github.com/peterbale/terraform@v0.9.0-beta2.0.20170315142748-5723acd55547/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 IDRefreshName: "aws_network_acl.bar", 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 22 Steps: []resource.TestStep{ 23 { 24 Config: testAccAWSNetworkAclEgressNIngressConfig, 25 Check: resource.ComposeAggregateTestCheckFunc( 26 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.1871939009.protocol", "6"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.1871939009.rule_no", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.1871939009.from_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.1871939009.to_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.1871939009.action", "allow"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "ingress.1871939009.cidr_block", "10.3.0.0/18"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.3111164687.protocol", "6"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.3111164687.rule_no", "2"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.3111164687.from_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.3111164687.to_port", "443"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.3111164687.cidr_block", "10.3.0.0/18"), 49 resource.TestCheckResourceAttr( 50 "aws_network_acl.bar", "egress.3111164687.action", "allow"), 51 ), 52 }, 53 }, 54 }) 55 } 56 57 func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) { 58 var networkAcl ec2.NetworkAcl 59 60 resource.Test(t, resource.TestCase{ 61 PreCheck: func() { testAccPreCheck(t) }, 62 IDRefreshName: "aws_network_acl.foos", 63 Providers: testAccProviders, 64 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 65 Steps: []resource.TestStep{ 66 { 67 Config: testAccAWSNetworkAclIngressConfig, 68 Check: resource.ComposeAggregateTestCheckFunc( 69 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 70 resource.TestCheckResourceAttr( 71 "aws_network_acl.foos", "ingress.4245812720.protocol", "6"), 72 resource.TestCheckResourceAttr( 73 "aws_network_acl.foos", "ingress.4245812720.rule_no", "2"), 74 resource.TestCheckResourceAttr( 75 "aws_network_acl.foos", "ingress.4245812720.from_port", "443"), 76 resource.TestCheckResourceAttr( 77 "aws_network_acl.foos", "ingress.4245812720.to_port", "443"), 78 resource.TestCheckResourceAttr( 79 "aws_network_acl.foos", "ingress.4245812720.action", "deny"), 80 resource.TestCheckResourceAttr( 81 "aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"), 82 ), 83 }, 84 }, 85 }) 86 } 87 88 func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) { 89 var networkAcl ec2.NetworkAcl 90 91 resource.Test(t, resource.TestCase{ 92 PreCheck: func() { testAccPreCheck(t) }, 93 IDRefreshName: "aws_network_acl.foos", 94 Providers: testAccProviders, 95 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 96 Steps: []resource.TestStep{ 97 { 98 Config: testAccAWSNetworkAclIngressConfig, 99 Check: resource.ComposeAggregateTestCheckFunc( 100 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 101 testIngressRuleLength(&networkAcl, 2), 102 resource.TestCheckResourceAttr( 103 "aws_network_acl.foos", "ingress.401088754.protocol", "6"), 104 resource.TestCheckResourceAttr( 105 "aws_network_acl.foos", "ingress.401088754.rule_no", "1"), 106 resource.TestCheckResourceAttr( 107 "aws_network_acl.foos", "ingress.401088754.from_port", "0"), 108 resource.TestCheckResourceAttr( 109 "aws_network_acl.foos", "ingress.401088754.to_port", "22"), 110 resource.TestCheckResourceAttr( 111 "aws_network_acl.foos", "ingress.401088754.action", "deny"), 112 resource.TestCheckResourceAttr( 113 "aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"), 114 resource.TestCheckResourceAttr( 115 "aws_network_acl.foos", "ingress.4245812720.from_port", "443"), 116 resource.TestCheckResourceAttr( 117 "aws_network_acl.foos", "ingress.4245812720.rule_no", "2"), 118 ), 119 }, 120 { 121 Config: testAccAWSNetworkAclIngressConfigChange, 122 Check: resource.ComposeAggregateTestCheckFunc( 123 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 124 testIngressRuleLength(&networkAcl, 1), 125 resource.TestCheckResourceAttr( 126 "aws_network_acl.foos", "ingress.401088754.protocol", "6"), 127 resource.TestCheckResourceAttr( 128 "aws_network_acl.foos", "ingress.401088754.rule_no", "1"), 129 resource.TestCheckResourceAttr( 130 "aws_network_acl.foos", "ingress.401088754.from_port", "0"), 131 resource.TestCheckResourceAttr( 132 "aws_network_acl.foos", "ingress.401088754.to_port", "22"), 133 resource.TestCheckResourceAttr( 134 "aws_network_acl.foos", "ingress.401088754.action", "deny"), 135 resource.TestCheckResourceAttr( 136 "aws_network_acl.foos", "ingress.401088754.cidr_block", "10.2.0.0/18"), 137 ), 138 }, 139 }, 140 }) 141 } 142 143 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 144 var networkAcl ec2.NetworkAcl 145 146 resource.Test(t, resource.TestCase{ 147 PreCheck: func() { testAccPreCheck(t) }, 148 IDRefreshName: "aws_network_acl.bond", 149 Providers: testAccProviders, 150 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 151 Steps: []resource.TestStep{ 152 { 153 Config: testAccAWSNetworkAclEgressConfig, 154 Check: resource.ComposeTestCheckFunc( 155 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 156 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 157 ), 158 }, 159 }, 160 }) 161 } 162 163 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 164 165 resource.Test(t, resource.TestCase{ 166 PreCheck: func() { testAccPreCheck(t) }, 167 IDRefreshName: "aws_network_acl.bar", 168 Providers: testAccProviders, 169 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 170 Steps: []resource.TestStep{ 171 { 172 Config: testAccAWSNetworkAclSubnetConfig, 173 Check: resource.ComposeTestCheckFunc( 174 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 175 ), 176 }, 177 { 178 Config: testAccAWSNetworkAclSubnetConfigChange, 179 Check: resource.ComposeTestCheckFunc( 180 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 181 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 182 ), 183 }, 184 }, 185 }) 186 187 } 188 189 func TestAccAWSNetworkAcl_Subnets(t *testing.T) { 190 var networkAcl ec2.NetworkAcl 191 192 checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc { 193 return func(*terraform.State) (err error) { 194 if count != len(acl.Associations) { 195 return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations)) 196 } 197 198 return nil 199 } 200 } 201 202 resource.Test(t, resource.TestCase{ 203 PreCheck: func() { testAccPreCheck(t) }, 204 IDRefreshName: "aws_network_acl.bar", 205 Providers: testAccProviders, 206 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 207 Steps: []resource.TestStep{ 208 { 209 Config: testAccAWSNetworkAclSubnet_SubnetIds, 210 Check: resource.ComposeTestCheckFunc( 211 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 212 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 213 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"), 214 checkACLSubnets(&networkAcl, 2), 215 ), 216 }, 217 218 { 219 Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate, 220 Check: resource.ComposeTestCheckFunc( 221 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 222 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 223 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"), 224 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"), 225 checkACLSubnets(&networkAcl, 3), 226 ), 227 }, 228 }, 229 }) 230 } 231 232 func TestAccAWSNetworkAcl_ipv6Rules(t *testing.T) { 233 var networkAcl ec2.NetworkAcl 234 235 resource.Test(t, resource.TestCase{ 236 PreCheck: func() { testAccPreCheck(t) }, 237 IDRefreshName: "aws_network_acl.foos", 238 Providers: testAccProviders, 239 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 240 Steps: []resource.TestStep{ 241 { 242 Config: testAccAWSNetworkAclIpv6Config, 243 Check: resource.ComposeTestCheckFunc( 244 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 245 resource.TestCheckResourceAttr( 246 "aws_network_acl.foos", "ingress.1976110835.protocol", "6"), 247 resource.TestCheckResourceAttr( 248 "aws_network_acl.foos", "ingress.1976110835.rule_no", "1"), 249 resource.TestCheckResourceAttr( 250 "aws_network_acl.foos", "ingress.1976110835.from_port", "0"), 251 resource.TestCheckResourceAttr( 252 "aws_network_acl.foos", "ingress.1976110835.to_port", "22"), 253 resource.TestCheckResourceAttr( 254 "aws_network_acl.foos", "ingress.1976110835.action", "allow"), 255 resource.TestCheckResourceAttr( 256 "aws_network_acl.foos", "ingress.1976110835.ipv6_cidr_block", "::/0"), 257 ), 258 }, 259 }, 260 }) 261 } 262 263 func TestAccAWSNetworkAcl_espProtocol(t *testing.T) { 264 var networkAcl ec2.NetworkAcl 265 266 resource.Test(t, resource.TestCase{ 267 PreCheck: func() { testAccPreCheck(t) }, 268 IDRefreshName: "aws_network_acl.testesp", 269 Providers: testAccProviders, 270 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 271 Steps: []resource.TestStep{ 272 { 273 Config: testAccAWSNetworkAclEsp, 274 Check: resource.ComposeTestCheckFunc( 275 testAccCheckAWSNetworkAclExists("aws_network_acl.testesp", &networkAcl), 276 ), 277 }, 278 }, 279 }) 280 } 281 282 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 283 conn := testAccProvider.Meta().(*AWSClient).ec2conn 284 285 for _, rs := range s.RootModule().Resources { 286 if rs.Type != "aws_network" { 287 continue 288 } 289 290 // Retrieve the network acl 291 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 292 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 293 }) 294 if err == nil { 295 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 296 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 297 } 298 299 return nil 300 } 301 302 ec2err, ok := err.(awserr.Error) 303 if !ok { 304 return err 305 } 306 // Confirm error code is what we want 307 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 308 return err 309 } 310 } 311 312 return nil 313 } 314 315 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 316 return func(s *terraform.State) error { 317 rs, ok := s.RootModule().Resources[n] 318 if !ok { 319 return fmt.Errorf("Not found: %s", n) 320 } 321 322 if rs.Primary.ID == "" { 323 return fmt.Errorf("No Security Group is set") 324 } 325 conn := testAccProvider.Meta().(*AWSClient).ec2conn 326 327 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 328 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 329 }) 330 if err != nil { 331 return err 332 } 333 334 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 335 *networkAcl = *resp.NetworkAcls[0] 336 return nil 337 } 338 339 return fmt.Errorf("Network Acls not found") 340 } 341 } 342 343 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 344 return func(s *terraform.State) error { 345 var ingressEntries []*ec2.NetworkAclEntry 346 for _, e := range networkAcl.Entries { 347 if *e.Egress == false { 348 ingressEntries = append(ingressEntries, e) 349 } 350 } 351 // There is always a default rule (ALL Traffic ... DENY) 352 // so we have to increase the length by 1 353 if len(ingressEntries) != length+1 { 354 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 355 } 356 return nil 357 } 358 } 359 360 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 361 return func(s *terraform.State) error { 362 networkAcl := s.RootModule().Resources[acl] 363 subnet := s.RootModule().Resources[sub] 364 365 conn := testAccProvider.Meta().(*AWSClient).ec2conn 366 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 367 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 368 Filters: []*ec2.Filter{ 369 { 370 Name: aws.String("association.subnet-id"), 371 Values: []*string{aws.String(subnet.Primary.ID)}, 372 }, 373 }, 374 }) 375 if err != nil { 376 return err 377 } 378 if len(resp.NetworkAcls) > 0 { 379 return nil 380 } 381 382 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 383 } 384 } 385 386 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 387 return func(s *terraform.State) error { 388 networkAcl := s.RootModule().Resources[acl] 389 subnet := s.RootModule().Resources[subnet] 390 391 conn := testAccProvider.Meta().(*AWSClient).ec2conn 392 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 393 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 394 Filters: []*ec2.Filter{ 395 { 396 Name: aws.String("association.subnet-id"), 397 Values: []*string{aws.String(subnet.Primary.ID)}, 398 }, 399 }, 400 }) 401 402 if err != nil { 403 return err 404 } 405 if len(resp.NetworkAcls) > 0 { 406 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 407 } 408 return nil 409 } 410 } 411 412 const testAccAWSNetworkAclIpv6Config = ` 413 resource "aws_vpc" "foo" { 414 cidr_block = "10.1.0.0/16" 415 tags { 416 Name = "TestAccAWSNetworkAcl_ipv6Rules" 417 } 418 } 419 resource "aws_subnet" "blob" { 420 cidr_block = "10.1.1.0/24" 421 vpc_id = "${aws_vpc.foo.id}" 422 map_public_ip_on_launch = true 423 } 424 resource "aws_network_acl" "foos" { 425 vpc_id = "${aws_vpc.foo.id}" 426 ingress = { 427 protocol = "tcp" 428 rule_no = 1 429 action = "allow" 430 ipv6_cidr_block = "::/0" 431 from_port = 0 432 to_port = 22 433 } 434 435 subnet_ids = ["${aws_subnet.blob.id}"] 436 } 437 ` 438 439 const testAccAWSNetworkAclIngressConfig = ` 440 resource "aws_vpc" "foo" { 441 cidr_block = "10.1.0.0/16" 442 tags { 443 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 444 } 445 } 446 resource "aws_subnet" "blob" { 447 cidr_block = "10.1.1.0/24" 448 vpc_id = "${aws_vpc.foo.id}" 449 map_public_ip_on_launch = true 450 } 451 resource "aws_network_acl" "foos" { 452 vpc_id = "${aws_vpc.foo.id}" 453 ingress = { 454 protocol = "tcp" 455 rule_no = 1 456 action = "deny" 457 cidr_block = "10.2.0.0/18" 458 from_port = 0 459 to_port = 22 460 } 461 ingress = { 462 protocol = "tcp" 463 rule_no = 2 464 action = "deny" 465 cidr_block = "10.2.0.0/18" 466 from_port = 443 467 to_port = 443 468 } 469 470 subnet_ids = ["${aws_subnet.blob.id}"] 471 } 472 ` 473 const testAccAWSNetworkAclIngressConfigChange = ` 474 resource "aws_vpc" "foo" { 475 cidr_block = "10.1.0.0/16" 476 tags { 477 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 478 } 479 } 480 resource "aws_subnet" "blob" { 481 cidr_block = "10.1.1.0/24" 482 vpc_id = "${aws_vpc.foo.id}" 483 map_public_ip_on_launch = true 484 } 485 resource "aws_network_acl" "foos" { 486 vpc_id = "${aws_vpc.foo.id}" 487 ingress = { 488 protocol = "tcp" 489 rule_no = 1 490 action = "deny" 491 cidr_block = "10.2.0.0/18" 492 from_port = 0 493 to_port = 22 494 } 495 subnet_ids = ["${aws_subnet.blob.id}"] 496 } 497 ` 498 499 const testAccAWSNetworkAclEgressConfig = ` 500 resource "aws_vpc" "foo" { 501 cidr_block = "10.2.0.0/16" 502 tags { 503 Name = "TestAccAWSNetworkAcl_OnlyEgressRules" 504 } 505 } 506 resource "aws_subnet" "blob" { 507 cidr_block = "10.2.0.0/24" 508 vpc_id = "${aws_vpc.foo.id}" 509 map_public_ip_on_launch = true 510 } 511 resource "aws_network_acl" "bond" { 512 vpc_id = "${aws_vpc.foo.id}" 513 egress = { 514 protocol = "tcp" 515 rule_no = 2 516 action = "allow" 517 cidr_block = "10.2.0.0/18" 518 from_port = 443 519 to_port = 443 520 } 521 522 egress = { 523 protocol = "-1" 524 rule_no = 4 525 action = "allow" 526 cidr_block = "0.0.0.0/0" 527 from_port = 0 528 to_port = 0 529 } 530 531 egress = { 532 protocol = "tcp" 533 rule_no = 1 534 action = "allow" 535 cidr_block = "10.2.0.0/18" 536 from_port = 80 537 to_port = 80 538 } 539 540 egress = { 541 protocol = "tcp" 542 rule_no = 3 543 action = "allow" 544 cidr_block = "10.2.0.0/18" 545 from_port = 22 546 to_port = 22 547 } 548 549 tags { 550 foo = "bar" 551 } 552 } 553 ` 554 555 const testAccAWSNetworkAclEgressNIngressConfig = ` 556 resource "aws_vpc" "foo" { 557 cidr_block = "10.3.0.0/16" 558 tags { 559 Name = "TestAccAWSNetworkAcl_EgressAndIngressRules" 560 } 561 } 562 resource "aws_subnet" "blob" { 563 cidr_block = "10.3.0.0/24" 564 vpc_id = "${aws_vpc.foo.id}" 565 map_public_ip_on_launch = true 566 } 567 resource "aws_network_acl" "bar" { 568 vpc_id = "${aws_vpc.foo.id}" 569 egress = { 570 protocol = "tcp" 571 rule_no = 2 572 action = "allow" 573 cidr_block = "10.3.0.0/18" 574 from_port = 443 575 to_port = 443 576 } 577 578 ingress = { 579 protocol = "tcp" 580 rule_no = 1 581 action = "allow" 582 cidr_block = "10.3.0.0/18" 583 from_port = 80 584 to_port = 80 585 } 586 } 587 ` 588 const testAccAWSNetworkAclSubnetConfig = ` 589 resource "aws_vpc" "foo" { 590 cidr_block = "10.1.0.0/16" 591 tags { 592 Name = "TestAccAWSNetworkAcl_SubnetChange" 593 } 594 } 595 resource "aws_subnet" "old" { 596 cidr_block = "10.1.111.0/24" 597 vpc_id = "${aws_vpc.foo.id}" 598 map_public_ip_on_launch = true 599 } 600 resource "aws_subnet" "new" { 601 cidr_block = "10.1.1.0/24" 602 vpc_id = "${aws_vpc.foo.id}" 603 map_public_ip_on_launch = true 604 } 605 resource "aws_network_acl" "roll" { 606 vpc_id = "${aws_vpc.foo.id}" 607 subnet_ids = ["${aws_subnet.new.id}"] 608 } 609 resource "aws_network_acl" "bar" { 610 vpc_id = "${aws_vpc.foo.id}" 611 subnet_ids = ["${aws_subnet.old.id}"] 612 } 613 ` 614 615 const testAccAWSNetworkAclSubnetConfigChange = ` 616 resource "aws_vpc" "foo" { 617 cidr_block = "10.1.0.0/16" 618 tags { 619 Name = "TestAccAWSNetworkAcl_SubnetChange" 620 } 621 } 622 resource "aws_subnet" "old" { 623 cidr_block = "10.1.111.0/24" 624 vpc_id = "${aws_vpc.foo.id}" 625 map_public_ip_on_launch = true 626 } 627 resource "aws_subnet" "new" { 628 cidr_block = "10.1.1.0/24" 629 vpc_id = "${aws_vpc.foo.id}" 630 map_public_ip_on_launch = true 631 } 632 resource "aws_network_acl" "bar" { 633 vpc_id = "${aws_vpc.foo.id}" 634 subnet_ids = ["${aws_subnet.new.id}"] 635 } 636 ` 637 638 const testAccAWSNetworkAclSubnet_SubnetIds = ` 639 resource "aws_vpc" "foo" { 640 cidr_block = "10.1.0.0/16" 641 tags { 642 Name = "TestAccAWSNetworkAcl_Subnets" 643 } 644 } 645 resource "aws_subnet" "one" { 646 cidr_block = "10.1.111.0/24" 647 vpc_id = "${aws_vpc.foo.id}" 648 tags { 649 Name = "acl-subnets-test" 650 } 651 } 652 resource "aws_subnet" "two" { 653 cidr_block = "10.1.1.0/24" 654 vpc_id = "${aws_vpc.foo.id}" 655 tags { 656 Name = "acl-subnets-test" 657 } 658 } 659 resource "aws_network_acl" "bar" { 660 vpc_id = "${aws_vpc.foo.id}" 661 subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"] 662 tags { 663 Name = "acl-subnets-test" 664 } 665 } 666 ` 667 668 const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = ` 669 resource "aws_vpc" "foo" { 670 cidr_block = "10.1.0.0/16" 671 tags { 672 Name = "TestAccAWSNetworkAcl_Subnets" 673 } 674 } 675 resource "aws_subnet" "one" { 676 cidr_block = "10.1.111.0/24" 677 vpc_id = "${aws_vpc.foo.id}" 678 tags { 679 Name = "acl-subnets-test" 680 } 681 } 682 resource "aws_subnet" "two" { 683 cidr_block = "10.1.1.0/24" 684 vpc_id = "${aws_vpc.foo.id}" 685 tags { 686 Name = "acl-subnets-test" 687 } 688 } 689 690 resource "aws_subnet" "three" { 691 cidr_block = "10.1.222.0/24" 692 vpc_id = "${aws_vpc.foo.id}" 693 tags { 694 Name = "acl-subnets-test" 695 } 696 } 697 resource "aws_subnet" "four" { 698 cidr_block = "10.1.4.0/24" 699 vpc_id = "${aws_vpc.foo.id}" 700 tags { 701 Name = "acl-subnets-test" 702 } 703 } 704 resource "aws_network_acl" "bar" { 705 vpc_id = "${aws_vpc.foo.id}" 706 subnet_ids = [ 707 "${aws_subnet.one.id}", 708 "${aws_subnet.three.id}", 709 "${aws_subnet.four.id}", 710 ] 711 tags { 712 Name = "acl-subnets-test" 713 } 714 } 715 ` 716 717 const testAccAWSNetworkAclEsp = ` 718 resource "aws_vpc" "testespvpc" { 719 cidr_block = "10.1.0.0/16" 720 } 721 722 resource "aws_network_acl" "testesp" { 723 vpc_id = "${aws_vpc.testespvpc.id}" 724 725 egress { 726 protocol = "esp" 727 rule_no = 5 728 action = "allow" 729 cidr_block = "10.3.0.0/18" 730 from_port = 0 731 to_port = 0 732 } 733 734 tags { 735 Name = "test_esp" 736 } 737 } 738 `