github.com/mohanarpit/terraform@v0.6.16-0.20160909104007-291f29853544/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 IDRefreshName: "aws_network_acl.bar", 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 22 Steps: []resource.TestStep{ 23 resource.TestStep{ 24 Config: testAccAWSNetworkAclEgressNIngressConfig, 25 Check: resource.ComposeTestCheckFunc( 26 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.109047673.protocol", "6"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.109047673.rule_no", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.109047673.from_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.109047673.to_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.109047673.action", "allow"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "ingress.109047673.cidr_block", "10.3.0.0/18"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.868403673.protocol", "6"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.868403673.rule_no", "2"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.868403673.from_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.868403673.to_port", "443"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.868403673.cidr_block", "10.3.0.0/18"), 49 resource.TestCheckResourceAttr( 50 "aws_network_acl.bar", "egress.868403673.action", "allow"), 51 ), 52 }, 53 }, 54 }) 55 } 56 57 func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) { 58 var networkAcl ec2.NetworkAcl 59 60 resource.Test(t, resource.TestCase{ 61 PreCheck: func() { testAccPreCheck(t) }, 62 IDRefreshName: "aws_network_acl.foos", 63 Providers: testAccProviders, 64 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 65 Steps: []resource.TestStep{ 66 resource.TestStep{ 67 Config: testAccAWSNetworkAclIngressConfig, 68 Check: resource.ComposeTestCheckFunc( 69 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 70 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 71 resource.TestCheckResourceAttr( 72 "aws_network_acl.foos", "ingress.1451312565.protocol", "6"), 73 resource.TestCheckResourceAttr( 74 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 75 resource.TestCheckResourceAttr( 76 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 77 resource.TestCheckResourceAttr( 78 "aws_network_acl.foos", "ingress.1451312565.to_port", "443"), 79 resource.TestCheckResourceAttr( 80 "aws_network_acl.foos", "ingress.1451312565.action", "deny"), 81 resource.TestCheckResourceAttr( 82 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 83 ), 84 }, 85 }, 86 }) 87 } 88 89 func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) { 90 var networkAcl ec2.NetworkAcl 91 92 resource.Test(t, resource.TestCase{ 93 PreCheck: func() { testAccPreCheck(t) }, 94 IDRefreshName: "aws_network_acl.foos", 95 Providers: testAccProviders, 96 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 97 Steps: []resource.TestStep{ 98 resource.TestStep{ 99 Config: testAccAWSNetworkAclIngressConfig, 100 Check: resource.ComposeTestCheckFunc( 101 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 102 testIngressRuleLength(&networkAcl, 2), 103 resource.TestCheckResourceAttr( 104 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 105 resource.TestCheckResourceAttr( 106 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 107 resource.TestCheckResourceAttr( 108 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 109 resource.TestCheckResourceAttr( 110 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 111 resource.TestCheckResourceAttr( 112 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 113 resource.TestCheckResourceAttr( 114 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 115 resource.TestCheckResourceAttr( 116 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 117 resource.TestCheckResourceAttr( 118 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 119 ), 120 }, 121 resource.TestStep{ 122 Config: testAccAWSNetworkAclIngressConfigChange, 123 Check: resource.ComposeTestCheckFunc( 124 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 125 testIngressRuleLength(&networkAcl, 1), 126 resource.TestCheckResourceAttr( 127 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 128 resource.TestCheckResourceAttr( 129 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 130 resource.TestCheckResourceAttr( 131 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 132 resource.TestCheckResourceAttr( 133 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 134 resource.TestCheckResourceAttr( 135 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 136 resource.TestCheckResourceAttr( 137 "aws_network_acl.foos", "ingress.2048097841.cidr_block", "10.2.0.0/18"), 138 ), 139 }, 140 }, 141 }) 142 } 143 144 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 145 var networkAcl ec2.NetworkAcl 146 147 resource.Test(t, resource.TestCase{ 148 PreCheck: func() { testAccPreCheck(t) }, 149 IDRefreshName: "aws_network_acl.bond", 150 Providers: testAccProviders, 151 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 152 Steps: []resource.TestStep{ 153 resource.TestStep{ 154 Config: testAccAWSNetworkAclEgressConfig, 155 Check: resource.ComposeTestCheckFunc( 156 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 157 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 158 ), 159 }, 160 }, 161 }) 162 } 163 164 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 165 166 resource.Test(t, resource.TestCase{ 167 PreCheck: func() { testAccPreCheck(t) }, 168 IDRefreshName: "aws_network_acl.bar", 169 Providers: testAccProviders, 170 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 171 Steps: []resource.TestStep{ 172 resource.TestStep{ 173 Config: testAccAWSNetworkAclSubnetConfig, 174 Check: resource.ComposeTestCheckFunc( 175 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 176 ), 177 }, 178 resource.TestStep{ 179 Config: testAccAWSNetworkAclSubnetConfigChange, 180 Check: resource.ComposeTestCheckFunc( 181 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 182 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 183 ), 184 }, 185 }, 186 }) 187 188 } 189 190 func TestAccAWSNetworkAcl_Subnets(t *testing.T) { 191 var networkAcl ec2.NetworkAcl 192 193 checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc { 194 return func(*terraform.State) (err error) { 195 if count != len(acl.Associations) { 196 return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations)) 197 } 198 199 return nil 200 } 201 } 202 203 resource.Test(t, resource.TestCase{ 204 PreCheck: func() { testAccPreCheck(t) }, 205 IDRefreshName: "aws_network_acl.bar", 206 Providers: testAccProviders, 207 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 208 Steps: []resource.TestStep{ 209 resource.TestStep{ 210 Config: testAccAWSNetworkAclSubnet_SubnetIds, 211 Check: resource.ComposeTestCheckFunc( 212 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 213 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 214 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"), 215 checkACLSubnets(&networkAcl, 2), 216 ), 217 }, 218 219 resource.TestStep{ 220 Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate, 221 Check: resource.ComposeTestCheckFunc( 222 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 223 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 224 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"), 225 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"), 226 checkACLSubnets(&networkAcl, 3), 227 ), 228 }, 229 }, 230 }) 231 232 } 233 234 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 235 conn := testAccProvider.Meta().(*AWSClient).ec2conn 236 237 for _, rs := range s.RootModule().Resources { 238 if rs.Type != "aws_network" { 239 continue 240 } 241 242 // Retrieve the network acl 243 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 244 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 245 }) 246 if err == nil { 247 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 248 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 249 } 250 251 return nil 252 } 253 254 ec2err, ok := err.(awserr.Error) 255 if !ok { 256 return err 257 } 258 // Confirm error code is what we want 259 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 260 return err 261 } 262 } 263 264 return nil 265 } 266 267 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 268 return func(s *terraform.State) error { 269 rs, ok := s.RootModule().Resources[n] 270 if !ok { 271 return fmt.Errorf("Not found: %s", n) 272 } 273 274 if rs.Primary.ID == "" { 275 return fmt.Errorf("No Security Group is set") 276 } 277 conn := testAccProvider.Meta().(*AWSClient).ec2conn 278 279 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 280 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 281 }) 282 if err != nil { 283 return err 284 } 285 286 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 287 *networkAcl = *resp.NetworkAcls[0] 288 return nil 289 } 290 291 return fmt.Errorf("Network Acls not found") 292 } 293 } 294 295 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 296 return func(s *terraform.State) error { 297 var ingressEntries []*ec2.NetworkAclEntry 298 for _, e := range networkAcl.Entries { 299 if *e.Egress == false { 300 ingressEntries = append(ingressEntries, e) 301 } 302 } 303 // There is always a default rule (ALL Traffic ... DENY) 304 // so we have to increase the length by 1 305 if len(ingressEntries) != length+1 { 306 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 307 } 308 return nil 309 } 310 } 311 312 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 313 return func(s *terraform.State) error { 314 networkAcl := s.RootModule().Resources[acl] 315 subnet := s.RootModule().Resources[sub] 316 317 conn := testAccProvider.Meta().(*AWSClient).ec2conn 318 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 319 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 320 Filters: []*ec2.Filter{ 321 &ec2.Filter{ 322 Name: aws.String("association.subnet-id"), 323 Values: []*string{aws.String(subnet.Primary.ID)}, 324 }, 325 }, 326 }) 327 if err != nil { 328 return err 329 } 330 if len(resp.NetworkAcls) > 0 { 331 return nil 332 } 333 334 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 335 } 336 } 337 338 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 339 return func(s *terraform.State) error { 340 networkAcl := s.RootModule().Resources[acl] 341 subnet := s.RootModule().Resources[subnet] 342 343 conn := testAccProvider.Meta().(*AWSClient).ec2conn 344 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 345 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 346 Filters: []*ec2.Filter{ 347 &ec2.Filter{ 348 Name: aws.String("association.subnet-id"), 349 Values: []*string{aws.String(subnet.Primary.ID)}, 350 }, 351 }, 352 }) 353 354 if err != nil { 355 return err 356 } 357 if len(resp.NetworkAcls) > 0 { 358 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 359 } 360 return nil 361 } 362 } 363 364 const testAccAWSNetworkAclIngressConfig = ` 365 resource "aws_vpc" "foo" { 366 cidr_block = "10.1.0.0/16" 367 tags { 368 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 369 } 370 } 371 resource "aws_subnet" "blob" { 372 cidr_block = "10.1.1.0/24" 373 vpc_id = "${aws_vpc.foo.id}" 374 map_public_ip_on_launch = true 375 } 376 resource "aws_network_acl" "foos" { 377 vpc_id = "${aws_vpc.foo.id}" 378 ingress = { 379 protocol = "tcp" 380 rule_no = 1 381 action = "deny" 382 cidr_block = "10.2.0.0/18" 383 from_port = 0 384 to_port = 22 385 } 386 ingress = { 387 protocol = "tcp" 388 rule_no = 2 389 action = "deny" 390 cidr_block = "10.2.0.0/18" 391 from_port = 443 392 to_port = 443 393 } 394 395 subnet_ids = ["${aws_subnet.blob.id}"] 396 } 397 ` 398 const testAccAWSNetworkAclIngressConfigChange = ` 399 resource "aws_vpc" "foo" { 400 cidr_block = "10.1.0.0/16" 401 tags { 402 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 403 } 404 } 405 resource "aws_subnet" "blob" { 406 cidr_block = "10.1.1.0/24" 407 vpc_id = "${aws_vpc.foo.id}" 408 map_public_ip_on_launch = true 409 } 410 resource "aws_network_acl" "foos" { 411 vpc_id = "${aws_vpc.foo.id}" 412 ingress = { 413 protocol = "tcp" 414 rule_no = 1 415 action = "deny" 416 cidr_block = "10.2.0.0/18" 417 from_port = 0 418 to_port = 22 419 } 420 subnet_ids = ["${aws_subnet.blob.id}"] 421 } 422 ` 423 424 const testAccAWSNetworkAclEgressConfig = ` 425 resource "aws_vpc" "foo" { 426 cidr_block = "10.2.0.0/16" 427 tags { 428 Name = "TestAccAWSNetworkAcl_OnlyEgressRules" 429 } 430 } 431 resource "aws_subnet" "blob" { 432 cidr_block = "10.2.0.0/24" 433 vpc_id = "${aws_vpc.foo.id}" 434 map_public_ip_on_launch = true 435 } 436 resource "aws_network_acl" "bond" { 437 vpc_id = "${aws_vpc.foo.id}" 438 egress = { 439 protocol = "tcp" 440 rule_no = 2 441 action = "allow" 442 cidr_block = "10.2.0.0/18" 443 from_port = 443 444 to_port = 443 445 } 446 447 egress = { 448 protocol = "-1" 449 rule_no = 4 450 action = "allow" 451 cidr_block = "0.0.0.0/0" 452 from_port = 0 453 to_port = 0 454 } 455 456 egress = { 457 protocol = "tcp" 458 rule_no = 1 459 action = "allow" 460 cidr_block = "10.2.0.0/18" 461 from_port = 80 462 to_port = 80 463 } 464 465 egress = { 466 protocol = "tcp" 467 rule_no = 3 468 action = "allow" 469 cidr_block = "10.2.0.0/18" 470 from_port = 22 471 to_port = 22 472 } 473 474 tags { 475 foo = "bar" 476 } 477 } 478 ` 479 480 const testAccAWSNetworkAclEgressNIngressConfig = ` 481 resource "aws_vpc" "foo" { 482 cidr_block = "10.3.0.0/16" 483 tags { 484 Name = "TestAccAWSNetworkAcl_EgressAndIngressRules" 485 } 486 } 487 resource "aws_subnet" "blob" { 488 cidr_block = "10.3.0.0/24" 489 vpc_id = "${aws_vpc.foo.id}" 490 map_public_ip_on_launch = true 491 } 492 resource "aws_network_acl" "bar" { 493 vpc_id = "${aws_vpc.foo.id}" 494 egress = { 495 protocol = "tcp" 496 rule_no = 2 497 action = "allow" 498 cidr_block = "10.3.0.0/18" 499 from_port = 443 500 to_port = 443 501 } 502 503 ingress = { 504 protocol = "tcp" 505 rule_no = 1 506 action = "allow" 507 cidr_block = "10.3.0.0/18" 508 from_port = 80 509 to_port = 80 510 } 511 } 512 ` 513 const testAccAWSNetworkAclSubnetConfig = ` 514 resource "aws_vpc" "foo" { 515 cidr_block = "10.1.0.0/16" 516 tags { 517 Name = "TestAccAWSNetworkAcl_SubnetChange" 518 } 519 } 520 resource "aws_subnet" "old" { 521 cidr_block = "10.1.111.0/24" 522 vpc_id = "${aws_vpc.foo.id}" 523 map_public_ip_on_launch = true 524 } 525 resource "aws_subnet" "new" { 526 cidr_block = "10.1.1.0/24" 527 vpc_id = "${aws_vpc.foo.id}" 528 map_public_ip_on_launch = true 529 } 530 resource "aws_network_acl" "roll" { 531 vpc_id = "${aws_vpc.foo.id}" 532 subnet_ids = ["${aws_subnet.new.id}"] 533 } 534 resource "aws_network_acl" "bar" { 535 vpc_id = "${aws_vpc.foo.id}" 536 subnet_ids = ["${aws_subnet.old.id}"] 537 } 538 ` 539 540 const testAccAWSNetworkAclSubnetConfigChange = ` 541 resource "aws_vpc" "foo" { 542 cidr_block = "10.1.0.0/16" 543 tags { 544 Name = "TestAccAWSNetworkAcl_SubnetChange" 545 } 546 } 547 resource "aws_subnet" "old" { 548 cidr_block = "10.1.111.0/24" 549 vpc_id = "${aws_vpc.foo.id}" 550 map_public_ip_on_launch = true 551 } 552 resource "aws_subnet" "new" { 553 cidr_block = "10.1.1.0/24" 554 vpc_id = "${aws_vpc.foo.id}" 555 map_public_ip_on_launch = true 556 } 557 resource "aws_network_acl" "bar" { 558 vpc_id = "${aws_vpc.foo.id}" 559 subnet_ids = ["${aws_subnet.new.id}"] 560 } 561 ` 562 563 const testAccAWSNetworkAclSubnet_SubnetIds = ` 564 resource "aws_vpc" "foo" { 565 cidr_block = "10.1.0.0/16" 566 tags { 567 Name = "TestAccAWSNetworkAcl_Subnets" 568 } 569 } 570 resource "aws_subnet" "one" { 571 cidr_block = "10.1.111.0/24" 572 vpc_id = "${aws_vpc.foo.id}" 573 tags { 574 Name = "acl-subnets-test" 575 } 576 } 577 resource "aws_subnet" "two" { 578 cidr_block = "10.1.1.0/24" 579 vpc_id = "${aws_vpc.foo.id}" 580 tags { 581 Name = "acl-subnets-test" 582 } 583 } 584 resource "aws_network_acl" "bar" { 585 vpc_id = "${aws_vpc.foo.id}" 586 subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"] 587 tags { 588 Name = "acl-subnets-test" 589 } 590 } 591 ` 592 593 const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = ` 594 resource "aws_vpc" "foo" { 595 cidr_block = "10.1.0.0/16" 596 tags { 597 Name = "TestAccAWSNetworkAcl_Subnets" 598 } 599 } 600 resource "aws_subnet" "one" { 601 cidr_block = "10.1.111.0/24" 602 vpc_id = "${aws_vpc.foo.id}" 603 tags { 604 Name = "acl-subnets-test" 605 } 606 } 607 resource "aws_subnet" "two" { 608 cidr_block = "10.1.1.0/24" 609 vpc_id = "${aws_vpc.foo.id}" 610 tags { 611 Name = "acl-subnets-test" 612 } 613 } 614 615 resource "aws_subnet" "three" { 616 cidr_block = "10.1.222.0/24" 617 vpc_id = "${aws_vpc.foo.id}" 618 tags { 619 Name = "acl-subnets-test" 620 } 621 } 622 resource "aws_subnet" "four" { 623 cidr_block = "10.1.4.0/24" 624 vpc_id = "${aws_vpc.foo.id}" 625 tags { 626 Name = "acl-subnets-test" 627 } 628 } 629 resource "aws_network_acl" "bar" { 630 vpc_id = "${aws_vpc.foo.id}" 631 subnet_ids = [ 632 "${aws_subnet.one.id}", 633 "${aws_subnet.three.id}", 634 "${aws_subnet.four.id}", 635 ] 636 tags { 637 Name = "acl-subnets-test" 638 } 639 } 640 `