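package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// defaultEgressAcl and defaultIngressAcl mirror the two explicit entries AWS
// places on a freshly created default network ACL: rule 100, every protocol,
// "allow", to/from 0.0.0.0/0 — i.e. the default ACL is allow-all in both
// directions until a config says otherwise. They are handed to
// testAccCheckAWSDefaultACLAttributes to describe the entries a config is
// expected to leave behind (only their count is checked there).
//
// defaultIngressAcl is not referenced by any test in this file at present.
var defaultEgressAcl = &ec2.NetworkAclEntry{
	CidrBlock:  aws.String("0.0.0.0/0"),
	Egress:     aws.Bool(true),
	Protocol:   aws.String("-1"),
	RuleAction: aws.String("allow"),
	RuleNumber: aws.Int64(100),
}
var defaultIngressAcl = &ec2.NetworkAclEntry{
	CidrBlock:  aws.String("0.0.0.0/0"),
	Egress:     aws.Bool(false),
	Protocol:   aws.String("-1"),
	RuleAction: aws.String("allow"),
	RuleNumber: aws.Int64(100),
}

// TestAccAWSDefaultNetworkAcl_basic adopts the VPC's default network ACL with
// no ingress/egress blocks. With nothing declared, only the two entries AWS
// itself keeps on every default ACL should remain, and no subnets should be
// associated.
func TestAccAWSDefaultNetworkAcl_basic(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_basic,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 0),
				),
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_deny_ingress declares only an egress block, so
// every ingress entry is removed from the default ACL while egress is kept.
// The ACL is then expected to hold 3 entries: the 2 AWS keeps on every default
// ACL plus the 1 declared egress rule. Any subnet still associated with the
// default ACL is left with no explicit inbound allow after this step.
func TestAccAWSDefaultNetworkAcl_deny_ingress(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_deny_ingress,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{defaultEgressAcl}, 0),
				),
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_SubnetRemoval first associates two subnets with
// the default ACL, then drops subnet_ids from the config without moving the
// subnets anywhere else.
func TestAccAWSDefaultNetworkAcl_SubnetRemoval(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2),
				),
			},

			// Here the Subnets have been removed from the Default Network ACL Config,
			// but have not been reassigned. A subnet can never be without an ACL, so
			// the result is that the Subnets are still there, and we have a non-empty
			// plan.
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets_remove,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2),
				),
				ExpectNonEmptyPlan: true,
			},
		},
	})
}

// TestAccAWSDefaultNetworkAcl_SubnetReassign first associates two subnets with
// the default ACL, then moves them to a separate aws_network_acl and expects
// the default ACL to end up with zero associations.
func TestAccAWSDefaultNetworkAcl_SubnetReassign(t *testing.T) {
	var networkAcl ec2.NetworkAcl

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSDefaultNetworkAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 2),
				),
			},

			// Here we've reassigned the subnets to a different ACL.
			// Without any other association between the `aws_network_acl` and
			// `aws_default_network_acl` resources, we cannot guarantee that the
			// reassignment of the two subnets to the `aws_network_acl` will happen
			// before the update/read on the `aws_default_network_acl` resource.
			// Because of this, there could be a non-empty plan if a READ is done on
			// the default before the reassignment occurs on the other resource.
			//
			// For the sake of testing, here we introduce a depends_on attribute from
			// the default resource to the other acl resource, to ensure the latter's
			// update occurs first, and the former's READ will correctly read zero
			// subnets.
			{
				Config: testAccAWSDefaultNetworkConfig_Subnets_move,
				Check: resource.ComposeTestCheckFunc(
					testAccGetWSDefaultNetworkAcl("aws_default_network_acl.default", &networkAcl),
					testAccCheckAWSDefaultACLAttributes(&networkAcl, []*ec2.NetworkAclEntry{}, 0),
				),
			},
		},
	})
}

// testAccCheckAWSDefaultNetworkAclDestroy is the CheckDestroy hook for these
// tests. It always succeeds: the default network ACL cannot be deleted on its
// own, it comes and goes with the VPC itself.
func testAccCheckAWSDefaultNetworkAclDestroy(s *terraform.State) error {
	return nil
}

// testAccCheckAWSDefaultACLAttributes returns a check that the ACL fetched by
// testAccGetWSDefaultNetworkAcl carries len(rules)+2 entries and exactly
// subnetCount subnet associations. Only the number of entries is compared;
// the rules themselves are not matched field by field, so rules is effectively
// a readable way of saying how many configured entries are expected.
func testAccCheckAWSDefaultACLAttributes(acl *ec2.NetworkAcl, rules []*ec2.NetworkAclEntry, subnetCount int) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		// Every default ACL carries two hidden entries we can't do anything
		// about (the immutable catch-all "*" deny for ingress and for egress),
		// so they are always present on top of whatever the config declares.
		expectedRules := len(rules) + 2

		if got := len(acl.Entries); got != expectedRules {
			return fmt.Errorf("Expected (%d) Rules, got (%d)", expectedRules, got)
		}

		if got := len(acl.Associations); got != subnetCount {
			return fmt.Errorf("Expected (%d) Subnets, got (%d)", subnetCount, got)
		}

		return nil
	}
}

// testAccGetWSDefaultNetworkAcl returns a check that looks up resource n in
// the root module state, describes the network ACL behind its ID and copies
// the result into networkAcl for the checks that follow. The name is missing
// the "A" of "AWS"; it is kept because the tests above call it by this name.
func testAccGetWSDefaultNetworkAcl(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No Network ACL is set")
		}
		conn := testAccProvider.Meta().(*AWSClient).ec2conn

		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
			NetworkAclIds: []*string{aws.String(rs.Primary.ID)},
		})
		if err != nil {
			return err
		}

		// SDK response fields are pointers. aws.StringValue maps a nil
		// NetworkAclId to "" instead of dereferencing it, so a malformed
		// response fails with the "not found" error below rather than
		// panicking the test binary.
		if len(resp.NetworkAcls) > 0 && resp.NetworkAcls[0] != nil &&
			aws.StringValue(resp.NetworkAcls[0].NetworkAclId) == rs.Primary.ID {
			*networkAcl = *resp.NetworkAcls[0]
			return nil
		}

		return fmt.Errorf("Network Acls not found")
	}
}

// testAccAWSDefaultNetworkConfig_basic adopts the VPC's default ACL without
// declaring any rules or subnets.
const testAccAWSDefaultNetworkConfig_basic = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_basicDefaultRules re-declares the allow-all
// ingress and egress entries AWS creates by default. It is not referenced by
// any test in this file.
const testAccAWSDefaultNetworkConfig_basicDefaultRules = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_deny is identical in content to
// testAccAWSDefaultNetworkConfig_basic and is not referenced by any test in
// this file.
const testAccAWSDefaultNetworkConfig_deny = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_deny_ingress keeps a single allow-all egress
// entry and declares no ingress, so the provider strips every ingress rule
// from the default ACL.
const testAccAWSDefaultNetworkConfig_deny_ingress = `
resource "aws_vpc" "tftestvpc" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.tftestvpc.default_network_acl_id}"

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_basic"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets associates two subnets with the
// default ACL; a separate aws_network_acl exists but has no subnets yet.
const testAccAWSDefaultNetworkConfig_Subnets = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets_remove drops subnet_ids from the
// default ACL without assigning the subnets to any other ACL.
const testAccAWSDefaultNetworkConfig_Subnets_remove = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`

// testAccAWSDefaultNetworkConfig_Subnets_move assigns both subnets to the
// aws_network_acl and orders the default ACL after it via depends_on, so the
// default ACL is read only once the subnets have actually been moved.
const testAccAWSDefaultNetworkConfig_Subnets_move = `
resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "one" {
  cidr_block = "10.1.111.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_subnet" "two" {
  cidr_block = "10.1.1.0/24"
  vpc_id     = "${aws_vpc.foo.id}"

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_network_acl" "bar" {
  vpc_id = "${aws_vpc.foo.id}"

  subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${aws_vpc.foo.default_network_acl_id}"

  depends_on = ["aws_network_acl.bar"]

  tags {
    Name = "TestAccAWSDefaultNetworkAcl_SubnetRemoval"
  }
}
`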