github.com/nicgrayson/terraform@v0.4.3-0.20150415203910-c4de50829380/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "testing" 7 8 "github.com/awslabs/aws-sdk-go/aws" 9 "github.com/awslabs/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSSecurityGroup_normal(t *testing.T) { 15 var group ec2.SecurityGroup 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 Providers: testAccProviders, 20 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 21 Steps: []resource.TestStep{ 22 resource.TestStep{ 23 Config: testAccAWSSecurityGroupConfig, 24 Check: resource.ComposeTestCheckFunc( 25 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 26 testAccCheckAWSSecurityGroupAttributes(&group), 27 resource.TestCheckResourceAttr( 28 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 29 resource.TestCheckResourceAttr( 30 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 31 resource.TestCheckResourceAttr( 32 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 33 resource.TestCheckResourceAttr( 34 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 37 resource.TestCheckResourceAttr( 38 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 39 resource.TestCheckResourceAttr( 40 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 41 ), 42 }, 43 }, 44 }) 45 } 46 47 func TestAccAWSSecurityGroup_self(t *testing.T) { 48 var group ec2.SecurityGroup 49 50 checkSelf := func(s *terraform.State) (err error) { 51 defer func() { 52 if e := recover(); e != nil { 53 err = fmt.Errorf("bad: %#v", group) 54 } 55 }() 56 57 if *group.IPPermissions[0].UserIDGroupPairs[0].GroupID != *group.GroupID { 58 return fmt.Errorf("bad: %#v", group) 59 } 60 61 return nil 62 } 63 64 resource.Test(t, resource.TestCase{ 65 PreCheck: func() { testAccPreCheck(t) }, 66 Providers: testAccProviders, 67 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 68 Steps: []resource.TestStep{ 69 resource.TestStep{ 70 Config: testAccAWSSecurityGroupConfigSelf, 71 Check: resource.ComposeTestCheckFunc( 72 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 73 resource.TestCheckResourceAttr( 74 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 75 resource.TestCheckResourceAttr( 76 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 77 resource.TestCheckResourceAttr( 78 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 79 resource.TestCheckResourceAttr( 80 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 81 resource.TestCheckResourceAttr( 82 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 83 resource.TestCheckResourceAttr( 84 "aws_security_group.web", "ingress.3971148406.self", "true"), 85 checkSelf, 86 ), 87 }, 88 }, 89 }) 90 } 91 92 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 93 var group ec2.SecurityGroup 94 95 testCheck := func(*terraform.State) error { 96 if *group.VPCID == "" { 97 return fmt.Errorf("should have vpc ID") 98 } 99 100 return nil 101 } 102 103 resource.Test(t, resource.TestCase{ 104 PreCheck: func() { testAccPreCheck(t) }, 105 Providers: testAccProviders, 106 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 107 Steps: []resource.TestStep{ 108 resource.TestStep{ 109 Config: testAccAWSSecurityGroupConfigVpc, 110 Check: resource.ComposeTestCheckFunc( 111 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 112 testAccCheckAWSSecurityGroupAttributes(&group), 113 resource.TestCheckResourceAttr( 114 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 115 resource.TestCheckResourceAttr( 116 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 117 resource.TestCheckResourceAttr( 118 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 119 resource.TestCheckResourceAttr( 120 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 121 resource.TestCheckResourceAttr( 122 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 123 resource.TestCheckResourceAttr( 124 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 125 resource.TestCheckResourceAttr( 126 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 127 resource.TestCheckResourceAttr( 128 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 129 resource.TestCheckResourceAttr( 130 "aws_security_group.web", "egress.3629188364.from_port", "80"), 131 resource.TestCheckResourceAttr( 132 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 133 resource.TestCheckResourceAttr( 134 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 135 resource.TestCheckResourceAttr( 136 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 137 testCheck, 138 ), 139 }, 140 }, 141 }) 142 } 143 144 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 145 var group ec2.SecurityGroup 146 147 resource.Test(t, resource.TestCase{ 148 PreCheck: func() { testAccPreCheck(t) }, 149 Providers: testAccProviders, 150 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 151 Steps: []resource.TestStep{ 152 resource.TestStep{ 153 Config: testAccAWSSecurityGroupConfigMultiIngress, 154 Check: resource.ComposeTestCheckFunc( 155 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 156 ), 157 }, 158 }, 159 }) 160 } 161 162 func TestAccAWSSecurityGroup_Change(t *testing.T) { 163 var group ec2.SecurityGroup 164 165 resource.Test(t, resource.TestCase{ 166 PreCheck: func() { testAccPreCheck(t) }, 167 Providers: testAccProviders, 168 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 169 Steps: []resource.TestStep{ 170 resource.TestStep{ 171 Config: testAccAWSSecurityGroupConfig, 172 Check: resource.ComposeTestCheckFunc( 173 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 174 ), 175 }, 176 resource.TestStep{ 177 Config: testAccAWSSecurityGroupConfigChange, 178 Check: resource.ComposeTestCheckFunc( 179 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 180 testAccCheckAWSSecurityGroupAttributesChanged(&group), 181 ), 182 }, 183 }, 184 }) 185 } 186 187 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 188 conn := testAccProvider.Meta().(*AWSClient).ec2SDKconn 189 190 for _, rs := range s.RootModule().Resources { 191 if rs.Type != "aws_security_group" { 192 continue 193 } 194 195 // Retrieve our group 196 req := &ec2.DescribeSecurityGroupsInput{ 197 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 198 } 199 resp, err := conn.DescribeSecurityGroups(req) 200 if err == nil { 201 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 202 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 203 } 204 205 return nil 206 } 207 208 ec2err, ok := err.(aws.APIError) 209 if !ok { 210 return err 211 } 212 // Confirm error code is what we want 213 if ec2err.Code != "InvalidGroup.NotFound" { 214 return err 215 } 216 } 217 218 return nil 219 } 220 221 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 222 return func(s *terraform.State) error { 223 rs, ok := s.RootModule().Resources[n] 224 if !ok { 225 return fmt.Errorf("Not found: %s", n) 226 } 227 228 if rs.Primary.ID == "" { 229 return fmt.Errorf("No Security Group is set") 230 } 231 232 conn := testAccProvider.Meta().(*AWSClient).ec2SDKconn 233 req := &ec2.DescribeSecurityGroupsInput{ 234 GroupIDs: []*string{aws.String(rs.Primary.ID)}, 235 } 236 resp, err := conn.DescribeSecurityGroups(req) 237 if err != nil { 238 return err 239 } 240 241 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID { 242 *group = *resp.SecurityGroups[0] 243 return nil 244 } 245 246 return fmt.Errorf("Security Group not found") 247 } 248 } 249 250 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 251 return func(s *terraform.State) error { 252 p := &ec2.IPPermission{ 253 FromPort: aws.Long(80), 254 ToPort: aws.Long(8000), 255 IPProtocol: aws.String("tcp"), 256 IPRanges: []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}}, 257 } 258 259 if *group.GroupName != "terraform_acceptance_test_example" { 260 return fmt.Errorf("Bad name: %s", *group.GroupName) 261 } 262 263 if *group.Description != "Used in the terraform acceptance tests" { 264 return fmt.Errorf("Bad description: %s", *group.Description) 265 } 266 267 if len(group.IPPermissions) == 0 { 268 return fmt.Errorf("No IPPerms") 269 } 270 271 // Compare our ingress 272 if !reflect.DeepEqual(group.IPPermissions[0], p) { 273 return fmt.Errorf( 274 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 275 group.IPPermissions[0], 276 p) 277 } 278 279 return nil 280 } 281 } 282 283 func TestAccAWSSecurityGroup_tags(t *testing.T) { 284 var group ec2.SecurityGroup 285 286 resource.Test(t, resource.TestCase{ 287 PreCheck: func() { testAccPreCheck(t) }, 288 Providers: testAccProviders, 289 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 290 Steps: []resource.TestStep{ 291 resource.TestStep{ 292 Config: testAccAWSSecurityGroupConfigTags, 293 Check: resource.ComposeTestCheckFunc( 294 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 295 testAccCheckTagsSDK(&group.Tags, "foo", "bar"), 296 ), 297 }, 298 299 resource.TestStep{ 300 Config: testAccAWSSecurityGroupConfigTagsUpdate, 301 Check: resource.ComposeTestCheckFunc( 302 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 303 testAccCheckTagsSDK(&group.Tags, "foo", ""), 304 testAccCheckTagsSDK(&group.Tags, "bar", "baz"), 305 ), 306 }, 307 }, 308 }) 309 } 310 311 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 312 return func(s *terraform.State) error { 313 p := []*ec2.IPPermission{ 314 &ec2.IPPermission{ 315 FromPort: aws.Long(80), 316 ToPort: aws.Long(9000), 317 IPProtocol: aws.String("tcp"), 318 IPRanges: []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}}, 319 }, 320 &ec2.IPPermission{ 321 FromPort: aws.Long(80), 322 ToPort: aws.Long(8000), 323 IPProtocol: aws.String("tcp"), 324 IPRanges: []*ec2.IPRange{ 325 &ec2.IPRange{ 326 CIDRIP: aws.String("0.0.0.0/0"), 327 }, 328 &ec2.IPRange{ 329 CIDRIP: aws.String("10.0.0.0/8"), 330 }, 331 }, 332 }, 333 } 334 335 if *group.GroupName != "terraform_acceptance_test_example" { 336 return fmt.Errorf("Bad name: %s", *group.GroupName) 337 } 338 339 if *group.Description != "Used in the terraform acceptance tests" { 340 return fmt.Errorf("Bad description: %s", *group.Description) 341 } 342 343 // Compare our ingress 344 if len(group.IPPermissions) != 2 { 345 return fmt.Errorf( 346 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 347 group.IPPermissions, 348 p) 349 } 350 351 if *group.IPPermissions[0].ToPort == 8000 { 352 group.IPPermissions[1], group.IPPermissions[0] = 353 group.IPPermissions[0], group.IPPermissions[1] 354 } 355 356 if !reflect.DeepEqual(group.IPPermissions, p) { 357 return fmt.Errorf( 358 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 359 group.IPPermissions, 360 p) 361 } 362 363 return nil 364 } 365 } 366 367 const testAccAWSSecurityGroupConfig = ` 368 resource "aws_security_group" "web" { 369 name = "terraform_acceptance_test_example" 370 description = "Used in the terraform acceptance tests" 371 372 ingress { 373 protocol = "tcp" 374 from_port = 80 375 to_port = 8000 376 cidr_blocks = ["10.0.0.0/8"] 377 } 378 379 tags { 380 Name = "tf-acc-test" 381 } 382 } 383 ` 384 385 const testAccAWSSecurityGroupConfigChange = ` 386 resource "aws_security_group" "web" { 387 name = "terraform_acceptance_test_example" 388 description = "Used in the terraform acceptance tests" 389 390 ingress { 391 protocol = "tcp" 392 from_port = 80 393 to_port = 9000 394 cidr_blocks = ["10.0.0.0/8"] 395 } 396 397 ingress { 398 protocol = "tcp" 399 from_port = 80 400 to_port = 8000 401 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 402 } 403 } 404 ` 405 406 const testAccAWSSecurityGroupConfigSelf = ` 407 resource "aws_security_group" "web" { 408 name = "terraform_acceptance_test_example" 409 description = "Used in the terraform acceptance tests" 410 411 ingress { 412 protocol = "tcp" 413 from_port = 80 414 to_port = 8000 415 self = true 416 } 417 } 418 ` 419 420 const testAccAWSSecurityGroupConfigVpc = ` 421 resource "aws_vpc" "foo" { 422 cidr_block = "10.1.0.0/16" 423 } 424 425 resource "aws_security_group" "web" { 426 name = "terraform_acceptance_test_example" 427 description = "Used in the terraform acceptance tests" 428 vpc_id = "${aws_vpc.foo.id}" 429 430 ingress { 431 protocol = "tcp" 432 from_port = 80 433 to_port = 8000 434 cidr_blocks = ["10.0.0.0/8"] 435 } 436 437 egress { 438 protocol = "tcp" 439 from_port = 80 440 to_port = 8000 441 cidr_blocks = ["10.0.0.0/8"] 442 } 443 } 444 ` 445 446 const testAccAWSSecurityGroupConfigMultiIngress = ` 447 resource "aws_security_group" "worker" { 448 name = "terraform_acceptance_test_example_1" 449 description = "Used in the terraform acceptance tests" 450 451 ingress { 452 protocol = "tcp" 453 from_port = 80 454 to_port = 8000 455 cidr_blocks = ["10.0.0.0/8"] 456 } 457 } 458 459 resource "aws_security_group" "web" { 460 name = "terraform_acceptance_test_example_2" 461 description = "Used in the terraform acceptance tests" 462 463 ingress { 464 protocol = "tcp" 465 from_port = 22 466 to_port = 22 467 cidr_blocks = ["10.0.0.0/8"] 468 } 469 470 ingress { 471 protocol = "tcp" 472 from_port = 800 473 to_port = 800 474 cidr_blocks = ["10.0.0.0/8"] 475 } 476 477 ingress { 478 protocol = "tcp" 479 from_port = 80 480 to_port = 8000 481 security_groups = ["${aws_security_group.worker.id}"] 482 } 483 } 484 ` 485 486 const testAccAWSSecurityGroupConfigTags = ` 487 resource "aws_security_group" "foo" { 488 name = "terraform_acceptance_test_example" 489 description = "Used in the terraform acceptance tests" 490 491 ingress { 492 protocol = "tcp" 493 from_port = 80 494 to_port = 8000 495 cidr_blocks = ["10.0.0.0/8"] 496 } 497 498 tags { 499 foo = "bar" 500 } 501 } 502 ` 503 504 const testAccAWSSecurityGroupConfigTagsUpdate = ` 505 resource "aws_security_group" "foo" { 506 name = "terraform_acceptance_test_example" 507 description = "Used in the terraform acceptance tests" 508 509 ingress { 510 protocol = "tcp" 511 from_port = 80 512 to_port = 8000 513 cidr_blocks = ["10.0.0.0/8"] 514 } 515 516 tags { 517 bar = "baz" 518 } 519 } 520 `