github.com/minamijoyo/terraform@v0.7.8-0.20161029001309-18b3736ba44b/builtin/providers/aws/resource_aws_security_group_rule_test.go (about) 1 package aws 2 3 import ( 4 "bytes" 5 "fmt" 6 "log" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/terraform" 15 ) 16 17 func TestIpPermissionIDHash(t *testing.T) { 18 simple := &ec2.IpPermission{ 19 IpProtocol: aws.String("tcp"), 20 FromPort: aws.Int64(int64(80)), 21 ToPort: aws.Int64(int64(8000)), 22 IpRanges: []*ec2.IpRange{ 23 &ec2.IpRange{ 24 CidrIp: aws.String("10.0.0.0/8"), 25 }, 26 }, 27 } 28 29 egress := &ec2.IpPermission{ 30 IpProtocol: aws.String("tcp"), 31 FromPort: aws.Int64(int64(80)), 32 ToPort: aws.Int64(int64(8000)), 33 IpRanges: []*ec2.IpRange{ 34 &ec2.IpRange{ 35 CidrIp: aws.String("10.0.0.0/8"), 36 }, 37 }, 38 } 39 40 egress_all := &ec2.IpPermission{ 41 IpProtocol: aws.String("-1"), 42 IpRanges: []*ec2.IpRange{ 43 &ec2.IpRange{ 44 CidrIp: aws.String("10.0.0.0/8"), 45 }, 46 }, 47 } 48 49 vpc_security_group_source := &ec2.IpPermission{ 50 IpProtocol: aws.String("tcp"), 51 FromPort: aws.Int64(int64(80)), 52 ToPort: aws.Int64(int64(8000)), 53 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 54 &ec2.UserIdGroupPair{ 55 UserId: aws.String("987654321"), 56 GroupId: aws.String("sg-12345678"), 57 }, 58 &ec2.UserIdGroupPair{ 59 UserId: aws.String("123456789"), 60 GroupId: aws.String("sg-987654321"), 61 }, 62 &ec2.UserIdGroupPair{ 63 UserId: aws.String("123456789"), 64 GroupId: aws.String("sg-12345678"), 65 }, 66 }, 67 } 68 69 security_group_source := &ec2.IpPermission{ 70 IpProtocol: aws.String("tcp"), 71 FromPort: aws.Int64(int64(80)), 72 ToPort: aws.Int64(int64(8000)), 73 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 74 &ec2.UserIdGroupPair{ 75 UserId: aws.String("987654321"), 76 GroupName: aws.String("my-security-group"), 77 }, 78 &ec2.UserIdGroupPair{ 79 UserId: aws.String("123456789"), 80 GroupName: aws.String("my-security-group"), 81 }, 82 &ec2.UserIdGroupPair{ 83 UserId: aws.String("123456789"), 84 GroupName: aws.String("my-other-security-group"), 85 }, 86 }, 87 } 88 89 // hardcoded hashes, to detect future change 90 cases := []struct { 91 Input *ec2.IpPermission 92 Type string 93 Output string 94 }{ 95 {simple, "ingress", "sgrule-3403497314"}, 96 {egress, "egress", "sgrule-1173186295"}, 97 {egress_all, "egress", "sgrule-766323498"}, 98 {vpc_security_group_source, "egress", "sgrule-351225364"}, 99 {security_group_source, "egress", "sgrule-2198807188"}, 100 } 101 102 for _, tc := range cases { 103 actual := ipPermissionIDHash("sg-12345", tc.Type, tc.Input) 104 if actual != tc.Output { 105 t.Errorf("input: %s - %s\noutput: %s", tc.Type, tc.Input, actual) 106 } 107 } 108 } 109 110 func TestAccAWSSecurityGroupRule_Ingress_VPC(t *testing.T) { 111 var group ec2.SecurityGroup 112 113 testRuleCount := func(*terraform.State) error { 114 if len(group.IpPermissions) != 1 { 115 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 116 1, len(group.IpPermissions)) 117 } 118 119 rule := group.IpPermissions[0] 120 if *rule.FromPort != int64(80) { 121 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 122 80, int(*rule.FromPort)) 123 } 124 125 return nil 126 } 127 128 resource.Test(t, resource.TestCase{ 129 PreCheck: func() { testAccPreCheck(t) }, 130 Providers: testAccProviders, 131 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 132 Steps: []resource.TestStep{ 133 resource.TestStep{ 134 Config: testAccAWSSecurityGroupRuleIngressConfig, 135 Check: resource.ComposeTestCheckFunc( 136 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 137 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 138 resource.TestCheckResourceAttr( 139 "aws_security_group_rule.ingress_1", "from_port", "80"), 140 testRuleCount, 141 ), 142 }, 143 }, 144 }) 145 } 146 147 func TestAccAWSSecurityGroupRule_Ingress_Protocol(t *testing.T) { 148 var group ec2.SecurityGroup 149 150 testRuleCount := func(*terraform.State) error { 151 if len(group.IpPermissions) != 1 { 152 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 153 1, len(group.IpPermissions)) 154 } 155 156 rule := group.IpPermissions[0] 157 if *rule.FromPort != int64(80) { 158 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 159 80, int(*rule.FromPort)) 160 } 161 162 return nil 163 } 164 165 resource.Test(t, resource.TestCase{ 166 PreCheck: func() { testAccPreCheck(t) }, 167 Providers: testAccProviders, 168 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 169 Steps: []resource.TestStep{ 170 resource.TestStep{ 171 Config: testAccAWSSecurityGroupRuleIngress_protocolConfig, 172 Check: resource.ComposeTestCheckFunc( 173 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 174 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 175 resource.TestCheckResourceAttr( 176 "aws_security_group_rule.ingress_1", "from_port", "80"), 177 testRuleCount, 178 ), 179 }, 180 }, 181 }) 182 } 183 184 func TestAccAWSSecurityGroupRule_Ingress_Classic(t *testing.T) { 185 var group ec2.SecurityGroup 186 187 testRuleCount := func(*terraform.State) error { 188 if len(group.IpPermissions) != 1 { 189 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 190 1, len(group.IpPermissions)) 191 } 192 193 rule := group.IpPermissions[0] 194 if *rule.FromPort != int64(80) { 195 return fmt.Errorf("Wrong Security Group port setting, expected %d, got %d", 196 80, int(*rule.FromPort)) 197 } 198 199 return nil 200 } 201 202 resource.Test(t, resource.TestCase{ 203 PreCheck: func() { testAccPreCheck(t) }, 204 Providers: testAccProviders, 205 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 206 Steps: []resource.TestStep{ 207 resource.TestStep{ 208 Config: testAccAWSSecurityGroupRuleIngressClassicConfig, 209 Check: resource.ComposeTestCheckFunc( 210 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 211 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_1", &group, nil, "ingress"), 212 resource.TestCheckResourceAttr( 213 "aws_security_group_rule.ingress_1", "from_port", "80"), 214 testRuleCount, 215 ), 216 }, 217 }, 218 }) 219 } 220 221 func TestAccAWSSecurityGroupRule_MultiIngress(t *testing.T) { 222 var group ec2.SecurityGroup 223 224 testMultiRuleCount := func(*terraform.State) error { 225 if len(group.IpPermissions) != 2 { 226 return fmt.Errorf("Wrong Security Group rule count, expected %d, got %d", 227 2, len(group.IpPermissions)) 228 } 229 230 var rule *ec2.IpPermission 231 for _, r := range group.IpPermissions { 232 if *r.FromPort == int64(80) { 233 rule = r 234 } 235 } 236 237 if *rule.ToPort != int64(8000) { 238 return fmt.Errorf("Wrong Security Group port 2 setting, expected %d, got %d", 239 8000, int(*rule.ToPort)) 240 } 241 242 return nil 243 } 244 245 resource.Test(t, resource.TestCase{ 246 PreCheck: func() { testAccPreCheck(t) }, 247 Providers: testAccProviders, 248 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 249 Steps: []resource.TestStep{ 250 resource.TestStep{ 251 Config: testAccAWSSecurityGroupRuleConfigMultiIngress, 252 Check: resource.ComposeTestCheckFunc( 253 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 254 testMultiRuleCount, 255 ), 256 }, 257 }, 258 }) 259 } 260 261 func TestAccAWSSecurityGroupRule_Egress(t *testing.T) { 262 var group ec2.SecurityGroup 263 264 resource.Test(t, resource.TestCase{ 265 PreCheck: func() { testAccPreCheck(t) }, 266 Providers: testAccProviders, 267 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 268 Steps: []resource.TestStep{ 269 resource.TestStep{ 270 Config: testAccAWSSecurityGroupRuleEgressConfig, 271 Check: resource.ComposeTestCheckFunc( 272 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 273 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_1", &group, nil, "egress"), 274 ), 275 }, 276 }, 277 }) 278 } 279 280 func TestAccAWSSecurityGroupRule_SelfReference(t *testing.T) { 281 var group ec2.SecurityGroup 282 283 resource.Test(t, resource.TestCase{ 284 PreCheck: func() { testAccPreCheck(t) }, 285 Providers: testAccProviders, 286 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 287 Steps: []resource.TestStep{ 288 resource.TestStep{ 289 Config: testAccAWSSecurityGroupRuleConfigSelfReference, 290 Check: resource.ComposeTestCheckFunc( 291 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 292 ), 293 }, 294 }, 295 }) 296 } 297 298 // testing partial match implementation 299 func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) { 300 var group ec2.SecurityGroup 301 302 p := ec2.IpPermission{ 303 FromPort: aws.Int64(80), 304 ToPort: aws.Int64(80), 305 IpProtocol: aws.String("tcp"), 306 IpRanges: []*ec2.IpRange{ 307 &ec2.IpRange{CidrIp: aws.String("10.0.2.0/24")}, 308 &ec2.IpRange{CidrIp: aws.String("10.0.3.0/24")}, 309 &ec2.IpRange{CidrIp: aws.String("10.0.4.0/24")}, 310 }, 311 } 312 313 o := ec2.IpPermission{ 314 FromPort: aws.Int64(80), 315 ToPort: aws.Int64(80), 316 IpProtocol: aws.String("tcp"), 317 IpRanges: []*ec2.IpRange{ 318 &ec2.IpRange{CidrIp: aws.String("10.0.5.0/24")}, 319 }, 320 } 321 322 resource.Test(t, resource.TestCase{ 323 PreCheck: func() { testAccPreCheck(t) }, 324 Providers: testAccProviders, 325 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 326 Steps: []resource.TestStep{ 327 resource.TestStep{ 328 Config: testAccAWSSecurityGroupRulePartialMatching, 329 Check: resource.ComposeTestCheckFunc( 330 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 331 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress", &group, &p, "ingress"), 332 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.other", &group, &o, "ingress"), 333 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.nat_ingress", &group, &o, "ingress"), 334 ), 335 }, 336 }, 337 }) 338 } 339 340 func TestAccAWSSecurityGroupRule_PartialMatching_Source(t *testing.T) { 341 var group ec2.SecurityGroup 342 var nat ec2.SecurityGroup 343 var p ec2.IpPermission 344 345 // This function creates the expected IPPermission with the group id from an 346 // external security group, needed because Security Group IDs are generated on 347 // AWS side and can't be known ahead of time. 348 setupSG := func(*terraform.State) error { 349 if nat.GroupId == nil { 350 return fmt.Errorf("Error: nat group has nil GroupID") 351 } 352 353 p = ec2.IpPermission{ 354 FromPort: aws.Int64(80), 355 ToPort: aws.Int64(80), 356 IpProtocol: aws.String("tcp"), 357 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 358 &ec2.UserIdGroupPair{GroupId: nat.GroupId}, 359 }, 360 } 361 362 return nil 363 } 364 365 resource.Test(t, resource.TestCase{ 366 PreCheck: func() { testAccPreCheck(t) }, 367 Providers: testAccProviders, 368 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 369 Steps: []resource.TestStep{ 370 resource.TestStep{ 371 Config: testAccAWSSecurityGroupRulePartialMatching_Source, 372 Check: resource.ComposeTestCheckFunc( 373 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 374 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.nat", &nat), 375 setupSG, 376 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.source_ingress", &group, &p, "ingress"), 377 ), 378 }, 379 }, 380 }) 381 } 382 383 func TestAccAWSSecurityGroupRule_Issue5310(t *testing.T) { 384 var group ec2.SecurityGroup 385 386 resource.Test(t, resource.TestCase{ 387 PreCheck: func() { testAccPreCheck(t) }, 388 Providers: testAccProviders, 389 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 390 Steps: []resource.TestStep{ 391 resource.TestStep{ 392 Config: testAccAWSSecurityGroupRuleIssue5310, 393 Check: resource.ComposeTestCheckFunc( 394 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.issue_5310", &group), 395 ), 396 }, 397 }, 398 }) 399 } 400 401 func TestAccAWSSecurityGroupRule_Race(t *testing.T) { 402 var group ec2.SecurityGroup 403 404 resource.Test(t, resource.TestCase{ 405 PreCheck: func() { testAccPreCheck(t) }, 406 Providers: testAccProviders, 407 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 408 Steps: []resource.TestStep{ 409 resource.TestStep{ 410 Config: testAccAWSSecurityGroupRuleRace, 411 Check: resource.ComposeTestCheckFunc( 412 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.race", &group), 413 ), 414 }, 415 }, 416 }) 417 } 418 419 func TestAccAWSSecurityGroupRule_SelfSource(t *testing.T) { 420 var group ec2.SecurityGroup 421 422 resource.Test(t, resource.TestCase{ 423 PreCheck: func() { testAccPreCheck(t) }, 424 Providers: testAccProviders, 425 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 426 Steps: []resource.TestStep{ 427 resource.TestStep{ 428 Config: testAccAWSSecurityGroupRuleSelfInSource, 429 Check: resource.ComposeTestCheckFunc( 430 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group), 431 ), 432 }, 433 }, 434 }) 435 } 436 437 func TestAccAWSSecurityGroupRule_PrefixListEgress(t *testing.T) { 438 var group ec2.SecurityGroup 439 var endpoint ec2.VpcEndpoint 440 var p ec2.IpPermission 441 442 // This function creates the expected IPPermission with the prefix list ID from 443 // the VPC Endpoint created in the test 444 setupSG := func(*terraform.State) error { 445 conn := testAccProvider.Meta().(*AWSClient).ec2conn 446 prefixListInput := &ec2.DescribePrefixListsInput{ 447 Filters: []*ec2.Filter{ 448 {Name: aws.String("prefix-list-name"), Values: []*string{endpoint.ServiceName}}, 449 }, 450 } 451 452 log.Printf("[DEBUG] Reading VPC Endpoint prefix list: %s", prefixListInput) 453 prefixListsOutput, err := conn.DescribePrefixLists(prefixListInput) 454 455 if err != nil { 456 _, ok := err.(awserr.Error) 457 if !ok { 458 return fmt.Errorf("Error reading VPC Endpoint prefix list: %s", err.Error()) 459 } 460 } 461 462 if len(prefixListsOutput.PrefixLists) != 1 { 463 return fmt.Errorf("There are multiple prefix lists associated with the service name '%s'. Unexpected", prefixListsOutput) 464 } 465 466 p = ec2.IpPermission{ 467 IpProtocol: aws.String("-1"), 468 PrefixListIds: []*ec2.PrefixListId{ 469 &ec2.PrefixListId{PrefixListId: prefixListsOutput.PrefixLists[0].PrefixListId}, 470 }, 471 } 472 473 return nil 474 } 475 476 resource.Test(t, resource.TestCase{ 477 PreCheck: func() { testAccPreCheck(t) }, 478 Providers: testAccProviders, 479 CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy, 480 Steps: []resource.TestStep{ 481 resource.TestStep{ 482 Config: testAccAWSSecurityGroupRulePrefixListEgressConfig, 483 Check: resource.ComposeTestCheckFunc( 484 testAccCheckAWSSecurityGroupRuleExists("aws_security_group.egress", &group), 485 // lookup info on the VPC Endpoint created, to populate the expected 486 // IP Perm 487 testAccCheckVpcEndpointExists("aws_vpc_endpoint.s3-us-west-2", &endpoint), 488 setupSG, 489 testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_1", &group, &p, "egress"), 490 ), 491 }, 492 }, 493 }) 494 } 495 496 func testAccCheckAWSSecurityGroupRuleDestroy(s *terraform.State) error { 497 conn := testAccProvider.Meta().(*AWSClient).ec2conn 498 499 for _, rs := range s.RootModule().Resources { 500 if rs.Type != "aws_security_group" { 501 continue 502 } 503 504 // Retrieve our group 505 req := &ec2.DescribeSecurityGroupsInput{ 506 GroupIds: []*string{aws.String(rs.Primary.ID)}, 507 } 508 resp, err := conn.DescribeSecurityGroups(req) 509 if err == nil { 510 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 511 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 512 } 513 514 return nil 515 } 516 517 ec2err, ok := err.(awserr.Error) 518 if !ok { 519 return err 520 } 521 // Confirm error code is what we want 522 if ec2err.Code() != "InvalidGroup.NotFound" { 523 return err 524 } 525 } 526 527 return nil 528 } 529 530 func testAccCheckAWSSecurityGroupRuleExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 531 return func(s *terraform.State) error { 532 rs, ok := s.RootModule().Resources[n] 533 if !ok { 534 return fmt.Errorf("Not found: %s", n) 535 } 536 537 if rs.Primary.ID == "" { 538 return fmt.Errorf("No Security Group is set") 539 } 540 541 conn := testAccProvider.Meta().(*AWSClient).ec2conn 542 req := &ec2.DescribeSecurityGroupsInput{ 543 GroupIds: []*string{aws.String(rs.Primary.ID)}, 544 } 545 resp, err := conn.DescribeSecurityGroups(req) 546 if err != nil { 547 return err 548 } 549 550 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 551 *group = *resp.SecurityGroups[0] 552 return nil 553 } 554 555 return fmt.Errorf("Security Group not found") 556 } 557 } 558 559 func testAccCheckAWSSecurityGroupRuleAttributes(n string, group *ec2.SecurityGroup, p *ec2.IpPermission, ruleType string) resource.TestCheckFunc { 560 return func(s *terraform.State) error { 561 rs, ok := s.RootModule().Resources[n] 562 if !ok { 563 return fmt.Errorf("Security Group Rule Not found: %s", n) 564 } 565 566 if rs.Primary.ID == "" { 567 return fmt.Errorf("No Security Group Rule is set") 568 } 569 570 if p == nil { 571 p = &ec2.IpPermission{ 572 FromPort: aws.Int64(80), 573 ToPort: aws.Int64(8000), 574 IpProtocol: aws.String("tcp"), 575 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 576 } 577 } 578 579 var matchingRule *ec2.IpPermission 580 var rules []*ec2.IpPermission 581 if ruleType == "ingress" { 582 rules = group.IpPermissions 583 } else { 584 rules = group.IpPermissionsEgress 585 } 586 587 if len(rules) == 0 { 588 return fmt.Errorf("No IPPerms") 589 } 590 591 for _, r := range rules { 592 if r.ToPort != nil && *p.ToPort != *r.ToPort { 593 continue 594 } 595 596 if r.FromPort != nil && *p.FromPort != *r.FromPort { 597 continue 598 } 599 600 if r.IpProtocol != nil && *p.IpProtocol != *r.IpProtocol { 601 continue 602 } 603 604 remaining := len(p.IpRanges) 605 for _, ip := range p.IpRanges { 606 for _, rip := range r.IpRanges { 607 if *ip.CidrIp == *rip.CidrIp { 608 remaining-- 609 } 610 } 611 } 612 613 if remaining > 0 { 614 continue 615 } 616 617 remaining = len(p.UserIdGroupPairs) 618 for _, ip := range p.UserIdGroupPairs { 619 for _, rip := range r.UserIdGroupPairs { 620 if *ip.GroupId == *rip.GroupId { 621 remaining-- 622 } 623 } 624 } 625 626 if remaining > 0 { 627 continue 628 } 629 630 remaining = len(p.PrefixListIds) 631 for _, pip := range p.PrefixListIds { 632 for _, rpip := range r.PrefixListIds { 633 if *pip.PrefixListId == *rpip.PrefixListId { 634 remaining-- 635 } 636 } 637 } 638 639 if remaining > 0 { 640 continue 641 } 642 643 matchingRule = r 644 } 645 646 if matchingRule != nil { 647 log.Printf("[DEBUG] Matching rule found : %s", matchingRule) 648 return nil 649 } 650 651 return fmt.Errorf("Error here\n\tlooking for %s, wasn't found in %s", p, rules) 652 } 653 } 654 655 const testAccAWSSecurityGroupRuleIngressConfig = ` 656 resource "aws_security_group" "web" { 657 name = "terraform_acceptance_test_example" 658 description = "Used in the terraform acceptance tests" 659 660 tags { 661 Name = "tf-acc-test" 662 } 663 } 664 665 resource "aws_security_group_rule" "ingress_1" { 666 type = "ingress" 667 protocol = "tcp" 668 from_port = 80 669 to_port = 8000 670 cidr_blocks = ["10.0.0.0/8"] 671 672 security_group_id = "${aws_security_group.web.id}" 673 } 674 ` 675 676 const testAccAWSSecurityGroupRuleIngress_protocolConfig = ` 677 resource "aws_vpc" "tftest" { 678 cidr_block = "10.0.0.0/16" 679 680 tags { 681 Name = "tf-testing" 682 } 683 } 684 685 resource "aws_security_group" "web" { 686 vpc_id = "${aws_vpc.tftest.id}" 687 688 tags { 689 Name = "tf-acc-test" 690 } 691 } 692 693 resource "aws_security_group_rule" "ingress_1" { 694 type = "ingress" 695 protocol = "6" 696 from_port = 80 697 to_port = 8000 698 cidr_blocks = ["10.0.0.0/8"] 699 700 security_group_id = "${aws_security_group.web.id}" 701 } 702 703 ` 704 705 const testAccAWSSecurityGroupRuleIssue5310 = ` 706 provider "aws" { 707 region = "us-east-1" 708 } 709 710 resource "aws_security_group" "issue_5310" { 711 name = "terraform-test-issue_5310" 712 description = "SG for test of issue 5310" 713 } 714 715 resource "aws_security_group_rule" "issue_5310" { 716 type = "ingress" 717 from_port = 0 718 to_port = 65535 719 protocol = "tcp" 720 security_group_id = "${aws_security_group.issue_5310.id}" 721 self = true 722 } 723 ` 724 725 const testAccAWSSecurityGroupRuleIngressClassicConfig = ` 726 provider "aws" { 727 region = "us-east-1" 728 } 729 730 resource "aws_security_group" "web" { 731 name = "terraform_acceptance_test_example" 732 description = "Used in the terraform acceptance tests" 733 734 tags { 735 Name = "tf-acc-test" 736 } 737 } 738 739 resource "aws_security_group_rule" "ingress_1" { 740 type = "ingress" 741 protocol = "tcp" 742 from_port = 80 743 to_port = 8000 744 cidr_blocks = ["10.0.0.0/8"] 745 746 security_group_id = "${aws_security_group.web.id}" 747 } 748 ` 749 750 const testAccAWSSecurityGroupRuleEgressConfig = ` 751 resource "aws_security_group" "web" { 752 name = "terraform_acceptance_test_example" 753 description = "Used in the terraform acceptance tests" 754 755 tags { 756 Name = "tf-acc-test" 757 } 758 } 759 760 resource "aws_security_group_rule" "egress_1" { 761 type = "egress" 762 protocol = "tcp" 763 from_port = 80 764 to_port = 8000 765 cidr_blocks = ["10.0.0.0/8"] 766 767 security_group_id = "${aws_security_group.web.id}" 768 } 769 ` 770 771 const testAccAWSSecurityGroupRuleConfigMultiIngress = ` 772 resource "aws_security_group" "web" { 773 name = "terraform_acceptance_test_example_2" 774 description = "Used in the terraform acceptance tests" 775 } 776 777 resource "aws_security_group" "worker" { 778 name = "terraform_acceptance_test_example_worker" 779 description = "Used in the terraform acceptance tests" 780 } 781 782 783 resource "aws_security_group_rule" "ingress_1" { 784 type = "ingress" 785 protocol = "tcp" 786 from_port = 22 787 to_port = 22 788 cidr_blocks = ["10.0.0.0/8"] 789 790 security_group_id = "${aws_security_group.web.id}" 791 } 792 793 resource "aws_security_group_rule" "ingress_2" { 794 type = "ingress" 795 protocol = "tcp" 796 from_port = 80 797 to_port = 8000 798 self = true 799 800 security_group_id = "${aws_security_group.web.id}" 801 } 802 ` 803 804 // check for GH-1985 regression 805 const testAccAWSSecurityGroupRuleConfigSelfReference = ` 806 provider "aws" { 807 region = "us-west-2" 808 } 809 810 resource "aws_vpc" "main" { 811 cidr_block = "10.0.0.0/16" 812 tags { 813 Name = "sg-self-test" 814 } 815 } 816 817 resource "aws_security_group" "web" { 818 name = "main" 819 vpc_id = "${aws_vpc.main.id}" 820 tags { 821 Name = "sg-self-test" 822 } 823 } 824 825 resource "aws_security_group_rule" "self" { 826 type = "ingress" 827 protocol = "-1" 828 from_port = 0 829 to_port = 0 830 self = true 831 security_group_id = "${aws_security_group.web.id}" 832 } 833 ` 834 835 const testAccAWSSecurityGroupRulePartialMatching = ` 836 resource "aws_vpc" "default" { 837 cidr_block = "10.0.0.0/16" 838 tags { 839 Name = "tf-sg-rule-bug" 840 } 841 } 842 843 resource "aws_security_group" "web" { 844 name = "tf-other" 845 vpc_id = "${aws_vpc.default.id}" 846 tags { 847 Name = "tf-other-sg" 848 } 849 } 850 851 resource "aws_security_group" "nat" { 852 name = "tf-nat" 853 vpc_id = "${aws_vpc.default.id}" 854 tags { 855 Name = "tf-nat-sg" 856 } 857 } 858 859 resource "aws_security_group_rule" "ingress" { 860 type = "ingress" 861 from_port = 80 862 to_port = 80 863 protocol = "tcp" 864 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 865 866 security_group_id = "${aws_security_group.web.id}" 867 } 868 869 resource "aws_security_group_rule" "other" { 870 type = "ingress" 871 from_port = 80 872 to_port = 80 873 protocol = "tcp" 874 cidr_blocks = ["10.0.5.0/24"] 875 876 security_group_id = "${aws_security_group.web.id}" 877 } 878 879 // same a above, but different group, to guard against bad hashing 880 resource "aws_security_group_rule" "nat_ingress" { 881 type = "ingress" 882 from_port = 80 883 to_port = 80 884 protocol = "tcp" 885 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 886 887 security_group_id = "${aws_security_group.nat.id}" 888 } 889 ` 890 891 const testAccAWSSecurityGroupRulePartialMatching_Source = ` 892 resource "aws_vpc" "default" { 893 cidr_block = "10.0.0.0/16" 894 tags { 895 Name = "tf-sg-rule-bug" 896 } 897 } 898 899 resource "aws_security_group" "web" { 900 name = "tf-other" 901 vpc_id = "${aws_vpc.default.id}" 902 tags { 903 Name = "tf-other-sg" 904 } 905 } 906 907 resource "aws_security_group" "nat" { 908 name = "tf-nat" 909 vpc_id = "${aws_vpc.default.id}" 910 tags { 911 Name = "tf-nat-sg" 912 } 913 } 914 915 resource "aws_security_group_rule" "source_ingress" { 916 type = "ingress" 917 from_port = 80 918 to_port = 80 919 protocol = "tcp" 920 921 source_security_group_id = "${aws_security_group.nat.id}" 922 security_group_id = "${aws_security_group.web.id}" 923 } 924 925 resource "aws_security_group_rule" "other_ingress" { 926 type = "ingress" 927 from_port = 80 928 to_port = 80 929 protocol = "tcp" 930 cidr_blocks = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"] 931 932 security_group_id = "${aws_security_group.web.id}" 933 } 934 ` 935 936 var testAccAWSSecurityGroupRuleRace = func() string { 937 var b bytes.Buffer 938 iterations := 50 939 b.WriteString(fmt.Sprintf(` 940 resource "aws_vpc" "default" { 941 cidr_block = "10.0.0.0/16" 942 tags { Name = "tf-sg-rule-race" } 943 } 944 945 resource "aws_security_group" "race" { 946 name = "tf-sg-rule-race-group-%d" 947 vpc_id = "${aws_vpc.default.id}" 948 } 949 `, acctest.RandInt())) 950 for i := 1; i < iterations; i++ { 951 b.WriteString(fmt.Sprintf(` 952 resource "aws_security_group_rule" "ingress%d" { 953 security_group_id = "${aws_security_group.race.id}" 954 type = "ingress" 955 from_port = %d 956 to_port = %d 957 protocol = "tcp" 958 cidr_blocks = ["10.0.0.%d/32"] 959 } 960 961 resource "aws_security_group_rule" "egress%d" { 962 security_group_id = "${aws_security_group.race.id}" 963 type = "egress" 964 from_port = %d 965 to_port = %d 966 protocol = "tcp" 967 cidr_blocks = ["10.0.0.%d/32"] 968 } 969 `, i, i, i, i, i, i, i, i)) 970 } 971 return b.String() 972 }() 973 974 const testAccAWSSecurityGroupRulePrefixListEgressConfig = ` 975 976 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 977 cidr_block = "10.0.0.0/16" 978 tags { 979 Name = "tf_sg_prefix_list_egress_test" 980 } 981 } 982 983 resource "aws_route_table" "default" { 984 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 985 } 986 987 resource "aws_vpc_endpoint" "s3-us-west-2" { 988 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 989 service_name = "com.amazonaws.us-west-2.s3" 990 route_table_ids = ["${aws_route_table.default.id}"] 991 policy = <<POLICY 992 { 993 "Version": "2012-10-17", 994 "Statement": [ 995 { 996 "Sid":"AllowAll", 997 "Effect":"Allow", 998 "Principal":"*", 999 "Action":"*", 1000 "Resource":"*" 1001 } 1002 ] 1003 } 1004 POLICY 1005 } 1006 1007 resource "aws_security_group" "egress" { 1008 name = "terraform_acceptance_test_prefix_list_egress" 1009 description = "Used in the terraform acceptance tests" 1010 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1011 } 1012 1013 resource "aws_security_group_rule" "egress_1" { 1014 type = "egress" 1015 protocol = "-1" 1016 from_port = 0 1017 to_port = 0 1018 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 1019 security_group_id = "${aws_security_group.egress.id}" 1020 } 1021 ` 1022 1023 const testAccAWSSecurityGroupRuleSelfInSource = ` 1024 resource "aws_vpc" "foo" { 1025 cidr_block = "10.1.0.0/16" 1026 1027 tags { 1028 Name = "tf_sg_rule_self_group" 1029 } 1030 } 1031 1032 resource "aws_security_group" "web" { 1033 name = "allow_all" 1034 description = "Allow all inbound traffic" 1035 vpc_id = "${aws_vpc.foo.id}" 1036 } 1037 1038 resource "aws_security_group_rule" "allow_self" { 1039 type = "ingress" 1040 from_port = 0 1041 to_port = 0 1042 protocol = "-1" 1043 security_group_id = "${aws_security_group.web.id}" 1044 source_security_group_id = "${aws_security_group.web.id}" 1045 } 1046 `