github.com/peterbale/terraform@v0.9.0-beta2.0.20170315142748-5723acd55547/builtin/providers/aws/resource_aws_network_acl_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aws/aws-sdk-go/aws"
     8  	"github.com/aws/aws-sdk-go/aws/awserr"
     9  	"github.com/aws/aws-sdk-go/service/ec2"
    10  	"github.com/hashicorp/terraform/helper/resource"
    11  	"github.com/hashicorp/terraform/terraform"
    12  )
    13  
    14  func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) {
    15  	var networkAcl ec2.NetworkAcl
    16  
    17  	resource.Test(t, resource.TestCase{
    18  		PreCheck:      func() { testAccPreCheck(t) },
    19  		IDRefreshName: "aws_network_acl.bar",
    20  		Providers:     testAccProviders,
    21  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
    22  		Steps: []resource.TestStep{
    23  			{
    24  				Config: testAccAWSNetworkAclEgressNIngressConfig,
    25  				Check: resource.ComposeAggregateTestCheckFunc(
    26  					testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl),
    27  					resource.TestCheckResourceAttr(
    28  						"aws_network_acl.bar", "ingress.1871939009.protocol", "6"),
    29  					resource.TestCheckResourceAttr(
    30  						"aws_network_acl.bar", "ingress.1871939009.rule_no", "1"),
    31  					resource.TestCheckResourceAttr(
    32  						"aws_network_acl.bar", "ingress.1871939009.from_port", "80"),
    33  					resource.TestCheckResourceAttr(
    34  						"aws_network_acl.bar", "ingress.1871939009.to_port", "80"),
    35  					resource.TestCheckResourceAttr(
    36  						"aws_network_acl.bar", "ingress.1871939009.action", "allow"),
    37  					resource.TestCheckResourceAttr(
    38  						"aws_network_acl.bar", "ingress.1871939009.cidr_block", "10.3.0.0/18"),
    39  					resource.TestCheckResourceAttr(
    40  						"aws_network_acl.bar", "egress.3111164687.protocol", "6"),
    41  					resource.TestCheckResourceAttr(
    42  						"aws_network_acl.bar", "egress.3111164687.rule_no", "2"),
    43  					resource.TestCheckResourceAttr(
    44  						"aws_network_acl.bar", "egress.3111164687.from_port", "443"),
    45  					resource.TestCheckResourceAttr(
    46  						"aws_network_acl.bar", "egress.3111164687.to_port", "443"),
    47  					resource.TestCheckResourceAttr(
    48  						"aws_network_acl.bar", "egress.3111164687.cidr_block", "10.3.0.0/18"),
    49  					resource.TestCheckResourceAttr(
    50  						"aws_network_acl.bar", "egress.3111164687.action", "allow"),
    51  				),
    52  			},
    53  		},
    54  	})
    55  }
    56  
    57  func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) {
    58  	var networkAcl ec2.NetworkAcl
    59  
    60  	resource.Test(t, resource.TestCase{
    61  		PreCheck:      func() { testAccPreCheck(t) },
    62  		IDRefreshName: "aws_network_acl.foos",
    63  		Providers:     testAccProviders,
    64  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
    65  		Steps: []resource.TestStep{
    66  			{
    67  				Config: testAccAWSNetworkAclIngressConfig,
    68  				Check: resource.ComposeAggregateTestCheckFunc(
    69  					testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl),
    70  					resource.TestCheckResourceAttr(
    71  						"aws_network_acl.foos", "ingress.4245812720.protocol", "6"),
    72  					resource.TestCheckResourceAttr(
    73  						"aws_network_acl.foos", "ingress.4245812720.rule_no", "2"),
    74  					resource.TestCheckResourceAttr(
    75  						"aws_network_acl.foos", "ingress.4245812720.from_port", "443"),
    76  					resource.TestCheckResourceAttr(
    77  						"aws_network_acl.foos", "ingress.4245812720.to_port", "443"),
    78  					resource.TestCheckResourceAttr(
    79  						"aws_network_acl.foos", "ingress.4245812720.action", "deny"),
    80  					resource.TestCheckResourceAttr(
    81  						"aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"),
    82  				),
    83  			},
    84  		},
    85  	})
    86  }
    87  
    88  func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) {
    89  	var networkAcl ec2.NetworkAcl
    90  
    91  	resource.Test(t, resource.TestCase{
    92  		PreCheck:      func() { testAccPreCheck(t) },
    93  		IDRefreshName: "aws_network_acl.foos",
    94  		Providers:     testAccProviders,
    95  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
    96  		Steps: []resource.TestStep{
    97  			{
    98  				Config: testAccAWSNetworkAclIngressConfig,
    99  				Check: resource.ComposeAggregateTestCheckFunc(
   100  					testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl),
   101  					testIngressRuleLength(&networkAcl, 2),
   102  					resource.TestCheckResourceAttr(
   103  						"aws_network_acl.foos", "ingress.401088754.protocol", "6"),
   104  					resource.TestCheckResourceAttr(
   105  						"aws_network_acl.foos", "ingress.401088754.rule_no", "1"),
   106  					resource.TestCheckResourceAttr(
   107  						"aws_network_acl.foos", "ingress.401088754.from_port", "0"),
   108  					resource.TestCheckResourceAttr(
   109  						"aws_network_acl.foos", "ingress.401088754.to_port", "22"),
   110  					resource.TestCheckResourceAttr(
   111  						"aws_network_acl.foos", "ingress.401088754.action", "deny"),
   112  					resource.TestCheckResourceAttr(
   113  						"aws_network_acl.foos", "ingress.4245812720.cidr_block", "10.2.0.0/18"),
   114  					resource.TestCheckResourceAttr(
   115  						"aws_network_acl.foos", "ingress.4245812720.from_port", "443"),
   116  					resource.TestCheckResourceAttr(
   117  						"aws_network_acl.foos", "ingress.4245812720.rule_no", "2"),
   118  				),
   119  			},
   120  			{
   121  				Config: testAccAWSNetworkAclIngressConfigChange,
   122  				Check: resource.ComposeAggregateTestCheckFunc(
   123  					testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl),
   124  					testIngressRuleLength(&networkAcl, 1),
   125  					resource.TestCheckResourceAttr(
   126  						"aws_network_acl.foos", "ingress.401088754.protocol", "6"),
   127  					resource.TestCheckResourceAttr(
   128  						"aws_network_acl.foos", "ingress.401088754.rule_no", "1"),
   129  					resource.TestCheckResourceAttr(
   130  						"aws_network_acl.foos", "ingress.401088754.from_port", "0"),
   131  					resource.TestCheckResourceAttr(
   132  						"aws_network_acl.foos", "ingress.401088754.to_port", "22"),
   133  					resource.TestCheckResourceAttr(
   134  						"aws_network_acl.foos", "ingress.401088754.action", "deny"),
   135  					resource.TestCheckResourceAttr(
   136  						"aws_network_acl.foos", "ingress.401088754.cidr_block", "10.2.0.0/18"),
   137  				),
   138  			},
   139  		},
   140  	})
   141  }
   142  
   143  func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) {
   144  	var networkAcl ec2.NetworkAcl
   145  
   146  	resource.Test(t, resource.TestCase{
   147  		PreCheck:      func() { testAccPreCheck(t) },
   148  		IDRefreshName: "aws_network_acl.bond",
   149  		Providers:     testAccProviders,
   150  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
   151  		Steps: []resource.TestStep{
   152  			{
   153  				Config: testAccAWSNetworkAclEgressConfig,
   154  				Check: resource.ComposeTestCheckFunc(
   155  					testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl),
   156  					testAccCheckTags(&networkAcl.Tags, "foo", "bar"),
   157  				),
   158  			},
   159  		},
   160  	})
   161  }
   162  
   163  func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) {
   164  
   165  	resource.Test(t, resource.TestCase{
   166  		PreCheck:      func() { testAccPreCheck(t) },
   167  		IDRefreshName: "aws_network_acl.bar",
   168  		Providers:     testAccProviders,
   169  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
   170  		Steps: []resource.TestStep{
   171  			{
   172  				Config: testAccAWSNetworkAclSubnetConfig,
   173  				Check: resource.ComposeTestCheckFunc(
   174  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"),
   175  				),
   176  			},
   177  			{
   178  				Config: testAccAWSNetworkAclSubnetConfigChange,
   179  				Check: resource.ComposeTestCheckFunc(
   180  					testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"),
   181  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"),
   182  				),
   183  			},
   184  		},
   185  	})
   186  
   187  }
   188  
   189  func TestAccAWSNetworkAcl_Subnets(t *testing.T) {
   190  	var networkAcl ec2.NetworkAcl
   191  
   192  	checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc {
   193  		return func(*terraform.State) (err error) {
   194  			if count != len(acl.Associations) {
   195  				return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations))
   196  			}
   197  
   198  			return nil
   199  		}
   200  	}
   201  
   202  	resource.Test(t, resource.TestCase{
   203  		PreCheck:      func() { testAccPreCheck(t) },
   204  		IDRefreshName: "aws_network_acl.bar",
   205  		Providers:     testAccProviders,
   206  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
   207  		Steps: []resource.TestStep{
   208  			{
   209  				Config: testAccAWSNetworkAclSubnet_SubnetIds,
   210  				Check: resource.ComposeTestCheckFunc(
   211  					testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl),
   212  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"),
   213  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"),
   214  					checkACLSubnets(&networkAcl, 2),
   215  				),
   216  			},
   217  
   218  			{
   219  				Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate,
   220  				Check: resource.ComposeTestCheckFunc(
   221  					testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl),
   222  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"),
   223  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"),
   224  					testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"),
   225  					checkACLSubnets(&networkAcl, 3),
   226  				),
   227  			},
   228  		},
   229  	})
   230  }
   231  
   232  func TestAccAWSNetworkAcl_ipv6Rules(t *testing.T) {
   233  	var networkAcl ec2.NetworkAcl
   234  
   235  	resource.Test(t, resource.TestCase{
   236  		PreCheck:      func() { testAccPreCheck(t) },
   237  		IDRefreshName: "aws_network_acl.foos",
   238  		Providers:     testAccProviders,
   239  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
   240  		Steps: []resource.TestStep{
   241  			{
   242  				Config: testAccAWSNetworkAclIpv6Config,
   243  				Check: resource.ComposeTestCheckFunc(
   244  					testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl),
   245  					resource.TestCheckResourceAttr(
   246  						"aws_network_acl.foos", "ingress.1976110835.protocol", "6"),
   247  					resource.TestCheckResourceAttr(
   248  						"aws_network_acl.foos", "ingress.1976110835.rule_no", "1"),
   249  					resource.TestCheckResourceAttr(
   250  						"aws_network_acl.foos", "ingress.1976110835.from_port", "0"),
   251  					resource.TestCheckResourceAttr(
   252  						"aws_network_acl.foos", "ingress.1976110835.to_port", "22"),
   253  					resource.TestCheckResourceAttr(
   254  						"aws_network_acl.foos", "ingress.1976110835.action", "allow"),
   255  					resource.TestCheckResourceAttr(
   256  						"aws_network_acl.foos", "ingress.1976110835.ipv6_cidr_block", "::/0"),
   257  				),
   258  			},
   259  		},
   260  	})
   261  }
   262  
   263  func TestAccAWSNetworkAcl_espProtocol(t *testing.T) {
   264  	var networkAcl ec2.NetworkAcl
   265  
   266  	resource.Test(t, resource.TestCase{
   267  		PreCheck:      func() { testAccPreCheck(t) },
   268  		IDRefreshName: "aws_network_acl.testesp",
   269  		Providers:     testAccProviders,
   270  		CheckDestroy:  testAccCheckAWSNetworkAclDestroy,
   271  		Steps: []resource.TestStep{
   272  			{
   273  				Config: testAccAWSNetworkAclEsp,
   274  				Check: resource.ComposeTestCheckFunc(
   275  					testAccCheckAWSNetworkAclExists("aws_network_acl.testesp", &networkAcl),
   276  				),
   277  			},
   278  		},
   279  	})
   280  }
   281  
   282  func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error {
   283  	conn := testAccProvider.Meta().(*AWSClient).ec2conn
   284  
   285  	for _, rs := range s.RootModule().Resources {
   286  		if rs.Type != "aws_network" {
   287  			continue
   288  		}
   289  
   290  		// Retrieve the network acl
   291  		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
   292  			NetworkAclIds: []*string{aws.String(rs.Primary.ID)},
   293  		})
   294  		if err == nil {
   295  			if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID {
   296  				return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID)
   297  			}
   298  
   299  			return nil
   300  		}
   301  
   302  		ec2err, ok := err.(awserr.Error)
   303  		if !ok {
   304  			return err
   305  		}
   306  		// Confirm error code is what we want
   307  		if ec2err.Code() != "InvalidNetworkAclID.NotFound" {
   308  			return err
   309  		}
   310  	}
   311  
   312  	return nil
   313  }
   314  
   315  func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc {
   316  	return func(s *terraform.State) error {
   317  		rs, ok := s.RootModule().Resources[n]
   318  		if !ok {
   319  			return fmt.Errorf("Not found: %s", n)
   320  		}
   321  
   322  		if rs.Primary.ID == "" {
   323  			return fmt.Errorf("No Security Group is set")
   324  		}
   325  		conn := testAccProvider.Meta().(*AWSClient).ec2conn
   326  
   327  		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
   328  			NetworkAclIds: []*string{aws.String(rs.Primary.ID)},
   329  		})
   330  		if err != nil {
   331  			return err
   332  		}
   333  
   334  		if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID {
   335  			*networkAcl = *resp.NetworkAcls[0]
   336  			return nil
   337  		}
   338  
   339  		return fmt.Errorf("Network Acls not found")
   340  	}
   341  }
   342  
   343  func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc {
   344  	return func(s *terraform.State) error {
   345  		var ingressEntries []*ec2.NetworkAclEntry
   346  		for _, e := range networkAcl.Entries {
   347  			if *e.Egress == false {
   348  				ingressEntries = append(ingressEntries, e)
   349  			}
   350  		}
   351  		// There is always a default rule (ALL Traffic ... DENY)
   352  		// so we have to increase the length by 1
   353  		if len(ingressEntries) != length+1 {
   354  			return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries))
   355  		}
   356  		return nil
   357  	}
   358  }
   359  
   360  func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc {
   361  	return func(s *terraform.State) error {
   362  		networkAcl := s.RootModule().Resources[acl]
   363  		subnet := s.RootModule().Resources[sub]
   364  
   365  		conn := testAccProvider.Meta().(*AWSClient).ec2conn
   366  		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
   367  			NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)},
   368  			Filters: []*ec2.Filter{
   369  				{
   370  					Name:   aws.String("association.subnet-id"),
   371  					Values: []*string{aws.String(subnet.Primary.ID)},
   372  				},
   373  			},
   374  		})
   375  		if err != nil {
   376  			return err
   377  		}
   378  		if len(resp.NetworkAcls) > 0 {
   379  			return nil
   380  		}
   381  
   382  		return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub)
   383  	}
   384  }
   385  
   386  func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc {
   387  	return func(s *terraform.State) error {
   388  		networkAcl := s.RootModule().Resources[acl]
   389  		subnet := s.RootModule().Resources[subnet]
   390  
   391  		conn := testAccProvider.Meta().(*AWSClient).ec2conn
   392  		resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
   393  			NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)},
   394  			Filters: []*ec2.Filter{
   395  				{
   396  					Name:   aws.String("association.subnet-id"),
   397  					Values: []*string{aws.String(subnet.Primary.ID)},
   398  				},
   399  			},
   400  		})
   401  
   402  		if err != nil {
   403  			return err
   404  		}
   405  		if len(resp.NetworkAcls) > 0 {
   406  			return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet)
   407  		}
   408  		return nil
   409  	}
   410  }
   411  
   412  const testAccAWSNetworkAclIpv6Config = `
   413  resource "aws_vpc" "foo" {
   414  	cidr_block = "10.1.0.0/16"
   415  	tags {
   416  		Name = "TestAccAWSNetworkAcl_ipv6Rules"
   417  	}
   418  }
   419  resource "aws_subnet" "blob" {
   420  	cidr_block = "10.1.1.0/24"
   421  	vpc_id = "${aws_vpc.foo.id}"
   422  	map_public_ip_on_launch = true
   423  }
   424  resource "aws_network_acl" "foos" {
   425  	vpc_id = "${aws_vpc.foo.id}"
   426  	ingress = {
   427  		protocol = "tcp"
   428  		rule_no = 1
   429  		action = "allow"
   430  		ipv6_cidr_block =  "::/0"
   431  		from_port = 0
   432  		to_port = 22
   433  	}
   434  
   435  	subnet_ids = ["${aws_subnet.blob.id}"]
   436  }
   437  `
   438  
   439  const testAccAWSNetworkAclIngressConfig = `
   440  resource "aws_vpc" "foo" {
   441  	cidr_block = "10.1.0.0/16"
   442  	tags {
   443  		Name = "TestAccAWSNetworkAcl_OnlyIngressRules"
   444  	}
   445  }
   446  resource "aws_subnet" "blob" {
   447  	cidr_block = "10.1.1.0/24"
   448  	vpc_id = "${aws_vpc.foo.id}"
   449  	map_public_ip_on_launch = true
   450  }
   451  resource "aws_network_acl" "foos" {
   452  	vpc_id = "${aws_vpc.foo.id}"
   453  	ingress = {
   454  		protocol = "tcp"
   455  		rule_no = 1
   456  		action = "deny"
   457  		cidr_block =  "10.2.0.0/18"
   458  		from_port = 0
   459  		to_port = 22
   460  	}
   461  	ingress = {
   462  		protocol = "tcp"
   463  		rule_no = 2
   464  		action = "deny"
   465  		cidr_block =  "10.2.0.0/18"
   466  		from_port = 443
   467  		to_port = 443
   468  	}
   469  
   470  	subnet_ids = ["${aws_subnet.blob.id}"]
   471  }
   472  `
   473  const testAccAWSNetworkAclIngressConfigChange = `
   474  resource "aws_vpc" "foo" {
   475  	cidr_block = "10.1.0.0/16"
   476  	tags {
   477  		Name = "TestAccAWSNetworkAcl_OnlyIngressRules"
   478  	}
   479  }
   480  resource "aws_subnet" "blob" {
   481  	cidr_block = "10.1.1.0/24"
   482  	vpc_id = "${aws_vpc.foo.id}"
   483  	map_public_ip_on_launch = true
   484  }
   485  resource "aws_network_acl" "foos" {
   486  	vpc_id = "${aws_vpc.foo.id}"
   487  	ingress = {
   488  		protocol = "tcp"
   489  		rule_no = 1
   490  		action = "deny"
   491  		cidr_block =  "10.2.0.0/18"
   492  		from_port = 0
   493  		to_port = 22
   494  	}
   495  	subnet_ids = ["${aws_subnet.blob.id}"]
   496  }
   497  `
   498  
   499  const testAccAWSNetworkAclEgressConfig = `
   500  resource "aws_vpc" "foo" {
   501  	cidr_block = "10.2.0.0/16"
   502  	tags {
   503  		Name = "TestAccAWSNetworkAcl_OnlyEgressRules"
   504  	}
   505  }
   506  resource "aws_subnet" "blob" {
   507  	cidr_block = "10.2.0.0/24"
   508  	vpc_id = "${aws_vpc.foo.id}"
   509  	map_public_ip_on_launch = true
   510  }
   511  resource "aws_network_acl" "bond" {
   512  	vpc_id = "${aws_vpc.foo.id}"
   513  	egress = {
   514  		protocol = "tcp"
   515  		rule_no = 2
   516  		action = "allow"
   517  		cidr_block =  "10.2.0.0/18"
   518  		from_port = 443
   519  		to_port = 443
   520  	}
   521  
   522  	egress = {
   523  		protocol = "-1"
   524  		rule_no = 4
   525  		action = "allow"
   526  		cidr_block = "0.0.0.0/0"
   527  		from_port = 0
   528  		to_port = 0
   529  	}
   530  
   531  	egress = {
   532  		protocol = "tcp"
   533  		rule_no = 1
   534  		action = "allow"
   535  		cidr_block =  "10.2.0.0/18"
   536  		from_port = 80
   537  		to_port = 80
   538  	}
   539  
   540  	egress = {
   541  		protocol = "tcp"
   542  		rule_no = 3
   543  		action = "allow"
   544  		cidr_block =  "10.2.0.0/18"
   545  		from_port = 22
   546  		to_port = 22
   547  	}
   548  
   549  	tags {
   550  		foo = "bar"
   551  	}
   552  }
   553  `
   554  
   555  const testAccAWSNetworkAclEgressNIngressConfig = `
   556  resource "aws_vpc" "foo" {
   557  	cidr_block = "10.3.0.0/16"
   558  	tags {
   559  		Name = "TestAccAWSNetworkAcl_EgressAndIngressRules"
   560  	}
   561  }
   562  resource "aws_subnet" "blob" {
   563  	cidr_block = "10.3.0.0/24"
   564  	vpc_id = "${aws_vpc.foo.id}"
   565  	map_public_ip_on_launch = true
   566  }
   567  resource "aws_network_acl" "bar" {
   568  	vpc_id = "${aws_vpc.foo.id}"
   569  	egress = {
   570  		protocol = "tcp"
   571  		rule_no = 2
   572  		action = "allow"
   573  		cidr_block =  "10.3.0.0/18"
   574  		from_port = 443
   575  		to_port = 443
   576  	}
   577  
   578  	ingress = {
   579  		protocol = "tcp"
   580  		rule_no = 1
   581  		action = "allow"
   582  		cidr_block =  "10.3.0.0/18"
   583  		from_port = 80
   584  		to_port = 80
   585  	}
   586  }
   587  `
   588  const testAccAWSNetworkAclSubnetConfig = `
   589  resource "aws_vpc" "foo" {
   590  	cidr_block = "10.1.0.0/16"
   591  	tags {
   592  		Name = "TestAccAWSNetworkAcl_SubnetChange"
   593  	}
   594  }
   595  resource "aws_subnet" "old" {
   596  	cidr_block = "10.1.111.0/24"
   597  	vpc_id = "${aws_vpc.foo.id}"
   598  	map_public_ip_on_launch = true
   599  }
   600  resource "aws_subnet" "new" {
   601  	cidr_block = "10.1.1.0/24"
   602  	vpc_id = "${aws_vpc.foo.id}"
   603  	map_public_ip_on_launch = true
   604  }
   605  resource "aws_network_acl" "roll" {
   606  	vpc_id = "${aws_vpc.foo.id}"
   607  	subnet_ids = ["${aws_subnet.new.id}"]
   608  }
   609  resource "aws_network_acl" "bar" {
   610  	vpc_id = "${aws_vpc.foo.id}"
   611  	subnet_ids = ["${aws_subnet.old.id}"]
   612  }
   613  `
   614  
   615  const testAccAWSNetworkAclSubnetConfigChange = `
   616  resource "aws_vpc" "foo" {
   617  	cidr_block = "10.1.0.0/16"
   618  	tags {
   619  		Name = "TestAccAWSNetworkAcl_SubnetChange"
   620  	}
   621  }
   622  resource "aws_subnet" "old" {
   623  	cidr_block = "10.1.111.0/24"
   624  	vpc_id = "${aws_vpc.foo.id}"
   625  	map_public_ip_on_launch = true
   626  }
   627  resource "aws_subnet" "new" {
   628  	cidr_block = "10.1.1.0/24"
   629  	vpc_id = "${aws_vpc.foo.id}"
   630  	map_public_ip_on_launch = true
   631  }
   632  resource "aws_network_acl" "bar" {
   633  	vpc_id = "${aws_vpc.foo.id}"
   634  	subnet_ids = ["${aws_subnet.new.id}"]
   635  }
   636  `
   637  
   638  const testAccAWSNetworkAclSubnet_SubnetIds = `
   639  resource "aws_vpc" "foo" {
   640  	cidr_block = "10.1.0.0/16"
   641  	tags {
   642  		Name = "TestAccAWSNetworkAcl_Subnets"
   643  	}
   644  }
   645  resource "aws_subnet" "one" {
   646  	cidr_block = "10.1.111.0/24"
   647  	vpc_id = "${aws_vpc.foo.id}"
   648  	tags {
   649  		Name = "acl-subnets-test"
   650  	}
   651  }
   652  resource "aws_subnet" "two" {
   653  	cidr_block = "10.1.1.0/24"
   654  	vpc_id = "${aws_vpc.foo.id}"
   655  	tags {
   656  		Name = "acl-subnets-test"
   657  	}
   658  }
   659  resource "aws_network_acl" "bar" {
   660  	vpc_id = "${aws_vpc.foo.id}"
   661  	subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"]
   662  	tags {
   663  		Name = "acl-subnets-test"
   664  	}
   665  }
   666  `
   667  
   668  const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = `
   669  resource "aws_vpc" "foo" {
   670  	cidr_block = "10.1.0.0/16"
   671  	tags {
   672  		Name = "TestAccAWSNetworkAcl_Subnets"
   673  	}
   674  }
   675  resource "aws_subnet" "one" {
   676  	cidr_block = "10.1.111.0/24"
   677  	vpc_id = "${aws_vpc.foo.id}"
   678  	tags {
   679  		Name = "acl-subnets-test"
   680  	}
   681  }
   682  resource "aws_subnet" "two" {
   683  	cidr_block = "10.1.1.0/24"
   684  	vpc_id = "${aws_vpc.foo.id}"
   685  	tags {
   686  		Name = "acl-subnets-test"
   687  	}
   688  }
   689  
   690  resource "aws_subnet" "three" {
   691  	cidr_block = "10.1.222.0/24"
   692  	vpc_id = "${aws_vpc.foo.id}"
   693  	tags {
   694  		Name = "acl-subnets-test"
   695  	}
   696  }
   697  resource "aws_subnet" "four" {
   698  	cidr_block = "10.1.4.0/24"
   699  	vpc_id = "${aws_vpc.foo.id}"
   700  	tags {
   701  		Name = "acl-subnets-test"
   702  	}
   703  }
   704  resource "aws_network_acl" "bar" {
   705  	vpc_id = "${aws_vpc.foo.id}"
   706  	subnet_ids = [
   707  		"${aws_subnet.one.id}",
   708  		"${aws_subnet.three.id}",
   709  		"${aws_subnet.four.id}",
   710  	]
   711  	tags {
   712  		Name = "acl-subnets-test"
   713  	}
   714  }
   715  `
   716  
   717  const testAccAWSNetworkAclEsp = `
   718  resource "aws_vpc" "testespvpc" {
   719    cidr_block = "10.1.0.0/16"
   720  }
   721  
   722  resource "aws_network_acl" "testesp" {
   723    vpc_id = "${aws_vpc.testespvpc.id}"
   724  
   725    egress {
   726      protocol   = "esp"
   727      rule_no    = 5
   728      action     = "allow"
   729      cidr_block = "10.3.0.0/18"
   730      from_port  = 0
   731      to_port    = 0
   732    }
   733  
   734    tags {
   735      Name = "test_esp"
   736    }
   737  }
   738  `