github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "regexp" 7 "strings" 8 "testing" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/ec2" 13 "github.com/hashicorp/terraform/helper/acctest" 14 "github.com/hashicorp/terraform/helper/resource" 15 "github.com/hashicorp/terraform/helper/schema" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestProtocolStateFunc(t *testing.T) { 20 cases := []struct { 21 input interface{} 22 expected string 23 }{ 24 { 25 input: "tcp", 26 expected: "tcp", 27 }, 28 { 29 input: 6, 30 expected: "", 31 }, 32 { 33 input: "17", 34 expected: "udp", 35 }, 36 { 37 input: "all", 38 expected: "-1", 39 }, 40 { 41 input: "-1", 42 expected: "-1", 43 }, 44 { 45 input: -1, 46 expected: "", 47 }, 48 { 49 input: "1", 50 expected: "icmp", 51 }, 52 { 53 input: "icmp", 54 expected: "icmp", 55 }, 56 { 57 input: 1, 58 expected: "", 59 }, 60 } 61 for _, c := range cases { 62 result := protocolStateFunc(c.input) 63 if result != c.expected { 64 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 65 } 66 } 67 } 68 69 func TestProtocolForValue(t *testing.T) { 70 cases := []struct { 71 input string 72 expected string 73 }{ 74 { 75 input: "tcp", 76 expected: "tcp", 77 }, 78 { 79 input: "6", 80 expected: "tcp", 81 }, 82 { 83 input: "udp", 84 expected: "udp", 85 }, 86 { 87 input: "17", 88 expected: "udp", 89 }, 90 { 91 input: "all", 92 expected: "-1", 93 }, 94 { 95 input: "-1", 96 expected: "-1", 97 }, 98 { 99 input: "tCp", 100 expected: "tcp", 101 }, 102 { 103 input: "6", 104 expected: "tcp", 105 }, 106 { 107 input: "UDp", 108 expected: "udp", 109 }, 110 { 111 input: "17", 112 expected: "udp", 113 }, 114 { 115 input: "ALL", 116 expected: "-1", 117 }, 118 { 119 input: "icMp", 120 expected: "icmp", 121 }, 122 { 123 input: "1", 124 expected: "icmp", 125 }, 126 } 127 128 for _, c := range cases { 129 result := protocolForValue(c.input) 130 if result != c.expected { 131 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 132 } 133 } 134 } 135 136 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 137 raw := []*ec2.IpPermission{ 138 { 139 IpProtocol: aws.String("tcp"), 140 FromPort: aws.Int64(int64(1)), 141 ToPort: aws.Int64(int64(-1)), 142 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("0.0.0.0/0")}}, 143 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 144 { 145 GroupId: aws.String("sg-11111"), 146 }, 147 }, 148 }, 149 { 150 IpProtocol: aws.String("tcp"), 151 FromPort: aws.Int64(int64(80)), 152 ToPort: aws.Int64(int64(80)), 153 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 154 // VPC 155 { 156 GroupId: aws.String("sg-22222"), 157 }, 158 }, 159 }, 160 { 161 IpProtocol: aws.String("tcp"), 162 FromPort: aws.Int64(int64(443)), 163 ToPort: aws.Int64(int64(443)), 164 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 165 // Classic 166 { 167 UserId: aws.String("12345"), 168 GroupId: aws.String("sg-33333"), 169 GroupName: aws.String("ec2_classic"), 170 }, 171 { 172 UserId: aws.String("amazon-elb"), 173 GroupId: aws.String("sg-d2c979d3"), 174 GroupName: aws.String("amazon-elb-sg"), 175 }, 176 }, 177 }, 178 { 179 IpProtocol: aws.String("-1"), 180 FromPort: aws.Int64(int64(0)), 181 ToPort: aws.Int64(int64(0)), 182 PrefixListIds: []*ec2.PrefixListId{{PrefixListId: aws.String("pl-12345678")}}, 183 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 184 // VPC 185 { 186 GroupId: aws.String("sg-22222"), 187 }, 188 }, 189 }, 190 } 191 192 local := []map[string]interface{}{ 193 { 194 "protocol": "tcp", 195 "from_port": int64(1), 196 "to_port": int64(-1), 197 "cidr_blocks": []string{"0.0.0.0/0"}, 198 "self": true, 199 }, 200 { 201 "protocol": "tcp", 202 "from_port": int64(80), 203 "to_port": int64(80), 204 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 205 "sg-22222", 206 }), 207 }, 208 { 209 "protocol": "tcp", 210 "from_port": int64(443), 211 "to_port": int64(443), 212 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 213 "ec2_classic", 214 "amazon-elb/amazon-elb-sg", 215 }), 216 }, 217 { 218 "protocol": "-1", 219 "from_port": int64(0), 220 "to_port": int64(0), 221 "prefix_list_ids": []string{"pl-12345678"}, 222 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 223 "sg-22222", 224 }), 225 }, 226 } 227 228 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 229 for _, i := range out { 230 // loop and match rules, because the ordering is not guarneteed 231 for _, l := range local { 232 if i["from_port"] == l["from_port"] { 233 234 if i["to_port"] != l["to_port"] { 235 t.Fatalf("to_port does not match") 236 } 237 238 if _, ok := i["cidr_blocks"]; ok { 239 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 240 t.Fatalf("error matching cidr_blocks") 241 } 242 } 243 244 if _, ok := i["security_groups"]; ok { 245 outSet := i["security_groups"].(*schema.Set) 246 localSet := l["security_groups"].(*schema.Set) 247 248 if !outSet.Equal(localSet) { 249 t.Fatalf("Security Group sets are not equal") 250 } 251 } 252 } 253 } 254 } 255 } 256 257 func TestAccAWSSecurityGroup_basic(t *testing.T) { 258 var group ec2.SecurityGroup 259 260 resource.Test(t, resource.TestCase{ 261 PreCheck: func() { testAccPreCheck(t) }, 262 IDRefreshName: "aws_security_group.web", 263 Providers: testAccProviders, 264 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 265 Steps: []resource.TestStep{ 266 { 267 Config: testAccAWSSecurityGroupConfig, 268 Check: resource.ComposeTestCheckFunc( 269 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 270 testAccCheckAWSSecurityGroupAttributes(&group), 271 resource.TestCheckResourceAttr( 272 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 273 resource.TestCheckResourceAttr( 274 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 275 resource.TestCheckResourceAttr( 276 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 277 resource.TestCheckResourceAttr( 278 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 279 resource.TestCheckResourceAttr( 280 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 281 resource.TestCheckResourceAttr( 282 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 283 resource.TestCheckResourceAttr( 284 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_ipv6(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 resource.Test(t, resource.TestCase{ 295 PreCheck: func() { testAccPreCheck(t) }, 296 IDRefreshName: "aws_security_group.web", 297 Providers: testAccProviders, 298 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 299 Steps: []resource.TestStep{ 300 { 301 Config: testAccAWSSecurityGroupConfigIpv6, 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 304 resource.TestCheckResourceAttr( 305 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 306 resource.TestCheckResourceAttr( 307 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 308 resource.TestCheckResourceAttr( 309 "aws_security_group.web", "ingress.2293451516.protocol", "tcp"), 310 resource.TestCheckResourceAttr( 311 "aws_security_group.web", "ingress.2293451516.from_port", "80"), 312 resource.TestCheckResourceAttr( 313 "aws_security_group.web", "ingress.2293451516.to_port", "8000"), 314 resource.TestCheckResourceAttr( 315 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.#", "1"), 316 resource.TestCheckResourceAttr( 317 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.0", "::/0"), 318 ), 319 }, 320 }, 321 }) 322 } 323 324 func TestAccAWSSecurityGroup_tagsCreatedFirst(t *testing.T) { 325 var group ec2.SecurityGroup 326 327 resource.Test(t, resource.TestCase{ 328 PreCheck: func() { testAccPreCheck(t) }, 329 Providers: testAccProviders, 330 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 331 Steps: []resource.TestStep{ 332 { 333 Config: testAccAWSSecurityGroupConfigForTagsOrdering, 334 ExpectError: regexp.MustCompile("InvalidParameterValue"), 335 Check: resource.ComposeTestCheckFunc( 336 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 337 testAccCheckTags(&group.Tags, "Name", "tf-acc-test"), 338 ), 339 }, 340 }, 341 }) 342 } 343 344 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 345 var group ec2.SecurityGroup 346 347 resource.Test(t, resource.TestCase{ 348 PreCheck: func() { testAccPreCheck(t) }, 349 IDRefreshName: "aws_security_group.baz", 350 IDRefreshIgnore: []string{"name_prefix"}, 351 Providers: testAccProviders, 352 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 353 Steps: []resource.TestStep{ 354 { 355 Config: testAccAWSSecurityGroupPrefixNameConfig, 356 Check: resource.ComposeTestCheckFunc( 357 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 358 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 359 "aws_security_group.baz", "baz-"), 360 ), 361 }, 362 }, 363 }) 364 } 365 366 func TestAccAWSSecurityGroup_self(t *testing.T) { 367 var group ec2.SecurityGroup 368 369 checkSelf := func(s *terraform.State) (err error) { 370 defer func() { 371 if e := recover(); e != nil { 372 err = fmt.Errorf("bad: %#v", group) 373 } 374 }() 375 376 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 377 return fmt.Errorf("bad: %#v", group) 378 } 379 380 return nil 381 } 382 383 resource.Test(t, resource.TestCase{ 384 PreCheck: func() { testAccPreCheck(t) }, 385 IDRefreshName: "aws_security_group.web", 386 Providers: testAccProviders, 387 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 388 Steps: []resource.TestStep{ 389 { 390 Config: testAccAWSSecurityGroupConfigSelf, 391 Check: resource.ComposeTestCheckFunc( 392 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 393 resource.TestCheckResourceAttr( 394 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 395 resource.TestCheckResourceAttr( 396 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 397 resource.TestCheckResourceAttr( 398 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 399 resource.TestCheckResourceAttr( 400 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 401 resource.TestCheckResourceAttr( 402 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 403 resource.TestCheckResourceAttr( 404 "aws_security_group.web", "ingress.3971148406.self", "true"), 405 checkSelf, 406 ), 407 }, 408 }, 409 }) 410 } 411 412 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 413 var group ec2.SecurityGroup 414 415 testCheck := func(*terraform.State) error { 416 if *group.VpcId == "" { 417 return fmt.Errorf("should have vpc ID") 418 } 419 420 return nil 421 } 422 423 resource.Test(t, resource.TestCase{ 424 PreCheck: func() { testAccPreCheck(t) }, 425 IDRefreshName: "aws_security_group.web", 426 Providers: testAccProviders, 427 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 428 Steps: []resource.TestStep{ 429 { 430 Config: testAccAWSSecurityGroupConfigVpc, 431 Check: resource.ComposeTestCheckFunc( 432 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 433 testAccCheckAWSSecurityGroupAttributes(&group), 434 resource.TestCheckResourceAttr( 435 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 436 resource.TestCheckResourceAttr( 437 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 438 resource.TestCheckResourceAttr( 439 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 440 resource.TestCheckResourceAttr( 441 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 442 resource.TestCheckResourceAttr( 443 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 444 resource.TestCheckResourceAttr( 445 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 446 resource.TestCheckResourceAttr( 447 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 448 resource.TestCheckResourceAttr( 449 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 450 resource.TestCheckResourceAttr( 451 "aws_security_group.web", "egress.3629188364.from_port", "80"), 452 resource.TestCheckResourceAttr( 453 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 454 resource.TestCheckResourceAttr( 455 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 456 resource.TestCheckResourceAttr( 457 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 458 testCheck, 459 ), 460 }, 461 }, 462 }) 463 } 464 465 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 466 var group ec2.SecurityGroup 467 468 testCheck := func(*terraform.State) error { 469 if *group.VpcId == "" { 470 return fmt.Errorf("should have vpc ID") 471 } 472 473 return nil 474 } 475 476 resource.Test(t, resource.TestCase{ 477 PreCheck: func() { testAccPreCheck(t) }, 478 IDRefreshName: "aws_security_group.web", 479 Providers: testAccProviders, 480 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 481 Steps: []resource.TestStep{ 482 { 483 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 484 Check: resource.ComposeTestCheckFunc( 485 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 486 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 487 resource.TestCheckResourceAttr( 488 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 489 resource.TestCheckResourceAttr( 490 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 491 resource.TestCheckResourceAttr( 492 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 493 resource.TestCheckResourceAttr( 494 "aws_security_group.web", "ingress.956249133.from_port", "0"), 495 resource.TestCheckResourceAttr( 496 "aws_security_group.web", "ingress.956249133.to_port", "0"), 497 resource.TestCheckResourceAttr( 498 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 499 resource.TestCheckResourceAttr( 500 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 501 testCheck, 502 ), 503 }, 504 }, 505 }) 506 } 507 func TestAccAWSSecurityGroup_vpcProtoNumIngress(t *testing.T) { 508 var group ec2.SecurityGroup 509 510 testCheck := func(*terraform.State) error { 511 if *group.VpcId == "" { 512 return fmt.Errorf("should have vpc ID") 513 } 514 515 return nil 516 } 517 518 resource.Test(t, resource.TestCase{ 519 PreCheck: func() { testAccPreCheck(t) }, 520 IDRefreshName: "aws_security_group.web", 521 Providers: testAccProviders, 522 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 523 Steps: []resource.TestStep{ 524 { 525 Config: testAccAWSSecurityGroupConfigVpcProtoNumIngress, 526 Check: resource.ComposeTestCheckFunc( 527 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 528 resource.TestCheckResourceAttr( 529 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 530 resource.TestCheckResourceAttr( 531 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 532 resource.TestCheckResourceAttr( 533 "aws_security_group.web", "ingress.2449525218.protocol", "50"), 534 resource.TestCheckResourceAttr( 535 "aws_security_group.web", "ingress.2449525218.from_port", "0"), 536 resource.TestCheckResourceAttr( 537 "aws_security_group.web", "ingress.2449525218.to_port", "0"), 538 resource.TestCheckResourceAttr( 539 "aws_security_group.web", "ingress.2449525218.cidr_blocks.#", "1"), 540 resource.TestCheckResourceAttr( 541 "aws_security_group.web", "ingress.2449525218.cidr_blocks.0", "10.0.0.0/8"), 542 testCheck, 543 ), 544 }, 545 }, 546 }) 547 } 548 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 549 var group ec2.SecurityGroup 550 551 resource.Test(t, resource.TestCase{ 552 PreCheck: func() { testAccPreCheck(t) }, 553 IDRefreshName: "aws_security_group.web", 554 Providers: testAccProviders, 555 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 556 Steps: []resource.TestStep{ 557 { 558 Config: testAccAWSSecurityGroupConfigMultiIngress, 559 Check: resource.ComposeTestCheckFunc( 560 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 561 ), 562 }, 563 }, 564 }) 565 } 566 567 func TestAccAWSSecurityGroup_Change(t *testing.T) { 568 var group ec2.SecurityGroup 569 570 resource.Test(t, resource.TestCase{ 571 PreCheck: func() { testAccPreCheck(t) }, 572 IDRefreshName: "aws_security_group.web", 573 Providers: testAccProviders, 574 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 575 Steps: []resource.TestStep{ 576 { 577 Config: testAccAWSSecurityGroupConfig, 578 Check: resource.ComposeTestCheckFunc( 579 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 580 ), 581 }, 582 { 583 Config: testAccAWSSecurityGroupConfigChange, 584 Check: resource.ComposeTestCheckFunc( 585 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 586 testAccCheckAWSSecurityGroupAttributesChanged(&group), 587 ), 588 }, 589 }, 590 }) 591 } 592 593 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 594 var group ec2.SecurityGroup 595 596 resource.Test(t, resource.TestCase{ 597 PreCheck: func() { testAccPreCheck(t) }, 598 IDRefreshName: "aws_security_group.web", 599 Providers: testAccProviders, 600 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 601 Steps: []resource.TestStep{ 602 { 603 Config: testAccAWSSecurityGroupConfig_generatedName, 604 Check: resource.ComposeTestCheckFunc( 605 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 606 resource.TestCheckResourceAttr( 607 "aws_security_group.web", "description", "Managed by Terraform"), 608 func(s *terraform.State) error { 609 if group.GroupName == nil { 610 return fmt.Errorf("bad: No SG name") 611 } 612 if !strings.HasPrefix(*group.GroupName, "terraform-") { 613 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 614 } 615 return nil 616 }, 617 ), 618 }, 619 }, 620 }) 621 } 622 623 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 624 625 // VPC 626 resource.Test(t, resource.TestCase{ 627 PreCheck: func() { testAccPreCheck(t) }, 628 IDRefreshName: "aws_security_group.worker", 629 Providers: testAccProviders, 630 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 631 Steps: []resource.TestStep{ 632 { 633 Config: testAccAWSSecurityGroupConfigDefaultEgress, 634 Check: resource.ComposeTestCheckFunc( 635 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 636 ), 637 }, 638 }, 639 }) 640 } 641 642 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 643 644 // Classic 645 var group ec2.SecurityGroup 646 resource.Test(t, resource.TestCase{ 647 PreCheck: func() { testAccPreCheck(t) }, 648 IDRefreshName: "aws_security_group.web", 649 Providers: testAccProviders, 650 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 651 Steps: []resource.TestStep{ 652 { 653 Config: testAccAWSSecurityGroupConfigClassic, 654 Check: resource.ComposeTestCheckFunc( 655 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 656 ), 657 }, 658 }, 659 }) 660 } 661 662 // Testing drift detection with groups containing the same port and types 663 func TestAccAWSSecurityGroup_drift(t *testing.T) { 664 var group ec2.SecurityGroup 665 resource.Test(t, resource.TestCase{ 666 PreCheck: func() { testAccPreCheck(t) }, 667 Providers: testAccProviders, 668 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 669 Steps: []resource.TestStep{ 670 { 671 Config: testAccAWSSecurityGroupConfig_drift(), 672 Check: resource.ComposeTestCheckFunc( 673 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 674 resource.TestCheckResourceAttr( 675 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 676 resource.TestCheckResourceAttr( 677 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 678 resource.TestCheckResourceAttr( 679 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 680 resource.TestCheckResourceAttr( 681 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 682 resource.TestCheckResourceAttr( 683 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 684 resource.TestCheckResourceAttr( 685 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 686 ), 687 }, 688 }, 689 }) 690 } 691 692 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 693 var group ec2.SecurityGroup 694 695 resource.Test(t, resource.TestCase{ 696 PreCheck: func() { testAccPreCheck(t) }, 697 Providers: testAccProviders, 698 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 699 Steps: []resource.TestStep{ 700 { 701 Config: testAccAWSSecurityGroupConfig_drift_complex(), 702 Check: resource.ComposeTestCheckFunc( 703 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 704 resource.TestCheckResourceAttr( 705 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 706 resource.TestCheckResourceAttr( 707 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 708 resource.TestCheckResourceAttr( 709 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 710 resource.TestCheckResourceAttr( 711 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 712 resource.TestCheckResourceAttr( 713 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 714 resource.TestCheckResourceAttr( 715 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 716 ), 717 }, 718 }, 719 }) 720 } 721 722 func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) { 723 resource.Test(t, resource.TestCase{ 724 PreCheck: func() { testAccPreCheck(t) }, 725 Providers: testAccProviders, 726 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 727 Steps: []resource.TestStep{ 728 { 729 Config: testAccAWSSecurityGroupInvalidIngressCidr, 730 ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"), 731 }, 732 { 733 Config: testAccAWSSecurityGroupInvalidEgressCidr, 734 ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"), 735 }, 736 { 737 Config: testAccAWSSecurityGroupInvalidIPv6IngressCidr, 738 ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"), 739 }, 740 { 741 Config: testAccAWSSecurityGroupInvalidIPv6EgressCidr, 742 ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"), 743 }, 744 }, 745 }) 746 } 747 748 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 749 conn := testAccProvider.Meta().(*AWSClient).ec2conn 750 751 for _, rs := range s.RootModule().Resources { 752 if rs.Type != "aws_security_group" { 753 continue 754 } 755 756 // Retrieve our group 757 req := &ec2.DescribeSecurityGroupsInput{ 758 GroupIds: []*string{aws.String(rs.Primary.ID)}, 759 } 760 resp, err := conn.DescribeSecurityGroups(req) 761 if err == nil { 762 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 763 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 764 } 765 766 return nil 767 } 768 769 ec2err, ok := err.(awserr.Error) 770 if !ok { 771 return err 772 } 773 // Confirm error code is what we want 774 if ec2err.Code() != "InvalidGroup.NotFound" { 775 return err 776 } 777 } 778 779 return nil 780 } 781 782 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 783 resource, prefix string) resource.TestCheckFunc { 784 return func(s *terraform.State) error { 785 r, ok := s.RootModule().Resources[resource] 786 if !ok { 787 return fmt.Errorf("Resource not found") 788 } 789 name, ok := r.Primary.Attributes["name"] 790 if !ok { 791 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 792 } 793 if !strings.HasPrefix(name, prefix) { 794 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 795 } 796 return nil 797 } 798 } 799 800 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 801 return func(s *terraform.State) error { 802 rs, ok := s.RootModule().Resources[n] 803 if !ok { 804 return fmt.Errorf("Not found: %s", n) 805 } 806 807 if rs.Primary.ID == "" { 808 return fmt.Errorf("No Security Group is set") 809 } 810 811 conn := testAccProvider.Meta().(*AWSClient).ec2conn 812 req := &ec2.DescribeSecurityGroupsInput{ 813 GroupIds: []*string{aws.String(rs.Primary.ID)}, 814 } 815 resp, err := conn.DescribeSecurityGroups(req) 816 if err != nil { 817 return err 818 } 819 820 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 821 *group = *resp.SecurityGroups[0] 822 return nil 823 } 824 825 return fmt.Errorf("Security Group not found") 826 } 827 } 828 829 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 830 return func(s *terraform.State) error { 831 p := &ec2.IpPermission{ 832 FromPort: aws.Int64(80), 833 ToPort: aws.Int64(8000), 834 IpProtocol: aws.String("tcp"), 835 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 836 } 837 838 if *group.GroupName != "terraform_acceptance_test_example" { 839 return fmt.Errorf("Bad name: %s", *group.GroupName) 840 } 841 842 if *group.Description != "Used in the terraform acceptance tests" { 843 return fmt.Errorf("Bad description: %s", *group.Description) 844 } 845 846 if len(group.IpPermissions) == 0 { 847 return fmt.Errorf("No IPPerms") 848 } 849 850 // Compare our ingress 851 if !reflect.DeepEqual(group.IpPermissions[0], p) { 852 return fmt.Errorf( 853 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 854 group.IpPermissions[0], 855 p) 856 } 857 858 return nil 859 } 860 } 861 862 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 863 return func(s *terraform.State) error { 864 p := &ec2.IpPermission{ 865 IpProtocol: aws.String("-1"), 866 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 867 } 868 869 if *group.GroupName != "terraform_acceptance_test_example" { 870 return fmt.Errorf("Bad name: %s", *group.GroupName) 871 } 872 873 if *group.Description != "Used in the terraform acceptance tests" { 874 return fmt.Errorf("Bad description: %s", *group.Description) 875 } 876 877 if len(group.IpPermissions) == 0 { 878 return fmt.Errorf("No IPPerms") 879 } 880 881 // Compare our ingress 882 if !reflect.DeepEqual(group.IpPermissions[0], p) { 883 return fmt.Errorf( 884 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 885 group.IpPermissions[0], 886 p) 887 } 888 889 return nil 890 } 891 } 892 893 func TestAccAWSSecurityGroup_tags(t *testing.T) { 894 var group ec2.SecurityGroup 895 896 resource.Test(t, resource.TestCase{ 897 PreCheck: func() { testAccPreCheck(t) }, 898 Providers: testAccProviders, 899 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 900 Steps: []resource.TestStep{ 901 { 902 Config: testAccAWSSecurityGroupConfigTags, 903 Check: resource.ComposeTestCheckFunc( 904 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 905 testAccCheckTags(&group.Tags, "foo", "bar"), 906 ), 907 }, 908 909 { 910 Config: testAccAWSSecurityGroupConfigTagsUpdate, 911 Check: resource.ComposeTestCheckFunc( 912 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 913 testAccCheckTags(&group.Tags, "foo", ""), 914 testAccCheckTags(&group.Tags, "bar", "baz"), 915 testAccCheckTags(&group.Tags, "env", "Production"), 916 ), 917 }, 918 }, 919 }) 920 } 921 922 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 923 var group ec2.SecurityGroup 924 925 resource.Test(t, resource.TestCase{ 926 PreCheck: func() { testAccPreCheck(t) }, 927 Providers: testAccProviders, 928 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 929 Steps: []resource.TestStep{ 930 { 931 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 932 Check: resource.ComposeTestCheckFunc( 933 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 934 // testAccCheckAWSSecurityGroupAttributes(&group), 935 ), 936 }, 937 }, 938 }) 939 } 940 941 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 942 var group ec2.SecurityGroup 943 944 resource.Test(t, resource.TestCase{ 945 PreCheck: func() { testAccPreCheck(t) }, 946 Providers: testAccProviders, 947 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 948 Steps: []resource.TestStep{ 949 { 950 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 951 Check: resource.ComposeTestCheckFunc( 952 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 953 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 954 resource.TestCheckResourceAttr( 955 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 956 resource.TestCheckResourceAttr( 957 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 958 resource.TestCheckResourceAttr( 959 "aws_security_group.web", "ingress.#", "2"), 960 ), 961 }, 962 }, 963 }) 964 } 965 966 // This test requires an EC2 Classic region 967 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 968 var group ec2.SecurityGroup 969 970 resource.Test(t, resource.TestCase{ 971 PreCheck: func() { testAccPreCheck(t) }, 972 Providers: testAccProviders, 973 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 974 Steps: []resource.TestStep{ 975 { 976 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 977 Check: resource.ComposeTestCheckFunc( 978 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 979 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 980 resource.TestCheckResourceAttr( 981 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 982 resource.TestCheckResourceAttr( 983 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 984 resource.TestCheckResourceAttr( 985 "aws_security_group.web", "ingress.#", "2"), 986 ), 987 }, 988 }, 989 }) 990 } 991 992 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 993 var group ec2.SecurityGroup 994 995 resource.Test(t, resource.TestCase{ 996 PreCheck: func() { testAccPreCheck(t) }, 997 Providers: testAccProviders, 998 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 999 Steps: []resource.TestStep{ 1000 { 1001 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 1002 Check: resource.ComposeTestCheckFunc( 1003 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 1004 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 1005 resource.TestCheckResourceAttr( 1006 "aws_security_group.egress", "egress.#", "1"), 1007 ), 1008 }, 1009 }, 1010 }) 1011 } 1012 1013 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 1014 return func(s *terraform.State) error { 1015 if *group.GroupName != "terraform_acceptance_test_example" { 1016 return fmt.Errorf("Bad name: %s", *group.GroupName) 1017 } 1018 1019 if *group.Description != "Used in the terraform acceptance tests" { 1020 return fmt.Errorf("Bad description: %s", *group.Description) 1021 } 1022 1023 if len(group.IpPermissions) == 0 { 1024 return fmt.Errorf("No IPPerms") 1025 } 1026 1027 if len(group.IpPermissions) != 2 { 1028 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 1029 } 1030 1031 for _, p := range group.IpPermissions { 1032 if *p.FromPort == int64(22) { 1033 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 1034 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 1035 } 1036 continue 1037 } else if *p.FromPort == int64(80) { 1038 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 1039 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 1040 } 1041 continue 1042 } 1043 return fmt.Errorf("Found a rouge rule") 1044 } 1045 1046 return nil 1047 } 1048 } 1049 1050 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 1051 return func(s *terraform.State) error { 1052 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 1053 return fmt.Errorf("Bad name: %s", *group.GroupName) 1054 } 1055 if *group.Description != "Used in the terraform acceptance tests" { 1056 return fmt.Errorf("Bad description: %s", *group.Description) 1057 } 1058 if len(group.IpPermissionsEgress) == 0 { 1059 return fmt.Errorf("No egress IPPerms") 1060 } 1061 if len(group.IpPermissionsEgress) != 1 { 1062 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 1063 } 1064 1065 p := group.IpPermissionsEgress[0] 1066 1067 if len(p.PrefixListIds) != 1 { 1068 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 1069 } 1070 1071 return nil 1072 } 1073 } 1074 1075 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 1076 return func(s *terraform.State) error { 1077 p := []*ec2.IpPermission{ 1078 { 1079 FromPort: aws.Int64(80), 1080 ToPort: aws.Int64(9000), 1081 IpProtocol: aws.String("tcp"), 1082 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 1083 }, 1084 { 1085 FromPort: aws.Int64(80), 1086 ToPort: aws.Int64(8000), 1087 IpProtocol: aws.String("tcp"), 1088 IpRanges: []*ec2.IpRange{ 1089 { 1090 CidrIp: aws.String("0.0.0.0/0"), 1091 }, 1092 { 1093 CidrIp: aws.String("10.0.0.0/8"), 1094 }, 1095 }, 1096 }, 1097 } 1098 1099 if *group.GroupName != "terraform_acceptance_test_example" { 1100 return fmt.Errorf("Bad name: %s", *group.GroupName) 1101 } 1102 1103 if *group.Description != "Used in the terraform acceptance tests" { 1104 return fmt.Errorf("Bad description: %s", *group.Description) 1105 } 1106 1107 // Compare our ingress 1108 if len(group.IpPermissions) != 2 { 1109 return fmt.Errorf( 1110 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1111 group.IpPermissions, 1112 p) 1113 } 1114 1115 if *group.IpPermissions[0].ToPort == 8000 { 1116 group.IpPermissions[1], group.IpPermissions[0] = 1117 group.IpPermissions[0], group.IpPermissions[1] 1118 } 1119 1120 if !reflect.DeepEqual(group.IpPermissions, p) { 1121 return fmt.Errorf( 1122 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1123 group.IpPermissions, 1124 p) 1125 } 1126 1127 return nil 1128 } 1129 } 1130 1131 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1132 return func(s *terraform.State) error { 1133 rs, ok := s.RootModule().Resources[n] 1134 if !ok { 1135 return fmt.Errorf("Not found: %s", n) 1136 } 1137 1138 if rs.Primary.ID == "" { 1139 return fmt.Errorf("No Security Group is set") 1140 } 1141 1142 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1143 req := &ec2.DescribeSecurityGroupsInput{ 1144 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1145 } 1146 resp, err := conn.DescribeSecurityGroups(req) 1147 if err != nil { 1148 return err 1149 } 1150 1151 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1152 group := *resp.SecurityGroups[0] 1153 1154 if len(group.IpPermissionsEgress) != 1 { 1155 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1156 } 1157 } 1158 1159 return nil 1160 } 1161 } 1162 1163 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1164 var group ec2.SecurityGroup 1165 1166 resource.Test(t, resource.TestCase{ 1167 PreCheck: func() { testAccPreCheck(t) }, 1168 Providers: testAccProviders, 1169 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1170 Steps: []resource.TestStep{ 1171 { 1172 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1173 Check: resource.ComposeTestCheckFunc( 1174 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1175 ), 1176 }, 1177 }, 1178 }) 1179 } 1180 1181 const testAccAWSSecurityGroupConfigForTagsOrdering = ` 1182 resource "aws_vpc" "foo" { 1183 cidr_block = "10.1.0.0/16" 1184 } 1185 1186 resource "aws_security_group" "web" { 1187 name = "terraform_acceptance_test_example" 1188 description = "Used in the terraform acceptance tests" 1189 vpc_id = "${aws_vpc.foo.id}" 1190 1191 ingress { 1192 protocol = "6" 1193 from_port = 80 1194 to_port = 80000 1195 cidr_blocks = ["10.0.0.0/8"] 1196 } 1197 1198 egress { 1199 protocol = "tcp" 1200 from_port = 80 1201 to_port = 8000 1202 cidr_blocks = ["10.0.0.0/8"] 1203 } 1204 1205 tags { 1206 Name = "tf-acc-test" 1207 } 1208 }` 1209 1210 const testAccAWSSecurityGroupConfigIpv6 = ` 1211 resource "aws_vpc" "foo" { 1212 cidr_block = "10.1.0.0/16" 1213 } 1214 1215 resource "aws_security_group" "web" { 1216 name = "terraform_acceptance_test_example" 1217 description = "Used in the terraform acceptance tests" 1218 vpc_id = "${aws_vpc.foo.id}" 1219 1220 ingress { 1221 protocol = "6" 1222 from_port = 80 1223 to_port = 8000 1224 ipv6_cidr_blocks = ["::/0"] 1225 } 1226 1227 egress { 1228 protocol = "tcp" 1229 from_port = 80 1230 to_port = 8000 1231 ipv6_cidr_blocks = ["::/0"] 1232 } 1233 1234 tags { 1235 Name = "tf-acc-test" 1236 } 1237 } 1238 ` 1239 1240 const testAccAWSSecurityGroupConfig = ` 1241 resource "aws_vpc" "foo" { 1242 cidr_block = "10.1.0.0/16" 1243 } 1244 1245 resource "aws_security_group" "web" { 1246 name = "terraform_acceptance_test_example" 1247 description = "Used in the terraform acceptance tests" 1248 vpc_id = "${aws_vpc.foo.id}" 1249 1250 ingress { 1251 protocol = "6" 1252 from_port = 80 1253 to_port = 8000 1254 cidr_blocks = ["10.0.0.0/8"] 1255 } 1256 1257 egress { 1258 protocol = "tcp" 1259 from_port = 80 1260 to_port = 8000 1261 cidr_blocks = ["10.0.0.0/8"] 1262 } 1263 1264 tags { 1265 Name = "tf-acc-test" 1266 } 1267 } 1268 ` 1269 1270 const testAccAWSSecurityGroupConfigChange = ` 1271 resource "aws_vpc" "foo" { 1272 cidr_block = "10.1.0.0/16" 1273 } 1274 1275 resource "aws_security_group" "web" { 1276 name = "terraform_acceptance_test_example" 1277 description = "Used in the terraform acceptance tests" 1278 vpc_id = "${aws_vpc.foo.id}" 1279 1280 ingress { 1281 protocol = "tcp" 1282 from_port = 80 1283 to_port = 9000 1284 cidr_blocks = ["10.0.0.0/8"] 1285 } 1286 1287 ingress { 1288 protocol = "tcp" 1289 from_port = 80 1290 to_port = 8000 1291 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1292 } 1293 1294 egress { 1295 protocol = "tcp" 1296 from_port = 80 1297 to_port = 8000 1298 cidr_blocks = ["10.0.0.0/8"] 1299 } 1300 } 1301 ` 1302 1303 const testAccAWSSecurityGroupConfigSelf = ` 1304 resource "aws_vpc" "foo" { 1305 cidr_block = "10.1.0.0/16" 1306 } 1307 1308 resource "aws_security_group" "web" { 1309 name = "terraform_acceptance_test_example" 1310 description = "Used in the terraform acceptance tests" 1311 vpc_id = "${aws_vpc.foo.id}" 1312 1313 ingress { 1314 protocol = "tcp" 1315 from_port = 80 1316 to_port = 8000 1317 self = true 1318 } 1319 1320 egress { 1321 protocol = "tcp" 1322 from_port = 80 1323 to_port = 8000 1324 cidr_blocks = ["10.0.0.0/8"] 1325 } 1326 } 1327 ` 1328 1329 const testAccAWSSecurityGroupConfigVpc = ` 1330 resource "aws_vpc" "foo" { 1331 cidr_block = "10.1.0.0/16" 1332 } 1333 1334 resource "aws_security_group" "web" { 1335 name = "terraform_acceptance_test_example" 1336 description = "Used in the terraform acceptance tests" 1337 vpc_id = "${aws_vpc.foo.id}" 1338 1339 ingress { 1340 protocol = "tcp" 1341 from_port = 80 1342 to_port = 8000 1343 cidr_blocks = ["10.0.0.0/8"] 1344 } 1345 1346 egress { 1347 protocol = "tcp" 1348 from_port = 80 1349 to_port = 8000 1350 cidr_blocks = ["10.0.0.0/8"] 1351 } 1352 } 1353 ` 1354 1355 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1356 resource "aws_vpc" "foo" { 1357 cidr_block = "10.1.0.0/16" 1358 } 1359 1360 resource "aws_security_group" "web" { 1361 name = "terraform_acceptance_test_example" 1362 description = "Used in the terraform acceptance tests" 1363 vpc_id = "${aws_vpc.foo.id}" 1364 1365 ingress { 1366 protocol = "-1" 1367 from_port = 0 1368 to_port = 0 1369 cidr_blocks = ["10.0.0.0/8"] 1370 } 1371 } 1372 ` 1373 1374 const testAccAWSSecurityGroupConfigVpcProtoNumIngress = ` 1375 resource "aws_vpc" "foo" { 1376 cidr_block = "10.1.0.0/16" 1377 } 1378 1379 resource "aws_security_group" "web" { 1380 name = "terraform_acceptance_test_example" 1381 description = "Used in the terraform acceptance tests" 1382 vpc_id = "${aws_vpc.foo.id}" 1383 1384 ingress { 1385 protocol = "50" 1386 from_port = 0 1387 to_port = 0 1388 cidr_blocks = ["10.0.0.0/8"] 1389 } 1390 } 1391 ` 1392 1393 const testAccAWSSecurityGroupConfigMultiIngress = ` 1394 resource "aws_vpc" "foo" { 1395 cidr_block = "10.1.0.0/16" 1396 } 1397 1398 resource "aws_security_group" "worker" { 1399 name = "terraform_acceptance_test_example_1" 1400 description = "Used in the terraform acceptance tests" 1401 vpc_id = "${aws_vpc.foo.id}" 1402 1403 ingress { 1404 protocol = "tcp" 1405 from_port = 80 1406 to_port = 8000 1407 cidr_blocks = ["10.0.0.0/8"] 1408 } 1409 1410 egress { 1411 protocol = "tcp" 1412 from_port = 80 1413 to_port = 8000 1414 cidr_blocks = ["10.0.0.0/8"] 1415 } 1416 } 1417 1418 resource "aws_security_group" "web" { 1419 name = "terraform_acceptance_test_example_2" 1420 description = "Used in the terraform acceptance tests" 1421 vpc_id = "${aws_vpc.foo.id}" 1422 1423 ingress { 1424 protocol = "tcp" 1425 from_port = 22 1426 to_port = 22 1427 cidr_blocks = ["10.0.0.0/8"] 1428 } 1429 1430 ingress { 1431 protocol = "tcp" 1432 from_port = 800 1433 to_port = 800 1434 cidr_blocks = ["10.0.0.0/8"] 1435 } 1436 1437 ingress { 1438 protocol = "tcp" 1439 from_port = 80 1440 to_port = 8000 1441 security_groups = ["${aws_security_group.worker.id}"] 1442 } 1443 1444 egress { 1445 protocol = "tcp" 1446 from_port = 80 1447 to_port = 8000 1448 cidr_blocks = ["10.0.0.0/8"] 1449 } 1450 } 1451 ` 1452 1453 const testAccAWSSecurityGroupConfigTags = ` 1454 resource "aws_vpc" "foo" { 1455 cidr_block = "10.1.0.0/16" 1456 } 1457 1458 resource "aws_security_group" "foo" { 1459 name = "terraform_acceptance_test_example" 1460 description = "Used in the terraform acceptance tests" 1461 vpc_id = "${aws_vpc.foo.id}" 1462 1463 ingress { 1464 protocol = "tcp" 1465 from_port = 80 1466 to_port = 8000 1467 cidr_blocks = ["10.0.0.0/8"] 1468 } 1469 1470 egress { 1471 protocol = "tcp" 1472 from_port = 80 1473 to_port = 8000 1474 cidr_blocks = ["10.0.0.0/8"] 1475 } 1476 1477 tags { 1478 foo = "bar" 1479 } 1480 } 1481 ` 1482 1483 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1484 resource "aws_vpc" "foo" { 1485 cidr_block = "10.1.0.0/16" 1486 } 1487 1488 resource "aws_security_group" "foo" { 1489 name = "terraform_acceptance_test_example" 1490 description = "Used in the terraform acceptance tests" 1491 vpc_id = "${aws_vpc.foo.id}" 1492 1493 ingress { 1494 protocol = "tcp" 1495 from_port = 80 1496 to_port = 8000 1497 cidr_blocks = ["10.0.0.0/8"] 1498 } 1499 1500 egress { 1501 protocol = "tcp" 1502 from_port = 80 1503 to_port = 8000 1504 cidr_blocks = ["10.0.0.0/8"] 1505 } 1506 1507 tags { 1508 bar = "baz" 1509 env = "Production" 1510 } 1511 } 1512 ` 1513 1514 const testAccAWSSecurityGroupConfig_generatedName = ` 1515 resource "aws_vpc" "foo" { 1516 cidr_block = "10.1.0.0/16" 1517 } 1518 1519 resource "aws_security_group" "web" { 1520 vpc_id = "${aws_vpc.foo.id}" 1521 1522 ingress { 1523 protocol = "tcp" 1524 from_port = 80 1525 to_port = 8000 1526 cidr_blocks = ["10.0.0.0/8"] 1527 } 1528 1529 egress { 1530 protocol = "tcp" 1531 from_port = 80 1532 to_port = 8000 1533 cidr_blocks = ["10.0.0.0/8"] 1534 } 1535 1536 tags { 1537 Name = "tf-acc-test" 1538 } 1539 } 1540 ` 1541 1542 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1543 resource "aws_vpc" "tf_sg_egress_test" { 1544 cidr_block = "10.0.0.0/16" 1545 tags { 1546 Name = "tf_sg_egress_test" 1547 } 1548 } 1549 1550 resource "aws_security_group" "worker" { 1551 name = "terraform_acceptance_test_example_1" 1552 description = "Used in the terraform acceptance tests" 1553 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1554 1555 egress { 1556 protocol = "tcp" 1557 from_port = 80 1558 to_port = 8000 1559 cidr_blocks = ["10.0.0.0/8"] 1560 } 1561 } 1562 ` 1563 1564 const testAccAWSSecurityGroupConfigClassic = ` 1565 provider "aws" { 1566 region = "us-east-1" 1567 } 1568 1569 resource "aws_security_group" "web" { 1570 name = "terraform_acceptance_test_example_1" 1571 description = "Used in the terraform acceptance tests" 1572 } 1573 ` 1574 1575 const testAccAWSSecurityGroupPrefixNameConfig = ` 1576 provider "aws" { 1577 region = "us-east-1" 1578 } 1579 1580 resource "aws_security_group" "baz" { 1581 name_prefix = "baz-" 1582 description = "Used in the terraform acceptance tests" 1583 } 1584 ` 1585 1586 func testAccAWSSecurityGroupConfig_drift() string { 1587 return fmt.Sprintf(` 1588 resource "aws_security_group" "web" { 1589 name = "tf_acc_%d" 1590 description = "Used in the terraform acceptance tests" 1591 1592 ingress { 1593 protocol = "tcp" 1594 from_port = 80 1595 to_port = 8000 1596 cidr_blocks = ["10.0.0.0/8"] 1597 } 1598 1599 ingress { 1600 protocol = "tcp" 1601 from_port = 80 1602 to_port = 8000 1603 cidr_blocks = ["206.0.0.0/8"] 1604 } 1605 1606 tags { 1607 Name = "tf-acc-test" 1608 } 1609 } 1610 `, acctest.RandInt()) 1611 } 1612 1613 func testAccAWSSecurityGroupConfig_drift_complex() string { 1614 return fmt.Sprintf(` 1615 resource "aws_vpc" "foo" { 1616 cidr_block = "10.1.0.0/16" 1617 } 1618 1619 resource "aws_security_group" "otherweb" { 1620 name = "tf_acc_%d" 1621 description = "Used in the terraform acceptance tests" 1622 vpc_id = "${aws_vpc.foo.id}" 1623 } 1624 1625 resource "aws_security_group" "web" { 1626 name = "tf_acc_%d" 1627 description = "Used in the terraform acceptance tests" 1628 vpc_id = "${aws_vpc.foo.id}" 1629 1630 ingress { 1631 protocol = "tcp" 1632 from_port = 80 1633 to_port = 8000 1634 cidr_blocks = ["10.0.0.0/8"] 1635 } 1636 1637 ingress { 1638 protocol = "tcp" 1639 from_port = 80 1640 to_port = 8000 1641 cidr_blocks = ["206.0.0.0/8"] 1642 } 1643 1644 ingress { 1645 protocol = "tcp" 1646 from_port = 22 1647 to_port = 22 1648 security_groups = ["${aws_security_group.otherweb.id}"] 1649 } 1650 1651 egress { 1652 protocol = "tcp" 1653 from_port = 80 1654 to_port = 8000 1655 cidr_blocks = ["206.0.0.0/8"] 1656 } 1657 1658 egress { 1659 protocol = "tcp" 1660 from_port = 80 1661 to_port = 8000 1662 cidr_blocks = ["10.0.0.0/8"] 1663 } 1664 1665 egress { 1666 protocol = "tcp" 1667 from_port = 22 1668 to_port = 22 1669 security_groups = ["${aws_security_group.otherweb.id}"] 1670 } 1671 1672 tags { 1673 Name = "tf-acc-test" 1674 } 1675 }`, acctest.RandInt(), acctest.RandInt()) 1676 } 1677 1678 const testAccAWSSecurityGroupInvalidIngressCidr = ` 1679 resource "aws_security_group" "foo" { 1680 name = "testing-foo" 1681 description = "foo-testing" 1682 ingress { 1683 from_port = 0 1684 to_port = 0 1685 protocol = "-1" 1686 cidr_blocks = ["1.2.3.4/33"] 1687 } 1688 }` 1689 1690 const testAccAWSSecurityGroupInvalidEgressCidr = ` 1691 resource "aws_security_group" "foo" { 1692 name = "testing-foo" 1693 description = "foo-testing" 1694 egress { 1695 from_port = 0 1696 to_port = 0 1697 protocol = "-1" 1698 cidr_blocks = ["1.2.3.4/33"] 1699 } 1700 }` 1701 1702 const testAccAWSSecurityGroupInvalidIPv6IngressCidr = ` 1703 resource "aws_security_group" "foo" { 1704 name = "testing-foo" 1705 description = "foo-testing" 1706 ingress { 1707 from_port = 0 1708 to_port = 0 1709 protocol = "-1" 1710 ipv6_cidr_blocks = ["::/244"] 1711 } 1712 }` 1713 1714 const testAccAWSSecurityGroupInvalidIPv6EgressCidr = ` 1715 resource "aws_security_group" "foo" { 1716 name = "testing-foo" 1717 description = "foo-testing" 1718 egress { 1719 from_port = 0 1720 to_port = 0 1721 protocol = "-1" 1722 ipv6_cidr_blocks = ["::/244"] 1723 } 1724 }` 1725 1726 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1727 resource "aws_vpc" "foo" { 1728 cidr_block = "10.1.0.0/16" 1729 } 1730 1731 resource "aws_security_group" "two" { 1732 name = "tf-test-1" 1733 vpc_id = "${aws_vpc.foo.id}" 1734 tags { 1735 Name = "tf-test-1" 1736 } 1737 } 1738 1739 resource "aws_security_group" "one" { 1740 name = "tf-test-2" 1741 vpc_id = "${aws_vpc.foo.id}" 1742 tags { 1743 Name = "tf-test-w" 1744 } 1745 } 1746 1747 resource "aws_security_group" "three" { 1748 name = "tf-test-3" 1749 vpc_id = "${aws_vpc.foo.id}" 1750 tags { 1751 Name = "tf-test-3" 1752 } 1753 } 1754 1755 resource "aws_security_group" "mixed" { 1756 name = "tf-mix-test" 1757 vpc_id = "${aws_vpc.foo.id}" 1758 1759 ingress { 1760 from_port = 80 1761 to_port = 80 1762 protocol = "tcp" 1763 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1764 1765 security_groups = [ 1766 "${aws_security_group.one.id}", 1767 "${aws_security_group.two.id}", 1768 "${aws_security_group.three.id}", 1769 ] 1770 } 1771 1772 tags { 1773 Name = "tf-mix-test" 1774 } 1775 } 1776 ` 1777 1778 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1779 resource "aws_vpc" "foo" { 1780 cidr_block = "10.1.0.0/16" 1781 } 1782 1783 resource "aws_security_group" "other_web" { 1784 name = "tf_other_acc_tests" 1785 description = "Used in the terraform acceptance tests" 1786 vpc_id = "${aws_vpc.foo.id}" 1787 1788 tags { 1789 Name = "tf-acc-test" 1790 } 1791 } 1792 1793 resource "aws_security_group" "web" { 1794 name = "terraform_acceptance_test_example" 1795 description = "Used in the terraform acceptance tests" 1796 vpc_id = "${aws_vpc.foo.id}" 1797 1798 ingress { 1799 protocol = "tcp" 1800 from_port = "22" 1801 to_port = "22" 1802 1803 cidr_blocks = [ 1804 "192.168.0.1/32", 1805 ] 1806 } 1807 1808 ingress { 1809 protocol = "tcp" 1810 from_port = 80 1811 to_port = 8000 1812 cidr_blocks = ["10.0.0.0/8"] 1813 security_groups = ["${aws_security_group.other_web.id}"] 1814 } 1815 1816 egress { 1817 protocol = "tcp" 1818 from_port = 80 1819 to_port = 8000 1820 cidr_blocks = ["10.0.0.0/8"] 1821 } 1822 1823 tags { 1824 Name = "tf-acc-test" 1825 } 1826 } 1827 ` 1828 1829 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1830 provider "aws" { 1831 region = "us-east-1" 1832 } 1833 1834 resource "aws_security_group" "other_web" { 1835 name = "tf_other_acc_tests" 1836 description = "Used in the terraform acceptance tests" 1837 1838 tags { 1839 Name = "tf-acc-test" 1840 } 1841 } 1842 1843 resource "aws_security_group" "web" { 1844 name = "terraform_acceptance_test_example" 1845 description = "Used in the terraform acceptance tests" 1846 1847 ingress { 1848 protocol = "tcp" 1849 from_port = "22" 1850 to_port = "22" 1851 1852 cidr_blocks = [ 1853 "192.168.0.1/32", 1854 ] 1855 } 1856 1857 ingress { 1858 protocol = "tcp" 1859 from_port = 80 1860 to_port = 8000 1861 cidr_blocks = ["10.0.0.0/8"] 1862 security_groups = ["${aws_security_group.other_web.name}"] 1863 } 1864 1865 tags { 1866 Name = "tf-acc-test" 1867 } 1868 } 1869 ` 1870 1871 // fails to apply in one pass with the error "diffs didn't match during apply" 1872 // GH-2027 1873 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1874 resource "aws_vpc" "main" { 1875 cidr_block = "10.0.0.0/16" 1876 1877 tags { 1878 Name = "tf-test" 1879 } 1880 } 1881 1882 resource "aws_security_group" "ssh_base" { 1883 name = "test-ssh-base" 1884 vpc_id = "${aws_vpc.main.id}" 1885 } 1886 1887 resource "aws_security_group" "jump" { 1888 name = "test-jump" 1889 vpc_id = "${aws_vpc.main.id}" 1890 } 1891 1892 resource "aws_security_group" "provision" { 1893 name = "test-provision" 1894 vpc_id = "${aws_vpc.main.id}" 1895 } 1896 1897 resource "aws_security_group" "nat" { 1898 vpc_id = "${aws_vpc.main.id}" 1899 name = "nat" 1900 description = "For nat servers " 1901 1902 ingress { 1903 from_port = 22 1904 to_port = 22 1905 protocol = "tcp" 1906 security_groups = ["${aws_security_group.jump.id}"] 1907 } 1908 1909 ingress { 1910 from_port = 22 1911 to_port = 22 1912 protocol = "tcp" 1913 security_groups = ["${aws_security_group.provision.id}"] 1914 } 1915 } 1916 ` 1917 const testAccAWSSecurityGroupConfig_importSelf = ` 1918 resource "aws_vpc" "foo" { 1919 cidr_block = "10.1.0.0/16" 1920 1921 tags { 1922 Name = "tf_sg_import_test" 1923 } 1924 } 1925 1926 resource "aws_security_group" "allow_all" { 1927 name = "allow_all" 1928 description = "Allow all inbound traffic" 1929 vpc_id = "${aws_vpc.foo.id}" 1930 } 1931 1932 resource "aws_security_group_rule" "allow_all" { 1933 type = "ingress" 1934 from_port = 0 1935 to_port = 65535 1936 protocol = "tcp" 1937 cidr_blocks = ["0.0.0.0/0"] 1938 1939 security_group_id = "${aws_security_group.allow_all.id}" 1940 } 1941 1942 resource "aws_security_group_rule" "allow_all-1" { 1943 type = "ingress" 1944 from_port = 65534 1945 to_port = 65535 1946 protocol = "tcp" 1947 1948 self = true 1949 security_group_id = "${aws_security_group.allow_all.id}" 1950 } 1951 ` 1952 1953 const testAccAWSSecurityGroupConfig_importSourceSecurityGroup = ` 1954 resource "aws_vpc" "foo" { 1955 cidr_block = "10.1.0.0/16" 1956 1957 tags { 1958 Name = "tf_sg_import_test" 1959 } 1960 } 1961 1962 resource "aws_security_group" "test_group_1" { 1963 name = "test group 1" 1964 vpc_id = "${aws_vpc.foo.id}" 1965 } 1966 1967 resource "aws_security_group" "test_group_2" { 1968 name = "test group 2" 1969 vpc_id = "${aws_vpc.foo.id}" 1970 } 1971 1972 resource "aws_security_group" "test_group_3" { 1973 name = "test group 3" 1974 vpc_id = "${aws_vpc.foo.id}" 1975 } 1976 1977 resource "aws_security_group_rule" "allow_test_group_2" { 1978 type = "ingress" 1979 from_port = 0 1980 to_port = 0 1981 protocol = "tcp" 1982 1983 source_security_group_id = "${aws_security_group.test_group_1.id}" 1984 security_group_id = "${aws_security_group.test_group_2.id}" 1985 } 1986 1987 resource "aws_security_group_rule" "allow_test_group_3" { 1988 type = "ingress" 1989 from_port = 0 1990 to_port = 0 1991 protocol = "tcp" 1992 1993 source_security_group_id = "${aws_security_group.test_group_1.id}" 1994 security_group_id = "${aws_security_group.test_group_3.id}" 1995 } 1996 ` 1997 1998 const testAccAWSSecurityGroupConfig_importIPRangeAndSecurityGroupWithSameRules = ` 1999 resource "aws_vpc" "foo" { 2000 cidr_block = "10.1.0.0/16" 2001 2002 tags { 2003 Name = "tf_sg_import_test" 2004 } 2005 } 2006 2007 resource "aws_security_group" "test_group_1" { 2008 name = "test group 1" 2009 vpc_id = "${aws_vpc.foo.id}" 2010 } 2011 2012 resource "aws_security_group" "test_group_2" { 2013 name = "test group 2" 2014 vpc_id = "${aws_vpc.foo.id}" 2015 } 2016 2017 resource "aws_security_group_rule" "allow_security_group" { 2018 type = "ingress" 2019 from_port = 0 2020 to_port = 0 2021 protocol = "tcp" 2022 2023 source_security_group_id = "${aws_security_group.test_group_2.id}" 2024 security_group_id = "${aws_security_group.test_group_1.id}" 2025 } 2026 2027 resource "aws_security_group_rule" "allow_cidr_block" { 2028 type = "ingress" 2029 from_port = 0 2030 to_port = 0 2031 protocol = "tcp" 2032 2033 cidr_blocks = ["10.0.0.0/32"] 2034 security_group_id = "${aws_security_group.test_group_1.id}" 2035 } 2036 2037 resource "aws_security_group_rule" "allow_ipv6_cidr_block" { 2038 type = "ingress" 2039 from_port = 0 2040 to_port = 0 2041 protocol = "tcp" 2042 2043 ipv6_cidr_blocks = ["::/0"] 2044 security_group_id = "${aws_security_group.test_group_1.id}" 2045 } 2046 ` 2047 2048 const testAccAWSSecurityGroupConfig_importIPRangesWithSameRules = ` 2049 resource "aws_vpc" "foo" { 2050 cidr_block = "10.1.0.0/16" 2051 2052 tags { 2053 Name = "tf_sg_import_test" 2054 } 2055 } 2056 2057 resource "aws_security_group" "test_group_1" { 2058 name = "test group 1" 2059 vpc_id = "${aws_vpc.foo.id}" 2060 } 2061 2062 resource "aws_security_group_rule" "allow_cidr_block" { 2063 type = "ingress" 2064 from_port = 0 2065 to_port = 0 2066 protocol = "tcp" 2067 2068 cidr_blocks = ["10.0.0.0/32"] 2069 security_group_id = "${aws_security_group.test_group_1.id}" 2070 } 2071 2072 resource "aws_security_group_rule" "allow_ipv6_cidr_block" { 2073 type = "ingress" 2074 from_port = 0 2075 to_port = 0 2076 protocol = "tcp" 2077 2078 ipv6_cidr_blocks = ["::/0"] 2079 security_group_id = "${aws_security_group.test_group_1.id}" 2080 } 2081 ` 2082 2083 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 2084 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 2085 cidr_block = "10.0.0.0/16" 2086 tags { 2087 Name = "tf_sg_prefix_list_egress_test" 2088 } 2089 } 2090 2091 resource "aws_route_table" "default" { 2092 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2093 } 2094 2095 resource "aws_vpc_endpoint" "s3-us-west-2" { 2096 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2097 service_name = "com.amazonaws.us-west-2.s3" 2098 route_table_ids = ["${aws_route_table.default.id}"] 2099 policy = <<POLICY 2100 { 2101 "Version": "2012-10-17", 2102 "Statement": [ 2103 { 2104 "Sid":"AllowAll", 2105 "Effect":"Allow", 2106 "Principal":"*", 2107 "Action":"*", 2108 "Resource":"*" 2109 } 2110 ] 2111 } 2112 POLICY 2113 } 2114 2115 resource "aws_security_group" "egress" { 2116 name = "terraform_acceptance_test_prefix_list_egress" 2117 description = "Used in the terraform acceptance tests" 2118 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 2119 2120 egress { 2121 protocol = "-1" 2122 from_port = 0 2123 to_port = 0 2124 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 2125 } 2126 } 2127 `