
    29  
    30  		Schema: map[string]*schema.Schema{
    31  			"name": &schema.Schema{
    32  				Type:          schema.TypeString,
    33  				Optional:      true,
    34  				Computed:      true,
    35  				ForceNew:      true,
    36  				ConflictsWith: []string{"name_prefix"},
    37  				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
    38  					value := v.(string)
    39  					if len(value) > 255 {
    40  						errors = append(errors, fmt.Errorf(
    41  							"%q cannot be longer than 255 characters", k))
    42  					}
    43  					return
    44  				},
    45  			},
    46  
    47  			"name_prefix": &schema.Schema{
    48  				Type:     schema.TypeString,
    49  				Optional: true,
    50  				ForceNew: true,
    51  				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
    52  					value := v.(string)
    53  					if len(value) > 100 {
    54  						errors = append(errors, fmt.Errorf(
    55  							"%q cannot be longer than 100 characters, name is limited to 255", k))
    56  					}
    57  					return
    58  				},
    59  			},
    60  
    61  			"description": &schema.Schema{
    62  				Type:     schema.TypeString,
    63  				Optional: true,
    64  				ForceNew: true,
    65  				Default:  "Managed by Terraform",
    66  				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
    67  					value := v.(string)
    68  					if len(value) > 255 {
    69  						errors = append(errors, fmt.Errorf(
    70  							"%q cannot be longer than 255 characters", k))
    71  					}
    72  					return
    73  				},
    74  			},
    75  
    76  			"vpc_id": &schema.Schema{
    77  				Type:     schema.TypeString,
    78  				Optional: true,
    79  				ForceNew: true,
    80  				Computed: true,
    81  			},
    82  
    83  			"ingress": &schema.Schema{
    84  				Type:     schema.TypeSet,
    85  				Optional: true,
    86  				Computed: true,
    87  				Elem: &schema.Resource{
    88  					Schema: map[string]*schema.Schema{
    89  						"from_port": &schema.Schema{
    90  							Type:     schema.TypeInt,
    91  							Required: true,
    92  						},
    93  
    94  						"to_port": &schema.Schema{
    95  							Type:     schema.TypeInt,
    96  							Required: true,
    97  						},
    98  
    99  						"protocol": &schema.Schema{
   100  							Type:      schema.TypeString,
   101  							Required:  true,
   102  							StateFunc: protocolStateFunc,
   103  						},
   104  
   105  						"cidr_blocks": &schema.Schema{
   106  							Type:     schema.TypeList,
   107  							Optional: true,
   108  							Elem:     &schema.Schema{Type: schema.TypeString},
   109  						},
   110  
   111  						"security_groups": &schema.Schema{
   112  							Type:     schema.TypeSet,
   113  							Optional: true,
   114  							Elem:     &schema.Schema{Type: schema.TypeString},
   115  							Set:      schema.HashString,
   116  						},
   117  
   118  						"self": &schema.Schema{
   119  							Type:     schema.TypeBool,
   120  							Optional: true,
   121  							Default:  false,
   122  						},
   123  					},
   124  				},
   125  				Set: resourceAwsSecurityGroupRuleHash,
   126  			},
   127  
   128  			"egress": &schema.Schema{
   129  				Type:     schema.TypeSet,
   130  				Optional: true,
   131  				Computed: true,
   132  				Elem: &schema.Resource{
   133  					Schema: map[string]*schema.Schema{
   134  						"from_port": &schema.Schema{
   135  							Type:     schema.TypeInt,
   136  							Required: true,
   137  						},
   138  
   139  						"to_port": &schema.Schema{
   140  							Type:     schema.TypeInt,
   141  							Required: true,
   142  						},
   143  
   144  						"protocol": &schema.Schema{
   145  							Type:      schema.TypeString,
   146  							Required:  true,
   147  							StateFunc: protocolStateFunc,
   148  						},
   149  
   150  						"cidr_blocks": &schema.Schema{
   151  							Type:     schema.TypeList,
   152  							Optional: true,
   153  							Elem:     &schema.Schema{Type: schema.TypeString},
   154  						},
   155  
   156  						"prefix_list_ids": &schema.Schema{
   157  							Type:     schema.TypeList,
   158  							Optional: true,
   159  							Elem:     &schema.Schema{Type: schema.TypeString},
   160  						},
   161  
   162  						"security_groups": &schema.Schema{
   163  							Type:     schema.TypeSet,
   164  							Optional: true,
   165  							Elem:     &schema.Schema{Type: schema.TypeString},
   166  							Set:      schema.HashString,
   167  						},
   168  
   169  						"self": &schema.Schema{
   170  							Type:     schema.TypeBool,
   171  							Optional: true,
   172  							Default:  false,
   173  						},
   174  					},
   175  				},
   176  				Set: resourceAwsSecurityGroupRuleHash,
   177  			},
   178  
   179  			"owner_id": &schema.Schema{
   180  				Type:     schema.TypeString,
   181  				Computed: true,
   182  			},
   183  
   184  			"tags": tagsSchema(),
   185  		},
   186  	}
   187  }
   188  
   189  func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
   190  	conn := meta.(*AWSClient).ec2conn
   191  
   192  	securityGroupOpts := &ec2.CreateSecurityGroupInput{}
   193  
   194  	if v, ok := d.GetOk("vpc_id"); ok {
   195  		securityGroupOpts.VpcId = aws.String(v.(string))
   196  	}
   197  
   198  	if v := d.Get("description"); v != nil {
   199  		securityGroupOpts.Description = aws.String(v.(string))
   200  	}
   201  
   202  	var groupName string
   203  	if v, ok := d.GetOk("name"); ok {
   204  		groupName = v.(string)
   205  	} else if v, ok := d.GetOk("name_prefix"); ok {
   206  		groupName = resource.PrefixedUniqueId(v.(string))
   207  	} else {
   208  		groupName = resource.UniqueId()
   209  	}
   210  	securityGroupOpts.GroupName = aws.String(groupName)
   211  
   212  	var err error
   213  	log.Printf(
   214  		"[DEBUG] Security Group create configuration: %#v", securityGroupOpts)
   215  	createResp, err := conn.CreateSecurityGroup(securityGroupOpts)
   216  	if err != nil {
   217  		return fmt.Errorf("Error creating Security Group: %s", err)
   218  	}
   219  
   220  	d.SetId(*createResp.GroupId)
   221  
   222  	log.Printf("[INFO] Security Group ID: %s", d.Id())
   223  
   224  	// Wait for the security group to truly exist
   225  	log.Printf(
   226  		"[DEBUG] Waiting for Security Group (%s) to exist",
   227  		d.Id())
   228  	stateConf := &resource.StateChangeConf{
   229  		Pending: []string{""},
   230  		Target:  []string{"exists"},
   231  		Refresh: SGStateRefreshFunc(conn, d.Id()),
   232  		Timeout: 1 * time.Minute,
   233  	}
   234  
   235  	resp, err := stateConf.WaitForState()
   236  	if err != nil {
   237  		return fmt.Errorf(
   238  			"Error waiting for Security Group (%s) to become available: %s",
   239  			d.Id(), err)
   240  	}
   241  
   242  	// AWS defaults all Security Groups to have an ALLOW ALL egress rule. Here we
   243  	// revoke that rule, so users don't unknowingly have/use it.
   244  	group := resp.(*ec2.SecurityGroup)
   245  	if group.VpcId != nil && *group.VpcId != "" {
   246  		log.Printf("[DEBUG] Revoking default egress rule for Security Group for %s", d.Id())
   247  
   248  		req := &ec2.RevokeSecurityGroupEgressInput{
   249  			GroupId: createResp.GroupId,
   250  			IpPermissions: []*ec2.IpPermission{
   251  				&ec2.IpPermission{
   252  					FromPort: aws.Int64(int64(0)),
   253  					ToPort:   aws.Int64(int64(0)),
   254  					IpRanges: []*ec2.IpRange{
   255  						&ec2.IpRange{
   256  							CidrIp: aws.String("0.0.0.0/0"),
   257  						},
   258  					},
   259  					IpProtocol: aws.String("-1"),
   260  				},
   261  			},
   262  		}
   263  
   264  		if _, err = conn.RevokeSecurityGroupEgress(req); err != nil {
   265  			return fmt.Errorf(
   266  				"Error revoking default egress rule for Security Group (%s): %s",
   267  				d.Id(), err)
   268  		}
   269  
   270  	}
   271  
   272  	return resourceAwsSecurityGroupUpdate(d, meta)
   273  }
   274  
   275  func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
   276  	conn := meta.(*AWSClient).ec2conn
   277  
   278  	sgRaw, _, err := SGStateRefreshFunc(conn, d.Id())()
   279  	if err != nil {
   280  		return err
   281  	}
   282  	if sgRaw == nil {
   283  		d.SetId("")
   284  		return nil
   285  	}
   286  
   287  	sg := sgRaw.(*ec2.SecurityGroup)
   288  
   289  	remoteIngressRules := resourceAwsSecurityGroupIPPermGather(d.Id(), sg.IpPermissions, sg.OwnerId)
   290  	remoteEgressRules := resourceAwsSecurityGroupIPPermGather(d.Id(), sg.IpPermissionsEgress, sg.OwnerId)
   291  
   292  	localIngressRules := d.Get("ingress").(*schema.Set).List()
   293  	localEgressRules := d.Get("egress").(*schema.Set).List()
   294  
   295  	// Loop through the local state of rules, doing a match against the remote
   296  	// ruleSet we built above.
   297  	ingressRules := matchRules("ingress", localIngressRules, remoteIngressRules)
   298  	egressRules := matchRules("egress", localEgressRules, remoteEgressRules)
   299  
   300  	d.Set("description", sg.Description)
   301  	d.Set("name", sg.GroupName)
   302  	d.Set("vpc_id", sg.VpcId)
   303  	d.Set("owner_id", sg.OwnerId)
   304  
   305  	if err := d.Set("ingress", ingressRules); err != nil {
   306  		log.Printf("[WARN] Error setting Ingress rule set for (%s): %s", d.Id(), err)
   307  	}
   308  
   309  	if err := d.Set("egress", egressRules); err != nil {
   310  		log.Printf("[WARN] Error setting Egress rule set for (%s): %s", d.Id(), err)
   311  	}
   312  
   313  	d.Set("tags", tagsToMap(sg.Tags))
   314  	return nil
   315  }
   316  
   317  func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
   318  	conn := meta.(*AWSClient).ec2conn
   319  
   320  	sgRaw, _, err := SGStateRefreshFunc(conn, d.Id())()
   321  	if err != nil {
   322  		return err
   323  	}
   324  	if sgRaw == nil {
   325  		d.SetId("")
   326  		return nil
   327  	}
   328  
   329  	group := sgRaw.(*ec2.SecurityGroup)
   330  
   331  	err = resourceAwsSecurityGroupUpdateRules(d, "ingress", meta, group)
   332  	if err != nil {
   333  		return err
   334  	}
   335  
   336  	if d.Get("vpc_id") != nil {
   337  		err = resourceAwsSecurityGroupUpdateRules(d, "egress", meta, group)
   338  		if err != nil {
   339  			return err
   340  		}
   341  	}
   342  
   343  	if err := setTags(conn, d); err != nil {
   344  		return err
   345  	}
   346  
   347  	d.SetPartial("tags")
   348  
   349  	return resourceAwsSecurityGroupRead(d, meta)
   350  }
   351  
   352  func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
   353  	conn := meta.(*AWSClient).ec2conn
   354  
   355  	log.Printf("[DEBUG] Security Group destroy: %v", d.Id())
   356  
   357  	return resource.Retry(5*time.Minute, func() *resource.RetryError {
   358  		_, err := conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{
   359  			GroupId: aws.String(d.Id()),
   360  		})
   361  		if err != nil {
   362  			ec2err, ok := err.(awserr.Error)
   363  			if !ok {
   364  				return resource.RetryableError(err)
   365  			}
   366  
   367  			switch ec2err.Code() {
   368  			case "InvalidGroup.NotFound":
   369  				return nil
   370  			case "DependencyViolation":
   371  				// If it is a dependency violation, we want to retry
   372  				return resource.RetryableError(err)
   373  			default:
   374  				// Any other error, we want to quit the retry loop immediately
   375  				return resource.NonRetryableError(err)
   376  			}
   377  		}
   378  
   379  		return nil
   380  	})
   381  }
   382  
   383  func resourceAwsSecurityGroupRuleHash(v interface{}) int {
   384  	var buf bytes.Buffer
   385  	m := v.(map[string]interface{})
   386  	buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int)))
   387  	buf.WriteString(fmt.Sprintf("%d-", m["to_port"].(int)))
   388  	p := protocolForValue(m["protocol"].(string))
   389  	buf.WriteString(fmt.Sprintf("%s-", p))
   390  	buf.WriteString(fmt.Sprintf("%t-", m["self"].(bool)))
   391  
   392  	// We need to make sure to sort the strings below so that we always
   393  	// generate the same hash code no matter what is in the set.
   394  	if v, ok := m["cidr_blocks"]; ok {
   395  		vs := v.([]interface{})
   396  		s := make([]string, len(vs))
   397  		for i, raw := range vs {
   398  			s[i] = raw.(string)
   399  		}
   400  		sort.Strings(s)
   401  
   402  		for _, v := range s {
   403  			buf.WriteString(fmt.Sprintf("%s-", v))
   404  		}
   405  	}
   406  	if v, ok := m["prefix_list_ids"]; ok {
   407  		vs := v.([]interface{})
   408  		s := make([]string, len(vs))
   409  		for i, raw := range vs {
   410  			s[i] = raw.(string)
   411  		}
   412  		sort.Strings(s)
   413  
   414  		for _, v := range s {
   415  			buf.WriteString(fmt.Sprintf("%s-", v))
   416  		}
   417  	}
   418  	if v, ok := m["security_groups"]; ok {
   419  		vs := v.(*schema.Set).List()
   420  		s := make([]string, len(vs))
   421  		for i, raw := range vs {
   422  			s[i] = raw.(string)
   423  		}
   424  		sort.Strings(s)
   425  
   426  		for _, v := range s {
   427  			buf.WriteString(fmt.Sprintf("%s-", v))
   428  		}
   429  	}
   430  
   431  	return hashcode.String(buf.String())
   432  }
   433  
   434  func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpPermission, ownerId *string) []map[string]interface{} {
   435  	ruleMap := make(map[string]map[string]interface{})
   436  	for _, perm := range permissions {
   437  		var fromPort, toPort int64
   438  		if v := perm.FromPort; v != nil {
   439  			fromPort = *v
   440  		}
   441  		if v := perm.ToPort; v != nil {
   442  			toPort = *v
   443  		}
   444  
   445  		k := fmt.Sprintf("%s-%d-%d", *perm.IpProtocol, fromPort, toPort)
   446  		m, ok := ruleMap[k]
   447  		if !ok {
   448  			m = make(map[string]interface{})
   449  			ruleMap[k] = m
   450  		}
   451  
   452  		m["from_port"] = fromPort
   453  		m["to_port"] = toPort
   454  		m["protocol"] = *perm.IpProtocol
   455  
   456  		if len(perm.IpRanges) > 0 {
   457  			raw, ok := m["cidr_blocks"]
   458  			if !ok {
   459  				raw = make([]string, 0, len(perm.IpRanges))
   460  			}
   461  			list := raw.([]string)
   462  
   463  			for _, ip := range perm.IpRanges {
   464  				list = append(list, *ip.CidrIp)
   465  			}
   466  
   467  			m["cidr_blocks"] = list
   468  		}
   469  
   470  		if len(perm.PrefixListIds) > 0 {
   471  			raw, ok := m["prefix_list_ids"]
   472  			if !ok {
   473  				raw = make([]string, 0, len(perm.PrefixListIds))
   474  			}
   475  			list := raw.([]string)
   476  
   477  			for _, pl := range perm.PrefixListIds {
   478  				list = append(list, *pl.PrefixListId)
   479  			}
   480  
   481  			m["prefix_list_ids"] = list
   482  		}
   483  
   484  		groups := flattenSecurityGroups(perm.UserIdGroupPairs, ownerId)
   485  		for i, g := range groups {
   486  			if *g.GroupId == groupId {
   487  				groups[i], groups = groups[len(groups)-1], groups[:len(groups)-1]
   488  				m["self"] = true
   489  			}
   490  		}
   491  
   492  		if len(groups) > 0 {
   493  			raw, ok := m["security_groups"]
   494  			if !ok {
   495  				raw = schema.NewSet(schema.HashString, nil)
   496  			}
   497  			list := raw.(*schema.Set)
   498  
   499  			for _, g := range groups {
   500  				if g.GroupName != nil {
   501  					list.Add(*g.GroupName)
   502  				} else {
   503  					list.Add(*g.GroupId)
   504  				}
   505  			}
   506  
   507  			m["security_groups"] = list
   508  		}
   509  	}
   510  	rules := make([]map[string]interface{}, 0, len(ruleMap))
   511  	for _, m := range ruleMap {
   512  		rules = append(rules, m)
   513  	}
   514  
   515  	return rules
   516  }
   517  
   518  func resourceAwsSecurityGroupUpdateRules(
   519  	d *schema.ResourceData, ruleset string,
   520  	meta interface{}, group *ec2.SecurityGroup) error {
   521  
   522  	if d.HasChange(ruleset) {
   523  		o, n := d.GetChange(ruleset)
   524  		if o == nil {
   525  			o = new(schema.Set)
   526  		}
   527  		if n == nil {
   528  			n = new(schema.Set)
   529  		}
   530  
   531  		os := o.(*schema.Set)
   532  		ns := n.(*schema.Set)
   533  
   534  		remove, err := expandIPPerms(group, os.Difference(ns).List())
   535  		if err != nil {
   536  			return err
   537  		}
   538  		add, err := expandIPPerms(group, ns.Difference(os).List())
   539  		if err != nil {
   540  			return err
   541  		}
   542  
   543  		// TODO: We need to handle partial state better in the in-between
   544  		// in this update.
   545  
   546  		// TODO: It'd be nicer to authorize before removing, but then we have
   547  		// to deal with complicated unrolling to get individual CIDR blocks
   548  		// to avoid authorizing already authorized sources. Removing before
   549  		// adding is easier here, and Terraform should be fast enough to
   550  		// not have service issues.
   551  
   552  		if len(remove) > 0 || len(add) > 0 {
   553  			conn := meta.(*AWSClient).ec2conn
   554  
   555  			var err error
   556  			if len(remove) > 0 {
   557  				log.Printf("[DEBUG] Revoking security group %#v %s rule: %#v",
   558  					group, ruleset, remove)
   559  
   560  				if ruleset == "egress" {
   561  					req := &ec2.RevokeSecurityGroupEgressInput{
   562  						GroupId:       group.GroupId,
   563  						IpPermissions: remove,
   564  					}
   565  					_, err = conn.RevokeSecurityGroupEgress(req)
   566  				} else {
   567  					req := &ec2.RevokeSecurityGroupIngressInput{
   568  						GroupId:       group.GroupId,
   569  						IpPermissions: remove,
   570  					}
   571  					if group.VpcId == nil || *group.VpcId == "" {
   572  						req.GroupId = nil
   573  						req.GroupName = group.GroupName
   574  					}
   575  					_, err = conn.RevokeSecurityGroupIngress(req)
   576  				}
   577  
   578  				if err != nil {
   579  					return fmt.Errorf(
   580  						"Error revoking security group %s rules: %s",
   581  						ruleset, err)
   582  				}
   583  			}
   584  
   585  			if len(add) > 0 {
   586  				log.Printf("[DEBUG] Authorizing security group %#v %s rule: %#v",
   587  					group, ruleset, add)
   588  				// Authorize the new rules
   589  				if ruleset == "egress" {
   590  					req := &ec2.AuthorizeSecurityGroupEgressInput{
   591  						GroupId:       group.GroupId,
   592  						IpPermissions: add,
   593  					}
   594  					_, err = conn.AuthorizeSecurityGroupEgress(req)
   595  				} else {
   596  					req := &ec2.AuthorizeSecurityGroupIngressInput{
   597  						GroupId:       group.GroupId,
   598  						IpPermissions: add,
   599  					}
   600  					if group.VpcId == nil || *group.VpcId == "" {
   601  						req.GroupId = nil
   602  						req.GroupName = group.GroupName
   603  					}
   604  
   605  					_, err = conn.AuthorizeSecurityGroupIngress(req)
   606  				}
   607  
   608  				if err != nil {
   609  					return fmt.Errorf(
   610  						"Error authorizing security group %s rules: %s",
   611  						ruleset, err)
   612  				}
   613  			}
   614  		}
   615  	}
   616  	return nil
   617  }
   618  
   619  // SGStateRefreshFunc returns a resource.StateRefreshFunc that is used to watch
   620  // a security group.
   621  func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
   622  	return func() (interface{}, string, error) {
   623  		req := &ec2.DescribeSecurityGroupsInput{
   624  			GroupIds: []*string{aws.String(id)},
   625  		}
   626  		resp, err := conn.DescribeSecurityGroups(req)
   627  		if err != nil {
   628  			if ec2err, ok := err.(awserr.Error); ok {
   629  				if ec2err.Code() == "InvalidSecurityGroupID.NotFound" ||
   630  					ec2err.Code() == "InvalidGroup.NotFound" {
   631  					resp = nil
   632  					err = nil
   633  				}
   634  			}
   635  
   636  			if err != nil {
   637  				log.Printf("Error on SGStateRefresh: %s", err)
   638  				return nil, "", err
   639  			}
   640  		}
   641  
   642  		if resp == nil {
   643  			return nil, "", nil
   644  		}
   645  
   646  		group := resp.SecurityGroups[0]
   647  		return group, "exists", nil
   648  	}
   649  }
   650  
   651  // matchRules receives the group id, type of rules, and the local / remote maps
   652  // of rules. We iterate through the local set of rules trying to find a matching
   653  // remote rule, which may be structured differently because of how AWS
   654  // aggregates the rules under the to, from, and type.
   655  //
   656  //
   657  // Matching rules are written to state, with their elements removed from the
   658  // remote set
   659  //
   660  // If no match is found, we'll write the remote rule to state and let the graph
   661  // sort things out
   662  func matchRules(rType string, local []interface{}, remote []map[string]interface{}) []map[string]interface{} {
   663  	// For each local ip or security_group, we need to match against the remote
   664  	// ruleSet until all ips or security_groups are found
   665  
   666  	// saves represents the rules that have been identified to be saved to state,
   667  	// in the appropriate d.Set("{ingress,egress}") call.
   668  	var saves []map[string]interface{}
   669  	for _, raw := range local {
   670  		l := raw.(map[string]interface{})
   671  
   672  		var selfVal bool
   673  		if v, ok := l["self"]; ok {
   674  			selfVal = v.(bool)
   675  		}
   676  
   677  		// matching against self is required to detect rules that only include self
   678  		// as the rule. resourceAwsSecurityGroupIPPermGather parses the group out
   679  		// and replaces it with self if it's ID is found
   680  		localHash := idHash(rType, l["protocol"].(string), int64(l["to_port"].(int)), int64(l["from_port"].(int)), selfVal)
   681  
   682  		// loop remote rules, looking for a matching hash
   683  		for _, r := range remote {
   684  			var remoteSelfVal bool
   685  			if v, ok := r["self"]; ok {
   686  				remoteSelfVal = v.(bool)
   687  			}
   688  
   689  			// hash this remote rule and compare it for a match consideration with the
   690  			// local rule we're examining
   691  			rHash := idHash(rType, r["protocol"].(string), r["to_port"].(int64), r["from_port"].(int64), remoteSelfVal)
   692  			if rHash == localHash {
   693  				var numExpectedCidrs, numExpectedPrefixLists, numExpectedSGs, numRemoteCidrs, numRemotePrefixLists, numRemoteSGs int
   694  				var matchingCidrs []string
   695  				var matchingSGs []string
   696  				var matchingPrefixLists []string
   697  
   698  				// grab the local/remote cidr and sg groups, capturing the expected and
   699  				// actual counts
   700  				lcRaw, ok := l["cidr_blocks"]
   701  				if ok {
   702  					numExpectedCidrs = len(l["cidr_blocks"].([]interface{}))
   703  				}
   704  				lpRaw, ok := l["prefix_list_ids"]
   705  				if ok {
   706  					numExpectedPrefixLists = len(l["prefix_list_ids"].([]interface{}))
   707  				}
   708  				lsRaw, ok := l["security_groups"]
   709  				if ok {
   710  					numExpectedSGs = len(l["security_groups"].(*schema.Set).List())
   711  				}
   712  
   713  				rcRaw, ok := r["cidr_blocks"]
   714  				if ok {
   715  					numRemoteCidrs = len(r["cidr_blocks"].([]string))
   716  				}
   717  				rpRaw, ok := r["prefix_list_ids"]
   718  				if ok {
   719  					numRemotePrefixLists = len(r["prefix_list_ids"].([]string))
   720  				}
   721  
   722  				rsRaw, ok := r["security_groups"]
   723  				if ok {
   724  					numRemoteSGs = len(r["security_groups"].(*schema.Set).List())
   725  				}
   726  
   727  				// check some early failures
   728  				if numExpectedCidrs > numRemoteCidrs {
   729  					log.Printf("[DEBUG] Local rule has more CIDR blocks, continuing (%d/%d)", numExpectedCidrs, numRemoteCidrs)
   730  					continue
   731  				}
   732  				if numExpectedPrefixLists > numRemotePrefixLists {
   733  					log.Printf("[DEBUG] Local rule has more prefix lists, continuing (%d/%d)", numExpectedPrefixLists, numRemotePrefixLists)
   734  					continue
   735  				}
   736  				if numExpectedSGs > numRemoteSGs {
   737  					log.Printf("[DEBUG] Local rule has more Security Groups, continuing (%d/%d)", numExpectedSGs, numRemoteSGs)
   738  					continue
   739  				}
   740  
   741  				// match CIDRs by converting both to sets, and using Set methods
   742  				var localCidrs []interface{}
   743  				if lcRaw != nil {
   744  					localCidrs = lcRaw.([]interface{})
   745  				}
   746  				localCidrSet := schema.NewSet(schema.HashString, localCidrs)
   747  
   748  				// remote cidrs are presented as a slice of strings, so we need to
   749  				// reformat them into a slice of interfaces to be used in creating the
   750  				// remote cidr set
   751  				var remoteCidrs []string
   752  				if rcRaw != nil {
   753  					remoteCidrs = rcRaw.([]string)
   754  				}
   755  				// convert remote cidrs to a set, for easy comparisions
   756  				var list []interface{}
   757  				for _, s := range remoteCidrs {
   758  					list = append(list, s)
   759  				}
   760  				remoteCidrSet := schema.NewSet(schema.HashString, list)
   761  
   762  				// Build up a list of local cidrs that are found in the remote set
   763  				for _, s := range localCidrSet.List() {
   764  					if remoteCidrSet.Contains(s) {
   765  						matchingCidrs = append(matchingCidrs, s.(string))
   766  					}
   767  				}
   768  
   769  				// match prefix lists by converting both to sets, and using Set methods
   770  				var localPrefixLists []interface{}
   771  				if lpRaw != nil {
   772  					localPrefixLists = lpRaw.([]interface{})
   773  				}
   774  				localPrefixListsSet := schema.NewSet(schema.HashString, localPrefixLists)
   775  
   776  				// remote prefix lists are presented as a slice of strings, so we need to
   777  				// reformat them into a slice of interfaces to be used in creating the
   778  				// remote prefix list set
   779  				var remotePrefixLists []string
   780  				if rpRaw != nil {
   781  					remotePrefixLists = rpRaw.([]string)
   782  				}
   783  				// convert remote prefix lists to a set, for easy comparison
   784  				list = nil
   785  				for _, s := range remotePrefixLists {
   786  					list = append(list, s)
   787  				}
   788  				remotePrefixListsSet := schema.NewSet(schema.HashString, list)
   789  
   790  				// Build up a list of local prefix lists that are found in the remote set
   791  				for _, s := range localPrefixListsSet.List() {
   792  					if remotePrefixListsSet.Contains(s) {
   793  						matchingPrefixLists = append(matchingPrefixLists, s.(string))
   794  					}
   795  				}
   796  
   797  				// match SGs. Both local and remote are already sets
   798  				var localSGSet *schema.Set
   799  				if lsRaw == nil {
   800  					localSGSet = schema.NewSet(schema.HashString, nil)
   801  				} else {
   802  					localSGSet = lsRaw.(*schema.Set)
   803  				}
   804  
   805  				var remoteSGSet *schema.Set
   806  				if rsRaw == nil {
   807  					remoteSGSet = schema.NewSet(schema.HashString, nil)
   808  				} else {
   809  					remoteSGSet = rsRaw.(*schema.Set)
   810  				}
   811  
   812  				// Build up a list of local security groups that are found in the remote set
   813  				for _, s := range localSGSet.List() {
   814  					if remoteSGSet.Contains(s) {
   815  						matchingSGs = append(matchingSGs, s.(string))
   816  					}
   817  				}
   818  
   819  				// compare equalities for matches.
   820  				// If we found the number of cidrs and number of sgs, we declare a
   821  				// match, and then remove those elements from the remote rule, so that
   822  				// this remote rule can still be considered by other local rules
   823  				if numExpectedCidrs == len(matchingCidrs) {
   824  					if numExpectedPrefixLists == len(matchingPrefixLists) {
   825  						if numExpectedSGs == len(matchingSGs) {
   826  							// confirm that self references match
   827  							var lSelf bool
   828  							var rSelf bool
   829  							if _, ok := l["self"]; ok {
   830  								lSelf = l["self"].(bool)
   831  							}
   832  							if _, ok := r["self"]; ok {
   833  								rSelf = r["self"].(bool)
   834  							}
   835  							if rSelf == lSelf {
   836  								delete(r, "self")
   837  								// pop local cidrs from remote
   838  								diffCidr := remoteCidrSet.Difference(localCidrSet)
   839  								var newCidr []string
   840  								for _, cRaw := range diffCidr.List() {
   841  									newCidr = append(newCidr, cRaw.(string))
   842  								}
   843  
   844  								// reassigning
   845  								if len(newCidr) > 0 {
   846  									r["cidr_blocks"] = newCidr
   847  								} else {
   848  									delete(r, "cidr_blocks")
   849  								}
   850  
   851  								// pop local prefix lists from remote
   852  								diffPrefixLists := remotePrefixListsSet.Difference(localPrefixListsSet)
   853  								var newPrefixLists []string
   854  								for _, pRaw := range diffPrefixLists.List() {
   855  									newPrefixLists = append(newPrefixLists, pRaw.(string))
   856  								}
   857  
   858  								// reassigning
   859  								if len(newPrefixLists) > 0 {
   860  									r["prefix_list_ids"] = newPrefixLists
   861  								} else {
   862  									delete(r, "prefix_list_ids")
   863  								}
   864  
   865  								// pop local sgs from remote
   866  								diffSGs := remoteSGSet.Difference(localSGSet)
   867  								if len(diffSGs.List()) > 0 {
   868  									r["security_groups"] = diffSGs
   869  								} else {
   870  									delete(r, "security_groups")
   871  								}
   872  
   873  								saves = append(saves, l)
   874  							}
   875  						}
   876  					}
   877  				}
   878  			}
   879  		}
   880  	}
   881  
   882  	// Here we catch any remote rules that have not been stripped of all self,
   883  	// cidrs, and security groups. We'll add remote rules here that have not been
   884  	// matched locally, and let the graph sort things out. This will happen when
   885  	// rules are added externally to Terraform
   886  	for _, r := range remote {
   887  		var lenCidr, lenPrefixLists, lenSGs int
   888  		if rCidrs, ok := r["cidr_blocks"]; ok {
   889  			lenCidr = len(rCidrs.([]string))
   890  		}
   891  		if rPrefixLists, ok := r["prefix_list_ids"]; ok {
   892  			lenPrefixLists = len(rPrefixLists.([]string))
   893  		}
   894  		if rawSGs, ok := r["security_groups"]; ok {
   895  			lenSGs = len(rawSGs.(*schema.Set).List())
   896  		}
   897  
   898  		if _, ok := r["self"]; ok {
   899  			if r["self"].(bool) == true {
   900  				lenSGs++
   901  			}
   902  		}
   903  
   904  		if lenSGs+lenCidr+lenPrefixLists > 0 {
   905  			log.Printf("[DEBUG] Found a remote Rule that wasn't empty: (%#v)", r)
   906  			saves = append(saves, r)
   907  		}
   908  	}
   909  
   910  	return saves
   911  }
   912  
   913  // Creates a unique hash for the type, ports, and protocol, used as a key in
   914  // maps
   915  func idHash(rType, protocol string, toPort, fromPort int64, self bool) string {
   916  	var buf bytes.Buffer
   917  	buf.WriteString(fmt.Sprintf("%s-", rType))
   918  	buf.WriteString(fmt.Sprintf("%d-", toPort))
   919  	buf.WriteString(fmt.Sprintf("%d-", fromPort))
   920  	buf.WriteString(fmt.Sprintf("%s-", strings.ToLower(protocol)))
   921  	buf.WriteString(fmt.Sprintf("%t-", self))
   922  
   923  	return fmt.Sprintf("rule-%d", hashcode.String(buf.String()))
   924  }
   925  
   926  // protocolStateFunc ensures we only store a string in any protocol field
   927  func protocolStateFunc(v interface{}) string {
   928  	switch v.(type) {
   929  	case string:
   930  		p := protocolForValue(v.(string))
   931  		return p
   932  	default:
   933  		log.Printf("[WARN] Non String value given for Protocol: %#v", v)
   934  		return ""
   935  	}
   936  }
   937  
   938  // protocolForValue converts a valid Internet Protocol number into it's name
   939  // representation. If a name is given, it validates that it's a proper protocol
   940  // name. Names/numbers are as defined at
   941  // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
   942  func protocolForValue(v string) string {
   943  	// special case -1
   944  	protocol := strings.ToLower(v)
   945  	if protocol == "-1" || protocol == "all" {
   946  		return "-1"
   947  	}
   948  	// if it's a name like tcp, return that
   949  	if _, ok := protocolIntegers()[protocol]; ok {
   950  		return protocol
   951  	}
   952  	// convert to int, look for that value
   953  	p, err := strconv.Atoi(protocol)
   954  	if err != nil {
   955  		// we were unable to convert to int, suggesting a string name, but it wasn't
   956  		// found above
   957  		log.Printf("[WARN] Unable to determine valid protocol: %s", err)
   958  		return protocol
   959  	}
   960  
   961  	for k, v := range protocolIntegers() {
   962  		if p == v {
   963  			// guard against protocolIntegers sometime in the future not having lower
   964  			// case ids in the map
   965  			return strings.ToLower(k)
   966  		}
   967  	}
   968  
   969  	// fall through
   970  	log.Printf("[WARN] Unable to determine valid protocol: no matching protocols found")
   971  	return protocol
   972  }