
     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/service/ec2"
     9  	"github.com/hashicorp/terraform/helper/resource"
    10  	"github.com/hashicorp/terraform/terraform"
    11  )
    12  
// defaultEgressAcl and defaultIngressAcl describe the two permissive
// allow-everything entries (every protocol, 0.0.0.0/0, rule number 100) that
// testAccAWSDefaultNetworkConfig_basicDefaultRules re-declares on the adopted
// default ACL. Tests hand them to testAccCheckAWSDefaultACLAttributes as the
// rules a configuration is expected to have kept. Only defaultEgressAcl is
// referenced in this file; defaultIngressAcl is kept for symmetry.
var (
	defaultEgressAcl = &ec2.NetworkAclEntry{
		CidrBlock:  aws.String("0.0.0.0/0"),
		Egress:     aws.Bool(true),
		Protocol:   aws.String("-1"),
		RuleAction: aws.String("allow"),
		RuleNumber: aws.Int64(100),
	}

	defaultIngressAcl = &ec2.NetworkAclEntry{
		CidrBlock:  aws.String("0.0.0.0/0"),
		Egress:     aws.Bool(false),
		Protocol:   aws.String("-1"),
		RuleAction: aws.String("allow"),
		RuleNumber: aws.Int64(100),
	}
)
    27  
// TestAccAWSDefaultNetworkAcl_basic adopts a fresh VPC's default network ACL
// with no ingress or egress blocks and verifies that the live ACL carries no
// rules beyond the two AWS-managed ones and no subnet associations. With no
// allow rules declared, only the hidden AWS entries remain, so this is the
// most restrictive shape the resource can take.
func TestAccAWSDefaultNetworkAcl_basic(t *testing.T) {
	var acl ec2.NetworkAcl

	// nil is equivalent to an empty slice for the expected-rule count.
	steps := []resource.TestStep{
		{
			Config: testAccAWSDefaultNetworkConfig_basic,
			Check: resource.ComposeTestCheckFunc(
				testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &acl),
				testAccCheckAWSDefaultACLAttributes(&acl, nil, 0),
			),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps:        steps,
	})
}
    46  
// TestAccAWSDefaultNetworkAcl_deny_ingress configures the default ACL with a
// single allow-all egress rule and no ingress rules at all. The live ACL is
// then expected to hold three entries: the two AWS-managed ones plus that
// egress rule, which is passed to the attribute check as defaultEgressAcl.
// No subnets are attached in this configuration.
func TestAccAWSDefaultNetworkAcl_deny_ingress(t *testing.T) {
	var acl ec2.NetworkAcl

	// Only the egress allow should survive; ingress is left to the AWS rules.
	expectedRules := []*ec2.NetworkAclEntry{defaultEgressAcl}

	steps := []resource.TestStep{
		{
			Config: testAccAWSDefaultNetworkConfig_deny_ingress,
			Check: resource.ComposeTestCheckFunc(
				testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &acl),
				testAccCheckAWSDefaultACLAttributes(&acl, expectedRules, 0),
			),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps:        steps,
	})
}
    68  
// TestAccAWSDefaultNetworkAcl_SubnetRemoval attaches two subnets to the
// default ACL and then drops subnet_ids from the configuration without
// giving the subnets any other ACL. The subnets therefore remain associated
// with the default ACL and Terraform reports drift, so the second step keeps
// asserting two associations and tolerates a non-empty plan.
func TestAccAWSDefaultNetworkAcl_SubnetRemoval(t *testing.T) {
	var acl ec2.NetworkAcl

	// The read check is stateless apart from writing into acl, so one closure
	// serves both steps.
	readACL := testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &acl)

	steps := []resource.TestStep{
		{
			Config: testAccAWSDefaultNetworkConfig_Subnets,
			Check: resource.ComposeTestCheckFunc(
				readACL,
				testAccCheckAWSDefaultACLAttributes(&acl, nil, 2),
			),
		},
		{
			// subnet_ids is gone from the config, but nothing reassigned the
			// subnets, so they are still on the default ACL and the plan is
			// not empty.
			Config: testAccAWSDefaultNetworkConfig_Subnets_remove,
			Check: resource.ComposeTestCheckFunc(
				readACL,
				testAccCheckAWSDefaultACLAttributes(&acl, nil, 2),
			),
			ExpectNonEmptyPlan: true,
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps:        steps,
	})
}
    99  
// TestAccAWSDefaultNetworkAcl_SubnetReassign attaches two subnets to the
// default ACL and then moves them to a separate aws_network_acl. After the
// move the default ACL must read back with zero associations.
//
// Ordering matters in the second step. Nothing ties aws_network_acl.bar to
// aws_default_network_acl.default, so Terraform could refresh the default
// ACL before the other resource has taken the subnets over, and a READ at
// that moment would still see two associations and yield a non-empty plan.
// The _Subnets_move configuration adds a depends_on from the default ACL to
// aws_network_acl.bar purely so the reassignment is guaranteed to land first.
func TestAccAWSDefaultNetworkAcl_SubnetReassign(t *testing.T) {
	var acl ec2.NetworkAcl

	readACL := testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &acl)

	steps := []resource.TestStep{
		{
			Config: testAccAWSDefaultNetworkConfig_Subnets,
			Check: resource.ComposeTestCheckFunc(
				readACL,
				testAccCheckAWSDefaultACLAttributes(&acl, nil, 2),
			),
		},
		{
			// Subnets now belong to aws_network_acl.bar; depends_on in the
			// config makes that update happen before this resource is read.
			Config: testAccAWSDefaultNetworkConfig_Subnets_move,
			Check: resource.ComposeTestCheckFunc(
				readACL,
				testAccCheckAWSDefaultACLAttributes(&acl, nil, 0),
			),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps:        steps,
	})
}
   138  
// testAccCheckAWSDefaultNetworkAclDestroy is the CheckDestroy hook shared by
// the tests in this file. It deliberately asserts nothing: a default network
// ACL is created and removed by AWS together with its VPC, so there is no
// independently destroyable resource whose absence could be confirmed here.
// The trade-off is that these tests never verify the test VPC (and the ACL
// with it) was actually torn down; a leaked VPC would not fail the run.
func testAccCheckAWSDefaultNetworkAclDestroy(s *terraform.State) error {
	// We can't destroy this resource; it comes and goes with the VPC itself.
	return nil
}
   143  
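// testAccCheckAWSDefaultACLAttributes returns a check that compares the ACL
// previously read into acl against what the test configuration declared.
//
// rules lists the entries the configuration is expected to have kept. AWS
// attaches two entries of its own to every network ACL that Terraform cannot
// manage (the "hidden" rules referred to below), so the ACL must carry exactly
// len(rules)+2 entries. Every entry in rules must additionally be present on
// the ACL with the same direction, rule number, protocol, action and CIDR.
// Counting alone is not enough: a configuration that drops its egress rule
// but leaves an allow-all ingress rule behind yields the same count as the
// intended "egress only" state, which is exactly what
// TestAccAWSDefaultNetworkAcl_deny_ingress needs to tell apart.
//
// subnetCount is the exact number of subnet associations the ACL must have.
// Mismatches are returned as errors so the check composes with
// resource.ComposeTestCheckFunc; the terraform.State argument is unused
// because acl has already been fetched from the API.
func testAccCheckAWSDefaultACLAttributes(acl *ec2.NetworkAcl, rules []*ec2.NetworkAclEntry, subnetCount int) resource.TestCheckFunc {
	// sameRule reports whether two entries describe the same rule. Pointer
	// fields go through the zero-value-tolerant accessors so a nil field on
	// either side compares instead of panicking.
	sameRule := func(have, want *ec2.NetworkAclEntry) bool {
		return aws.BoolValue(have.Egress) == aws.BoolValue(want.Egress) &&
			aws.Int64Value(have.RuleNumber) == aws.Int64Value(want.RuleNumber) &&
			aws.StringValue(have.Protocol) == aws.StringValue(want.Protocol) &&
			aws.StringValue(have.RuleAction) == aws.StringValue(want.RuleAction) &&
			aws.StringValue(have.CidrBlock) == aws.StringValue(want.CidrBlock)
	}

	return func(s *terraform.State) error {
		// Default ACL has 2 hidden rules we can't do anything about
		ruleCount := len(rules) + 2
		aclEntriesCount := len(acl.Entries)

		if ruleCount != aclEntriesCount {
			return fmt.Errorf("Expected (%d) Rules, got (%d)", ruleCount, aclEntriesCount)
		}

		// The count only proves nothing extra is attached; confirm that the
		// entries present are the ones the configuration asked for.
		for _, want := range rules {
			if want == nil {
				continue
			}
			found := false
			for _, have := range acl.Entries {
				if have != nil && sameRule(have, want) {
					found = true
					break
				}
			}
			if !found {
				return fmt.Errorf("Expected rule not present on ACL %s: egress=%t rule_no=%d protocol=%s action=%s cidr=%s",
					aws.StringValue(acl.NetworkAclId),
					aws.BoolValue(want.Egress), aws.Int64Value(want.RuleNumber),
					aws.StringValue(want.Protocol), aws.StringValue(want.RuleAction),
					aws.StringValue(want.CidrBlock))
			}
		}

		if len(acl.Associations) != subnetCount {
			return fmt.Errorf("Expected (%d) Subnets, got (%d)", subnetCount, len(acl.Associations))
		}

		return nil
	}
}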
   164  
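// testAccGetWSDefaultNetworkAcl looks up the resource named n in the root
// module of the Terraform state, fetches the live network ACL from EC2 by
// the ID recorded there, and copies it into networkAcl for later checks.
//
// Failures are returned as errors so the func composes with
// resource.ComposeTestCheckFunc. The API result is matched on ID before it
// is accepted: DescribeNetworkAcls is asked for exactly one ID, but the
// check does not assume the first element returned is the one requested.
// (The "WS" in the name is a long-standing typo for "AWS"; it is kept
// because the tests in this file call it by this name.)
func testAccGetWSDefaultNetworkAcl(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		id := rs.Primary.ID
		if id == "" {
			return fmt.Errorf("No Network ACL is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).ec2conn
		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
			NetworkAclIds: []*string{aws.String(id)},
		})
		if err != nil {
			// Include the ID so an API failure is attributable to a resource.
			return fmt.Errorf("Error describing Network ACL %s: %s", id, err)
		}

		// aws.StringValue tolerates a nil NetworkAclId; dereferencing it
		// directly would panic on an unexpected response shape.
		for _, found := range resp.NetworkAcls {
			if found != nil && aws.StringValue(found.NetworkAclId) == id {
				*networkAcl = *found
				return nil
			}
		}

		return fmt.Errorf("Network Acls not found")
	}
}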
   192  
// testAccAWSDefaultNetworkConfig_basic creates a /16 VPC and adopts its
// default network ACL without declaring any ingress or egress rules. Used by
// TestAccAWSDefaultNetworkAcl_basic, which expects the resulting ACL to hold
// only the two AWS-managed entries.
const testAccAWSDefaultNetworkConfig_basic = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`
   210  
// testAccAWSDefaultNetworkConfig_basicDefaultRules re-declares, on the adopted
// default ACL, the permissive allow-all ingress and egress rules (rule 100,
// every protocol, 0.0.0.0/0) that defaultIngressAcl and defaultEgressAcl
// describe. Applying it leaves the default ACL as open as a freshly created
// one. No test in this file currently references this configuration.
const testAccAWSDefaultNetworkConfig_basicDefaultRules = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`
   246  
// testAccAWSDefaultNetworkConfig_deny is identical to
// testAccAWSDefaultNetworkConfig_basic: it adopts the default ACL and declares
// no rules, so despite the name nothing here expresses an explicit deny rule.
// No test in this file currently references it; if a deny-specific scenario
// is wanted, this is the constant to give rules to.
const testAccAWSDefaultNetworkConfig_deny = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`
   264  
// testAccAWSDefaultNetworkConfig_deny_ingress adopts the default ACL with a
// single allow-all egress rule and no ingress block, so inbound traffic is
// left to the AWS-managed entries only. Used by
// TestAccAWSDefaultNetworkAcl_deny_ingress, which checks the egress rule
// against defaultEgressAcl.
const testAccAWSDefaultNetworkConfig_deny_ingress = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`
   291  
// testAccAWSDefaultNetworkConfig_Subnets is the first step of the subnet
// tests: a VPC with two subnets, both attached to the adopted default ACL via
// subnet_ids. aws_network_acl.bar is created here with no rules and no
// subnets so that the _Subnets_move configuration can hand the subnets to
// it later.
const testAccAWSDefaultNetworkConfig_Subnets = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`
   337  
// testAccAWSDefaultNetworkConfig_Subnets_remove is the second step of
// TestAccAWSDefaultNetworkAcl_SubnetRemoval. It is _Subnets with subnet_ids
// dropped from the default ACL but with no other ACL claiming the subnets,
// so the associations persist on the AWS side and the test expects a
// non-empty plan.
const testAccAWSDefaultNetworkConfig_Subnets_remove = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`
   381  
// testAccAWSDefaultNetworkConfig_Subnets_move is the second step of
// TestAccAWSDefaultNetworkAcl_SubnetReassign. The two subnets are now listed
// on aws_network_acl.bar instead of the default ACL. The depends_on on the
// default ACL exists only for test determinism: it forces bar's update to be
// applied before the default ACL is read, so the read sees zero associations
// rather than racing the reassignment.
const testAccAWSDefaultNetworkConfig_Subnets_move = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  depends_on = ["aws_network_acl.bar"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`