github.com/markdia/terraform@v0.5.1-0.20150508012022-f1ae920aa970/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/awslabs/aws-sdk-go/aws" 8 "github.com/awslabs/aws-sdk-go/service/ec2" 9 "github.com/hashicorp/terraform/helper/resource" 10 "github.com/hashicorp/terraform/terraform" 11 ) 12 13 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 14 var networkAcl ec2.NetworkACL 15 16 resource.Test(t, resource.TestCase{ 17 PreCheck: func() { testAccPreCheck(t) }, 18 Providers: testAccProviders, 19 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 20 Steps: []resource.TestStep{ 21 resource.TestStep{ 22 Config: testAccAWSNetworkAclEgressNIngressConfig, 23 Check: resource.ComposeTestCheckFunc( 24 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 25 resource.TestCheckResourceAttr( 26 "aws_network_acl.bar", "ingress.1216169466.protocol", "6"), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.1216169466.rule_no", "1"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.1216169466.from_port", "80"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.1216169466.to_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.1216169466.action", "allow"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.1216169466.cidr_block", "10.3.0.0/18"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "egress.2634340476.protocol", "6"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.2634340476.rule_no", "2"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.2634340476.from_port", "443"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.2634340476.to_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.2634340476.cidr_block", "10.3.0.0/18"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.2634340476.action", "allow"), 49 ), 50 }, 51 }, 52 }) 53 } 54 55 func TestAccAWSNetworkAcl_OnlyIngressRules(t *testing.T) { 56 var networkAcl ec2.NetworkACL 57 58 resource.Test(t, resource.TestCase{ 59 PreCheck: func() { testAccPreCheck(t) }, 60 Providers: testAccProviders, 61 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 62 Steps: []resource.TestStep{ 63 resource.TestStep{ 64 Config: testAccAWSNetworkAclIngressConfig, 65 Check: resource.ComposeTestCheckFunc( 66 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 67 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 68 resource.TestCheckResourceAttr( 69 "aws_network_acl.foos", "ingress.3264550475.protocol", "6"), 70 resource.TestCheckResourceAttr( 71 "aws_network_acl.foos", "ingress.3264550475.rule_no", "2"), 72 resource.TestCheckResourceAttr( 73 "aws_network_acl.foos", "ingress.3264550475.from_port", "443"), 74 resource.TestCheckResourceAttr( 75 "aws_network_acl.foos", "ingress.3264550475.to_port", "443"), 76 resource.TestCheckResourceAttr( 77 "aws_network_acl.foos", "ingress.3264550475.action", "deny"), 78 resource.TestCheckResourceAttr( 79 "aws_network_acl.foos", "ingress.3264550475.cidr_block", "10.2.0.0/18"), 80 ), 81 }, 82 }, 83 }) 84 } 85 86 func TestAccAWSNetworkAcl_OnlyIngressRulesChange(t *testing.T) { 87 var networkAcl ec2.NetworkACL 88 89 resource.Test(t, resource.TestCase{ 90 PreCheck: func() { testAccPreCheck(t) }, 91 Providers: testAccProviders, 92 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 93 Steps: []resource.TestStep{ 94 resource.TestStep{ 95 Config: testAccAWSNetworkAclIngressConfig, 96 Check: resource.ComposeTestCheckFunc( 97 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 98 testIngressRuleLength(&networkAcl, 2), 99 resource.TestCheckResourceAttr( 100 "aws_network_acl.foos", "ingress.2824900805.protocol", "6"), 101 resource.TestCheckResourceAttr( 102 "aws_network_acl.foos", "ingress.2824900805.rule_no", "1"), 103 resource.TestCheckResourceAttr( 104 "aws_network_acl.foos", "ingress.2824900805.from_port", "0"), 105 resource.TestCheckResourceAttr( 106 "aws_network_acl.foos", "ingress.2824900805.to_port", "22"), 107 resource.TestCheckResourceAttr( 108 "aws_network_acl.foos", "ingress.2824900805.action", "deny"), 109 resource.TestCheckResourceAttr( 110 "aws_network_acl.foos", "ingress.2824900805.cidr_block", "10.2.0.0/18"), 111 resource.TestCheckResourceAttr( 112 "aws_network_acl.foos", "ingress.3264550475.from_port", "443"), 113 resource.TestCheckResourceAttr( 114 "aws_network_acl.foos", "ingress.3264550475.rule_no", "2"), 115 ), 116 }, 117 resource.TestStep{ 118 Config: testAccAWSNetworkAclIngressConfigChange, 119 Check: resource.ComposeTestCheckFunc( 120 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 121 testIngressRuleLength(&networkAcl, 1), 122 resource.TestCheckResourceAttr( 123 "aws_network_acl.foos", "ingress.2824900805.protocol", "6"), 124 resource.TestCheckResourceAttr( 125 "aws_network_acl.foos", "ingress.2824900805.rule_no", "1"), 126 resource.TestCheckResourceAttr( 127 "aws_network_acl.foos", "ingress.2824900805.from_port", "0"), 128 resource.TestCheckResourceAttr( 129 "aws_network_acl.foos", "ingress.2824900805.to_port", "22"), 130 resource.TestCheckResourceAttr( 131 "aws_network_acl.foos", "ingress.2824900805.action", "deny"), 132 resource.TestCheckResourceAttr( 133 "aws_network_acl.foos", "ingress.2824900805.cidr_block", "10.2.0.0/18"), 134 ), 135 }, 136 }, 137 }) 138 } 139 140 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 141 var networkAcl ec2.NetworkACL 142 143 resource.Test(t, resource.TestCase{ 144 PreCheck: func() { testAccPreCheck(t) }, 145 Providers: testAccProviders, 146 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 147 Steps: []resource.TestStep{ 148 resource.TestStep{ 149 Config: testAccAWSNetworkAclEgressConfig, 150 Check: resource.ComposeTestCheckFunc( 151 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 152 testAccCheckTagsSDK(&networkAcl.Tags, "foo", "bar"), 153 ), 154 }, 155 }, 156 }) 157 } 158 159 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 160 161 resource.Test(t, resource.TestCase{ 162 PreCheck: func() { testAccPreCheck(t) }, 163 Providers: testAccProviders, 164 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 165 Steps: []resource.TestStep{ 166 resource.TestStep{ 167 Config: testAccAWSNetworkAclSubnetConfig, 168 Check: resource.ComposeTestCheckFunc( 169 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 170 ), 171 }, 172 resource.TestStep{ 173 Config: testAccAWSNetworkAclSubnetConfigChange, 174 Check: resource.ComposeTestCheckFunc( 175 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 176 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 177 ), 178 }, 179 }, 180 }) 181 182 } 183 184 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 185 conn := testAccProvider.Meta().(*AWSClient).ec2conn 186 187 for _, rs := range s.RootModule().Resources { 188 if rs.Type != "aws_network" { 189 continue 190 } 191 192 // Retrieve the network acl 193 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsInput{ 194 NetworkACLIDs: []*string{aws.String(rs.Primary.ID)}, 195 }) 196 if err == nil { 197 if len(resp.NetworkACLs) > 0 && *resp.NetworkACLs[0].NetworkACLID == rs.Primary.ID { 198 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 199 } 200 201 return nil 202 } 203 204 ec2err, ok := err.(aws.APIError) 205 if !ok { 206 return err 207 } 208 // Confirm error code is what we want 209 if ec2err.Code != "InvalidNetworkAclID.NotFound" { 210 return err 211 } 212 } 213 214 return nil 215 } 216 217 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkACL) resource.TestCheckFunc { 218 return func(s *terraform.State) error { 219 rs, ok := s.RootModule().Resources[n] 220 if !ok { 221 return fmt.Errorf("Not found: %s", n) 222 } 223 224 if rs.Primary.ID == "" { 225 return fmt.Errorf("No Security Group is set") 226 } 227 conn := testAccProvider.Meta().(*AWSClient).ec2conn 228 229 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsInput{ 230 NetworkACLIDs: []*string{aws.String(rs.Primary.ID)}, 231 }) 232 if err != nil { 233 return err 234 } 235 236 if len(resp.NetworkACLs) > 0 && *resp.NetworkACLs[0].NetworkACLID == rs.Primary.ID { 237 *networkAcl = *resp.NetworkACLs[0] 238 return nil 239 } 240 241 return fmt.Errorf("Network Acls not found") 242 } 243 } 244 245 func testIngressRuleLength(networkAcl *ec2.NetworkACL, length int) resource.TestCheckFunc { 246 return func(s *terraform.State) error { 247 var ingressEntries []*ec2.NetworkACLEntry 248 for _, e := range networkAcl.Entries { 249 if *e.Egress == false { 250 ingressEntries = append(ingressEntries, e) 251 } 252 } 253 // There is always a default rule (ALL Traffic ... DENY) 254 // so we have to increase the lenght by 1 255 if len(ingressEntries) != length+1 { 256 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 257 } 258 return nil 259 } 260 } 261 262 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 263 return func(s *terraform.State) error { 264 networkAcl := s.RootModule().Resources[acl] 265 subnet := s.RootModule().Resources[sub] 266 267 conn := testAccProvider.Meta().(*AWSClient).ec2conn 268 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsInput{ 269 NetworkACLIDs: []*string{aws.String(networkAcl.Primary.ID)}, 270 Filters: []*ec2.Filter{ 271 &ec2.Filter{ 272 Name: aws.String("association.subnet-id"), 273 Values: []*string{aws.String(subnet.Primary.ID)}, 274 }, 275 }, 276 }) 277 if err != nil { 278 return err 279 } 280 if len(resp.NetworkACLs) > 0 { 281 return nil 282 } 283 284 // r, _ := conn.NetworkACLs([]string{}, ec2.NewFilter()) 285 // fmt.Printf("\n\nall acls\n %#v\n\n", r.NetworkAcls) 286 // conn.NetworkAcls([]string{}, filter) 287 288 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 289 } 290 } 291 292 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 293 return func(s *terraform.State) error { 294 networkAcl := s.RootModule().Resources[acl] 295 subnet := s.RootModule().Resources[subnet] 296 297 conn := testAccProvider.Meta().(*AWSClient).ec2conn 298 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsInput{ 299 NetworkACLIDs: []*string{aws.String(networkAcl.Primary.ID)}, 300 Filters: []*ec2.Filter{ 301 &ec2.Filter{ 302 Name: aws.String("association.subnet-id"), 303 Values: []*string{aws.String(subnet.Primary.ID)}, 304 }, 305 }, 306 }) 307 308 if err != nil { 309 return err 310 } 311 if len(resp.NetworkACLs) > 0 { 312 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 313 } 314 return nil 315 } 316 } 317 318 const testAccAWSNetworkAclIngressConfig = ` 319 resource "aws_vpc" "foo" { 320 cidr_block = "10.1.0.0/16" 321 } 322 resource "aws_subnet" "blob" { 323 cidr_block = "10.1.1.0/24" 324 vpc_id = "${aws_vpc.foo.id}" 325 map_public_ip_on_launch = true 326 } 327 resource "aws_network_acl" "foos" { 328 vpc_id = "${aws_vpc.foo.id}" 329 ingress = { 330 protocol = "tcp" 331 rule_no = 1 332 action = "deny" 333 cidr_block = "10.2.0.0/18" 334 from_port = 0 335 to_port = 22 336 } 337 ingress = { 338 protocol = "tcp" 339 rule_no = 2 340 action = "deny" 341 cidr_block = "10.2.0.0/18" 342 from_port = 443 343 to_port = 443 344 } 345 subnet_id = "${aws_subnet.blob.id}" 346 } 347 ` 348 const testAccAWSNetworkAclIngressConfigChange = ` 349 resource "aws_vpc" "foo" { 350 cidr_block = "10.1.0.0/16" 351 } 352 resource "aws_subnet" "blob" { 353 cidr_block = "10.1.1.0/24" 354 vpc_id = "${aws_vpc.foo.id}" 355 map_public_ip_on_launch = true 356 } 357 resource "aws_network_acl" "foos" { 358 vpc_id = "${aws_vpc.foo.id}" 359 ingress = { 360 protocol = "tcp" 361 rule_no = 1 362 action = "deny" 363 cidr_block = "10.2.0.0/18" 364 from_port = 0 365 to_port = 22 366 } 367 subnet_id = "${aws_subnet.blob.id}" 368 } 369 ` 370 371 const testAccAWSNetworkAclEgressConfig = ` 372 resource "aws_vpc" "foo" { 373 cidr_block = "10.2.0.0/16" 374 } 375 resource "aws_subnet" "blob" { 376 cidr_block = "10.2.0.0/24" 377 vpc_id = "${aws_vpc.foo.id}" 378 map_public_ip_on_launch = true 379 } 380 resource "aws_network_acl" "bond" { 381 vpc_id = "${aws_vpc.foo.id}" 382 egress = { 383 protocol = "tcp" 384 rule_no = 2 385 action = "allow" 386 cidr_block = "10.2.0.0/18" 387 from_port = 443 388 to_port = 443 389 } 390 391 egress = { 392 protocol = "-1" 393 rule_no = 4 394 action = "allow" 395 cidr_block = "0.0.0.0/0" 396 from_port = 0 397 to_port = 0 398 } 399 400 egress = { 401 protocol = "tcp" 402 rule_no = 1 403 action = "allow" 404 cidr_block = "10.2.0.0/18" 405 from_port = 80 406 to_port = 80 407 } 408 409 egress = { 410 protocol = "tcp" 411 rule_no = 3 412 action = "allow" 413 cidr_block = "10.2.0.0/18" 414 from_port = 22 415 to_port = 22 416 } 417 418 tags { 419 foo = "bar" 420 } 421 } 422 ` 423 424 const testAccAWSNetworkAclEgressNIngressConfig = ` 425 resource "aws_vpc" "foo" { 426 cidr_block = "10.3.0.0/16" 427 } 428 resource "aws_subnet" "blob" { 429 cidr_block = "10.3.0.0/24" 430 vpc_id = "${aws_vpc.foo.id}" 431 map_public_ip_on_launch = true 432 } 433 resource "aws_network_acl" "bar" { 434 vpc_id = "${aws_vpc.foo.id}" 435 egress = { 436 protocol = "tcp" 437 rule_no = 2 438 action = "allow" 439 cidr_block = "10.3.0.0/18" 440 from_port = 443 441 to_port = 443 442 } 443 444 ingress = { 445 protocol = "tcp" 446 rule_no = 1 447 action = "allow" 448 cidr_block = "10.3.0.0/18" 449 from_port = 80 450 to_port = 80 451 } 452 } 453 ` 454 const testAccAWSNetworkAclSubnetConfig = ` 455 resource "aws_vpc" "foo" { 456 cidr_block = "10.1.0.0/16" 457 } 458 resource "aws_subnet" "old" { 459 cidr_block = "10.1.111.0/24" 460 vpc_id = "${aws_vpc.foo.id}" 461 map_public_ip_on_launch = true 462 } 463 resource "aws_subnet" "new" { 464 cidr_block = "10.1.1.0/24" 465 vpc_id = "${aws_vpc.foo.id}" 466 map_public_ip_on_launch = true 467 } 468 resource "aws_network_acl" "roll" { 469 vpc_id = "${aws_vpc.foo.id}" 470 subnet_id = "${aws_subnet.new.id}" 471 } 472 resource "aws_network_acl" "bar" { 473 vpc_id = "${aws_vpc.foo.id}" 474 subnet_id = "${aws_subnet.old.id}" 475 } 476 ` 477 478 const testAccAWSNetworkAclSubnetConfigChange = ` 479 resource "aws_vpc" "foo" { 480 cidr_block = "10.1.0.0/16" 481 } 482 resource "aws_subnet" "old" { 483 cidr_block = "10.1.111.0/24" 484 vpc_id = "${aws_vpc.foo.id}" 485 map_public_ip_on_launch = true 486 } 487 resource "aws_subnet" "new" { 488 cidr_block = "10.1.1.0/24" 489 vpc_id = "${aws_vpc.foo.id}" 490 map_public_ip_on_launch = true 491 } 492 resource "aws_network_acl" "bar" { 493 vpc_id = "${aws_vpc.foo.id}" 494 subnet_id = "${aws_subnet.new.id}" 495 } 496 `