github.com/nicgrayson/terraform@v0.4.3-0.20150415203910-c4de50829380/builtin/providers/aws/resource_aws_security_group_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"reflect"
     6  	"testing"
     7  
     8  	"github.com/awslabs/aws-sdk-go/aws"
     9  	"github.com/awslabs/aws-sdk-go/service/ec2"
    10  	"github.com/hashicorp/terraform/helper/resource"
    11  	"github.com/hashicorp/terraform/terraform"
    12  )
    13  
    14  func TestAccAWSSecurityGroup_normal(t *testing.T) {
    15  	var group ec2.SecurityGroup
    16  
    17  	resource.Test(t, resource.TestCase{
    18  		PreCheck:     func() { testAccPreCheck(t) },
    19  		Providers:    testAccProviders,
    20  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
    21  		Steps: []resource.TestStep{
    22  			resource.TestStep{
    23  				Config: testAccAWSSecurityGroupConfig,
    24  				Check: resource.ComposeTestCheckFunc(
    25  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
    26  					testAccCheckAWSSecurityGroupAttributes(&group),
    27  					resource.TestCheckResourceAttr(
    28  						"aws_security_group.web", "name", "terraform_acceptance_test_example"),
    29  					resource.TestCheckResourceAttr(
    30  						"aws_security_group.web", "description", "Used in the terraform acceptance tests"),
    31  					resource.TestCheckResourceAttr(
    32  						"aws_security_group.web", "ingress.3629188364.protocol", "tcp"),
    33  					resource.TestCheckResourceAttr(
    34  						"aws_security_group.web", "ingress.3629188364.from_port", "80"),
    35  					resource.TestCheckResourceAttr(
    36  						"aws_security_group.web", "ingress.3629188364.to_port", "8000"),
    37  					resource.TestCheckResourceAttr(
    38  						"aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"),
    39  					resource.TestCheckResourceAttr(
    40  						"aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"),
    41  				),
    42  			},
    43  		},
    44  	})
    45  }
    46  
    47  func TestAccAWSSecurityGroup_self(t *testing.T) {
    48  	var group ec2.SecurityGroup
    49  
    50  	checkSelf := func(s *terraform.State) (err error) {
    51  		defer func() {
    52  			if e := recover(); e != nil {
    53  				err = fmt.Errorf("bad: %#v", group)
    54  			}
    55  		}()
    56  
    57  		if *group.IPPermissions[0].UserIDGroupPairs[0].GroupID != *group.GroupID {
    58  			return fmt.Errorf("bad: %#v", group)
    59  		}
    60  
    61  		return nil
    62  	}
    63  
    64  	resource.Test(t, resource.TestCase{
    65  		PreCheck:     func() { testAccPreCheck(t) },
    66  		Providers:    testAccProviders,
    67  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
    68  		Steps: []resource.TestStep{
    69  			resource.TestStep{
    70  				Config: testAccAWSSecurityGroupConfigSelf,
    71  				Check: resource.ComposeTestCheckFunc(
    72  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
    73  					resource.TestCheckResourceAttr(
    74  						"aws_security_group.web", "name", "terraform_acceptance_test_example"),
    75  					resource.TestCheckResourceAttr(
    76  						"aws_security_group.web", "description", "Used in the terraform acceptance tests"),
    77  					resource.TestCheckResourceAttr(
    78  						"aws_security_group.web", "ingress.3971148406.protocol", "tcp"),
    79  					resource.TestCheckResourceAttr(
    80  						"aws_security_group.web", "ingress.3971148406.from_port", "80"),
    81  					resource.TestCheckResourceAttr(
    82  						"aws_security_group.web", "ingress.3971148406.to_port", "8000"),
    83  					resource.TestCheckResourceAttr(
    84  						"aws_security_group.web", "ingress.3971148406.self", "true"),
    85  					checkSelf,
    86  				),
    87  			},
    88  		},
    89  	})
    90  }
    91  
    92  func TestAccAWSSecurityGroup_vpc(t *testing.T) {
    93  	var group ec2.SecurityGroup
    94  
    95  	testCheck := func(*terraform.State) error {
    96  		if *group.VPCID == "" {
    97  			return fmt.Errorf("should have vpc ID")
    98  		}
    99  
   100  		return nil
   101  	}
   102  
   103  	resource.Test(t, resource.TestCase{
   104  		PreCheck:     func() { testAccPreCheck(t) },
   105  		Providers:    testAccProviders,
   106  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
   107  		Steps: []resource.TestStep{
   108  			resource.TestStep{
   109  				Config: testAccAWSSecurityGroupConfigVpc,
   110  				Check: resource.ComposeTestCheckFunc(
   111  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
   112  					testAccCheckAWSSecurityGroupAttributes(&group),
   113  					resource.TestCheckResourceAttr(
   114  						"aws_security_group.web", "name", "terraform_acceptance_test_example"),
   115  					resource.TestCheckResourceAttr(
   116  						"aws_security_group.web", "description", "Used in the terraform acceptance tests"),
   117  					resource.TestCheckResourceAttr(
   118  						"aws_security_group.web", "ingress.3629188364.protocol", "tcp"),
   119  					resource.TestCheckResourceAttr(
   120  						"aws_security_group.web", "ingress.3629188364.from_port", "80"),
   121  					resource.TestCheckResourceAttr(
   122  						"aws_security_group.web", "ingress.3629188364.to_port", "8000"),
   123  					resource.TestCheckResourceAttr(
   124  						"aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"),
   125  					resource.TestCheckResourceAttr(
   126  						"aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"),
   127  					resource.TestCheckResourceAttr(
   128  						"aws_security_group.web", "egress.3629188364.protocol", "tcp"),
   129  					resource.TestCheckResourceAttr(
   130  						"aws_security_group.web", "egress.3629188364.from_port", "80"),
   131  					resource.TestCheckResourceAttr(
   132  						"aws_security_group.web", "egress.3629188364.to_port", "8000"),
   133  					resource.TestCheckResourceAttr(
   134  						"aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"),
   135  					resource.TestCheckResourceAttr(
   136  						"aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"),
   137  					testCheck,
   138  				),
   139  			},
   140  		},
   141  	})
   142  }
   143  
   144  func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
   145  	var group ec2.SecurityGroup
   146  
   147  	resource.Test(t, resource.TestCase{
   148  		PreCheck:     func() { testAccPreCheck(t) },
   149  		Providers:    testAccProviders,
   150  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
   151  		Steps: []resource.TestStep{
   152  			resource.TestStep{
   153  				Config: testAccAWSSecurityGroupConfigMultiIngress,
   154  				Check: resource.ComposeTestCheckFunc(
   155  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
   156  				),
   157  			},
   158  		},
   159  	})
   160  }
   161  
   162  func TestAccAWSSecurityGroup_Change(t *testing.T) {
   163  	var group ec2.SecurityGroup
   164  
   165  	resource.Test(t, resource.TestCase{
   166  		PreCheck:     func() { testAccPreCheck(t) },
   167  		Providers:    testAccProviders,
   168  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
   169  		Steps: []resource.TestStep{
   170  			resource.TestStep{
   171  				Config: testAccAWSSecurityGroupConfig,
   172  				Check: resource.ComposeTestCheckFunc(
   173  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
   174  				),
   175  			},
   176  			resource.TestStep{
   177  				Config: testAccAWSSecurityGroupConfigChange,
   178  				Check: resource.ComposeTestCheckFunc(
   179  					testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
   180  					testAccCheckAWSSecurityGroupAttributesChanged(&group),
   181  				),
   182  			},
   183  		},
   184  	})
   185  }
   186  
   187  func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
   188  	conn := testAccProvider.Meta().(*AWSClient).ec2SDKconn
   189  
   190  	for _, rs := range s.RootModule().Resources {
   191  		if rs.Type != "aws_security_group" {
   192  			continue
   193  		}
   194  
   195  		// Retrieve our group
   196  		req := &ec2.DescribeSecurityGroupsInput{
   197  			GroupIDs: []*string{aws.String(rs.Primary.ID)},
   198  		}
   199  		resp, err := conn.DescribeSecurityGroups(req)
   200  		if err == nil {
   201  			if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {
   202  				return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID)
   203  			}
   204  
   205  			return nil
   206  		}
   207  
   208  		ec2err, ok := err.(aws.APIError)
   209  		if !ok {
   210  			return err
   211  		}
   212  		// Confirm error code is what we want
   213  		if ec2err.Code != "InvalidGroup.NotFound" {
   214  			return err
   215  		}
   216  	}
   217  
   218  	return nil
   219  }
   220  
   221  func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc {
   222  	return func(s *terraform.State) error {
   223  		rs, ok := s.RootModule().Resources[n]
   224  		if !ok {
   225  			return fmt.Errorf("Not found: %s", n)
   226  		}
   227  
   228  		if rs.Primary.ID == "" {
   229  			return fmt.Errorf("No Security Group is set")
   230  		}
   231  
   232  		conn := testAccProvider.Meta().(*AWSClient).ec2SDKconn
   233  		req := &ec2.DescribeSecurityGroupsInput{
   234  			GroupIDs: []*string{aws.String(rs.Primary.ID)},
   235  		}
   236  		resp, err := conn.DescribeSecurityGroups(req)
   237  		if err != nil {
   238  			return err
   239  		}
   240  
   241  		if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {
   242  			*group = *resp.SecurityGroups[0]
   243  			return nil
   244  		}
   245  
   246  		return fmt.Errorf("Security Group not found")
   247  	}
   248  }
   249  
   250  func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
   251  	return func(s *terraform.State) error {
   252  		p := &ec2.IPPermission{
   253  			FromPort:   aws.Long(80),
   254  			ToPort:     aws.Long(8000),
   255  			IPProtocol: aws.String("tcp"),
   256  			IPRanges:   []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}},
   257  		}
   258  
   259  		if *group.GroupName != "terraform_acceptance_test_example" {
   260  			return fmt.Errorf("Bad name: %s", *group.GroupName)
   261  		}
   262  
   263  		if *group.Description != "Used in the terraform acceptance tests" {
   264  			return fmt.Errorf("Bad description: %s", *group.Description)
   265  		}
   266  
   267  		if len(group.IPPermissions) == 0 {
   268  			return fmt.Errorf("No IPPerms")
   269  		}
   270  
   271  		// Compare our ingress
   272  		if !reflect.DeepEqual(group.IPPermissions[0], p) {
   273  			return fmt.Errorf(
   274  				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
   275  				group.IPPermissions[0],
   276  				p)
   277  		}
   278  
   279  		return nil
   280  	}
   281  }
   282  
   283  func TestAccAWSSecurityGroup_tags(t *testing.T) {
   284  	var group ec2.SecurityGroup
   285  
   286  	resource.Test(t, resource.TestCase{
   287  		PreCheck:     func() { testAccPreCheck(t) },
   288  		Providers:    testAccProviders,
   289  		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
   290  		Steps: []resource.TestStep{
   291  			resource.TestStep{
   292  				Config: testAccAWSSecurityGroupConfigTags,
   293  				Check: resource.ComposeTestCheckFunc(
   294  					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
   295  					testAccCheckTagsSDK(&group.Tags, "foo", "bar"),
   296  				),
   297  			},
   298  
   299  			resource.TestStep{
   300  				Config: testAccAWSSecurityGroupConfigTagsUpdate,
   301  				Check: resource.ComposeTestCheckFunc(
   302  					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
   303  					testAccCheckTagsSDK(&group.Tags, "foo", ""),
   304  					testAccCheckTagsSDK(&group.Tags, "bar", "baz"),
   305  				),
   306  			},
   307  		},
   308  	})
   309  }
   310  
   311  func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc {
   312  	return func(s *terraform.State) error {
   313  		p := []*ec2.IPPermission{
   314  			&ec2.IPPermission{
   315  				FromPort:   aws.Long(80),
   316  				ToPort:     aws.Long(9000),
   317  				IPProtocol: aws.String("tcp"),
   318  				IPRanges:   []*ec2.IPRange{&ec2.IPRange{CIDRIP: aws.String("10.0.0.0/8")}},
   319  			},
   320  			&ec2.IPPermission{
   321  				FromPort:   aws.Long(80),
   322  				ToPort:     aws.Long(8000),
   323  				IPProtocol: aws.String("tcp"),
   324  				IPRanges: []*ec2.IPRange{
   325  					&ec2.IPRange{
   326  						CIDRIP: aws.String("0.0.0.0/0"),
   327  					},
   328  					&ec2.IPRange{
   329  						CIDRIP: aws.String("10.0.0.0/8"),
   330  					},
   331  				},
   332  			},
   333  		}
   334  
   335  		if *group.GroupName != "terraform_acceptance_test_example" {
   336  			return fmt.Errorf("Bad name: %s", *group.GroupName)
   337  		}
   338  
   339  		if *group.Description != "Used in the terraform acceptance tests" {
   340  			return fmt.Errorf("Bad description: %s", *group.Description)
   341  		}
   342  
   343  		// Compare our ingress
   344  		if len(group.IPPermissions) != 2 {
   345  			return fmt.Errorf(
   346  				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
   347  				group.IPPermissions,
   348  				p)
   349  		}
   350  
   351  		if *group.IPPermissions[0].ToPort == 8000 {
   352  			group.IPPermissions[1], group.IPPermissions[0] =
   353  				group.IPPermissions[0], group.IPPermissions[1]
   354  		}
   355  
   356  		if !reflect.DeepEqual(group.IPPermissions, p) {
   357  			return fmt.Errorf(
   358  				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
   359  				group.IPPermissions,
   360  				p)
   361  		}
   362  
   363  		return nil
   364  	}
   365  }
   366  
   367  const testAccAWSSecurityGroupConfig = `
   368  resource "aws_security_group" "web" {
   369    name = "terraform_acceptance_test_example"
   370    description = "Used in the terraform acceptance tests"
   371  
   372    ingress {
   373      protocol = "tcp"
   374      from_port = 80
   375      to_port = 8000
   376      cidr_blocks = ["10.0.0.0/8"]
   377    }
   378  
   379  	tags {
   380  		Name = "tf-acc-test"
   381  	}
   382  }
   383  `
   384  
   385  const testAccAWSSecurityGroupConfigChange = `
   386  resource "aws_security_group" "web" {
   387    name = "terraform_acceptance_test_example"
   388    description = "Used in the terraform acceptance tests"
   389  
   390    ingress {
   391      protocol = "tcp"
   392      from_port = 80
   393      to_port = 9000
   394      cidr_blocks = ["10.0.0.0/8"]
   395    }
   396  
   397    ingress {
   398      protocol = "tcp"
   399      from_port = 80
   400      to_port = 8000
   401      cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"]
   402    }
   403  }
   404  `
   405  
   406  const testAccAWSSecurityGroupConfigSelf = `
   407  resource "aws_security_group" "web" {
   408    name = "terraform_acceptance_test_example"
   409    description = "Used in the terraform acceptance tests"
   410  
   411    ingress {
   412      protocol = "tcp"
   413      from_port = 80
   414      to_port = 8000
   415      self = true
   416    }
   417  }
   418  `
   419  
   420  const testAccAWSSecurityGroupConfigVpc = `
   421  resource "aws_vpc" "foo" {
   422    cidr_block = "10.1.0.0/16"
   423  }
   424  
   425  resource "aws_security_group" "web" {
   426    name = "terraform_acceptance_test_example"
   427    description = "Used in the terraform acceptance tests"
   428    vpc_id = "${aws_vpc.foo.id}"
   429  
   430    ingress {
   431      protocol = "tcp"
   432      from_port = 80
   433      to_port = 8000
   434      cidr_blocks = ["10.0.0.0/8"]
   435    }
   436  
   437  	egress {
   438  		protocol = "tcp"
   439  		from_port = 80
   440  		to_port = 8000
   441  		cidr_blocks = ["10.0.0.0/8"]
   442  	}
   443  }
   444  `
   445  
   446  const testAccAWSSecurityGroupConfigMultiIngress = `
   447  resource "aws_security_group" "worker" {
   448    name = "terraform_acceptance_test_example_1"
   449    description = "Used in the terraform acceptance tests"
   450  
   451    ingress {
   452      protocol = "tcp"
   453      from_port = 80
   454      to_port = 8000
   455      cidr_blocks = ["10.0.0.0/8"]
   456    }
   457  }
   458  
   459  resource "aws_security_group" "web" {
   460    name = "terraform_acceptance_test_example_2"
   461    description = "Used in the terraform acceptance tests"
   462  
   463    ingress {
   464      protocol = "tcp"
   465      from_port = 22
   466      to_port = 22
   467      cidr_blocks = ["10.0.0.0/8"]
   468    }
   469  
   470    ingress {
   471      protocol = "tcp"
   472      from_port = 800
   473      to_port = 800
   474      cidr_blocks = ["10.0.0.0/8"]
   475    }
   476  
   477    ingress {
   478      protocol = "tcp"
   479      from_port = 80
   480      to_port = 8000
   481      security_groups = ["${aws_security_group.worker.id}"]
   482    }
   483  }
   484  `
   485  
   486  const testAccAWSSecurityGroupConfigTags = `
   487  resource "aws_security_group" "foo" {
   488  	name = "terraform_acceptance_test_example"
   489    description = "Used in the terraform acceptance tests"
   490  
   491    ingress {
   492      protocol = "tcp"
   493      from_port = 80
   494      to_port = 8000
   495      cidr_blocks = ["10.0.0.0/8"]
   496    }
   497  
   498    tags {
   499      foo = "bar"
   500    }
   501  }
   502  `
   503  
   504  const testAccAWSSecurityGroupConfigTagsUpdate = `
   505  resource "aws_security_group" "foo" {
   506    name = "terraform_acceptance_test_example"
   507    description = "Used in the terraform acceptance tests"
   508  
   509    ingress {
   510      protocol = "tcp"
   511      from_port = 80
   512      to_port = 8000
   513      cidr_blocks = ["10.0.0.0/8"]
   514    }
   515  
   516    tags {
   517      bar = "baz"
   518    }
   519  }
   520  `