github.com/ndarilek/terraform@v0.3.8-0.20150320140257-d3135c1b2bac/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/hashicorp/aws-sdk-go/aws" 8 "github.com/hashicorp/aws-sdk-go/gen/ec2" 9 "github.com/hashicorp/terraform/terraform" 10 // "github.com/hashicorp/terraform/helper/hashcode" 11 "github.com/hashicorp/terraform/helper/resource" 12 // "github.com/hashicorp/terraform/helper/schema" 13 ) 14 15 func TestAccAWSNetworkAclsWithEgressAndIngressRules(t *testing.T) { 16 var networkAcl ec2.NetworkACL 17 18 resource.Test(t, resource.TestCase{ 19 PreCheck: func() { testAccPreCheck(t) }, 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 22 Steps: []resource.TestStep{ 23 resource.TestStep{ 24 Config: testAccAWSNetworkAclEgressNIngressConfig, 25 Check: resource.ComposeTestCheckFunc( 26 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.3409203205.protocol", "tcp"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.3409203205.rule_no", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.3409203205.from_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.3409203205.to_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.3409203205.action", "allow"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "ingress.3409203205.cidr_block", "10.3.10.3/18"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.2579689292.protocol", "tcp"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.2579689292.rule_no", "2"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.2579689292.from_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.2579689292.to_port", "443"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.2579689292.cidr_block", "10.3.2.3/18"), 49 resource.TestCheckResourceAttr( 50 "aws_network_acl.bar", "egress.2579689292.action", "allow"), 51 ), 52 }, 53 }, 54 }) 55 } 56 57 func TestAccAWSNetworkAclsOnlyIngressRules(t *testing.T) { 58 var networkAcl ec2.NetworkACL 59 60 resource.Test(t, resource.TestCase{ 61 PreCheck: func() { testAccPreCheck(t) }, 62 Providers: testAccProviders, 63 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 64 Steps: []resource.TestStep{ 65 resource.TestStep{ 66 Config: testAccAWSNetworkAclIngressConfig, 67 Check: resource.ComposeTestCheckFunc( 68 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 69 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 70 resource.TestCheckResourceAttr( 71 "aws_network_acl.foos", "ingress.2750166237.protocol", "tcp"), 72 resource.TestCheckResourceAttr( 73 "aws_network_acl.foos", "ingress.2750166237.rule_no", "1"), 74 resource.TestCheckResourceAttr( 75 "aws_network_acl.foos", "ingress.2750166237.from_port", "0"), 76 resource.TestCheckResourceAttr( 77 "aws_network_acl.foos", "ingress.2750166237.to_port", "22"), 78 resource.TestCheckResourceAttr( 79 "aws_network_acl.foos", "ingress.2750166237.action", "deny"), 80 resource.TestCheckResourceAttr( 81 "aws_network_acl.foos", "ingress.2750166237.cidr_block", "10.2.2.3/18"), 82 ), 83 }, 84 }, 85 }) 86 } 87 88 func TestAccAWSNetworkAclsOnlyIngressRulesChange(t *testing.T) { 89 var networkAcl ec2.NetworkACL 90 91 resource.Test(t, resource.TestCase{ 92 PreCheck: func() { testAccPreCheck(t) }, 93 Providers: testAccProviders, 94 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 95 Steps: []resource.TestStep{ 96 resource.TestStep{ 97 Config: testAccAWSNetworkAclIngressConfig, 98 Check: resource.ComposeTestCheckFunc( 99 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 100 testIngressRuleLength(&networkAcl, 2), 101 resource.TestCheckResourceAttr( 102 "aws_network_acl.foos", "ingress.37211640.protocol", "tcp"), 103 resource.TestCheckResourceAttr( 104 "aws_network_acl.foos", "ingress.37211640.rule_no", "1"), 105 resource.TestCheckResourceAttr( 106 "aws_network_acl.foos", "ingress.37211640.from_port", "0"), 107 resource.TestCheckResourceAttr( 108 "aws_network_acl.foos", "ingress.37211640.to_port", "22"), 109 resource.TestCheckResourceAttr( 110 "aws_network_acl.foos", "ingress.37211640.action", "deny"), 111 resource.TestCheckResourceAttr( 112 "aws_network_acl.foos", "ingress.37211640.cidr_block", "10.2.2.3/18"), 113 resource.TestCheckResourceAttr( 114 "aws_network_acl.foos", "ingress.2750166237.from_port", "443"), 115 resource.TestCheckResourceAttr( 116 "aws_network_acl.foos", "ingress.2750166237.rule_no", "2"), 117 ), 118 }, 119 resource.TestStep{ 120 Config: testAccAWSNetworkAclIngressConfigChange, 121 Check: resource.ComposeTestCheckFunc( 122 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 123 testIngressRuleLength(&networkAcl, 1), 124 resource.TestCheckResourceAttr( 125 "aws_network_acl.foos", "ingress.37211640.protocol", "tcp"), 126 resource.TestCheckResourceAttr( 127 "aws_network_acl.foos", "ingress.37211640.rule_no", "1"), 128 resource.TestCheckResourceAttr( 129 "aws_network_acl.foos", "ingress.37211640.from_port", "0"), 130 resource.TestCheckResourceAttr( 131 "aws_network_acl.foos", "ingress.37211640.to_port", "22"), 132 resource.TestCheckResourceAttr( 133 "aws_network_acl.foos", "ingress.37211640.action", "deny"), 134 resource.TestCheckResourceAttr( 135 "aws_network_acl.foos", "ingress.37211640.cidr_block", "10.2.2.3/18"), 136 ), 137 }, 138 }, 139 }) 140 } 141 142 func TestAccAWSNetworkAclsOnlyEgressRules(t *testing.T) { 143 var networkAcl ec2.NetworkACL 144 145 resource.Test(t, resource.TestCase{ 146 PreCheck: func() { testAccPreCheck(t) }, 147 Providers: testAccProviders, 148 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 149 Steps: []resource.TestStep{ 150 resource.TestStep{ 151 Config: testAccAWSNetworkAclEgressConfig, 152 Check: resource.ComposeTestCheckFunc( 153 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 154 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 155 ), 156 }, 157 }, 158 }) 159 } 160 161 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 162 163 resource.Test(t, resource.TestCase{ 164 PreCheck: func() { testAccPreCheck(t) }, 165 Providers: testAccProviders, 166 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 167 Steps: []resource.TestStep{ 168 resource.TestStep{ 169 Config: testAccAWSNetworkAclSubnetConfig, 170 Check: resource.ComposeTestCheckFunc( 171 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 172 ), 173 }, 174 resource.TestStep{ 175 Config: testAccAWSNetworkAclSubnetConfigChange, 176 Check: resource.ComposeTestCheckFunc( 177 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 178 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 179 ), 180 }, 181 }, 182 }) 183 184 } 185 186 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 187 conn := testAccProvider.Meta().(*AWSClient).ec2conn 188 189 for _, rs := range s.RootModule().Resources { 190 if rs.Type != "aws_network" { 191 continue 192 } 193 194 // Retrieve the network acl 195 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsRequest{ 196 NetworkACLIDs: []string{rs.Primary.ID}, 197 }) 198 if err == nil { 199 if len(resp.NetworkACLs) > 0 && *resp.NetworkACLs[0].NetworkACLID == rs.Primary.ID { 200 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 201 } 202 203 return nil 204 } 205 206 ec2err, ok := err.(aws.APIError) 207 if !ok { 208 return err 209 } 210 // Confirm error code is what we want 211 if ec2err.Code != "InvalidNetworkAclID.NotFound" { 212 return err 213 } 214 } 215 216 return nil 217 } 218 219 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkACL) resource.TestCheckFunc { 220 return func(s *terraform.State) error { 221 rs, ok := s.RootModule().Resources[n] 222 if !ok { 223 return fmt.Errorf("Not found: %s", n) 224 } 225 226 if rs.Primary.ID == "" { 227 return fmt.Errorf("No Security Group is set") 228 } 229 conn := testAccProvider.Meta().(*AWSClient).ec2conn 230 231 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsRequest{ 232 NetworkACLIDs: []string{rs.Primary.ID}, 233 }) 234 if err != nil { 235 return err 236 } 237 238 if len(resp.NetworkACLs) > 0 && *resp.NetworkACLs[0].NetworkACLID == rs.Primary.ID { 239 *networkAcl = resp.NetworkACLs[0] 240 return nil 241 } 242 243 return fmt.Errorf("Network Acls not found") 244 } 245 } 246 247 func testIngressRuleLength(networkAcl *ec2.NetworkACL, length int) resource.TestCheckFunc { 248 return func(s *terraform.State) error { 249 var ingressEntries []ec2.NetworkACLEntry 250 for _, e := range networkAcl.Entries { 251 if *e.Egress == false { 252 ingressEntries = append(ingressEntries, e) 253 } 254 } 255 // There is always a default rule (ALL Traffic ... DENY) 256 // so we have to increase the lenght by 1 257 if len(ingressEntries) != length+1 { 258 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 259 } 260 return nil 261 } 262 } 263 264 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 265 return func(s *terraform.State) error { 266 networkAcl := s.RootModule().Resources[acl] 267 subnet := s.RootModule().Resources[sub] 268 269 conn := testAccProvider.Meta().(*AWSClient).ec2conn 270 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsRequest{ 271 NetworkACLIDs: []string{networkAcl.Primary.ID}, 272 Filters: []ec2.Filter{ 273 ec2.Filter{ 274 Name: aws.String("association.subnet-id"), 275 Values: []string{subnet.Primary.ID}, 276 }, 277 }, 278 }) 279 if err != nil { 280 return err 281 } 282 if len(resp.NetworkACLs) > 0 { 283 return nil 284 } 285 286 // r, _ := conn.NetworkACLs([]string{}, ec2.NewFilter()) 287 // fmt.Printf("\n\nall acls\n %#v\n\n", r.NetworkAcls) 288 // conn.NetworkAcls([]string{}, filter) 289 290 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 291 } 292 } 293 294 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 295 return func(s *terraform.State) error { 296 networkAcl := s.RootModule().Resources[acl] 297 subnet := s.RootModule().Resources[subnet] 298 299 conn := testAccProvider.Meta().(*AWSClient).ec2conn 300 resp, err := conn.DescribeNetworkACLs(&ec2.DescribeNetworkACLsRequest{ 301 NetworkACLIDs: []string{networkAcl.Primary.ID}, 302 Filters: []ec2.Filter{ 303 ec2.Filter{ 304 Name: aws.String("association.subnet-id"), 305 Values: []string{subnet.Primary.ID}, 306 }, 307 }, 308 }) 309 310 if err != nil { 311 return err 312 } 313 if len(resp.NetworkACLs) > 0 { 314 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 315 } 316 return nil 317 } 318 } 319 320 const testAccAWSNetworkAclIngressConfig = ` 321 resource "aws_vpc" "foo" { 322 cidr_block = "10.1.0.0/16" 323 } 324 resource "aws_subnet" "blob" { 325 cidr_block = "10.1.1.0/24" 326 vpc_id = "${aws_vpc.foo.id}" 327 map_public_ip_on_launch = true 328 } 329 resource "aws_network_acl" "foos" { 330 vpc_id = "${aws_vpc.foo.id}" 331 ingress = { 332 protocol = "tcp" 333 rule_no = 1 334 action = "deny" 335 cidr_block = "10.2.2.3/18" 336 from_port = 0 337 to_port = 22 338 } 339 ingress = { 340 protocol = "tcp" 341 rule_no = 2 342 action = "deny" 343 cidr_block = "10.2.2.3/18" 344 from_port = 443 345 to_port = 443 346 } 347 subnet_id = "${aws_subnet.blob.id}" 348 } 349 ` 350 const testAccAWSNetworkAclIngressConfigChange = ` 351 resource "aws_vpc" "foo" { 352 cidr_block = "10.1.0.0/16" 353 } 354 resource "aws_subnet" "blob" { 355 cidr_block = "10.1.1.0/24" 356 vpc_id = "${aws_vpc.foo.id}" 357 map_public_ip_on_launch = true 358 } 359 resource "aws_network_acl" "foos" { 360 vpc_id = "${aws_vpc.foo.id}" 361 ingress = { 362 protocol = "tcp" 363 rule_no = 1 364 action = "deny" 365 cidr_block = "10.2.2.3/18" 366 from_port = 0 367 to_port = 22 368 } 369 subnet_id = "${aws_subnet.blob.id}" 370 } 371 ` 372 373 const testAccAWSNetworkAclEgressConfig = ` 374 resource "aws_vpc" "foo" { 375 cidr_block = "10.2.0.0/16" 376 } 377 resource "aws_subnet" "blob" { 378 cidr_block = "10.2.0.0/24" 379 vpc_id = "${aws_vpc.foo.id}" 380 map_public_ip_on_launch = true 381 } 382 resource "aws_network_acl" "bond" { 383 vpc_id = "${aws_vpc.foo.id}" 384 egress = { 385 protocol = "tcp" 386 rule_no = 2 387 action = "allow" 388 cidr_block = "10.2.2.3/18" 389 from_port = 443 390 to_port = 443 391 } 392 393 egress = { 394 protocol = "tcp" 395 rule_no = 1 396 action = "allow" 397 cidr_block = "10.2.10.3/18" 398 from_port = 80 399 to_port = 80 400 } 401 402 egress = { 403 protocol = "tcp" 404 rule_no = 3 405 action = "allow" 406 cidr_block = "10.2.10.3/18" 407 from_port = 22 408 to_port = 22 409 } 410 411 tags { 412 foo = "bar" 413 } 414 } 415 ` 416 417 const testAccAWSNetworkAclEgressNIngressConfig = ` 418 resource "aws_vpc" "foo" { 419 cidr_block = "10.3.0.0/16" 420 } 421 resource "aws_subnet" "blob" { 422 cidr_block = "10.3.0.0/24" 423 vpc_id = "${aws_vpc.foo.id}" 424 map_public_ip_on_launch = true 425 } 426 resource "aws_network_acl" "bar" { 427 vpc_id = "${aws_vpc.foo.id}" 428 egress = { 429 protocol = "tcp" 430 rule_no = 2 431 action = "allow" 432 cidr_block = "10.3.2.3/18" 433 from_port = 443 434 to_port = 443 435 } 436 437 ingress = { 438 protocol = "tcp" 439 rule_no = 1 440 action = "allow" 441 cidr_block = "10.3.10.3/18" 442 from_port = 80 443 to_port = 80 444 } 445 } 446 ` 447 const testAccAWSNetworkAclSubnetConfig = ` 448 resource "aws_vpc" "foo" { 449 cidr_block = "10.1.0.0/16" 450 } 451 resource "aws_subnet" "old" { 452 cidr_block = "10.1.111.0/24" 453 vpc_id = "${aws_vpc.foo.id}" 454 map_public_ip_on_launch = true 455 } 456 resource "aws_subnet" "new" { 457 cidr_block = "10.1.1.0/24" 458 vpc_id = "${aws_vpc.foo.id}" 459 map_public_ip_on_launch = true 460 } 461 resource "aws_network_acl" "roll" { 462 vpc_id = "${aws_vpc.foo.id}" 463 subnet_id = "${aws_subnet.new.id}" 464 } 465 resource "aws_network_acl" "bar" { 466 vpc_id = "${aws_vpc.foo.id}" 467 subnet_id = "${aws_subnet.old.id}" 468 } 469 ` 470 471 const testAccAWSNetworkAclSubnetConfigChange = ` 472 resource "aws_vpc" "foo" { 473 cidr_block = "10.1.0.0/16" 474 } 475 resource "aws_subnet" "old" { 476 cidr_block = "10.1.111.0/24" 477 vpc_id = "${aws_vpc.foo.id}" 478 map_public_ip_on_launch = true 479 } 480 resource "aws_subnet" "new" { 481 cidr_block = "10.1.1.0/24" 482 vpc_id = "${aws_vpc.foo.id}" 483 map_public_ip_on_launch = true 484 } 485 resource "aws_network_acl" "bar" { 486 vpc_id = "${aws_vpc.foo.id}" 487 subnet_id = "${aws_subnet.new.id}" 488 } 489 `