github.com/mohanarpit/terraform@v0.6.16-0.20160909104007-291f29853544/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "regexp" 7 "strings" 8 "testing" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/ec2" 13 "github.com/hashicorp/terraform/helper/acctest" 14 "github.com/hashicorp/terraform/helper/resource" 15 "github.com/hashicorp/terraform/helper/schema" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestProtocolStateFunc(t *testing.T) { 20 cases := []struct { 21 input interface{} 22 expected string 23 }{ 24 { 25 input: "tcp", 26 expected: "tcp", 27 }, 28 { 29 input: 6, 30 expected: "", 31 }, 32 { 33 input: "17", 34 expected: "udp", 35 }, 36 { 37 input: "all", 38 expected: "-1", 39 }, 40 { 41 input: "-1", 42 expected: "-1", 43 }, 44 { 45 input: -1, 46 expected: "", 47 }, 48 { 49 input: "1", 50 expected: "icmp", 51 }, 52 { 53 input: "icmp", 54 expected: "icmp", 55 }, 56 { 57 input: 1, 58 expected: "", 59 }, 60 } 61 for _, c := range cases { 62 result := protocolStateFunc(c.input) 63 if result != c.expected { 64 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 65 } 66 } 67 } 68 69 func TestProtocolForValue(t *testing.T) { 70 cases := []struct { 71 input string 72 expected string 73 }{ 74 { 75 input: "tcp", 76 expected: "tcp", 77 }, 78 { 79 input: "6", 80 expected: "tcp", 81 }, 82 { 83 input: "udp", 84 expected: "udp", 85 }, 86 { 87 input: "17", 88 expected: "udp", 89 }, 90 { 91 input: "all", 92 expected: "-1", 93 }, 94 { 95 input: "-1", 96 expected: "-1", 97 }, 98 { 99 input: "tCp", 100 expected: "tcp", 101 }, 102 { 103 input: "6", 104 expected: "tcp", 105 }, 106 { 107 input: "UDp", 108 expected: "udp", 109 }, 110 { 111 input: "17", 112 expected: "udp", 113 }, 114 { 115 input: "ALL", 116 expected: "-1", 117 }, 118 { 119 input: "icMp", 120 expected: "icmp", 121 }, 122 { 123 input: "1", 124 expected: "icmp", 125 }, 126 } 127 128 for _, c := range cases { 129 result := protocolForValue(c.input) 130 if result != c.expected { 131 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 132 } 133 } 134 } 135 136 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 137 raw := []*ec2.IpPermission{ 138 &ec2.IpPermission{ 139 IpProtocol: aws.String("tcp"), 140 FromPort: aws.Int64(int64(1)), 141 ToPort: aws.Int64(int64(-1)), 142 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("0.0.0.0/0")}}, 143 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 144 &ec2.UserIdGroupPair{ 145 GroupId: aws.String("sg-11111"), 146 }, 147 }, 148 }, 149 &ec2.IpPermission{ 150 IpProtocol: aws.String("tcp"), 151 FromPort: aws.Int64(int64(80)), 152 ToPort: aws.Int64(int64(80)), 153 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 154 // VPC 155 &ec2.UserIdGroupPair{ 156 GroupId: aws.String("sg-22222"), 157 }, 158 }, 159 }, 160 &ec2.IpPermission{ 161 IpProtocol: aws.String("tcp"), 162 FromPort: aws.Int64(int64(443)), 163 ToPort: aws.Int64(int64(443)), 164 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 165 // Classic 166 &ec2.UserIdGroupPair{ 167 UserId: aws.String("12345"), 168 GroupId: aws.String("sg-33333"), 169 GroupName: aws.String("ec2_classic"), 170 }, 171 &ec2.UserIdGroupPair{ 172 UserId: aws.String("amazon-elb"), 173 GroupId: aws.String("sg-d2c979d3"), 174 GroupName: aws.String("amazon-elb-sg"), 175 }, 176 }, 177 }, 178 &ec2.IpPermission{ 179 IpProtocol: aws.String("-1"), 180 FromPort: aws.Int64(int64(0)), 181 ToPort: aws.Int64(int64(0)), 182 PrefixListIds: []*ec2.PrefixListId{&ec2.PrefixListId{PrefixListId: aws.String("pl-12345678")}}, 183 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 184 // VPC 185 &ec2.UserIdGroupPair{ 186 GroupId: aws.String("sg-22222"), 187 }, 188 }, 189 }, 190 } 191 192 local := []map[string]interface{}{ 193 map[string]interface{}{ 194 "protocol": "tcp", 195 "from_port": int64(1), 196 "to_port": int64(-1), 197 "cidr_blocks": []string{"0.0.0.0/0"}, 198 "self": true, 199 }, 200 map[string]interface{}{ 201 "protocol": "tcp", 202 "from_port": int64(80), 203 "to_port": int64(80), 204 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 205 "sg-22222", 206 }), 207 }, 208 map[string]interface{}{ 209 "protocol": "tcp", 210 "from_port": int64(443), 211 "to_port": int64(443), 212 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 213 "ec2_classic", 214 "amazon-elb/amazon-elb-sg", 215 }), 216 }, 217 map[string]interface{}{ 218 "protocol": "-1", 219 "from_port": int64(0), 220 "to_port": int64(0), 221 "prefix_list_ids": []string{"pl-12345678"}, 222 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 223 "sg-22222", 224 }), 225 }, 226 } 227 228 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 229 for _, i := range out { 230 // loop and match rules, because the ordering is not guarneteed 231 for _, l := range local { 232 if i["from_port"] == l["from_port"] { 233 234 if i["to_port"] != l["to_port"] { 235 t.Fatalf("to_port does not match") 236 } 237 238 if _, ok := i["cidr_blocks"]; ok { 239 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 240 t.Fatalf("error matching cidr_blocks") 241 } 242 } 243 244 if _, ok := i["security_groups"]; ok { 245 outSet := i["security_groups"].(*schema.Set) 246 localSet := l["security_groups"].(*schema.Set) 247 248 if !outSet.Equal(localSet) { 249 t.Fatalf("Security Group sets are not equal") 250 } 251 } 252 } 253 } 254 } 255 } 256 257 func TestAccAWSSecurityGroup_basic(t *testing.T) { 258 var group ec2.SecurityGroup 259 260 resource.Test(t, resource.TestCase{ 261 PreCheck: func() { testAccPreCheck(t) }, 262 IDRefreshName: "aws_security_group.web", 263 Providers: testAccProviders, 264 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 265 Steps: []resource.TestStep{ 266 resource.TestStep{ 267 Config: testAccAWSSecurityGroupConfig, 268 Check: resource.ComposeTestCheckFunc( 269 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 270 testAccCheckAWSSecurityGroupAttributes(&group), 271 resource.TestCheckResourceAttr( 272 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 273 resource.TestCheckResourceAttr( 274 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 275 resource.TestCheckResourceAttr( 276 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 277 resource.TestCheckResourceAttr( 278 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 279 resource.TestCheckResourceAttr( 280 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 281 resource.TestCheckResourceAttr( 282 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 283 resource.TestCheckResourceAttr( 284 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_tagsCreatedFirst(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 resource.Test(t, resource.TestCase{ 295 PreCheck: func() { testAccPreCheck(t) }, 296 Providers: testAccProviders, 297 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 298 Steps: []resource.TestStep{ 299 resource.TestStep{ 300 Config: testAccAWSSecurityGroupConfigForTagsOrdering, 301 ExpectError: regexp.MustCompile("InvalidParameterValue"), 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 304 testAccCheckTags(&group.Tags, "Name", "tf-acc-test"), 305 ), 306 }, 307 }, 308 }) 309 } 310 311 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 312 var group ec2.SecurityGroup 313 314 resource.Test(t, resource.TestCase{ 315 PreCheck: func() { testAccPreCheck(t) }, 316 IDRefreshName: "aws_security_group.baz", 317 IDRefreshIgnore: []string{"name_prefix"}, 318 Providers: testAccProviders, 319 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 320 Steps: []resource.TestStep{ 321 resource.TestStep{ 322 Config: testAccAWSSecurityGroupPrefixNameConfig, 323 Check: resource.ComposeTestCheckFunc( 324 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 325 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 326 "aws_security_group.baz", "baz-"), 327 ), 328 }, 329 }, 330 }) 331 } 332 333 func TestAccAWSSecurityGroup_self(t *testing.T) { 334 var group ec2.SecurityGroup 335 336 checkSelf := func(s *terraform.State) (err error) { 337 defer func() { 338 if e := recover(); e != nil { 339 err = fmt.Errorf("bad: %#v", group) 340 } 341 }() 342 343 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 344 return fmt.Errorf("bad: %#v", group) 345 } 346 347 return nil 348 } 349 350 resource.Test(t, resource.TestCase{ 351 PreCheck: func() { testAccPreCheck(t) }, 352 IDRefreshName: "aws_security_group.web", 353 Providers: testAccProviders, 354 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 355 Steps: []resource.TestStep{ 356 resource.TestStep{ 357 Config: testAccAWSSecurityGroupConfigSelf, 358 Check: resource.ComposeTestCheckFunc( 359 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 360 resource.TestCheckResourceAttr( 361 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 362 resource.TestCheckResourceAttr( 363 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 364 resource.TestCheckResourceAttr( 365 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 366 resource.TestCheckResourceAttr( 367 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 368 resource.TestCheckResourceAttr( 369 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 370 resource.TestCheckResourceAttr( 371 "aws_security_group.web", "ingress.3971148406.self", "true"), 372 checkSelf, 373 ), 374 }, 375 }, 376 }) 377 } 378 379 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 380 var group ec2.SecurityGroup 381 382 testCheck := func(*terraform.State) error { 383 if *group.VpcId == "" { 384 return fmt.Errorf("should have vpc ID") 385 } 386 387 return nil 388 } 389 390 resource.Test(t, resource.TestCase{ 391 PreCheck: func() { testAccPreCheck(t) }, 392 IDRefreshName: "aws_security_group.web", 393 Providers: testAccProviders, 394 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 395 Steps: []resource.TestStep{ 396 resource.TestStep{ 397 Config: testAccAWSSecurityGroupConfigVpc, 398 Check: resource.ComposeTestCheckFunc( 399 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 400 testAccCheckAWSSecurityGroupAttributes(&group), 401 resource.TestCheckResourceAttr( 402 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 403 resource.TestCheckResourceAttr( 404 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 405 resource.TestCheckResourceAttr( 406 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 407 resource.TestCheckResourceAttr( 408 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 409 resource.TestCheckResourceAttr( 410 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 411 resource.TestCheckResourceAttr( 412 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 413 resource.TestCheckResourceAttr( 414 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 415 resource.TestCheckResourceAttr( 416 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 417 resource.TestCheckResourceAttr( 418 "aws_security_group.web", "egress.3629188364.from_port", "80"), 419 resource.TestCheckResourceAttr( 420 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 421 resource.TestCheckResourceAttr( 422 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 423 resource.TestCheckResourceAttr( 424 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 425 testCheck, 426 ), 427 }, 428 }, 429 }) 430 } 431 432 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 433 var group ec2.SecurityGroup 434 435 testCheck := func(*terraform.State) error { 436 if *group.VpcId == "" { 437 return fmt.Errorf("should have vpc ID") 438 } 439 440 return nil 441 } 442 443 resource.Test(t, resource.TestCase{ 444 PreCheck: func() { testAccPreCheck(t) }, 445 IDRefreshName: "aws_security_group.web", 446 Providers: testAccProviders, 447 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 448 Steps: []resource.TestStep{ 449 resource.TestStep{ 450 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 451 Check: resource.ComposeTestCheckFunc( 452 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 453 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 454 resource.TestCheckResourceAttr( 455 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 456 resource.TestCheckResourceAttr( 457 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 458 resource.TestCheckResourceAttr( 459 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 460 resource.TestCheckResourceAttr( 461 "aws_security_group.web", "ingress.956249133.from_port", "0"), 462 resource.TestCheckResourceAttr( 463 "aws_security_group.web", "ingress.956249133.to_port", "0"), 464 resource.TestCheckResourceAttr( 465 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 466 resource.TestCheckResourceAttr( 467 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 468 testCheck, 469 ), 470 }, 471 }, 472 }) 473 } 474 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 475 var group ec2.SecurityGroup 476 477 resource.Test(t, resource.TestCase{ 478 PreCheck: func() { testAccPreCheck(t) }, 479 IDRefreshName: "aws_security_group.web", 480 Providers: testAccProviders, 481 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 482 Steps: []resource.TestStep{ 483 resource.TestStep{ 484 Config: testAccAWSSecurityGroupConfigMultiIngress, 485 Check: resource.ComposeTestCheckFunc( 486 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 487 ), 488 }, 489 }, 490 }) 491 } 492 493 func TestAccAWSSecurityGroup_Change(t *testing.T) { 494 var group ec2.SecurityGroup 495 496 resource.Test(t, resource.TestCase{ 497 PreCheck: func() { testAccPreCheck(t) }, 498 IDRefreshName: "aws_security_group.web", 499 Providers: testAccProviders, 500 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 501 Steps: []resource.TestStep{ 502 resource.TestStep{ 503 Config: testAccAWSSecurityGroupConfig, 504 Check: resource.ComposeTestCheckFunc( 505 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 506 ), 507 }, 508 resource.TestStep{ 509 Config: testAccAWSSecurityGroupConfigChange, 510 Check: resource.ComposeTestCheckFunc( 511 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 512 testAccCheckAWSSecurityGroupAttributesChanged(&group), 513 ), 514 }, 515 }, 516 }) 517 } 518 519 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 520 var group ec2.SecurityGroup 521 522 resource.Test(t, resource.TestCase{ 523 PreCheck: func() { testAccPreCheck(t) }, 524 IDRefreshName: "aws_security_group.web", 525 Providers: testAccProviders, 526 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 527 Steps: []resource.TestStep{ 528 resource.TestStep{ 529 Config: testAccAWSSecurityGroupConfig_generatedName, 530 Check: resource.ComposeTestCheckFunc( 531 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 532 resource.TestCheckResourceAttr( 533 "aws_security_group.web", "description", "Managed by Terraform"), 534 func(s *terraform.State) error { 535 if group.GroupName == nil { 536 return fmt.Errorf("bad: No SG name") 537 } 538 if !strings.HasPrefix(*group.GroupName, "terraform-") { 539 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 540 } 541 return nil 542 }, 543 ), 544 }, 545 }, 546 }) 547 } 548 549 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 550 551 // VPC 552 resource.Test(t, resource.TestCase{ 553 PreCheck: func() { testAccPreCheck(t) }, 554 IDRefreshName: "aws_security_group.worker", 555 Providers: testAccProviders, 556 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 557 Steps: []resource.TestStep{ 558 resource.TestStep{ 559 Config: testAccAWSSecurityGroupConfigDefaultEgress, 560 Check: resource.ComposeTestCheckFunc( 561 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 562 ), 563 }, 564 }, 565 }) 566 } 567 568 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 569 570 // Classic 571 var group ec2.SecurityGroup 572 resource.Test(t, resource.TestCase{ 573 PreCheck: func() { testAccPreCheck(t) }, 574 IDRefreshName: "aws_security_group.web", 575 Providers: testAccProviders, 576 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 577 Steps: []resource.TestStep{ 578 resource.TestStep{ 579 Config: testAccAWSSecurityGroupConfigClassic, 580 Check: resource.ComposeTestCheckFunc( 581 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 582 ), 583 }, 584 }, 585 }) 586 } 587 588 // Testing drift detection with groups containing the same port and types 589 func TestAccAWSSecurityGroup_drift(t *testing.T) { 590 var group ec2.SecurityGroup 591 resource.Test(t, resource.TestCase{ 592 PreCheck: func() { testAccPreCheck(t) }, 593 Providers: testAccProviders, 594 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 595 Steps: []resource.TestStep{ 596 resource.TestStep{ 597 Config: testAccAWSSecurityGroupConfig_drift(), 598 Check: resource.ComposeTestCheckFunc( 599 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 600 resource.TestCheckResourceAttr( 601 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 602 resource.TestCheckResourceAttr( 603 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 604 resource.TestCheckResourceAttr( 605 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 606 resource.TestCheckResourceAttr( 607 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 608 resource.TestCheckResourceAttr( 609 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 610 resource.TestCheckResourceAttr( 611 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 612 ), 613 }, 614 }, 615 }) 616 } 617 618 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 619 var group ec2.SecurityGroup 620 621 resource.Test(t, resource.TestCase{ 622 PreCheck: func() { testAccPreCheck(t) }, 623 Providers: testAccProviders, 624 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 625 Steps: []resource.TestStep{ 626 resource.TestStep{ 627 Config: testAccAWSSecurityGroupConfig_drift_complex(), 628 Check: resource.ComposeTestCheckFunc( 629 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 630 resource.TestCheckResourceAttr( 631 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 632 resource.TestCheckResourceAttr( 633 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 634 resource.TestCheckResourceAttr( 635 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 636 resource.TestCheckResourceAttr( 637 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 638 resource.TestCheckResourceAttr( 639 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 640 resource.TestCheckResourceAttr( 641 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 642 ), 643 }, 644 }, 645 }) 646 } 647 648 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 649 conn := testAccProvider.Meta().(*AWSClient).ec2conn 650 651 for _, rs := range s.RootModule().Resources { 652 if rs.Type != "aws_security_group" { 653 continue 654 } 655 656 // Retrieve our group 657 req := &ec2.DescribeSecurityGroupsInput{ 658 GroupIds: []*string{aws.String(rs.Primary.ID)}, 659 } 660 resp, err := conn.DescribeSecurityGroups(req) 661 if err == nil { 662 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 663 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 664 } 665 666 return nil 667 } 668 669 ec2err, ok := err.(awserr.Error) 670 if !ok { 671 return err 672 } 673 // Confirm error code is what we want 674 if ec2err.Code() != "InvalidGroup.NotFound" { 675 return err 676 } 677 } 678 679 return nil 680 } 681 682 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 683 resource, prefix string) resource.TestCheckFunc { 684 return func(s *terraform.State) error { 685 r, ok := s.RootModule().Resources[resource] 686 if !ok { 687 return fmt.Errorf("Resource not found") 688 } 689 name, ok := r.Primary.Attributes["name"] 690 if !ok { 691 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 692 } 693 if !strings.HasPrefix(name, prefix) { 694 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 695 } 696 return nil 697 } 698 } 699 700 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 701 return func(s *terraform.State) error { 702 rs, ok := s.RootModule().Resources[n] 703 if !ok { 704 return fmt.Errorf("Not found: %s", n) 705 } 706 707 if rs.Primary.ID == "" { 708 return fmt.Errorf("No Security Group is set") 709 } 710 711 conn := testAccProvider.Meta().(*AWSClient).ec2conn 712 req := &ec2.DescribeSecurityGroupsInput{ 713 GroupIds: []*string{aws.String(rs.Primary.ID)}, 714 } 715 resp, err := conn.DescribeSecurityGroups(req) 716 if err != nil { 717 return err 718 } 719 720 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 721 *group = *resp.SecurityGroups[0] 722 return nil 723 } 724 725 return fmt.Errorf("Security Group not found") 726 } 727 } 728 729 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 730 return func(s *terraform.State) error { 731 p := &ec2.IpPermission{ 732 FromPort: aws.Int64(80), 733 ToPort: aws.Int64(8000), 734 IpProtocol: aws.String("tcp"), 735 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 736 } 737 738 if *group.GroupName != "terraform_acceptance_test_example" { 739 return fmt.Errorf("Bad name: %s", *group.GroupName) 740 } 741 742 if *group.Description != "Used in the terraform acceptance tests" { 743 return fmt.Errorf("Bad description: %s", *group.Description) 744 } 745 746 if len(group.IpPermissions) == 0 { 747 return fmt.Errorf("No IPPerms") 748 } 749 750 // Compare our ingress 751 if !reflect.DeepEqual(group.IpPermissions[0], p) { 752 return fmt.Errorf( 753 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 754 group.IpPermissions[0], 755 p) 756 } 757 758 return nil 759 } 760 } 761 762 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 763 return func(s *terraform.State) error { 764 p := &ec2.IpPermission{ 765 IpProtocol: aws.String("-1"), 766 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 767 } 768 769 if *group.GroupName != "terraform_acceptance_test_example" { 770 return fmt.Errorf("Bad name: %s", *group.GroupName) 771 } 772 773 if *group.Description != "Used in the terraform acceptance tests" { 774 return fmt.Errorf("Bad description: %s", *group.Description) 775 } 776 777 if len(group.IpPermissions) == 0 { 778 return fmt.Errorf("No IPPerms") 779 } 780 781 // Compare our ingress 782 if !reflect.DeepEqual(group.IpPermissions[0], p) { 783 return fmt.Errorf( 784 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 785 group.IpPermissions[0], 786 p) 787 } 788 789 return nil 790 } 791 } 792 793 func TestAccAWSSecurityGroup_tags(t *testing.T) { 794 var group ec2.SecurityGroup 795 796 resource.Test(t, resource.TestCase{ 797 PreCheck: func() { testAccPreCheck(t) }, 798 Providers: testAccProviders, 799 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 800 Steps: []resource.TestStep{ 801 resource.TestStep{ 802 Config: testAccAWSSecurityGroupConfigTags, 803 Check: resource.ComposeTestCheckFunc( 804 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 805 testAccCheckTags(&group.Tags, "foo", "bar"), 806 ), 807 }, 808 809 resource.TestStep{ 810 Config: testAccAWSSecurityGroupConfigTagsUpdate, 811 Check: resource.ComposeTestCheckFunc( 812 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 813 testAccCheckTags(&group.Tags, "foo", ""), 814 testAccCheckTags(&group.Tags, "bar", "baz"), 815 testAccCheckTags(&group.Tags, "env", "Production"), 816 ), 817 }, 818 }, 819 }) 820 } 821 822 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 823 var group ec2.SecurityGroup 824 825 resource.Test(t, resource.TestCase{ 826 PreCheck: func() { testAccPreCheck(t) }, 827 Providers: testAccProviders, 828 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 829 Steps: []resource.TestStep{ 830 resource.TestStep{ 831 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 832 Check: resource.ComposeTestCheckFunc( 833 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 834 // testAccCheckAWSSecurityGroupAttributes(&group), 835 ), 836 }, 837 }, 838 }) 839 } 840 841 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 842 var group ec2.SecurityGroup 843 844 resource.Test(t, resource.TestCase{ 845 PreCheck: func() { testAccPreCheck(t) }, 846 Providers: testAccProviders, 847 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 848 Steps: []resource.TestStep{ 849 resource.TestStep{ 850 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 851 Check: resource.ComposeTestCheckFunc( 852 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 853 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 854 resource.TestCheckResourceAttr( 855 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 856 resource.TestCheckResourceAttr( 857 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 858 resource.TestCheckResourceAttr( 859 "aws_security_group.web", "ingress.#", "2"), 860 ), 861 }, 862 }, 863 }) 864 } 865 866 // This test requires an EC2 Classic region 867 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 868 var group ec2.SecurityGroup 869 870 resource.Test(t, resource.TestCase{ 871 PreCheck: func() { testAccPreCheck(t) }, 872 Providers: testAccProviders, 873 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 874 Steps: []resource.TestStep{ 875 resource.TestStep{ 876 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 877 Check: resource.ComposeTestCheckFunc( 878 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 879 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 880 resource.TestCheckResourceAttr( 881 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 882 resource.TestCheckResourceAttr( 883 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 884 resource.TestCheckResourceAttr( 885 "aws_security_group.web", "ingress.#", "2"), 886 ), 887 }, 888 }, 889 }) 890 } 891 892 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 893 var group ec2.SecurityGroup 894 895 resource.Test(t, resource.TestCase{ 896 PreCheck: func() { testAccPreCheck(t) }, 897 Providers: testAccProviders, 898 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 899 Steps: []resource.TestStep{ 900 resource.TestStep{ 901 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 902 Check: resource.ComposeTestCheckFunc( 903 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 904 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 905 resource.TestCheckResourceAttr( 906 "aws_security_group.egress", "egress.#", "1"), 907 ), 908 }, 909 }, 910 }) 911 } 912 913 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 914 return func(s *terraform.State) error { 915 if *group.GroupName != "terraform_acceptance_test_example" { 916 return fmt.Errorf("Bad name: %s", *group.GroupName) 917 } 918 919 if *group.Description != "Used in the terraform acceptance tests" { 920 return fmt.Errorf("Bad description: %s", *group.Description) 921 } 922 923 if len(group.IpPermissions) == 0 { 924 return fmt.Errorf("No IPPerms") 925 } 926 927 if len(group.IpPermissions) != 2 { 928 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 929 } 930 931 for _, p := range group.IpPermissions { 932 if *p.FromPort == int64(22) { 933 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 934 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 935 } 936 continue 937 } else if *p.FromPort == int64(80) { 938 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 939 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 940 } 941 continue 942 } 943 return fmt.Errorf("Found a rouge rule") 944 } 945 946 return nil 947 } 948 } 949 950 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 951 return func(s *terraform.State) error { 952 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 953 return fmt.Errorf("Bad name: %s", *group.GroupName) 954 } 955 if *group.Description != "Used in the terraform acceptance tests" { 956 return fmt.Errorf("Bad description: %s", *group.Description) 957 } 958 if len(group.IpPermissionsEgress) == 0 { 959 return fmt.Errorf("No egress IPPerms") 960 } 961 if len(group.IpPermissionsEgress) != 1 { 962 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 963 } 964 965 p := group.IpPermissionsEgress[0] 966 967 if len(p.PrefixListIds) != 1 { 968 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 969 } 970 971 return nil 972 } 973 } 974 975 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 976 return func(s *terraform.State) error { 977 p := []*ec2.IpPermission{ 978 &ec2.IpPermission{ 979 FromPort: aws.Int64(80), 980 ToPort: aws.Int64(9000), 981 IpProtocol: aws.String("tcp"), 982 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 983 }, 984 &ec2.IpPermission{ 985 FromPort: aws.Int64(80), 986 ToPort: aws.Int64(8000), 987 IpProtocol: aws.String("tcp"), 988 IpRanges: []*ec2.IpRange{ 989 &ec2.IpRange{ 990 CidrIp: aws.String("0.0.0.0/0"), 991 }, 992 &ec2.IpRange{ 993 CidrIp: aws.String("10.0.0.0/8"), 994 }, 995 }, 996 }, 997 } 998 999 if *group.GroupName != "terraform_acceptance_test_example" { 1000 return fmt.Errorf("Bad name: %s", *group.GroupName) 1001 } 1002 1003 if *group.Description != "Used in the terraform acceptance tests" { 1004 return fmt.Errorf("Bad description: %s", *group.Description) 1005 } 1006 1007 // Compare our ingress 1008 if len(group.IpPermissions) != 2 { 1009 return fmt.Errorf( 1010 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1011 group.IpPermissions, 1012 p) 1013 } 1014 1015 if *group.IpPermissions[0].ToPort == 8000 { 1016 group.IpPermissions[1], group.IpPermissions[0] = 1017 group.IpPermissions[0], group.IpPermissions[1] 1018 } 1019 1020 if !reflect.DeepEqual(group.IpPermissions, p) { 1021 return fmt.Errorf( 1022 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1023 group.IpPermissions, 1024 p) 1025 } 1026 1027 return nil 1028 } 1029 } 1030 1031 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1032 return func(s *terraform.State) error { 1033 rs, ok := s.RootModule().Resources[n] 1034 if !ok { 1035 return fmt.Errorf("Not found: %s", n) 1036 } 1037 1038 if rs.Primary.ID == "" { 1039 return fmt.Errorf("No Security Group is set") 1040 } 1041 1042 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1043 req := &ec2.DescribeSecurityGroupsInput{ 1044 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1045 } 1046 resp, err := conn.DescribeSecurityGroups(req) 1047 if err != nil { 1048 return err 1049 } 1050 1051 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1052 group := *resp.SecurityGroups[0] 1053 1054 if len(group.IpPermissionsEgress) != 1 { 1055 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1056 } 1057 } 1058 1059 return nil 1060 } 1061 } 1062 1063 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1064 var group ec2.SecurityGroup 1065 1066 resource.Test(t, resource.TestCase{ 1067 PreCheck: func() { testAccPreCheck(t) }, 1068 Providers: testAccProviders, 1069 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1070 Steps: []resource.TestStep{ 1071 resource.TestStep{ 1072 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1073 Check: resource.ComposeTestCheckFunc( 1074 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1075 ), 1076 }, 1077 }, 1078 }) 1079 } 1080 1081 const testAccAWSSecurityGroupConfigForTagsOrdering = ` 1082 resource "aws_vpc" "foo" { 1083 cidr_block = "10.1.0.0/16" 1084 } 1085 1086 resource "aws_security_group" "web" { 1087 name = "terraform_acceptance_test_example" 1088 description = "Used in the terraform acceptance tests" 1089 vpc_id = "${aws_vpc.foo.id}" 1090 1091 ingress { 1092 protocol = "6" 1093 from_port = 80 1094 to_port = 80000 1095 cidr_blocks = ["10.0.0.0/8"] 1096 } 1097 1098 egress { 1099 protocol = "tcp" 1100 from_port = 80 1101 to_port = 8000 1102 cidr_blocks = ["10.0.0.0/8"] 1103 } 1104 1105 tags { 1106 Name = "tf-acc-test" 1107 } 1108 }` 1109 1110 const testAccAWSSecurityGroupConfig = ` 1111 resource "aws_vpc" "foo" { 1112 cidr_block = "10.1.0.0/16" 1113 } 1114 1115 resource "aws_security_group" "web" { 1116 name = "terraform_acceptance_test_example" 1117 description = "Used in the terraform acceptance tests" 1118 vpc_id = "${aws_vpc.foo.id}" 1119 1120 ingress { 1121 protocol = "6" 1122 from_port = 80 1123 to_port = 8000 1124 cidr_blocks = ["10.0.0.0/8"] 1125 } 1126 1127 egress { 1128 protocol = "tcp" 1129 from_port = 80 1130 to_port = 8000 1131 cidr_blocks = ["10.0.0.0/8"] 1132 } 1133 1134 tags { 1135 Name = "tf-acc-test" 1136 } 1137 } 1138 ` 1139 1140 const testAccAWSSecurityGroupConfigChange = ` 1141 resource "aws_vpc" "foo" { 1142 cidr_block = "10.1.0.0/16" 1143 } 1144 1145 resource "aws_security_group" "web" { 1146 name = "terraform_acceptance_test_example" 1147 description = "Used in the terraform acceptance tests" 1148 vpc_id = "${aws_vpc.foo.id}" 1149 1150 ingress { 1151 protocol = "tcp" 1152 from_port = 80 1153 to_port = 9000 1154 cidr_blocks = ["10.0.0.0/8"] 1155 } 1156 1157 ingress { 1158 protocol = "tcp" 1159 from_port = 80 1160 to_port = 8000 1161 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1162 } 1163 1164 egress { 1165 protocol = "tcp" 1166 from_port = 80 1167 to_port = 8000 1168 cidr_blocks = ["10.0.0.0/8"] 1169 } 1170 } 1171 ` 1172 1173 const testAccAWSSecurityGroupConfigSelf = ` 1174 resource "aws_vpc" "foo" { 1175 cidr_block = "10.1.0.0/16" 1176 } 1177 1178 resource "aws_security_group" "web" { 1179 name = "terraform_acceptance_test_example" 1180 description = "Used in the terraform acceptance tests" 1181 vpc_id = "${aws_vpc.foo.id}" 1182 1183 ingress { 1184 protocol = "tcp" 1185 from_port = 80 1186 to_port = 8000 1187 self = true 1188 } 1189 1190 egress { 1191 protocol = "tcp" 1192 from_port = 80 1193 to_port = 8000 1194 cidr_blocks = ["10.0.0.0/8"] 1195 } 1196 } 1197 ` 1198 1199 const testAccAWSSecurityGroupConfigVpc = ` 1200 resource "aws_vpc" "foo" { 1201 cidr_block = "10.1.0.0/16" 1202 } 1203 1204 resource "aws_security_group" "web" { 1205 name = "terraform_acceptance_test_example" 1206 description = "Used in the terraform acceptance tests" 1207 vpc_id = "${aws_vpc.foo.id}" 1208 1209 ingress { 1210 protocol = "tcp" 1211 from_port = 80 1212 to_port = 8000 1213 cidr_blocks = ["10.0.0.0/8"] 1214 } 1215 1216 egress { 1217 protocol = "tcp" 1218 from_port = 80 1219 to_port = 8000 1220 cidr_blocks = ["10.0.0.0/8"] 1221 } 1222 } 1223 ` 1224 1225 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1226 resource "aws_vpc" "foo" { 1227 cidr_block = "10.1.0.0/16" 1228 } 1229 1230 resource "aws_security_group" "web" { 1231 name = "terraform_acceptance_test_example" 1232 description = "Used in the terraform acceptance tests" 1233 vpc_id = "${aws_vpc.foo.id}" 1234 1235 ingress { 1236 protocol = "-1" 1237 from_port = 0 1238 to_port = 0 1239 cidr_blocks = ["10.0.0.0/8"] 1240 } 1241 } 1242 ` 1243 const testAccAWSSecurityGroupConfigMultiIngress = ` 1244 resource "aws_vpc" "foo" { 1245 cidr_block = "10.1.0.0/16" 1246 } 1247 1248 resource "aws_security_group" "worker" { 1249 name = "terraform_acceptance_test_example_1" 1250 description = "Used in the terraform acceptance tests" 1251 vpc_id = "${aws_vpc.foo.id}" 1252 1253 ingress { 1254 protocol = "tcp" 1255 from_port = 80 1256 to_port = 8000 1257 cidr_blocks = ["10.0.0.0/8"] 1258 } 1259 1260 egress { 1261 protocol = "tcp" 1262 from_port = 80 1263 to_port = 8000 1264 cidr_blocks = ["10.0.0.0/8"] 1265 } 1266 } 1267 1268 resource "aws_security_group" "web" { 1269 name = "terraform_acceptance_test_example_2" 1270 description = "Used in the terraform acceptance tests" 1271 vpc_id = "${aws_vpc.foo.id}" 1272 1273 ingress { 1274 protocol = "tcp" 1275 from_port = 22 1276 to_port = 22 1277 cidr_blocks = ["10.0.0.0/8"] 1278 } 1279 1280 ingress { 1281 protocol = "tcp" 1282 from_port = 800 1283 to_port = 800 1284 cidr_blocks = ["10.0.0.0/8"] 1285 } 1286 1287 ingress { 1288 protocol = "tcp" 1289 from_port = 80 1290 to_port = 8000 1291 security_groups = ["${aws_security_group.worker.id}"] 1292 } 1293 1294 egress { 1295 protocol = "tcp" 1296 from_port = 80 1297 to_port = 8000 1298 cidr_blocks = ["10.0.0.0/8"] 1299 } 1300 } 1301 ` 1302 1303 const testAccAWSSecurityGroupConfigTags = ` 1304 resource "aws_vpc" "foo" { 1305 cidr_block = "10.1.0.0/16" 1306 } 1307 1308 resource "aws_security_group" "foo" { 1309 name = "terraform_acceptance_test_example" 1310 description = "Used in the terraform acceptance tests" 1311 vpc_id = "${aws_vpc.foo.id}" 1312 1313 ingress { 1314 protocol = "tcp" 1315 from_port = 80 1316 to_port = 8000 1317 cidr_blocks = ["10.0.0.0/8"] 1318 } 1319 1320 egress { 1321 protocol = "tcp" 1322 from_port = 80 1323 to_port = 8000 1324 cidr_blocks = ["10.0.0.0/8"] 1325 } 1326 1327 tags { 1328 foo = "bar" 1329 } 1330 } 1331 ` 1332 1333 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1334 resource "aws_vpc" "foo" { 1335 cidr_block = "10.1.0.0/16" 1336 } 1337 1338 resource "aws_security_group" "foo" { 1339 name = "terraform_acceptance_test_example" 1340 description = "Used in the terraform acceptance tests" 1341 vpc_id = "${aws_vpc.foo.id}" 1342 1343 ingress { 1344 protocol = "tcp" 1345 from_port = 80 1346 to_port = 8000 1347 cidr_blocks = ["10.0.0.0/8"] 1348 } 1349 1350 egress { 1351 protocol = "tcp" 1352 from_port = 80 1353 to_port = 8000 1354 cidr_blocks = ["10.0.0.0/8"] 1355 } 1356 1357 tags { 1358 bar = "baz" 1359 env = "Production" 1360 } 1361 } 1362 ` 1363 1364 const testAccAWSSecurityGroupConfig_generatedName = ` 1365 resource "aws_vpc" "foo" { 1366 cidr_block = "10.1.0.0/16" 1367 } 1368 1369 resource "aws_security_group" "web" { 1370 vpc_id = "${aws_vpc.foo.id}" 1371 1372 ingress { 1373 protocol = "tcp" 1374 from_port = 80 1375 to_port = 8000 1376 cidr_blocks = ["10.0.0.0/8"] 1377 } 1378 1379 egress { 1380 protocol = "tcp" 1381 from_port = 80 1382 to_port = 8000 1383 cidr_blocks = ["10.0.0.0/8"] 1384 } 1385 1386 tags { 1387 Name = "tf-acc-test" 1388 } 1389 } 1390 ` 1391 1392 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1393 resource "aws_vpc" "tf_sg_egress_test" { 1394 cidr_block = "10.0.0.0/16" 1395 tags { 1396 Name = "tf_sg_egress_test" 1397 } 1398 } 1399 1400 resource "aws_security_group" "worker" { 1401 name = "terraform_acceptance_test_example_1" 1402 description = "Used in the terraform acceptance tests" 1403 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1404 1405 egress { 1406 protocol = "tcp" 1407 from_port = 80 1408 to_port = 8000 1409 cidr_blocks = ["10.0.0.0/8"] 1410 } 1411 } 1412 ` 1413 1414 const testAccAWSSecurityGroupConfigClassic = ` 1415 provider "aws" { 1416 region = "us-east-1" 1417 } 1418 1419 resource "aws_security_group" "web" { 1420 name = "terraform_acceptance_test_example_1" 1421 description = "Used in the terraform acceptance tests" 1422 } 1423 ` 1424 1425 const testAccAWSSecurityGroupPrefixNameConfig = ` 1426 provider "aws" { 1427 region = "us-east-1" 1428 } 1429 1430 resource "aws_security_group" "baz" { 1431 name_prefix = "baz-" 1432 description = "Used in the terraform acceptance tests" 1433 } 1434 ` 1435 1436 func testAccAWSSecurityGroupConfig_drift() string { 1437 return fmt.Sprintf(` 1438 resource "aws_security_group" "web" { 1439 name = "tf_acc_%d" 1440 description = "Used in the terraform acceptance tests" 1441 1442 ingress { 1443 protocol = "tcp" 1444 from_port = 80 1445 to_port = 8000 1446 cidr_blocks = ["10.0.0.0/8"] 1447 } 1448 1449 ingress { 1450 protocol = "tcp" 1451 from_port = 80 1452 to_port = 8000 1453 cidr_blocks = ["206.0.0.0/8"] 1454 } 1455 1456 tags { 1457 Name = "tf-acc-test" 1458 } 1459 } 1460 `, acctest.RandInt()) 1461 } 1462 1463 func testAccAWSSecurityGroupConfig_drift_complex() string { 1464 return fmt.Sprintf(` 1465 resource "aws_vpc" "foo" { 1466 cidr_block = "10.1.0.0/16" 1467 } 1468 1469 resource "aws_security_group" "otherweb" { 1470 name = "tf_acc_%d" 1471 description = "Used in the terraform acceptance tests" 1472 vpc_id = "${aws_vpc.foo.id}" 1473 } 1474 1475 resource "aws_security_group" "web" { 1476 name = "tf_acc_%d" 1477 description = "Used in the terraform acceptance tests" 1478 vpc_id = "${aws_vpc.foo.id}" 1479 1480 ingress { 1481 protocol = "tcp" 1482 from_port = 80 1483 to_port = 8000 1484 cidr_blocks = ["10.0.0.0/8"] 1485 } 1486 1487 ingress { 1488 protocol = "tcp" 1489 from_port = 80 1490 to_port = 8000 1491 cidr_blocks = ["206.0.0.0/8"] 1492 } 1493 1494 ingress { 1495 protocol = "tcp" 1496 from_port = 22 1497 to_port = 22 1498 security_groups = ["${aws_security_group.otherweb.id}"] 1499 } 1500 1501 egress { 1502 protocol = "tcp" 1503 from_port = 80 1504 to_port = 8000 1505 cidr_blocks = ["206.0.0.0/8"] 1506 } 1507 1508 egress { 1509 protocol = "tcp" 1510 from_port = 80 1511 to_port = 8000 1512 cidr_blocks = ["10.0.0.0/8"] 1513 } 1514 1515 egress { 1516 protocol = "tcp" 1517 from_port = 22 1518 to_port = 22 1519 security_groups = ["${aws_security_group.otherweb.id}"] 1520 } 1521 1522 tags { 1523 Name = "tf-acc-test" 1524 } 1525 }`, acctest.RandInt(), acctest.RandInt()) 1526 } 1527 1528 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1529 resource "aws_vpc" "foo" { 1530 cidr_block = "10.1.0.0/16" 1531 } 1532 1533 resource "aws_security_group" "two" { 1534 name = "tf-test-1" 1535 vpc_id = "${aws_vpc.foo.id}" 1536 tags { 1537 Name = "tf-test-1" 1538 } 1539 } 1540 1541 resource "aws_security_group" "one" { 1542 name = "tf-test-2" 1543 vpc_id = "${aws_vpc.foo.id}" 1544 tags { 1545 Name = "tf-test-w" 1546 } 1547 } 1548 1549 resource "aws_security_group" "three" { 1550 name = "tf-test-3" 1551 vpc_id = "${aws_vpc.foo.id}" 1552 tags { 1553 Name = "tf-test-3" 1554 } 1555 } 1556 1557 resource "aws_security_group" "mixed" { 1558 name = "tf-mix-test" 1559 vpc_id = "${aws_vpc.foo.id}" 1560 1561 ingress { 1562 from_port = 80 1563 to_port = 80 1564 protocol = "tcp" 1565 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1566 1567 security_groups = [ 1568 "${aws_security_group.one.id}", 1569 "${aws_security_group.two.id}", 1570 "${aws_security_group.three.id}", 1571 ] 1572 } 1573 1574 tags { 1575 Name = "tf-mix-test" 1576 } 1577 } 1578 ` 1579 1580 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1581 resource "aws_vpc" "foo" { 1582 cidr_block = "10.1.0.0/16" 1583 } 1584 1585 resource "aws_security_group" "other_web" { 1586 name = "tf_other_acc_tests" 1587 description = "Used in the terraform acceptance tests" 1588 vpc_id = "${aws_vpc.foo.id}" 1589 1590 tags { 1591 Name = "tf-acc-test" 1592 } 1593 } 1594 1595 resource "aws_security_group" "web" { 1596 name = "terraform_acceptance_test_example" 1597 description = "Used in the terraform acceptance tests" 1598 vpc_id = "${aws_vpc.foo.id}" 1599 1600 ingress { 1601 protocol = "tcp" 1602 from_port = "22" 1603 to_port = "22" 1604 1605 cidr_blocks = [ 1606 "192.168.0.1/32", 1607 ] 1608 } 1609 1610 ingress { 1611 protocol = "tcp" 1612 from_port = 80 1613 to_port = 8000 1614 cidr_blocks = ["10.0.0.0/8"] 1615 security_groups = ["${aws_security_group.other_web.id}"] 1616 } 1617 1618 egress { 1619 protocol = "tcp" 1620 from_port = 80 1621 to_port = 8000 1622 cidr_blocks = ["10.0.0.0/8"] 1623 } 1624 1625 tags { 1626 Name = "tf-acc-test" 1627 } 1628 } 1629 ` 1630 1631 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1632 provider "aws" { 1633 region = "us-east-1" 1634 } 1635 1636 resource "aws_security_group" "other_web" { 1637 name = "tf_other_acc_tests" 1638 description = "Used in the terraform acceptance tests" 1639 1640 tags { 1641 Name = "tf-acc-test" 1642 } 1643 } 1644 1645 resource "aws_security_group" "web" { 1646 name = "terraform_acceptance_test_example" 1647 description = "Used in the terraform acceptance tests" 1648 1649 ingress { 1650 protocol = "tcp" 1651 from_port = "22" 1652 to_port = "22" 1653 1654 cidr_blocks = [ 1655 "192.168.0.1/32", 1656 ] 1657 } 1658 1659 ingress { 1660 protocol = "tcp" 1661 from_port = 80 1662 to_port = 8000 1663 cidr_blocks = ["10.0.0.0/8"] 1664 security_groups = ["${aws_security_group.other_web.name}"] 1665 } 1666 1667 tags { 1668 Name = "tf-acc-test" 1669 } 1670 } 1671 ` 1672 1673 // fails to apply in one pass with the error "diffs didn't match during apply" 1674 // GH-2027 1675 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1676 resource "aws_vpc" "main" { 1677 cidr_block = "10.0.0.0/16" 1678 1679 tags { 1680 Name = "tf-test" 1681 } 1682 } 1683 1684 resource "aws_security_group" "ssh_base" { 1685 name = "test-ssh-base" 1686 vpc_id = "${aws_vpc.main.id}" 1687 } 1688 1689 resource "aws_security_group" "jump" { 1690 name = "test-jump" 1691 vpc_id = "${aws_vpc.main.id}" 1692 } 1693 1694 resource "aws_security_group" "provision" { 1695 name = "test-provision" 1696 vpc_id = "${aws_vpc.main.id}" 1697 } 1698 1699 resource "aws_security_group" "nat" { 1700 vpc_id = "${aws_vpc.main.id}" 1701 name = "nat" 1702 description = "For nat servers " 1703 1704 ingress { 1705 from_port = 22 1706 to_port = 22 1707 protocol = "tcp" 1708 security_groups = ["${aws_security_group.jump.id}"] 1709 } 1710 1711 ingress { 1712 from_port = 22 1713 to_port = 22 1714 protocol = "tcp" 1715 security_groups = ["${aws_security_group.provision.id}"] 1716 } 1717 } 1718 ` 1719 const testAccAWSSecurityGroupConfig_importSelf = ` 1720 resource "aws_vpc" "foo" { 1721 cidr_block = "10.1.0.0/16" 1722 1723 tags { 1724 Name = "tf_sg_import_test" 1725 } 1726 } 1727 1728 resource "aws_security_group" "allow_all" { 1729 name = "allow_all" 1730 description = "Allow all inbound traffic" 1731 vpc_id = "${aws_vpc.foo.id}" 1732 } 1733 1734 resource "aws_security_group_rule" "allow_all" { 1735 type = "ingress" 1736 from_port = 0 1737 to_port = 65535 1738 protocol = "tcp" 1739 cidr_blocks = ["0.0.0.0/0"] 1740 1741 security_group_id = "${aws_security_group.allow_all.id}" 1742 } 1743 1744 resource "aws_security_group_rule" "allow_all-1" { 1745 type = "ingress" 1746 from_port = 65534 1747 to_port = 65535 1748 protocol = "tcp" 1749 1750 self = true 1751 security_group_id = "${aws_security_group.allow_all.id}" 1752 } 1753 ` 1754 1755 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 1756 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 1757 cidr_block = "10.0.0.0/16" 1758 tags { 1759 Name = "tf_sg_prefix_list_egress_test" 1760 } 1761 } 1762 1763 resource "aws_route_table" "default" { 1764 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1765 } 1766 1767 resource "aws_vpc_endpoint" "s3-us-west-2" { 1768 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1769 service_name = "com.amazonaws.us-west-2.s3" 1770 route_table_ids = ["${aws_route_table.default.id}"] 1771 policy = <<POLICY 1772 { 1773 "Version": "2012-10-17", 1774 "Statement": [ 1775 { 1776 "Sid":"AllowAll", 1777 "Effect":"Allow", 1778 "Principal":"*", 1779 "Action":"*", 1780 "Resource":"*" 1781 } 1782 ] 1783 } 1784 POLICY 1785 } 1786 1787 resource "aws_security_group" "egress" { 1788 name = "terraform_acceptance_test_prefix_list_egress" 1789 description = "Used in the terraform acceptance tests" 1790 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1791 1792 egress { 1793 protocol = "-1" 1794 from_port = 0 1795 to_port = 0 1796 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 1797 } 1798 } 1799 `