github.com/koding/terraform@v0.6.4-0.20170608090606-5d7e0339779d/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "regexp" 7 "strings" 8 "testing" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/ec2" 13 "github.com/hashicorp/terraform/helper/acctest" 14 "github.com/hashicorp/terraform/helper/resource" 15 "github.com/hashicorp/terraform/helper/schema" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestProtocolStateFunc(t *testing.T) { 20 cases := []struct { 21 input interface{} 22 expected string 23 }{ 24 { 25 input: "tcp", 26 expected: "tcp", 27 }, 28 { 29 input: 6, 30 expected: "", 31 }, 32 { 33 input: "17", 34 expected: "udp", 35 }, 36 { 37 input: "all", 38 expected: "-1", 39 }, 40 { 41 input: "-1", 42 expected: "-1", 43 }, 44 { 45 input: -1, 46 expected: "", 47 }, 48 { 49 input: "1", 50 expected: "icmp", 51 }, 52 { 53 input: "icmp", 54 expected: "icmp", 55 }, 56 { 57 input: 1, 58 expected: "", 59 }, 60 } 61 for _, c := range cases { 62 result := protocolStateFunc(c.input) 63 if result != c.expected { 64 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 65 } 66 } 67 } 68 69 func TestProtocolForValue(t *testing.T) { 70 cases := []struct { 71 input string 72 expected string 73 }{ 74 { 75 input: "tcp", 76 expected: "tcp", 77 }, 78 { 79 input: "6", 80 expected: "tcp", 81 }, 82 { 83 input: "udp", 84 expected: "udp", 85 }, 86 { 87 input: "17", 88 expected: "udp", 89 }, 90 { 91 input: "all", 92 expected: "-1", 93 }, 94 { 95 input: "-1", 96 expected: "-1", 97 }, 98 { 99 input: "tCp", 100 expected: "tcp", 101 }, 102 { 103 input: "6", 104 expected: "tcp", 105 }, 106 { 107 input: "UDp", 108 expected: "udp", 109 }, 110 { 111 input: "17", 112 expected: "udp", 113 }, 114 { 115 input: "ALL", 116 expected: "-1", 117 }, 118 { 119 input: "icMp", 120 expected: "icmp", 121 }, 122 { 123 input: "1", 124 expected: "icmp", 125 }, 126 } 127 128 for _, c := range cases { 129 result := protocolForValue(c.input) 130 if result != c.expected { 131 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 132 } 133 } 134 } 135 136 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 137 raw := []*ec2.IpPermission{ 138 { 139 IpProtocol: aws.String("tcp"), 140 FromPort: aws.Int64(int64(1)), 141 ToPort: aws.Int64(int64(-1)), 142 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("0.0.0.0/0")}}, 143 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 144 { 145 GroupId: aws.String("sg-11111"), 146 }, 147 }, 148 }, 149 { 150 IpProtocol: aws.String("tcp"), 151 FromPort: aws.Int64(int64(80)), 152 ToPort: aws.Int64(int64(80)), 153 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 154 // VPC 155 { 156 GroupId: aws.String("sg-22222"), 157 }, 158 }, 159 }, 160 { 161 IpProtocol: aws.String("tcp"), 162 FromPort: aws.Int64(int64(443)), 163 ToPort: aws.Int64(int64(443)), 164 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 165 // Classic 166 { 167 UserId: aws.String("12345"), 168 GroupId: aws.String("sg-33333"), 169 GroupName: aws.String("ec2_classic"), 170 }, 171 { 172 UserId: aws.String("amazon-elb"), 173 GroupId: aws.String("sg-d2c979d3"), 174 GroupName: aws.String("amazon-elb-sg"), 175 }, 176 }, 177 }, 178 { 179 IpProtocol: aws.String("-1"), 180 FromPort: aws.Int64(int64(0)), 181 ToPort: aws.Int64(int64(0)), 182 PrefixListIds: []*ec2.PrefixListId{{PrefixListId: aws.String("pl-12345678")}}, 183 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 184 // VPC 185 { 186 GroupId: aws.String("sg-22222"), 187 }, 188 }, 189 }, 190 } 191 192 local := []map[string]interface{}{ 193 { 194 "protocol": "tcp", 195 "from_port": int64(1), 196 "to_port": int64(-1), 197 "cidr_blocks": []string{"0.0.0.0/0"}, 198 "self": true, 199 }, 200 { 201 "protocol": "tcp", 202 "from_port": int64(80), 203 "to_port": int64(80), 204 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 205 "sg-22222", 206 }), 207 }, 208 { 209 "protocol": "tcp", 210 "from_port": int64(443), 211 "to_port": int64(443), 212 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 213 "ec2_classic", 214 "amazon-elb/amazon-elb-sg", 215 }), 216 }, 217 { 218 "protocol": "-1", 219 "from_port": int64(0), 220 "to_port": int64(0), 221 "prefix_list_ids": []string{"pl-12345678"}, 222 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 223 "sg-22222", 224 }), 225 }, 226 } 227 228 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 229 for _, i := range out { 230 // loop and match rules, because the ordering is not guarneteed 231 for _, l := range local { 232 if i["from_port"] == l["from_port"] { 233 234 if i["to_port"] != l["to_port"] { 235 t.Fatalf("to_port does not match") 236 } 237 238 if _, ok := i["cidr_blocks"]; ok { 239 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 240 t.Fatalf("error matching cidr_blocks") 241 } 242 } 243 244 if _, ok := i["security_groups"]; ok { 245 outSet := i["security_groups"].(*schema.Set) 246 localSet := l["security_groups"].(*schema.Set) 247 248 if !outSet.Equal(localSet) { 249 t.Fatalf("Security Group sets are not equal") 250 } 251 } 252 } 253 } 254 } 255 } 256 257 func TestAccAWSSecurityGroup_basic(t *testing.T) { 258 var group ec2.SecurityGroup 259 260 resource.Test(t, resource.TestCase{ 261 PreCheck: func() { testAccPreCheck(t) }, 262 IDRefreshName: "aws_security_group.web", 263 Providers: testAccProviders, 264 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 265 Steps: []resource.TestStep{ 266 { 267 Config: testAccAWSSecurityGroupConfig, 268 Check: resource.ComposeTestCheckFunc( 269 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 270 testAccCheckAWSSecurityGroupAttributes(&group), 271 resource.TestCheckResourceAttr( 272 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 273 resource.TestCheckResourceAttr( 274 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 275 resource.TestCheckResourceAttr( 276 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 277 resource.TestCheckResourceAttr( 278 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 279 resource.TestCheckResourceAttr( 280 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 281 resource.TestCheckResourceAttr( 282 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 283 resource.TestCheckResourceAttr( 284 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_ipv6(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 resource.Test(t, resource.TestCase{ 295 PreCheck: func() { testAccPreCheck(t) }, 296 IDRefreshName: "aws_security_group.web", 297 Providers: testAccProviders, 298 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 299 Steps: []resource.TestStep{ 300 { 301 Config: testAccAWSSecurityGroupConfigIpv6, 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 304 resource.TestCheckResourceAttr( 305 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 306 resource.TestCheckResourceAttr( 307 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 308 resource.TestCheckResourceAttr( 309 "aws_security_group.web", "ingress.2293451516.protocol", "tcp"), 310 resource.TestCheckResourceAttr( 311 "aws_security_group.web", "ingress.2293451516.from_port", "80"), 312 resource.TestCheckResourceAttr( 313 "aws_security_group.web", "ingress.2293451516.to_port", "8000"), 314 resource.TestCheckResourceAttr( 315 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.#", "1"), 316 resource.TestCheckResourceAttr( 317 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.0", "::/0"), 318 ), 319 }, 320 }, 321 }) 322 } 323 324 func TestAccAWSSecurityGroup_tagsCreatedFirst(t *testing.T) { 325 var group ec2.SecurityGroup 326 327 resource.Test(t, resource.TestCase{ 328 PreCheck: func() { testAccPreCheck(t) }, 329 Providers: testAccProviders, 330 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 331 Steps: []resource.TestStep{ 332 { 333 Config: testAccAWSSecurityGroupConfigForTagsOrdering, 334 ExpectError: regexp.MustCompile("InvalidParameterValue"), 335 Check: resource.ComposeTestCheckFunc( 336 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 337 testAccCheckTags(&group.Tags, "Name", "tf-acc-test"), 338 ), 339 }, 340 }, 341 }) 342 } 343 344 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 345 var group ec2.SecurityGroup 346 347 resource.Test(t, resource.TestCase{ 348 PreCheck: func() { testAccPreCheck(t) }, 349 IDRefreshName: "aws_security_group.baz", 350 IDRefreshIgnore: []string{"name_prefix"}, 351 Providers: testAccProviders, 352 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 353 Steps: []resource.TestStep{ 354 { 355 Config: testAccAWSSecurityGroupPrefixNameConfig, 356 Check: resource.ComposeTestCheckFunc( 357 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 358 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 359 "aws_security_group.baz", "baz-"), 360 ), 361 }, 362 }, 363 }) 364 } 365 366 func TestAccAWSSecurityGroup_self(t *testing.T) { 367 var group ec2.SecurityGroup 368 369 checkSelf := func(s *terraform.State) (err error) { 370 defer func() { 371 if e := recover(); e != nil { 372 err = fmt.Errorf("bad: %#v", group) 373 } 374 }() 375 376 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 377 return fmt.Errorf("bad: %#v", group) 378 } 379 380 return nil 381 } 382 383 resource.Test(t, resource.TestCase{ 384 PreCheck: func() { testAccPreCheck(t) }, 385 IDRefreshName: "aws_security_group.web", 386 Providers: testAccProviders, 387 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 388 Steps: []resource.TestStep{ 389 { 390 Config: testAccAWSSecurityGroupConfigSelf, 391 Check: resource.ComposeTestCheckFunc( 392 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 393 resource.TestCheckResourceAttr( 394 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 395 resource.TestCheckResourceAttr( 396 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 397 resource.TestCheckResourceAttr( 398 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 399 resource.TestCheckResourceAttr( 400 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 401 resource.TestCheckResourceAttr( 402 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 403 resource.TestCheckResourceAttr( 404 "aws_security_group.web", "ingress.3971148406.self", "true"), 405 checkSelf, 406 ), 407 }, 408 }, 409 }) 410 } 411 412 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 413 var group ec2.SecurityGroup 414 415 testCheck := func(*terraform.State) error { 416 if *group.VpcId == "" { 417 return fmt.Errorf("should have vpc ID") 418 } 419 420 return nil 421 } 422 423 resource.Test(t, resource.TestCase{ 424 PreCheck: func() { testAccPreCheck(t) }, 425 IDRefreshName: "aws_security_group.web", 426 Providers: testAccProviders, 427 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 428 Steps: []resource.TestStep{ 429 { 430 Config: testAccAWSSecurityGroupConfigVpc, 431 Check: resource.ComposeTestCheckFunc( 432 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 433 testAccCheckAWSSecurityGroupAttributes(&group), 434 resource.TestCheckResourceAttr( 435 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 436 resource.TestCheckResourceAttr( 437 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 438 resource.TestCheckResourceAttr( 439 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 440 resource.TestCheckResourceAttr( 441 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 442 resource.TestCheckResourceAttr( 443 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 444 resource.TestCheckResourceAttr( 445 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 446 resource.TestCheckResourceAttr( 447 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 448 resource.TestCheckResourceAttr( 449 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 450 resource.TestCheckResourceAttr( 451 "aws_security_group.web", "egress.3629188364.from_port", "80"), 452 resource.TestCheckResourceAttr( 453 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 454 resource.TestCheckResourceAttr( 455 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 456 resource.TestCheckResourceAttr( 457 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 458 testCheck, 459 ), 460 }, 461 }, 462 }) 463 } 464 465 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 466 var group ec2.SecurityGroup 467 468 testCheck := func(*terraform.State) error { 469 if *group.VpcId == "" { 470 return fmt.Errorf("should have vpc ID") 471 } 472 473 return nil 474 } 475 476 resource.Test(t, resource.TestCase{ 477 PreCheck: func() { testAccPreCheck(t) }, 478 IDRefreshName: "aws_security_group.web", 479 Providers: testAccProviders, 480 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 481 Steps: []resource.TestStep{ 482 { 483 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 484 Check: resource.ComposeTestCheckFunc( 485 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 486 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 487 resource.TestCheckResourceAttr( 488 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 489 resource.TestCheckResourceAttr( 490 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 491 resource.TestCheckResourceAttr( 492 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 493 resource.TestCheckResourceAttr( 494 "aws_security_group.web", "ingress.956249133.from_port", "0"), 495 resource.TestCheckResourceAttr( 496 "aws_security_group.web", "ingress.956249133.to_port", "0"), 497 resource.TestCheckResourceAttr( 498 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 499 resource.TestCheckResourceAttr( 500 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 501 testCheck, 502 ), 503 }, 504 }, 505 }) 506 } 507 func TestAccAWSSecurityGroup_vpcProtoNumIngress(t *testing.T) { 508 var group ec2.SecurityGroup 509 510 testCheck := func(*terraform.State) error { 511 if *group.VpcId == "" { 512 return fmt.Errorf("should have vpc ID") 513 } 514 515 return nil 516 } 517 518 resource.Test(t, resource.TestCase{ 519 PreCheck: func() { testAccPreCheck(t) }, 520 IDRefreshName: "aws_security_group.web", 521 Providers: testAccProviders, 522 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 523 Steps: []resource.TestStep{ 524 { 525 Config: testAccAWSSecurityGroupConfigVpcProtoNumIngress, 526 Check: resource.ComposeTestCheckFunc( 527 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 528 resource.TestCheckResourceAttr( 529 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 530 resource.TestCheckResourceAttr( 531 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 532 resource.TestCheckResourceAttr( 533 "aws_security_group.web", "ingress.2449525218.protocol", "50"), 534 resource.TestCheckResourceAttr( 535 "aws_security_group.web", "ingress.2449525218.from_port", "0"), 536 resource.TestCheckResourceAttr( 537 "aws_security_group.web", "ingress.2449525218.to_port", "0"), 538 resource.TestCheckResourceAttr( 539 "aws_security_group.web", "ingress.2449525218.cidr_blocks.#", "1"), 540 resource.TestCheckResourceAttr( 541 "aws_security_group.web", "ingress.2449525218.cidr_blocks.0", "10.0.0.0/8"), 542 testCheck, 543 ), 544 }, 545 }, 546 }) 547 } 548 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 549 var group ec2.SecurityGroup 550 551 resource.Test(t, resource.TestCase{ 552 PreCheck: func() { testAccPreCheck(t) }, 553 IDRefreshName: "aws_security_group.web", 554 Providers: testAccProviders, 555 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 556 Steps: []resource.TestStep{ 557 { 558 Config: testAccAWSSecurityGroupConfigMultiIngress, 559 Check: resource.ComposeTestCheckFunc( 560 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 561 ), 562 }, 563 }, 564 }) 565 } 566 567 func TestAccAWSSecurityGroup_Change(t *testing.T) { 568 var group ec2.SecurityGroup 569 570 resource.Test(t, resource.TestCase{ 571 PreCheck: func() { testAccPreCheck(t) }, 572 IDRefreshName: "aws_security_group.web", 573 Providers: testAccProviders, 574 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 575 Steps: []resource.TestStep{ 576 { 577 Config: testAccAWSSecurityGroupConfig, 578 Check: resource.ComposeTestCheckFunc( 579 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 580 ), 581 }, 582 { 583 Config: testAccAWSSecurityGroupConfigChange, 584 Check: resource.ComposeTestCheckFunc( 585 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 586 testAccCheckAWSSecurityGroupAttributesChanged(&group), 587 ), 588 }, 589 }, 590 }) 591 } 592 593 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 594 var group ec2.SecurityGroup 595 596 resource.Test(t, resource.TestCase{ 597 PreCheck: func() { testAccPreCheck(t) }, 598 IDRefreshName: "aws_security_group.web", 599 Providers: testAccProviders, 600 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 601 Steps: []resource.TestStep{ 602 { 603 Config: testAccAWSSecurityGroupConfig_generatedName, 604 Check: resource.ComposeTestCheckFunc( 605 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 606 resource.TestCheckResourceAttr( 607 "aws_security_group.web", "description", "Managed by Terraform"), 608 func(s *terraform.State) error { 609 if group.GroupName == nil { 610 return fmt.Errorf("bad: No SG name") 611 } 612 if !strings.HasPrefix(*group.GroupName, "terraform-") { 613 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 614 } 615 return nil 616 }, 617 ), 618 }, 619 }, 620 }) 621 } 622 623 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 624 625 // VPC 626 resource.Test(t, resource.TestCase{ 627 PreCheck: func() { testAccPreCheck(t) }, 628 IDRefreshName: "aws_security_group.worker", 629 Providers: testAccProviders, 630 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 631 Steps: []resource.TestStep{ 632 { 633 Config: testAccAWSSecurityGroupConfigDefaultEgress, 634 Check: resource.ComposeTestCheckFunc( 635 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 636 ), 637 }, 638 }, 639 }) 640 } 641 642 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 643 644 // Classic 645 var group ec2.SecurityGroup 646 resource.Test(t, resource.TestCase{ 647 PreCheck: func() { testAccPreCheck(t) }, 648 IDRefreshName: "aws_security_group.web", 649 Providers: testAccProviders, 650 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 651 Steps: []resource.TestStep{ 652 { 653 Config: testAccAWSSecurityGroupConfigClassic, 654 Check: resource.ComposeTestCheckFunc( 655 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 656 ), 657 }, 658 }, 659 }) 660 } 661 662 // Testing drift detection with groups containing the same port and types 663 func TestAccAWSSecurityGroup_drift(t *testing.T) { 664 var group ec2.SecurityGroup 665 resource.Test(t, resource.TestCase{ 666 PreCheck: func() { testAccPreCheck(t) }, 667 Providers: testAccProviders, 668 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 669 Steps: []resource.TestStep{ 670 { 671 Config: testAccAWSSecurityGroupConfig_drift(), 672 Check: resource.ComposeTestCheckFunc( 673 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 674 resource.TestCheckResourceAttr( 675 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 676 resource.TestCheckResourceAttr( 677 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 678 resource.TestCheckResourceAttr( 679 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 680 resource.TestCheckResourceAttr( 681 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 682 resource.TestCheckResourceAttr( 683 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 684 resource.TestCheckResourceAttr( 685 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 686 ), 687 }, 688 }, 689 }) 690 } 691 692 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 693 var group ec2.SecurityGroup 694 695 resource.Test(t, resource.TestCase{ 696 PreCheck: func() { testAccPreCheck(t) }, 697 Providers: testAccProviders, 698 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 699 Steps: []resource.TestStep{ 700 { 701 Config: testAccAWSSecurityGroupConfig_drift_complex(), 702 Check: resource.ComposeTestCheckFunc( 703 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 704 resource.TestCheckResourceAttr( 705 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 706 resource.TestCheckResourceAttr( 707 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 708 resource.TestCheckResourceAttr( 709 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 710 resource.TestCheckResourceAttr( 711 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 712 resource.TestCheckResourceAttr( 713 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 714 resource.TestCheckResourceAttr( 715 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 716 ), 717 }, 718 }, 719 }) 720 } 721 722 func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) { 723 resource.Test(t, resource.TestCase{ 724 PreCheck: func() { testAccPreCheck(t) }, 725 Providers: testAccProviders, 726 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 727 Steps: []resource.TestStep{ 728 { 729 Config: testAccAWSSecurityGroupInvalidIngressCidr, 730 ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"), 731 }, 732 { 733 Config: testAccAWSSecurityGroupInvalidEgressCidr, 734 ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"), 735 }, 736 { 737 Config: testAccAWSSecurityGroupInvalidIPv6IngressCidr, 738 ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"), 739 }, 740 { 741 Config: testAccAWSSecurityGroupInvalidIPv6EgressCidr, 742 ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"), 743 }, 744 }, 745 }) 746 } 747 748 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 749 conn := testAccProvider.Meta().(*AWSClient).ec2conn 750 751 for _, rs := range s.RootModule().Resources { 752 if rs.Type != "aws_security_group" { 753 continue 754 } 755 756 // Retrieve our group 757 req := &ec2.DescribeSecurityGroupsInput{ 758 GroupIds: []*string{aws.String(rs.Primary.ID)}, 759 } 760 resp, err := conn.DescribeSecurityGroups(req) 761 if err == nil { 762 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 763 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 764 } 765 766 return nil 767 } 768 769 ec2err, ok := err.(awserr.Error) 770 if !ok { 771 return err 772 } 773 // Confirm error code is what we want 774 if ec2err.Code() != "InvalidGroup.NotFound" { 775 return err 776 } 777 } 778 779 return nil 780 } 781 782 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 783 resource, prefix string) resource.TestCheckFunc { 784 return func(s *terraform.State) error { 785 r, ok := s.RootModule().Resources[resource] 786 if !ok { 787 return fmt.Errorf("Resource not found") 788 } 789 name, ok := r.Primary.Attributes["name"] 790 if !ok { 791 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 792 } 793 if !strings.HasPrefix(name, prefix) { 794 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 795 } 796 return nil 797 } 798 } 799 800 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 801 return func(s *terraform.State) error { 802 rs, ok := s.RootModule().Resources[n] 803 if !ok { 804 return fmt.Errorf("Not found: %s", n) 805 } 806 807 if rs.Primary.ID == "" { 808 return fmt.Errorf("No Security Group is set") 809 } 810 811 conn := testAccProvider.Meta().(*AWSClient).ec2conn 812 req := &ec2.DescribeSecurityGroupsInput{ 813 GroupIds: []*string{aws.String(rs.Primary.ID)}, 814 } 815 resp, err := conn.DescribeSecurityGroups(req) 816 if err != nil { 817 return err 818 } 819 820 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 821 *group = *resp.SecurityGroups[0] 822 return nil 823 } 824 825 return fmt.Errorf("Security Group not found") 826 } 827 } 828 829 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 830 return func(s *terraform.State) error { 831 p := &ec2.IpPermission{ 832 FromPort: aws.Int64(80), 833 ToPort: aws.Int64(8000), 834 IpProtocol: aws.String("tcp"), 835 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 836 } 837 838 if *group.GroupName != "terraform_acceptance_test_example" { 839 return fmt.Errorf("Bad name: %s", *group.GroupName) 840 } 841 842 if *group.Description != "Used in the terraform acceptance tests" { 843 return fmt.Errorf("Bad description: %s", *group.Description) 844 } 845 846 if len(group.IpPermissions) == 0 { 847 return fmt.Errorf("No IPPerms") 848 } 849 850 // Compare our ingress 851 if !reflect.DeepEqual(group.IpPermissions[0], p) { 852 return fmt.Errorf( 853 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 854 group.IpPermissions[0], 855 p) 856 } 857 858 return nil 859 } 860 } 861 862 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 863 return func(s *terraform.State) error { 864 p := &ec2.IpPermission{ 865 IpProtocol: aws.String("-1"), 866 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 867 } 868 869 if *group.GroupName != "terraform_acceptance_test_example" { 870 return fmt.Errorf("Bad name: %s", *group.GroupName) 871 } 872 873 if *group.Description != "Used in the terraform acceptance tests" { 874 return fmt.Errorf("Bad description: %s", *group.Description) 875 } 876 877 if len(group.IpPermissions) == 0 { 878 return fmt.Errorf("No IPPerms") 879 } 880 881 // Compare our ingress 882 if !reflect.DeepEqual(group.IpPermissions[0], p) { 883 return fmt.Errorf( 884 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 885 group.IpPermissions[0], 886 p) 887 } 888 889 return nil 890 } 891 } 892 893 func TestAccAWSSecurityGroup_tags(t *testing.T) { 894 var group ec2.SecurityGroup 895 896 resource.Test(t, resource.TestCase{ 897 PreCheck: func() { testAccPreCheck(t) }, 898 Providers: testAccProviders, 899 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 900 Steps: []resource.TestStep{ 901 { 902 Config: testAccAWSSecurityGroupConfigTags, 903 Check: resource.ComposeTestCheckFunc( 904 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 905 testAccCheckTags(&group.Tags, "foo", "bar"), 906 ), 907 }, 908 909 { 910 Config: testAccAWSSecurityGroupConfigTagsUpdate, 911 Check: resource.ComposeTestCheckFunc( 912 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 913 testAccCheckTags(&group.Tags, "foo", ""), 914 testAccCheckTags(&group.Tags, "bar", "baz"), 915 testAccCheckTags(&group.Tags, "env", "Production"), 916 ), 917 }, 918 }, 919 }) 920 } 921 922 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 923 var group ec2.SecurityGroup 924 925 resource.Test(t, resource.TestCase{ 926 PreCheck: func() { testAccPreCheck(t) }, 927 Providers: testAccProviders, 928 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 929 Steps: []resource.TestStep{ 930 { 931 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 932 Check: resource.ComposeTestCheckFunc( 933 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 934 // testAccCheckAWSSecurityGroupAttributes(&group), 935 ), 936 }, 937 }, 938 }) 939 } 940 941 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 942 var group ec2.SecurityGroup 943 944 resource.Test(t, resource.TestCase{ 945 PreCheck: func() { testAccPreCheck(t) }, 946 Providers: testAccProviders, 947 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 948 Steps: []resource.TestStep{ 949 { 950 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 951 Check: resource.ComposeTestCheckFunc( 952 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 953 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 954 resource.TestCheckResourceAttr( 955 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 956 resource.TestCheckResourceAttr( 957 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 958 resource.TestCheckResourceAttr( 959 "aws_security_group.web", "ingress.#", "2"), 960 ), 961 }, 962 }, 963 }) 964 } 965 966 // This test requires an EC2 Classic region 967 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 968 var group ec2.SecurityGroup 969 970 resource.Test(t, resource.TestCase{ 971 PreCheck: func() { testAccPreCheck(t) }, 972 Providers: testAccProviders, 973 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 974 Steps: []resource.TestStep{ 975 { 976 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 977 Check: resource.ComposeTestCheckFunc( 978 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 979 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 980 resource.TestCheckResourceAttr( 981 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 982 resource.TestCheckResourceAttr( 983 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 984 resource.TestCheckResourceAttr( 985 "aws_security_group.web", "ingress.#", "2"), 986 ), 987 }, 988 }, 989 }) 990 } 991 992 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 993 var group ec2.SecurityGroup 994 995 resource.Test(t, resource.TestCase{ 996 PreCheck: func() { testAccPreCheck(t) }, 997 Providers: testAccProviders, 998 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 999 Steps: []resource.TestStep{ 1000 { 1001 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 1002 Check: resource.ComposeTestCheckFunc( 1003 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 1004 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 1005 resource.TestCheckResourceAttr( 1006 "aws_security_group.egress", "egress.#", "1"), 1007 ), 1008 }, 1009 }, 1010 }) 1011 } 1012 1013 func TestAccAWSSecurityGroup_ipv4andipv6Egress(t *testing.T) { 1014 var group ec2.SecurityGroup 1015 1016 resource.Test(t, resource.TestCase{ 1017 PreCheck: func() { testAccPreCheck(t) }, 1018 Providers: testAccProviders, 1019 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1020 Steps: []resource.TestStep{ 1021 { 1022 Config: testAccAWSSecurityGroupConfigIpv4andIpv6Egress, 1023 Check: resource.ComposeTestCheckFunc( 1024 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 1025 resource.TestCheckResourceAttr( 1026 "aws_security_group.egress", "egress.#", "2"), 1027 ), 1028 }, 1029 }, 1030 }) 1031 } 1032 1033 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 1034 return func(s *terraform.State) error { 1035 if *group.GroupName != "terraform_acceptance_test_example" { 1036 return fmt.Errorf("Bad name: %s", *group.GroupName) 1037 } 1038 1039 if *group.Description != "Used in the terraform acceptance tests" { 1040 return fmt.Errorf("Bad description: %s", *group.Description) 1041 } 1042 1043 if len(group.IpPermissions) == 0 { 1044 return fmt.Errorf("No IPPerms") 1045 } 1046 1047 if len(group.IpPermissions) != 2 { 1048 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 1049 } 1050 1051 for _, p := range group.IpPermissions { 1052 if *p.FromPort == int64(22) { 1053 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 1054 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 1055 } 1056 continue 1057 } else if *p.FromPort == int64(80) { 1058 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 1059 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 1060 } 1061 continue 1062 } 1063 return fmt.Errorf("Found a rouge rule") 1064 } 1065 1066 return nil 1067 } 1068 } 1069 1070 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 1071 return func(s *terraform.State) error { 1072 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 1073 return fmt.Errorf("Bad name: %s", *group.GroupName) 1074 } 1075 if *group.Description != "Used in the terraform acceptance tests" { 1076 return fmt.Errorf("Bad description: %s", *group.Description) 1077 } 1078 if len(group.IpPermissionsEgress) == 0 { 1079 return fmt.Errorf("No egress IPPerms") 1080 } 1081 if len(group.IpPermissionsEgress) != 1 { 1082 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 1083 } 1084 1085 p := group.IpPermissionsEgress[0] 1086 1087 if len(p.PrefixListIds) != 1 { 1088 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 1089 } 1090 1091 return nil 1092 } 1093 } 1094 1095 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 1096 return func(s *terraform.State) error { 1097 p := []*ec2.IpPermission{ 1098 { 1099 FromPort: aws.Int64(80), 1100 ToPort: aws.Int64(9000), 1101 IpProtocol: aws.String("tcp"), 1102 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 1103 }, 1104 { 1105 FromPort: aws.Int64(80), 1106 ToPort: aws.Int64(8000), 1107 IpProtocol: aws.String("tcp"), 1108 IpRanges: []*ec2.IpRange{ 1109 { 1110 CidrIp: aws.String("0.0.0.0/0"), 1111 }, 1112 { 1113 CidrIp: aws.String("10.0.0.0/8"), 1114 }, 1115 }, 1116 }, 1117 } 1118 1119 if *group.GroupName != "terraform_acceptance_test_example" { 1120 return fmt.Errorf("Bad name: %s", *group.GroupName) 1121 } 1122 1123 if *group.Description != "Used in the terraform acceptance tests" { 1124 return fmt.Errorf("Bad description: %s", *group.Description) 1125 } 1126 1127 // Compare our ingress 1128 if len(group.IpPermissions) != 2 { 1129 return fmt.Errorf( 1130 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1131 group.IpPermissions, 1132 p) 1133 } 1134 1135 if *group.IpPermissions[0].ToPort == 8000 { 1136 group.IpPermissions[1], group.IpPermissions[0] = 1137 group.IpPermissions[0], group.IpPermissions[1] 1138 } 1139 1140 if !reflect.DeepEqual(group.IpPermissions, p) { 1141 return fmt.Errorf( 1142 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1143 group.IpPermissions, 1144 p) 1145 } 1146 1147 return nil 1148 } 1149 } 1150 1151 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1152 return func(s *terraform.State) error { 1153 rs, ok := s.RootModule().Resources[n] 1154 if !ok { 1155 return fmt.Errorf("Not found: %s", n) 1156 } 1157 1158 if rs.Primary.ID == "" { 1159 return fmt.Errorf("No Security Group is set") 1160 } 1161 1162 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1163 req := &ec2.DescribeSecurityGroupsInput{ 1164 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1165 } 1166 resp, err := conn.DescribeSecurityGroups(req) 1167 if err != nil { 1168 return err 1169 } 1170 1171 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1172 group := *resp.SecurityGroups[0] 1173 1174 if len(group.IpPermissionsEgress) != 1 { 1175 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1176 } 1177 } 1178 1179 return nil 1180 } 1181 } 1182 1183 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1184 var group ec2.SecurityGroup 1185 1186 resource.Test(t, resource.TestCase{ 1187 PreCheck: func() { testAccPreCheck(t) }, 1188 Providers: testAccProviders, 1189 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1190 Steps: []resource.TestStep{ 1191 { 1192 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1193 Check: resource.ComposeTestCheckFunc( 1194 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1195 ), 1196 }, 1197 }, 1198 }) 1199 } 1200 1201 const testAccAWSSecurityGroupConfigForTagsOrdering = ` 1202 resource "aws_vpc" "foo" { 1203 cidr_block = "10.1.0.0/16" 1204 } 1205 1206 resource "aws_security_group" "web" { 1207 name = "terraform_acceptance_test_example" 1208 description = "Used in the terraform acceptance tests" 1209 vpc_id = "${aws_vpc.foo.id}" 1210 1211 ingress { 1212 protocol = "6" 1213 from_port = 80 1214 to_port = 80000 1215 cidr_blocks = ["10.0.0.0/8"] 1216 } 1217 1218 egress { 1219 protocol = "tcp" 1220 from_port = 80 1221 to_port = 8000 1222 cidr_blocks = ["10.0.0.0/8"] 1223 } 1224 1225 tags { 1226 Name = "tf-acc-test" 1227 } 1228 }` 1229 1230 const testAccAWSSecurityGroupConfigIpv6 = ` 1231 resource "aws_vpc" "foo" { 1232 cidr_block = "10.1.0.0/16" 1233 } 1234 1235 resource "aws_security_group" "web" { 1236 name = "terraform_acceptance_test_example" 1237 description = "Used in the terraform acceptance tests" 1238 vpc_id = "${aws_vpc.foo.id}" 1239 1240 ingress { 1241 protocol = "6" 1242 from_port = 80 1243 to_port = 8000 1244 ipv6_cidr_blocks = ["::/0"] 1245 } 1246 1247 egress { 1248 protocol = "tcp" 1249 from_port = 80 1250 to_port = 8000 1251 ipv6_cidr_blocks = ["::/0"] 1252 } 1253 1254 tags { 1255 Name = "tf-acc-test" 1256 } 1257 } 1258 ` 1259 1260 const testAccAWSSecurityGroupConfig = ` 1261 resource "aws_vpc" "foo" { 1262 cidr_block = "10.1.0.0/16" 1263 } 1264 1265 resource "aws_security_group" "web" { 1266 name = "terraform_acceptance_test_example" 1267 description = "Used in the terraform acceptance tests" 1268 vpc_id = "${aws_vpc.foo.id}" 1269 1270 ingress { 1271 protocol = "6" 1272 from_port = 80 1273 to_port = 8000 1274 cidr_blocks = ["10.0.0.0/8"] 1275 } 1276 1277 egress { 1278 protocol = "tcp" 1279 from_port = 80 1280 to_port = 8000 1281 cidr_blocks = ["10.0.0.0/8"] 1282 } 1283 1284 tags { 1285 Name = "tf-acc-test" 1286 } 1287 } 1288 ` 1289 1290 const testAccAWSSecurityGroupConfigChange = ` 1291 resource "aws_vpc" "foo" { 1292 cidr_block = "10.1.0.0/16" 1293 } 1294 1295 resource "aws_security_group" "web" { 1296 name = "terraform_acceptance_test_example" 1297 description = "Used in the terraform acceptance tests" 1298 vpc_id = "${aws_vpc.foo.id}" 1299 1300 ingress { 1301 protocol = "tcp" 1302 from_port = 80 1303 to_port = 9000 1304 cidr_blocks = ["10.0.0.0/8"] 1305 } 1306 1307 ingress { 1308 protocol = "tcp" 1309 from_port = 80 1310 to_port = 8000 1311 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1312 } 1313 1314 egress { 1315 protocol = "tcp" 1316 from_port = 80 1317 to_port = 8000 1318 cidr_blocks = ["10.0.0.0/8"] 1319 } 1320 } 1321 ` 1322 1323 const testAccAWSSecurityGroupConfigSelf = ` 1324 resource "aws_vpc" "foo" { 1325 cidr_block = "10.1.0.0/16" 1326 } 1327 1328 resource "aws_security_group" "web" { 1329 name = "terraform_acceptance_test_example" 1330 description = "Used in the terraform acceptance tests" 1331 vpc_id = "${aws_vpc.foo.id}" 1332 1333 ingress { 1334 protocol = "tcp" 1335 from_port = 80 1336 to_port = 8000 1337 self = true 1338 } 1339 1340 egress { 1341 protocol = "tcp" 1342 from_port = 80 1343 to_port = 8000 1344 cidr_blocks = ["10.0.0.0/8"] 1345 } 1346 } 1347 ` 1348 1349 const testAccAWSSecurityGroupConfigVpc = ` 1350 resource "aws_vpc" "foo" { 1351 cidr_block = "10.1.0.0/16" 1352 } 1353 1354 resource "aws_security_group" "web" { 1355 name = "terraform_acceptance_test_example" 1356 description = "Used in the terraform acceptance tests" 1357 vpc_id = "${aws_vpc.foo.id}" 1358 1359 ingress { 1360 protocol = "tcp" 1361 from_port = 80 1362 to_port = 8000 1363 cidr_blocks = ["10.0.0.0/8"] 1364 } 1365 1366 egress { 1367 protocol = "tcp" 1368 from_port = 80 1369 to_port = 8000 1370 cidr_blocks = ["10.0.0.0/8"] 1371 } 1372 } 1373 ` 1374 1375 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1376 resource "aws_vpc" "foo" { 1377 cidr_block = "10.1.0.0/16" 1378 } 1379 1380 resource "aws_security_group" "web" { 1381 name = "terraform_acceptance_test_example" 1382 description = "Used in the terraform acceptance tests" 1383 vpc_id = "${aws_vpc.foo.id}" 1384 1385 ingress { 1386 protocol = "-1" 1387 from_port = 0 1388 to_port = 0 1389 cidr_blocks = ["10.0.0.0/8"] 1390 } 1391 } 1392 ` 1393 1394 const testAccAWSSecurityGroupConfigVpcProtoNumIngress = ` 1395 resource "aws_vpc" "foo" { 1396 cidr_block = "10.1.0.0/16" 1397 } 1398 1399 resource "aws_security_group" "web" { 1400 name = "terraform_acceptance_test_example" 1401 description = "Used in the terraform acceptance tests" 1402 vpc_id = "${aws_vpc.foo.id}" 1403 1404 ingress { 1405 protocol = "50" 1406 from_port = 0 1407 to_port = 0 1408 cidr_blocks = ["10.0.0.0/8"] 1409 } 1410 } 1411 ` 1412 1413 const testAccAWSSecurityGroupConfigMultiIngress = ` 1414 resource "aws_vpc" "foo" { 1415 cidr_block = "10.1.0.0/16" 1416 } 1417 1418 resource "aws_security_group" "worker" { 1419 name = "terraform_acceptance_test_example_1" 1420 description = "Used in the terraform acceptance tests" 1421 vpc_id = "${aws_vpc.foo.id}" 1422 1423 ingress { 1424 protocol = "tcp" 1425 from_port = 80 1426 to_port = 8000 1427 cidr_blocks = ["10.0.0.0/8"] 1428 } 1429 1430 egress { 1431 protocol = "tcp" 1432 from_port = 80 1433 to_port = 8000 1434 cidr_blocks = ["10.0.0.0/8"] 1435 } 1436 } 1437 1438 resource "aws_security_group" "web" { 1439 name = "terraform_acceptance_test_example_2" 1440 description = "Used in the terraform acceptance tests" 1441 vpc_id = "${aws_vpc.foo.id}" 1442 1443 ingress { 1444 protocol = "tcp" 1445 from_port = 22 1446 to_port = 22 1447 cidr_blocks = ["10.0.0.0/8"] 1448 } 1449 1450 ingress { 1451 protocol = "tcp" 1452 from_port = 800 1453 to_port = 800 1454 cidr_blocks = ["10.0.0.0/8"] 1455 } 1456 1457 ingress { 1458 protocol = "tcp" 1459 from_port = 80 1460 to_port = 8000 1461 security_groups = ["${aws_security_group.worker.id}"] 1462 } 1463 1464 egress { 1465 protocol = "tcp" 1466 from_port = 80 1467 to_port = 8000 1468 cidr_blocks = ["10.0.0.0/8"] 1469 } 1470 } 1471 ` 1472 1473 const testAccAWSSecurityGroupConfigTags = ` 1474 resource "aws_vpc" "foo" { 1475 cidr_block = "10.1.0.0/16" 1476 } 1477 1478 resource "aws_security_group" "foo" { 1479 name = "terraform_acceptance_test_example" 1480 description = "Used in the terraform acceptance tests" 1481 vpc_id = "${aws_vpc.foo.id}" 1482 1483 ingress { 1484 protocol = "tcp" 1485 from_port = 80 1486 to_port = 8000 1487 cidr_blocks = ["10.0.0.0/8"] 1488 } 1489 1490 egress { 1491 protocol = "tcp" 1492 from_port = 80 1493 to_port = 8000 1494 cidr_blocks = ["10.0.0.0/8"] 1495 } 1496 1497 tags { 1498 foo = "bar" 1499 } 1500 } 1501 ` 1502 1503 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1504 resource "aws_vpc" "foo" { 1505 cidr_block = "10.1.0.0/16" 1506 } 1507 1508 resource "aws_security_group" "foo" { 1509 name = "terraform_acceptance_test_example" 1510 description = "Used in the terraform acceptance tests" 1511 vpc_id = "${aws_vpc.foo.id}" 1512 1513 ingress { 1514 protocol = "tcp" 1515 from_port = 80 1516 to_port = 8000 1517 cidr_blocks = ["10.0.0.0/8"] 1518 } 1519 1520 egress { 1521 protocol = "tcp" 1522 from_port = 80 1523 to_port = 8000 1524 cidr_blocks = ["10.0.0.0/8"] 1525 } 1526 1527 tags { 1528 bar = "baz" 1529 env = "Production" 1530 } 1531 } 1532 ` 1533 1534 const testAccAWSSecurityGroupConfig_generatedName = ` 1535 resource "aws_vpc" "foo" { 1536 cidr_block = "10.1.0.0/16" 1537 } 1538 1539 resource "aws_security_group" "web" { 1540 vpc_id = "${aws_vpc.foo.id}" 1541 1542 ingress { 1543 protocol = "tcp" 1544 from_port = 80 1545 to_port = 8000 1546 cidr_blocks = ["10.0.0.0/8"] 1547 } 1548 1549 egress { 1550 protocol = "tcp" 1551 from_port = 80 1552 to_port = 8000 1553 cidr_blocks = ["10.0.0.0/8"] 1554 } 1555 1556 tags { 1557 Name = "tf-acc-test" 1558 } 1559 } 1560 ` 1561 1562 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1563 resource "aws_vpc" "tf_sg_egress_test" { 1564 cidr_block = "10.0.0.0/16" 1565 tags { 1566 Name = "tf_sg_egress_test" 1567 } 1568 } 1569 1570 resource "aws_security_group" "worker" { 1571 name = "terraform_acceptance_test_example_1" 1572 description = "Used in the terraform acceptance tests" 1573 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1574 1575 egress { 1576 protocol = "tcp" 1577 from_port = 80 1578 to_port = 8000 1579 cidr_blocks = ["10.0.0.0/8"] 1580 } 1581 } 1582 ` 1583 1584 const testAccAWSSecurityGroupConfigClassic = ` 1585 provider "aws" { 1586 region = "us-east-1" 1587 } 1588 1589 resource "aws_security_group" "web" { 1590 name = "terraform_acceptance_test_example_1" 1591 description = "Used in the terraform acceptance tests" 1592 } 1593 ` 1594 1595 const testAccAWSSecurityGroupPrefixNameConfig = ` 1596 provider "aws" { 1597 region = "us-east-1" 1598 } 1599 1600 resource "aws_security_group" "baz" { 1601 name_prefix = "baz-" 1602 description = "Used in the terraform acceptance tests" 1603 } 1604 ` 1605 1606 func testAccAWSSecurityGroupConfig_drift() string { 1607 return fmt.Sprintf(` 1608 resource "aws_security_group" "web" { 1609 name = "tf_acc_%d" 1610 description = "Used in the terraform acceptance tests" 1611 1612 ingress { 1613 protocol = "tcp" 1614 from_port = 80 1615 to_port = 8000 1616 cidr_blocks = ["10.0.0.0/8"] 1617 } 1618 1619 ingress { 1620 protocol = "tcp" 1621 from_port = 80 1622 to_port = 8000 1623 cidr_blocks = ["206.0.0.0/8"] 1624 } 1625 1626 tags { 1627 Name = "tf-acc-test" 1628 } 1629 } 1630 `, acctest.RandInt()) 1631 } 1632 1633 func testAccAWSSecurityGroupConfig_drift_complex() string { 1634 return fmt.Sprintf(` 1635 resource "aws_vpc" "foo" { 1636 cidr_block = "10.1.0.0/16" 1637 } 1638 1639 resource "aws_security_group" "otherweb" { 1640 name = "tf_acc_%d" 1641 description = "Used in the terraform acceptance tests" 1642 vpc_id = "${aws_vpc.foo.id}" 1643 } 1644 1645 resource "aws_security_group" "web" { 1646 name = "tf_acc_%d" 1647 description = "Used in the terraform acceptance tests" 1648 vpc_id = "${aws_vpc.foo.id}" 1649 1650 ingress { 1651 protocol = "tcp" 1652 from_port = 80 1653 to_port = 8000 1654 cidr_blocks = ["10.0.0.0/8"] 1655 } 1656 1657 ingress { 1658 protocol = "tcp" 1659 from_port = 80 1660 to_port = 8000 1661 cidr_blocks = ["206.0.0.0/8"] 1662 } 1663 1664 ingress { 1665 protocol = "tcp" 1666 from_port = 22 1667 to_port = 22 1668 security_groups = ["${aws_security_group.otherweb.id}"] 1669 } 1670 1671 egress { 1672 protocol = "tcp" 1673 from_port = 80 1674 to_port = 8000 1675 cidr_blocks = ["206.0.0.0/8"] 1676 } 1677 1678 egress { 1679 protocol = "tcp" 1680 from_port = 80 1681 to_port = 8000 1682 cidr_blocks = ["10.0.0.0/8"] 1683 } 1684 1685 egress { 1686 protocol = "tcp" 1687 from_port = 22 1688 to_port = 22 1689 security_groups = ["${aws_security_group.otherweb.id}"] 1690 } 1691 1692 tags { 1693 Name = "tf-acc-test" 1694 } 1695 }`, acctest.RandInt(), acctest.RandInt()) 1696 } 1697 1698 const testAccAWSSecurityGroupInvalidIngressCidr = ` 1699 resource "aws_security_group" "foo" { 1700 name = "testing-foo" 1701 description = "foo-testing" 1702 ingress { 1703 from_port = 0 1704 to_port = 0 1705 protocol = "-1" 1706 cidr_blocks = ["1.2.3.4/33"] 1707 } 1708 }` 1709 1710 const testAccAWSSecurityGroupInvalidEgressCidr = ` 1711 resource "aws_security_group" "foo" { 1712 name = "testing-foo" 1713 description = "foo-testing" 1714 egress { 1715 from_port = 0 1716 to_port = 0 1717 protocol = "-1" 1718 cidr_blocks = ["1.2.3.4/33"] 1719 } 1720 }` 1721 1722 const testAccAWSSecurityGroupInvalidIPv6IngressCidr = ` 1723 resource "aws_security_group" "foo" { 1724 name = "testing-foo" 1725 description = "foo-testing" 1726 ingress { 1727 from_port = 0 1728 to_port = 0 1729 protocol = "-1" 1730 ipv6_cidr_blocks = ["::/244"] 1731 } 1732 }` 1733 1734 const testAccAWSSecurityGroupInvalidIPv6EgressCidr = ` 1735 resource "aws_security_group" "foo" { 1736 name = "testing-foo" 1737 description = "foo-testing" 1738 egress { 1739 from_port = 0 1740 to_port = 0 1741 protocol = "-1" 1742 ipv6_cidr_blocks = ["::/244"] 1743 } 1744 }` 1745 1746 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1747 resource "aws_vpc" "foo" { 1748 cidr_block = "10.1.0.0/16" 1749 } 1750 1751 resource "aws_security_group" "two" { 1752 name = "tf-test-1" 1753 vpc_id = "${aws_vpc.foo.id}" 1754 tags { 1755 Name = "tf-test-1" 1756 } 1757 } 1758 1759 resource "aws_security_group" "one" { 1760 name = "tf-test-2" 1761 vpc_id = "${aws_vpc.foo.id}" 1762 tags { 1763 Name = "tf-test-w" 1764 } 1765 } 1766 1767 resource "aws_security_group" "three" { 1768 name = "tf-test-3" 1769 vpc_id = "${aws_vpc.foo.id}" 1770 tags { 1771 Name = "tf-test-3" 1772 } 1773 } 1774 1775 resource "aws_security_group" "mixed" { 1776 name = "tf-mix-test" 1777 vpc_id = "${aws_vpc.foo.id}" 1778 1779 ingress { 1780 from_port = 80 1781 to_port = 80 1782 protocol = "tcp" 1783 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1784 1785 security_groups = [ 1786 "${aws_security_group.one.id}", 1787 "${aws_security_group.two.id}", 1788 "${aws_security_group.three.id}", 1789 ] 1790 } 1791 1792 tags { 1793 Name = "tf-mix-test" 1794 } 1795 } 1796 ` 1797 1798 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1799 resource "aws_vpc" "foo" { 1800 cidr_block = "10.1.0.0/16" 1801 } 1802 1803 resource "aws_security_group" "other_web" { 1804 name = "tf_other_acc_tests" 1805 description = "Used in the terraform acceptance tests" 1806 vpc_id = "${aws_vpc.foo.id}" 1807 1808 tags { 1809 Name = "tf-acc-test" 1810 } 1811 } 1812 1813 resource "aws_security_group" "web" { 1814 name = "terraform_acceptance_test_example" 1815 description = "Used in the terraform acceptance tests" 1816 vpc_id = "${aws_vpc.foo.id}" 1817 1818 ingress { 1819 protocol = "tcp" 1820 from_port = "22" 1821 to_port = "22" 1822 1823 cidr_blocks = [ 1824 "192.168.0.1/32", 1825 ] 1826 } 1827 1828 ingress { 1829 protocol = "tcp" 1830 from_port = 80 1831 to_port = 8000 1832 cidr_blocks = ["10.0.0.0/8"] 1833 security_groups = ["${aws_security_group.other_web.id}"] 1834 } 1835 1836 egress { 1837 protocol = "tcp" 1838 from_port = 80 1839 to_port = 8000 1840 cidr_blocks = ["10.0.0.0/8"] 1841 } 1842 1843 tags { 1844 Name = "tf-acc-test" 1845 } 1846 } 1847 ` 1848 1849 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1850 provider "aws" { 1851 region = "us-east-1" 1852 } 1853 1854 resource "aws_security_group" "other_web" { 1855 name = "tf_other_acc_tests" 1856 description = "Used in the terraform acceptance tests" 1857 1858 tags { 1859 Name = "tf-acc-test" 1860 } 1861 } 1862 1863 resource "aws_security_group" "web" { 1864 name = "terraform_acceptance_test_example" 1865 description = "Used in the terraform acceptance tests" 1866 1867 ingress { 1868 protocol = "tcp" 1869 from_port = "22" 1870 to_port = "22" 1871 1872 cidr_blocks = [ 1873 "192.168.0.1/32", 1874 ] 1875 } 1876 1877 ingress { 1878 protocol = "tcp" 1879 from_port = 80 1880 to_port = 8000 1881 cidr_blocks = ["10.0.0.0/8"] 1882 security_groups = ["${aws_security_group.other_web.name}"] 1883 } 1884 1885 tags { 1886 Name = "tf-acc-test" 1887 } 1888 } 1889 ` 1890 1891 // fails to apply in one pass with the error "diffs didn't match during apply" 1892 // GH-2027 1893 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1894 resource "aws_vpc" "main" { 1895 cidr_block = "10.0.0.0/16" 1896 1897 tags { 1898 Name = "tf-test" 1899 } 1900 } 1901 1902 resource "aws_security_group" "ssh_base" { 1903 name = "test-ssh-base" 1904 vpc_id = "${aws_vpc.main.id}" 1905 } 1906 1907 resource "aws_security_group" "jump" { 1908 name = "test-jump" 1909 vpc_id = "${aws_vpc.main.id}" 1910 } 1911 1912 resource "aws_security_group" "provision" { 1913 name = "test-provision" 1914 vpc_id = "${aws_vpc.main.id}" 1915 } 1916 1917 resource "aws_security_group" "nat" { 1918 vpc_id = "${aws_vpc.main.id}" 1919 name = "nat" 1920 description = "For nat servers " 1921 1922 ingress { 1923 from_port = 22 1924 to_port = 22 1925 protocol = "tcp" 1926 security_groups = ["${aws_security_group.jump.id}"] 1927 } 1928 1929 ingress { 1930 from_port = 22 1931 to_port = 22 1932 protocol = "tcp" 1933 security_groups = ["${aws_security_group.provision.id}"] 1934 } 1935 } 1936 ` 1937 const testAccAWSSecurityGroupConfig_importSelf = ` 1938 resource "aws_vpc" "foo" { 1939 cidr_block = "10.1.0.0/16" 1940 1941 tags { 1942 Name = "tf_sg_import_test" 1943 } 1944 } 1945 1946 resource "aws_security_group" "allow_all" { 1947 name = "allow_all" 1948 description = "Allow all inbound traffic" 1949 vpc_id = "${aws_vpc.foo.id}" 1950 } 1951 1952 resource "aws_security_group_rule" "allow_all" { 1953 type = "ingress" 1954 from_port = 0 1955 to_port = 65535 1956 protocol = "tcp" 1957 cidr_blocks = ["0.0.0.0/0"] 1958 1959 security_group_id = "${aws_security_group.allow_all.id}" 1960 } 1961 1962 resource "aws_security_group_rule" "allow_all-1" { 1963 type = "ingress" 1964 from_port = 65534 1965 to_port = 65535 1966 protocol = "tcp" 1967 1968 self = true 1969 security_group_id = "${aws_security_group.allow_all.id}" 1970 } 1971 ` 1972 1973 const testAccAWSSecurityGroupConfig_importSourceSecurityGroup = ` 1974 resource "aws_vpc" "foo" { 1975 cidr_block = "10.1.0.0/16" 1976 1977 tags { 1978 Name = "tf_sg_import_test" 1979 } 1980 } 1981 1982 resource "aws_security_group" "test_group_1" { 1983 name = "test group 1" 1984 vpc_id = "${aws_vpc.foo.id}" 1985 } 1986 1987 resource "aws_security_group" "test_group_2" { 1988 name = "test group 2" 1989 vpc_id = "${aws_vpc.foo.id}" 1990 } 1991 1992 resource "aws_security_group" "test_group_3" { 1993 name = "test group 3" 1994 vpc_id = "${aws_vpc.foo.id}" 1995 } 1996 1997 resource "aws_security_group_rule" "allow_test_group_2" { 1998 type = "ingress" 1999 from_port = 0 2000 to_port = 0 2001 protocol = "tcp" 2002 2003 source_security_group_id = "${aws_security_group.test_group_1.id}" 2004 security_group_id = "${aws_security_group.test_group_2.id}" 2005 } 2006 2007 resource "aws_security_group_rule" "allow_test_group_3" { 2008 type = "ingress" 2009 from_port = 0 2010 to_port = 0 2011 protocol = "tcp" 2012 2013 source_security_group_id = "${aws_security_group.test_group_1.id}" 2014 security_group_id = "${aws_security_group.test_group_3.id}" 2015 } 2016 ` 2017 2018 const testAccAWSSecurityGroupConfig_importIPRangeAndSecurityGroupWithSameRules = ` 2019 resource "aws_vpc" "foo" { 2020 cidr_block = "10.1.0.0/16" 2021 2022 tags { 2023 Name = "tf_sg_import_test" 2024 } 2025 } 2026 2027 resource "aws_security_group" "test_group_1" { 2028 name = "test group 1" 2029 vpc_id = "${aws_vpc.foo.id}" 2030 } 2031 2032 resource "aws_security_group" "test_group_2" { 2033 name = "test group 2" 2034 vpc_id = "${aws_vpc.foo.id}" 2035 } 2036 2037 resource "aws_security_group_rule" "allow_security_group" { 2038 type = "ingress" 2039 from_port = 0 2040 to_port = 0 2041 protocol = "tcp" 2042 2043 source_security_group_id = "${aws_security_group.test_group_2.id}" 2044 security_group_id = "${aws_security_group.test_group_1.id}" 2045 } 2046 2047 resource "aws_security_group_rule" "allow_cidr_block" { 2048 type = "ingress" 2049 from_port = 0 2050 to_port = 0 2051 protocol = "tcp" 2052 2053 cidr_blocks = ["10.0.0.0/32"] 2054 security_group_id = "${aws_security_group.test_group_1.id}" 2055 } 2056 2057 resource "aws_security_group_rule" "allow_ipv6_cidr_block" { 2058 type = "ingress" 2059 from_port = 0 2060 to_port = 0 2061 protocol = "tcp" 2062 2063 ipv6_cidr_blocks = ["::/0"] 2064 security_group_id = "${aws_security_group.test_group_1.id}" 2065 } 2066 ` 2067 2068 const testAccAWSSecurityGroupConfig_importIPRangesWithSameRules = ` 2069 resource "aws_vpc" "foo" { 2070 cidr_block = "10.1.0.0/16" 2071 2072 tags { 2073 Name = "tf_sg_import_test" 2074 } 2075 } 2076 2077 resource "aws_security_group" "test_group_1" { 2078 name = "test group 1" 2079 vpc_id = "${aws_vpc.foo.id}" 2080 } 2081 2082 resource "aws_security_group_rule" "allow_cidr_block" { 2083 type = "ingress" 2084 from_port = 0 2085 to_port = 0 2086 protocol = "tcp" 2087 2088 cidr_blocks = ["10.0.0.0/32"] 2089 security_group_id = "${aws_security_group.test_group_1.id}" 2090 } 2091 2092 resource "aws_security_group_rule" "allow_ipv6_cidr_block" { 2093 type = "ingress" 2094 from_port = 0 2095 to_port = 0 2096 protocol = "tcp" 2097 2098 ipv6_cidr_blocks = ["::/0"] 2099 security_group_id = "${aws_security_group.test_group_1.id}" 2100 } 2101 ` 2102 2103 const testAccAWSSecurityGroupConfigIpv4andIpv6Egress = ` 2104 resource "aws_vpc" "foo" { 2105 cidr_block = "10.1.0.0/16" 2106 assign_generated_ipv6_cidr_block = true 2107 tags { 2108 Name = "tf_sg_ipv4_and_ipv6_acc_test" 2109 } 2110 } 2111 2112 resource "aws_security_group" "egress" { 2113 name = "terraform_acceptance_test_example" 2114 description = "Used in the terraform acceptance tests" 2115 vpc_id = "${aws_vpc.foo.id}" 2116 ingress { 2117 from_port = 22 2118 to_port = 22 2119 protocol = "6" 2120 cidr_blocks = ["0.0.0.0/0"] 2121 } 2122 egress { 2123 from_port = 0 2124 to_port = 0 2125 protocol = "-1" 2126 cidr_blocks = ["0.0.0.0/0"] 2127 } 2128 egress { 2129 from_port = 0 2130 to_port = 0 2131 protocol = "-1" 2132 ipv6_cidr_blocks = ["::/0"] 2133 } 2134 } 2135 ` 2136 2137 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 2138 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 2139 cidr_block = "10.0.0.0/16" 2140 tags { 2141 Name = "tf_sg_prefix_list_egress_test" 2142 } 2143 } 2144 2145 resource "aws_route_table" "default" { 2146 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2147 } 2148 2149 resource "aws_vpc_endpoint" "s3-us-west-2" { 2150 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2151 service_name = "com.amazonaws.us-west-2.s3" 2152 route_table_ids = ["${aws_route_table.default.id}"] 2153 policy = <<POLICY 2154 { 2155 "Version": "2012-10-17", 2156 "Statement": [ 2157 { 2158 "Sid":"AllowAll", 2159 "Effect":"Allow", 2160 "Principal":"*", 2161 "Action":"*", 2162 "Resource":"*" 2163 } 2164 ] 2165 } 2166 POLICY 2167 } 2168 2169 resource "aws_security_group" "egress" { 2170 name = "terraform_acceptance_test_prefix_list_egress" 2171 description = "Used in the terraform acceptance tests" 2172 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2173 2174 egress { 2175 protocol = "-1" 2176 from_port = 0 2177 to_port = 0 2178 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 2179 } 2180 } 2181 `