github.com/keshavdv/terraform@v0.7.0-rc2.0.20160711232630-d69256dcb425/builtin/providers/aws/resource_aws_security_group.go (about) 1 package aws 2 3 import ( 4 "bytes" 5 "fmt" 6 "log" 7 "sort" 8 "strconv" 9 "strings" 10 "time" 11 12 "github.com/aws/aws-sdk-go/aws" 13 "github.com/aws/aws-sdk-go/aws/awserr" 14 "github.com/aws/aws-sdk-go/service/ec2" 15 "github.com/hashicorp/terraform/helper/hashcode" 16 "github.com/hashicorp/terraform/helper/resource" 17 "github.com/hashicorp/terraform/helper/schema" 18 ) 19 20 func resourceAwsSecurityGroup() *schema.Resource { 21 return &schema.Resource{ 22 Create: resourceAwsSecurityGroupCreate, 23 Read: resourceAwsSecurityGroupRead, 24 Update: resourceAwsSecurityGroupUpdate, 25 Delete: resourceAwsSecurityGroupDelete, 26 Importer: &schema.ResourceImporter{ 27 State: resourceAwsSecurityGroupImportState, 28 }, 29 30 Schema: map[string]*schema.Schema{ 31 "name": &schema.Schema{ 32 Type: schema.TypeString, 33 Optional: true, 34 Computed: true, 35 ForceNew: true, 36 ConflictsWith: []string{"name_prefix"}, 37 ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { 38 value := v.(string) 39 if len(value) > 255 { 40 errors = append(errors, fmt.Errorf( 41 "%q cannot be longer than 255 characters", k)) 42 } 43 return 44 }, 45 }, 46 47 "name_prefix": &schema.Schema{ 48 Type: schema.TypeString, 49 Optional: true, 50 ForceNew: true, 51 ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { 52 value := v.(string) 53 if len(value) > 100 { 54 errors = append(errors, fmt.Errorf( 55 "%q cannot be longer than 100 characters, name is limited to 255", k)) 56 } 57 return 58 }, 59 }, 60 61 "description": &schema.Schema{ 62 Type: schema.TypeString, 63 Optional: true, 64 ForceNew: true, 65 Default: "Managed by Terraform", 66 ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { 67 value := v.(string) 68 if len(value) > 255 { 69 errors = append(errors, fmt.Errorf( 70 "%q cannot be longer than 255 characters", k)) 71 } 72 return 73 }, 74 }, 75 76 "vpc_id": &schema.Schema{ 77 Type: schema.TypeString, 78 Optional: true, 79 ForceNew: true, 80 Computed: true, 81 }, 82 83 "ingress": &schema.Schema{ 84 Type: schema.TypeSet, 85 Optional: true, 86 Computed: true, 87 Elem: &schema.Resource{ 88 Schema: map[string]*schema.Schema{ 89 "from_port": &schema.Schema{ 90 Type: schema.TypeInt, 91 Required: true, 92 }, 93 94 "to_port": &schema.Schema{ 95 Type: schema.TypeInt, 96 Required: true, 97 }, 98 99 "protocol": &schema.Schema{ 100 Type: schema.TypeString, 101 Required: true, 102 StateFunc: protocolStateFunc, 103 }, 104 105 "cidr_blocks": &schema.Schema{ 106 Type: schema.TypeList, 107 Optional: true, 108 Elem: &schema.Schema{Type: schema.TypeString}, 109 }, 110 111 "security_groups": &schema.Schema{ 112 Type: schema.TypeSet, 113 Optional: true, 114 Elem: &schema.Schema{Type: schema.TypeString}, 115 Set: schema.HashString, 116 }, 117 118 "self": &schema.Schema{ 119 Type: schema.TypeBool, 120 Optional: true, 121 Default: false, 122 }, 123 }, 124 }, 125 Set: resourceAwsSecurityGroupRuleHash, 126 }, 127 128 "egress": &schema.Schema{ 129 Type: schema.TypeSet, 130 Optional: true, 131 Computed: true, 132 Elem: &schema.Resource{ 133 Schema: map[string]*schema.Schema{ 134 "from_port": &schema.Schema{ 135 Type: schema.TypeInt, 136 Required: true, 137 }, 138 139 "to_port": &schema.Schema{ 140 Type: schema.TypeInt, 141 Required: true, 142 }, 143 144 "protocol": &schema.Schema{ 145 Type: schema.TypeString, 146 Required: true, 147 StateFunc: protocolStateFunc, 148 }, 149 150 "cidr_blocks": &schema.Schema{ 151 Type: schema.TypeList, 152 Optional: true, 153 Elem: &schema.Schema{Type: schema.TypeString}, 154 }, 155 156 "prefix_list_ids": &schema.Schema{ 157 Type: schema.TypeList, 158 Optional: true, 159 Elem: &schema.Schema{Type: schema.TypeString}, 160 }, 161 162 "security_groups": &schema.Schema{ 163 Type: schema.TypeSet, 164 Optional: true, 165 Elem: &schema.Schema{Type: schema.TypeString}, 166 Set: schema.HashString, 167 }, 168 169 "self": &schema.Schema{ 170 Type: schema.TypeBool, 171 Optional: true, 172 Default: false, 173 }, 174 }, 175 }, 176 Set: resourceAwsSecurityGroupRuleHash, 177 }, 178 179 "owner_id": &schema.Schema{ 180 Type: schema.TypeString, 181 Computed: true, 182 }, 183 184 "tags": tagsSchema(), 185 }, 186 } 187 } 188 189 func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error { 190 conn := meta.(*AWSClient).ec2conn 191 192 securityGroupOpts := &ec2.CreateSecurityGroupInput{} 193 194 if v, ok := d.GetOk("vpc_id"); ok { 195 securityGroupOpts.VpcId = aws.String(v.(string)) 196 } 197 198 if v := d.Get("description"); v != nil { 199 securityGroupOpts.Description = aws.String(v.(string)) 200 } 201 202 var groupName string 203 if v, ok := d.GetOk("name"); ok { 204 groupName = v.(string) 205 } else if v, ok := d.GetOk("name_prefix"); ok { 206 groupName = resource.PrefixedUniqueId(v.(string)) 207 } else { 208 groupName = resource.UniqueId() 209 } 210 securityGroupOpts.GroupName = aws.String(groupName) 211 212 var err error 213 log.Printf( 214 "[DEBUG] Security Group create configuration: %#v", securityGroupOpts) 215 createResp, err := conn.CreateSecurityGroup(securityGroupOpts) 216 if err != nil { 217 return fmt.Errorf("Error creating Security Group: %s", err) 218 } 219 220 d.SetId(*createResp.GroupId) 221 222 log.Printf("[INFO] Security Group ID: %s", d.Id()) 223 224 // Wait for the security group to truly exist 225 log.Printf( 226 "[DEBUG] Waiting for Security Group (%s) to exist", 227 d.Id()) 228 stateConf := &resource.StateChangeConf{ 229 Pending: []string{""}, 230 Target: []string{"exists"}, 231 Refresh: SGStateRefreshFunc(conn, d.Id()), 232 Timeout: 1 * time.Minute, 233 } 234 235 resp, err := stateConf.WaitForState() 236 if err != nil { 237 return fmt.Errorf( 238 "Error waiting for Security Group (%s) to become available: %s", 239 d.Id(), err) 240 } 241 242 // AWS defaults all Security Groups to have an ALLOW ALL egress rule. Here we 243 // revoke that rule, so users don't unknowingly have/use it. 244 group := resp.(*ec2.SecurityGroup) 245 if group.VpcId != nil && *group.VpcId != "" { 246 log.Printf("[DEBUG] Revoking default egress rule for Security Group for %s", d.Id()) 247 248 req := &ec2.RevokeSecurityGroupEgressInput{ 249 GroupId: createResp.GroupId, 250 IpPermissions: []*ec2.IpPermission{ 251 &ec2.IpPermission{ 252 FromPort: aws.Int64(int64(0)), 253 ToPort: aws.Int64(int64(0)), 254 IpRanges: []*ec2.IpRange{ 255 &ec2.IpRange{ 256 CidrIp: aws.String("0.0.0.0/0"), 257 }, 258 }, 259 IpProtocol: aws.String("-1"), 260 }, 261 }, 262 } 263 264 if _, err = conn.RevokeSecurityGroupEgress(req); err != nil { 265 return fmt.Errorf( 266 "Error revoking default egress rule for Security Group (%s): %s", 267 d.Id(), err) 268 } 269 270 } 271 272 return resourceAwsSecurityGroupUpdate(d, meta) 273 } 274 275 func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error { 276 conn := meta.(*AWSClient).ec2conn 277 278 sgRaw, _, err := SGStateRefreshFunc(conn, d.Id())() 279 if err != nil { 280 return err 281 } 282 if sgRaw == nil { 283 d.SetId("") 284 return nil 285 } 286 287 sg := sgRaw.(*ec2.SecurityGroup) 288 289 remoteIngressRules := resourceAwsSecurityGroupIPPermGather(d.Id(), sg.IpPermissions, sg.OwnerId) 290 remoteEgressRules := resourceAwsSecurityGroupIPPermGather(d.Id(), sg.IpPermissionsEgress, sg.OwnerId) 291 292 localIngressRules := d.Get("ingress").(*schema.Set).List() 293 localEgressRules := d.Get("egress").(*schema.Set).List() 294 295 // Loop through the local state of rules, doing a match against the remote 296 // ruleSet we built above. 297 ingressRules := matchRules("ingress", localIngressRules, remoteIngressRules) 298 egressRules := matchRules("egress", localEgressRules, remoteEgressRules) 299 300 d.Set("description", sg.Description) 301 d.Set("name", sg.GroupName) 302 d.Set("vpc_id", sg.VpcId) 303 d.Set("owner_id", sg.OwnerId) 304 305 if err := d.Set("ingress", ingressRules); err != nil { 306 log.Printf("[WARN] Error setting Ingress rule set for (%s): %s", d.Id(), err) 307 } 308 309 if err := d.Set("egress", egressRules); err != nil { 310 log.Printf("[WARN] Error setting Egress rule set for (%s): %s", d.Id(), err) 311 } 312 313 d.Set("tags", tagsToMap(sg.Tags)) 314 return nil 315 } 316 317 func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error { 318 conn := meta.(*AWSClient).ec2conn 319 320 sgRaw, _, err := SGStateRefreshFunc(conn, d.Id())() 321 if err != nil { 322 return err 323 } 324 if sgRaw == nil { 325 d.SetId("") 326 return nil 327 } 328 329 group := sgRaw.(*ec2.SecurityGroup) 330 331 err = resourceAwsSecurityGroupUpdateRules(d, "ingress", meta, group) 332 if err != nil { 333 return err 334 } 335 336 if d.Get("vpc_id") != nil { 337 err = resourceAwsSecurityGroupUpdateRules(d, "egress", meta, group) 338 if err != nil { 339 return err 340 } 341 } 342 343 if err := setTags(conn, d); err != nil { 344 return err 345 } 346 347 d.SetPartial("tags") 348 349 return resourceAwsSecurityGroupRead(d, meta) 350 } 351 352 func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error { 353 conn := meta.(*AWSClient).ec2conn 354 355 log.Printf("[DEBUG] Security Group destroy: %v", d.Id()) 356 357 return resource.Retry(5*time.Minute, func() *resource.RetryError { 358 _, err := conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{ 359 GroupId: aws.String(d.Id()), 360 }) 361 if err != nil { 362 ec2err, ok := err.(awserr.Error) 363 if !ok { 364 return resource.RetryableError(err) 365 } 366 367 switch ec2err.Code() { 368 case "InvalidGroup.NotFound": 369 return nil 370 case "DependencyViolation": 371 // If it is a dependency violation, we want to retry 372 return resource.RetryableError(err) 373 default: 374 // Any other error, we want to quit the retry loop immediately 375 return resource.NonRetryableError(err) 376 } 377 } 378 379 return nil 380 }) 381 } 382 383 func resourceAwsSecurityGroupRuleHash(v interface{}) int { 384 var buf bytes.Buffer 385 m := v.(map[string]interface{}) 386 buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int))) 387 buf.WriteString(fmt.Sprintf("%d-", m["to_port"].(int))) 388 p := protocolForValue(m["protocol"].(string)) 389 buf.WriteString(fmt.Sprintf("%s-", p)) 390 buf.WriteString(fmt.Sprintf("%t-", m["self"].(bool))) 391 392 // We need to make sure to sort the strings below so that we always 393 // generate the same hash code no matter what is in the set. 394 if v, ok := m["cidr_blocks"]; ok { 395 vs := v.([]interface{}) 396 s := make([]string, len(vs)) 397 for i, raw := range vs { 398 s[i] = raw.(string) 399 } 400 sort.Strings(s) 401 402 for _, v := range s { 403 buf.WriteString(fmt.Sprintf("%s-", v)) 404 } 405 } 406 if v, ok := m["prefix_list_ids"]; ok { 407 vs := v.([]interface{}) 408 s := make([]string, len(vs)) 409 for i, raw := range vs { 410 s[i] = raw.(string) 411 } 412 sort.Strings(s) 413 414 for _, v := range s { 415 buf.WriteString(fmt.Sprintf("%s-", v)) 416 } 417 } 418 if v, ok := m["security_groups"]; ok { 419 vs := v.(*schema.Set).List() 420 s := make([]string, len(vs)) 421 for i, raw := range vs { 422 s[i] = raw.(string) 423 } 424 sort.Strings(s) 425 426 for _, v := range s { 427 buf.WriteString(fmt.Sprintf("%s-", v)) 428 } 429 } 430 431 return hashcode.String(buf.String()) 432 } 433 434 func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpPermission, ownerId *string) []map[string]interface{} { 435 ruleMap := make(map[string]map[string]interface{}) 436 for _, perm := range permissions { 437 var fromPort, toPort int64 438 if v := perm.FromPort; v != nil { 439 fromPort = *v 440 } 441 if v := perm.ToPort; v != nil { 442 toPort = *v 443 } 444 445 k := fmt.Sprintf("%s-%d-%d", *perm.IpProtocol, fromPort, toPort) 446 m, ok := ruleMap[k] 447 if !ok { 448 m = make(map[string]interface{}) 449 ruleMap[k] = m 450 } 451 452 m["from_port"] = fromPort 453 m["to_port"] = toPort 454 m["protocol"] = *perm.IpProtocol 455 456 if len(perm.IpRanges) > 0 { 457 raw, ok := m["cidr_blocks"] 458 if !ok { 459 raw = make([]string, 0, len(perm.IpRanges)) 460 } 461 list := raw.([]string) 462 463 for _, ip := range perm.IpRanges { 464 list = append(list, *ip.CidrIp) 465 } 466 467 m["cidr_blocks"] = list 468 } 469 470 if len(perm.PrefixListIds) > 0 { 471 raw, ok := m["prefix_list_ids"] 472 if !ok { 473 raw = make([]string, 0, len(perm.PrefixListIds)) 474 } 475 list := raw.([]string) 476 477 for _, pl := range perm.PrefixListIds { 478 list = append(list, *pl.PrefixListId) 479 } 480 481 m["prefix_list_ids"] = list 482 } 483 484 groups := flattenSecurityGroups(perm.UserIdGroupPairs, ownerId) 485 for i, g := range groups { 486 if *g.GroupId == groupId { 487 groups[i], groups = groups[len(groups)-1], groups[:len(groups)-1] 488 m["self"] = true 489 } 490 } 491 492 if len(groups) > 0 { 493 raw, ok := m["security_groups"] 494 if !ok { 495 raw = schema.NewSet(schema.HashString, nil) 496 } 497 list := raw.(*schema.Set) 498 499 for _, g := range groups { 500 if g.GroupName != nil { 501 list.Add(*g.GroupName) 502 } else { 503 list.Add(*g.GroupId) 504 } 505 } 506 507 m["security_groups"] = list 508 } 509 } 510 rules := make([]map[string]interface{}, 0, len(ruleMap)) 511 for _, m := range ruleMap { 512 rules = append(rules, m) 513 } 514 515 return rules 516 } 517 518 func resourceAwsSecurityGroupUpdateRules( 519 d *schema.ResourceData, ruleset string, 520 meta interface{}, group *ec2.SecurityGroup) error { 521 522 if d.HasChange(ruleset) { 523 o, n := d.GetChange(ruleset) 524 if o == nil { 525 o = new(schema.Set) 526 } 527 if n == nil { 528 n = new(schema.Set) 529 } 530 531 os := o.(*schema.Set) 532 ns := n.(*schema.Set) 533 534 remove, err := expandIPPerms(group, os.Difference(ns).List()) 535 if err != nil { 536 return err 537 } 538 add, err := expandIPPerms(group, ns.Difference(os).List()) 539 if err != nil { 540 return err 541 } 542 543 // TODO: We need to handle partial state better in the in-between 544 // in this update. 545 546 // TODO: It'd be nicer to authorize before removing, but then we have 547 // to deal with complicated unrolling to get individual CIDR blocks 548 // to avoid authorizing already authorized sources. Removing before 549 // adding is easier here, and Terraform should be fast enough to 550 // not have service issues. 551 552 if len(remove) > 0 || len(add) > 0 { 553 conn := meta.(*AWSClient).ec2conn 554 555 var err error 556 if len(remove) > 0 { 557 log.Printf("[DEBUG] Revoking security group %#v %s rule: %#v", 558 group, ruleset, remove) 559 560 if ruleset == "egress" { 561 req := &ec2.RevokeSecurityGroupEgressInput{ 562 GroupId: group.GroupId, 563 IpPermissions: remove, 564 } 565 _, err = conn.RevokeSecurityGroupEgress(req) 566 } else { 567 req := &ec2.RevokeSecurityGroupIngressInput{ 568 GroupId: group.GroupId, 569 IpPermissions: remove, 570 } 571 if group.VpcId == nil || *group.VpcId == "" { 572 req.GroupId = nil 573 req.GroupName = group.GroupName 574 } 575 _, err = conn.RevokeSecurityGroupIngress(req) 576 } 577 578 if err != nil { 579 return fmt.Errorf( 580 "Error revoking security group %s rules: %s", 581 ruleset, err) 582 } 583 } 584 585 if len(add) > 0 { 586 log.Printf("[DEBUG] Authorizing security group %#v %s rule: %#v", 587 group, ruleset, add) 588 // Authorize the new rules 589 if ruleset == "egress" { 590 req := &ec2.AuthorizeSecurityGroupEgressInput{ 591 GroupId: group.GroupId, 592 IpPermissions: add, 593 } 594 _, err = conn.AuthorizeSecurityGroupEgress(req) 595 } else { 596 req := &ec2.AuthorizeSecurityGroupIngressInput{ 597 GroupId: group.GroupId, 598 IpPermissions: add, 599 } 600 if group.VpcId == nil || *group.VpcId == "" { 601 req.GroupId = nil 602 req.GroupName = group.GroupName 603 } 604 605 _, err = conn.AuthorizeSecurityGroupIngress(req) 606 } 607 608 if err != nil { 609 return fmt.Errorf( 610 "Error authorizing security group %s rules: %s", 611 ruleset, err) 612 } 613 } 614 } 615 } 616 return nil 617 } 618 619 // SGStateRefreshFunc returns a resource.StateRefreshFunc that is used to watch 620 // a security group. 621 func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc { 622 return func() (interface{}, string, error) { 623 req := &ec2.DescribeSecurityGroupsInput{ 624 GroupIds: []*string{aws.String(id)}, 625 } 626 resp, err := conn.DescribeSecurityGroups(req) 627 if err != nil { 628 if ec2err, ok := err.(awserr.Error); ok { 629 if ec2err.Code() == "InvalidSecurityGroupID.NotFound" || 630 ec2err.Code() == "InvalidGroup.NotFound" { 631 resp = nil 632 err = nil 633 } 634 } 635 636 if err != nil { 637 log.Printf("Error on SGStateRefresh: %s", err) 638 return nil, "", err 639 } 640 } 641 642 if resp == nil { 643 return nil, "", nil 644 } 645 646 group := resp.SecurityGroups[0] 647 return group, "exists", nil 648 } 649 } 650 651 // matchRules receives the group id, type of rules, and the local / remote maps 652 // of rules. We iterate through the local set of rules trying to find a matching 653 // remote rule, which may be structured differently because of how AWS 654 // aggregates the rules under the to, from, and type. 655 // 656 // 657 // Matching rules are written to state, with their elements removed from the 658 // remote set 659 // 660 // If no match is found, we'll write the remote rule to state and let the graph 661 // sort things out 662 func matchRules(rType string, local []interface{}, remote []map[string]interface{}) []map[string]interface{} { 663 // For each local ip or security_group, we need to match against the remote 664 // ruleSet until all ips or security_groups are found 665 666 // saves represents the rules that have been identified to be saved to state, 667 // in the appropriate d.Set("{ingress,egress}") call. 668 var saves []map[string]interface{} 669 for _, raw := range local { 670 l := raw.(map[string]interface{}) 671 672 var selfVal bool 673 if v, ok := l["self"]; ok { 674 selfVal = v.(bool) 675 } 676 677 // matching against self is required to detect rules that only include self 678 // as the rule. resourceAwsSecurityGroupIPPermGather parses the group out 679 // and replaces it with self if it's ID is found 680 localHash := idHash(rType, l["protocol"].(string), int64(l["to_port"].(int)), int64(l["from_port"].(int)), selfVal) 681 682 // loop remote rules, looking for a matching hash 683 for _, r := range remote { 684 var remoteSelfVal bool 685 if v, ok := r["self"]; ok { 686 remoteSelfVal = v.(bool) 687 } 688 689 // hash this remote rule and compare it for a match consideration with the 690 // local rule we're examining 691 rHash := idHash(rType, r["protocol"].(string), r["to_port"].(int64), r["from_port"].(int64), remoteSelfVal) 692 if rHash == localHash { 693 var numExpectedCidrs, numExpectedPrefixLists, numExpectedSGs, numRemoteCidrs, numRemotePrefixLists, numRemoteSGs int 694 var matchingCidrs []string 695 var matchingSGs []string 696 var matchingPrefixLists []string 697 698 // grab the local/remote cidr and sg groups, capturing the expected and 699 // actual counts 700 lcRaw, ok := l["cidr_blocks"] 701 if ok { 702 numExpectedCidrs = len(l["cidr_blocks"].([]interface{})) 703 } 704 lpRaw, ok := l["prefix_list_ids"] 705 if ok { 706 numExpectedPrefixLists = len(l["prefix_list_ids"].([]interface{})) 707 } 708 lsRaw, ok := l["security_groups"] 709 if ok { 710 numExpectedSGs = len(l["security_groups"].(*schema.Set).List()) 711 } 712 713 rcRaw, ok := r["cidr_blocks"] 714 if ok { 715 numRemoteCidrs = len(r["cidr_blocks"].([]string)) 716 } 717 rpRaw, ok := r["prefix_list_ids"] 718 if ok { 719 numRemotePrefixLists = len(r["prefix_list_ids"].([]string)) 720 } 721 722 rsRaw, ok := r["security_groups"] 723 if ok { 724 numRemoteSGs = len(r["security_groups"].(*schema.Set).List()) 725 } 726 727 // check some early failures 728 if numExpectedCidrs > numRemoteCidrs { 729 log.Printf("[DEBUG] Local rule has more CIDR blocks, continuing (%d/%d)", numExpectedCidrs, numRemoteCidrs) 730 continue 731 } 732 if numExpectedPrefixLists > numRemotePrefixLists { 733 log.Printf("[DEBUG] Local rule has more prefix lists, continuing (%d/%d)", numExpectedPrefixLists, numRemotePrefixLists) 734 continue 735 } 736 if numExpectedSGs > numRemoteSGs { 737 log.Printf("[DEBUG] Local rule has more Security Groups, continuing (%d/%d)", numExpectedSGs, numRemoteSGs) 738 continue 739 } 740 741 // match CIDRs by converting both to sets, and using Set methods 742 var localCidrs []interface{} 743 if lcRaw != nil { 744 localCidrs = lcRaw.([]interface{}) 745 } 746 localCidrSet := schema.NewSet(schema.HashString, localCidrs) 747 748 // remote cidrs are presented as a slice of strings, so we need to 749 // reformat them into a slice of interfaces to be used in creating the 750 // remote cidr set 751 var remoteCidrs []string 752 if rcRaw != nil { 753 remoteCidrs = rcRaw.([]string) 754 } 755 // convert remote cidrs to a set, for easy comparisions 756 var list []interface{} 757 for _, s := range remoteCidrs { 758 list = append(list, s) 759 } 760 remoteCidrSet := schema.NewSet(schema.HashString, list) 761 762 // Build up a list of local cidrs that are found in the remote set 763 for _, s := range localCidrSet.List() { 764 if remoteCidrSet.Contains(s) { 765 matchingCidrs = append(matchingCidrs, s.(string)) 766 } 767 } 768 769 // match prefix lists by converting both to sets, and using Set methods 770 var localPrefixLists []interface{} 771 if lpRaw != nil { 772 localPrefixLists = lpRaw.([]interface{}) 773 } 774 localPrefixListsSet := schema.NewSet(schema.HashString, localPrefixLists) 775 776 // remote prefix lists are presented as a slice of strings, so we need to 777 // reformat them into a slice of interfaces to be used in creating the 778 // remote prefix list set 779 var remotePrefixLists []string 780 if rpRaw != nil { 781 remotePrefixLists = rpRaw.([]string) 782 } 783 // convert remote prefix lists to a set, for easy comparison 784 list = nil 785 for _, s := range remotePrefixLists { 786 list = append(list, s) 787 } 788 remotePrefixListsSet := schema.NewSet(schema.HashString, list) 789 790 // Build up a list of local prefix lists that are found in the remote set 791 for _, s := range localPrefixListsSet.List() { 792 if remotePrefixListsSet.Contains(s) { 793 matchingPrefixLists = append(matchingPrefixLists, s.(string)) 794 } 795 } 796 797 // match SGs. Both local and remote are already sets 798 var localSGSet *schema.Set 799 if lsRaw == nil { 800 localSGSet = schema.NewSet(schema.HashString, nil) 801 } else { 802 localSGSet = lsRaw.(*schema.Set) 803 } 804 805 var remoteSGSet *schema.Set 806 if rsRaw == nil { 807 remoteSGSet = schema.NewSet(schema.HashString, nil) 808 } else { 809 remoteSGSet = rsRaw.(*schema.Set) 810 } 811 812 // Build up a list of local security groups that are found in the remote set 813 for _, s := range localSGSet.List() { 814 if remoteSGSet.Contains(s) { 815 matchingSGs = append(matchingSGs, s.(string)) 816 } 817 } 818 819 // compare equalities for matches. 820 // If we found the number of cidrs and number of sgs, we declare a 821 // match, and then remove those elements from the remote rule, so that 822 // this remote rule can still be considered by other local rules 823 if numExpectedCidrs == len(matchingCidrs) { 824 if numExpectedPrefixLists == len(matchingPrefixLists) { 825 if numExpectedSGs == len(matchingSGs) { 826 // confirm that self references match 827 var lSelf bool 828 var rSelf bool 829 if _, ok := l["self"]; ok { 830 lSelf = l["self"].(bool) 831 } 832 if _, ok := r["self"]; ok { 833 rSelf = r["self"].(bool) 834 } 835 if rSelf == lSelf { 836 delete(r, "self") 837 // pop local cidrs from remote 838 diffCidr := remoteCidrSet.Difference(localCidrSet) 839 var newCidr []string 840 for _, cRaw := range diffCidr.List() { 841 newCidr = append(newCidr, cRaw.(string)) 842 } 843 844 // reassigning 845 if len(newCidr) > 0 { 846 r["cidr_blocks"] = newCidr 847 } else { 848 delete(r, "cidr_blocks") 849 } 850 851 // pop local prefix lists from remote 852 diffPrefixLists := remotePrefixListsSet.Difference(localPrefixListsSet) 853 var newPrefixLists []string 854 for _, pRaw := range diffPrefixLists.List() { 855 newPrefixLists = append(newPrefixLists, pRaw.(string)) 856 } 857 858 // reassigning 859 if len(newPrefixLists) > 0 { 860 r["prefix_list_ids"] = newPrefixLists 861 } else { 862 delete(r, "prefix_list_ids") 863 } 864 865 // pop local sgs from remote 866 diffSGs := remoteSGSet.Difference(localSGSet) 867 if len(diffSGs.List()) > 0 { 868 r["security_groups"] = diffSGs 869 } else { 870 delete(r, "security_groups") 871 } 872 873 saves = append(saves, l) 874 } 875 } 876 } 877 } 878 } 879 } 880 } 881 882 // Here we catch any remote rules that have not been stripped of all self, 883 // cidrs, and security groups. We'll add remote rules here that have not been 884 // matched locally, and let the graph sort things out. This will happen when 885 // rules are added externally to Terraform 886 for _, r := range remote { 887 var lenCidr, lenPrefixLists, lenSGs int 888 if rCidrs, ok := r["cidr_blocks"]; ok { 889 lenCidr = len(rCidrs.([]string)) 890 } 891 if rPrefixLists, ok := r["prefix_list_ids"]; ok { 892 lenPrefixLists = len(rPrefixLists.([]string)) 893 } 894 if rawSGs, ok := r["security_groups"]; ok { 895 lenSGs = len(rawSGs.(*schema.Set).List()) 896 } 897 898 if _, ok := r["self"]; ok { 899 if r["self"].(bool) == true { 900 lenSGs++ 901 } 902 } 903 904 if lenSGs+lenCidr+lenPrefixLists > 0 { 905 log.Printf("[DEBUG] Found a remote Rule that wasn't empty: (%#v)", r) 906 saves = append(saves, r) 907 } 908 } 909 910 return saves 911 } 912 913 // Creates a unique hash for the type, ports, and protocol, used as a key in 914 // maps 915 func idHash(rType, protocol string, toPort, fromPort int64, self bool) string { 916 var buf bytes.Buffer 917 buf.WriteString(fmt.Sprintf("%s-", rType)) 918 buf.WriteString(fmt.Sprintf("%d-", toPort)) 919 buf.WriteString(fmt.Sprintf("%d-", fromPort)) 920 buf.WriteString(fmt.Sprintf("%s-", strings.ToLower(protocol))) 921 buf.WriteString(fmt.Sprintf("%t-", self)) 922 923 return fmt.Sprintf("rule-%d", hashcode.String(buf.String())) 924 } 925 926 // protocolStateFunc ensures we only store a string in any protocol field 927 func protocolStateFunc(v interface{}) string { 928 switch v.(type) { 929 case string: 930 p := protocolForValue(v.(string)) 931 return p 932 default: 933 log.Printf("[WARN] Non String value given for Protocol: %#v", v) 934 return "" 935 } 936 } 937 938 // protocolForValue converts a valid Internet Protocol number into it's name 939 // representation. If a name is given, it validates that it's a proper protocol 940 // name. Names/numbers are as defined at 941 // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml 942 func protocolForValue(v string) string { 943 // special case -1 944 protocol := strings.ToLower(v) 945 if protocol == "-1" || protocol == "all" { 946 return "-1" 947 } 948 // if it's a name like tcp, return that 949 if _, ok := protocolIntegers()[protocol]; ok { 950 return protocol 951 } 952 // convert to int, look for that value 953 p, err := strconv.Atoi(protocol) 954 if err != nil { 955 // we were unable to convert to int, suggesting a string name, but it wasn't 956 // found above 957 log.Printf("[WARN] Unable to determine valid protocol: %s", err) 958 return protocol 959 } 960 961 for k, v := range protocolIntegers() { 962 if p == v { 963 // guard against protocolIntegers sometime in the future not having lower 964 // case ids in the map 965 return strings.ToLower(k) 966 } 967 } 968 969 // fall through 970 log.Printf("[WARN] Unable to determine valid protocol: no matching protocols found") 971 return protocol 972 }