github.com/peterbale/terraform@v0.9.0-beta2.0.20170315142748-5723acd55547/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "regexp" 7 "strings" 8 "testing" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/ec2" 13 "github.com/hashicorp/terraform/helper/acctest" 14 "github.com/hashicorp/terraform/helper/resource" 15 "github.com/hashicorp/terraform/helper/schema" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestProtocolStateFunc(t *testing.T) { 20 cases := []struct { 21 input interface{} 22 expected string 23 }{ 24 { 25 input: "tcp", 26 expected: "tcp", 27 }, 28 { 29 input: 6, 30 expected: "", 31 }, 32 { 33 input: "17", 34 expected: "udp", 35 }, 36 { 37 input: "all", 38 expected: "-1", 39 }, 40 { 41 input: "-1", 42 expected: "-1", 43 }, 44 { 45 input: -1, 46 expected: "", 47 }, 48 { 49 input: "1", 50 expected: "icmp", 51 }, 52 { 53 input: "icmp", 54 expected: "icmp", 55 }, 56 { 57 input: 1, 58 expected: "", 59 }, 60 } 61 for _, c := range cases { 62 result := protocolStateFunc(c.input) 63 if result != c.expected { 64 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 65 } 66 } 67 } 68 69 func TestProtocolForValue(t *testing.T) { 70 cases := []struct { 71 input string 72 expected string 73 }{ 74 { 75 input: "tcp", 76 expected: "tcp", 77 }, 78 { 79 input: "6", 80 expected: "tcp", 81 }, 82 { 83 input: "udp", 84 expected: "udp", 85 }, 86 { 87 input: "17", 88 expected: "udp", 89 }, 90 { 91 input: "all", 92 expected: "-1", 93 }, 94 { 95 input: "-1", 96 expected: "-1", 97 }, 98 { 99 input: "tCp", 100 expected: "tcp", 101 }, 102 { 103 input: "6", 104 expected: "tcp", 105 }, 106 { 107 input: "UDp", 108 expected: "udp", 109 }, 110 { 111 input: "17", 112 expected: "udp", 113 }, 114 { 115 input: "ALL", 116 expected: "-1", 117 }, 118 { 119 input: "icMp", 120 expected: "icmp", 121 }, 122 { 123 input: "1", 124 expected: "icmp", 125 }, 126 } 127 128 for _, c := range cases { 129 result := protocolForValue(c.input) 130 if result != c.expected { 131 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 132 } 133 } 134 } 135 136 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 137 raw := []*ec2.IpPermission{ 138 { 139 IpProtocol: aws.String("tcp"), 140 FromPort: aws.Int64(int64(1)), 141 ToPort: aws.Int64(int64(-1)), 142 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("0.0.0.0/0")}}, 143 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 144 { 145 GroupId: aws.String("sg-11111"), 146 }, 147 }, 148 }, 149 { 150 IpProtocol: aws.String("tcp"), 151 FromPort: aws.Int64(int64(80)), 152 ToPort: aws.Int64(int64(80)), 153 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 154 // VPC 155 { 156 GroupId: aws.String("sg-22222"), 157 }, 158 }, 159 }, 160 { 161 IpProtocol: aws.String("tcp"), 162 FromPort: aws.Int64(int64(443)), 163 ToPort: aws.Int64(int64(443)), 164 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 165 // Classic 166 { 167 UserId: aws.String("12345"), 168 GroupId: aws.String("sg-33333"), 169 GroupName: aws.String("ec2_classic"), 170 }, 171 { 172 UserId: aws.String("amazon-elb"), 173 GroupId: aws.String("sg-d2c979d3"), 174 GroupName: aws.String("amazon-elb-sg"), 175 }, 176 }, 177 }, 178 { 179 IpProtocol: aws.String("-1"), 180 FromPort: aws.Int64(int64(0)), 181 ToPort: aws.Int64(int64(0)), 182 PrefixListIds: []*ec2.PrefixListId{{PrefixListId: aws.String("pl-12345678")}}, 183 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 184 // VPC 185 { 186 GroupId: aws.String("sg-22222"), 187 }, 188 }, 189 }, 190 } 191 192 local := []map[string]interface{}{ 193 { 194 "protocol": "tcp", 195 "from_port": int64(1), 196 "to_port": int64(-1), 197 "cidr_blocks": []string{"0.0.0.0/0"}, 198 "self": true, 199 }, 200 { 201 "protocol": "tcp", 202 "from_port": int64(80), 203 "to_port": int64(80), 204 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 205 "sg-22222", 206 }), 207 }, 208 { 209 "protocol": "tcp", 210 "from_port": int64(443), 211 "to_port": int64(443), 212 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 213 "ec2_classic", 214 "amazon-elb/amazon-elb-sg", 215 }), 216 }, 217 { 218 "protocol": "-1", 219 "from_port": int64(0), 220 "to_port": int64(0), 221 "prefix_list_ids": []string{"pl-12345678"}, 222 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 223 "sg-22222", 224 }), 225 }, 226 } 227 228 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 229 for _, i := range out { 230 // loop and match rules, because the ordering is not guarneteed 231 for _, l := range local { 232 if i["from_port"] == l["from_port"] { 233 234 if i["to_port"] != l["to_port"] { 235 t.Fatalf("to_port does not match") 236 } 237 238 if _, ok := i["cidr_blocks"]; ok { 239 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 240 t.Fatalf("error matching cidr_blocks") 241 } 242 } 243 244 if _, ok := i["security_groups"]; ok { 245 outSet := i["security_groups"].(*schema.Set) 246 localSet := l["security_groups"].(*schema.Set) 247 248 if !outSet.Equal(localSet) { 249 t.Fatalf("Security Group sets are not equal") 250 } 251 } 252 } 253 } 254 } 255 } 256 257 func TestAccAWSSecurityGroup_basic(t *testing.T) { 258 var group ec2.SecurityGroup 259 260 resource.Test(t, resource.TestCase{ 261 PreCheck: func() { testAccPreCheck(t) }, 262 IDRefreshName: "aws_security_group.web", 263 Providers: testAccProviders, 264 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 265 Steps: []resource.TestStep{ 266 { 267 Config: testAccAWSSecurityGroupConfig, 268 Check: resource.ComposeTestCheckFunc( 269 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 270 testAccCheckAWSSecurityGroupAttributes(&group), 271 resource.TestCheckResourceAttr( 272 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 273 resource.TestCheckResourceAttr( 274 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 275 resource.TestCheckResourceAttr( 276 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 277 resource.TestCheckResourceAttr( 278 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 279 resource.TestCheckResourceAttr( 280 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 281 resource.TestCheckResourceAttr( 282 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 283 resource.TestCheckResourceAttr( 284 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_ipv6(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 resource.Test(t, resource.TestCase{ 295 PreCheck: func() { testAccPreCheck(t) }, 296 IDRefreshName: "aws_security_group.web", 297 Providers: testAccProviders, 298 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 299 Steps: []resource.TestStep{ 300 { 301 Config: testAccAWSSecurityGroupConfigIpv6, 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 304 resource.TestCheckResourceAttr( 305 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 306 resource.TestCheckResourceAttr( 307 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 308 resource.TestCheckResourceAttr( 309 "aws_security_group.web", "ingress.2293451516.protocol", "tcp"), 310 resource.TestCheckResourceAttr( 311 "aws_security_group.web", "ingress.2293451516.from_port", "80"), 312 resource.TestCheckResourceAttr( 313 "aws_security_group.web", "ingress.2293451516.to_port", "8000"), 314 resource.TestCheckResourceAttr( 315 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.#", "1"), 316 resource.TestCheckResourceAttr( 317 "aws_security_group.web", "ingress.2293451516.ipv6_cidr_blocks.0", "::/0"), 318 ), 319 }, 320 }, 321 }) 322 } 323 324 func TestAccAWSSecurityGroup_tagsCreatedFirst(t *testing.T) { 325 var group ec2.SecurityGroup 326 327 resource.Test(t, resource.TestCase{ 328 PreCheck: func() { testAccPreCheck(t) }, 329 Providers: testAccProviders, 330 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 331 Steps: []resource.TestStep{ 332 { 333 Config: testAccAWSSecurityGroupConfigForTagsOrdering, 334 ExpectError: regexp.MustCompile("InvalidParameterValue"), 335 Check: resource.ComposeTestCheckFunc( 336 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 337 testAccCheckTags(&group.Tags, "Name", "tf-acc-test"), 338 ), 339 }, 340 }, 341 }) 342 } 343 344 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 345 var group ec2.SecurityGroup 346 347 resource.Test(t, resource.TestCase{ 348 PreCheck: func() { testAccPreCheck(t) }, 349 IDRefreshName: "aws_security_group.baz", 350 IDRefreshIgnore: []string{"name_prefix"}, 351 Providers: testAccProviders, 352 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 353 Steps: []resource.TestStep{ 354 { 355 Config: testAccAWSSecurityGroupPrefixNameConfig, 356 Check: resource.ComposeTestCheckFunc( 357 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 358 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 359 "aws_security_group.baz", "baz-"), 360 ), 361 }, 362 }, 363 }) 364 } 365 366 func TestAccAWSSecurityGroup_self(t *testing.T) { 367 var group ec2.SecurityGroup 368 369 checkSelf := func(s *terraform.State) (err error) { 370 defer func() { 371 if e := recover(); e != nil { 372 err = fmt.Errorf("bad: %#v", group) 373 } 374 }() 375 376 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 377 return fmt.Errorf("bad: %#v", group) 378 } 379 380 return nil 381 } 382 383 resource.Test(t, resource.TestCase{ 384 PreCheck: func() { testAccPreCheck(t) }, 385 IDRefreshName: "aws_security_group.web", 386 Providers: testAccProviders, 387 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 388 Steps: []resource.TestStep{ 389 { 390 Config: testAccAWSSecurityGroupConfigSelf, 391 Check: resource.ComposeTestCheckFunc( 392 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 393 resource.TestCheckResourceAttr( 394 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 395 resource.TestCheckResourceAttr( 396 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 397 resource.TestCheckResourceAttr( 398 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 399 resource.TestCheckResourceAttr( 400 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 401 resource.TestCheckResourceAttr( 402 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 403 resource.TestCheckResourceAttr( 404 "aws_security_group.web", "ingress.3971148406.self", "true"), 405 checkSelf, 406 ), 407 }, 408 }, 409 }) 410 } 411 412 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 413 var group ec2.SecurityGroup 414 415 testCheck := func(*terraform.State) error { 416 if *group.VpcId == "" { 417 return fmt.Errorf("should have vpc ID") 418 } 419 420 return nil 421 } 422 423 resource.Test(t, resource.TestCase{ 424 PreCheck: func() { testAccPreCheck(t) }, 425 IDRefreshName: "aws_security_group.web", 426 Providers: testAccProviders, 427 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 428 Steps: []resource.TestStep{ 429 { 430 Config: testAccAWSSecurityGroupConfigVpc, 431 Check: resource.ComposeTestCheckFunc( 432 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 433 testAccCheckAWSSecurityGroupAttributes(&group), 434 resource.TestCheckResourceAttr( 435 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 436 resource.TestCheckResourceAttr( 437 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 438 resource.TestCheckResourceAttr( 439 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 440 resource.TestCheckResourceAttr( 441 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 442 resource.TestCheckResourceAttr( 443 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 444 resource.TestCheckResourceAttr( 445 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 446 resource.TestCheckResourceAttr( 447 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 448 resource.TestCheckResourceAttr( 449 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 450 resource.TestCheckResourceAttr( 451 "aws_security_group.web", "egress.3629188364.from_port", "80"), 452 resource.TestCheckResourceAttr( 453 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 454 resource.TestCheckResourceAttr( 455 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 456 resource.TestCheckResourceAttr( 457 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 458 testCheck, 459 ), 460 }, 461 }, 462 }) 463 } 464 465 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 466 var group ec2.SecurityGroup 467 468 testCheck := func(*terraform.State) error { 469 if *group.VpcId == "" { 470 return fmt.Errorf("should have vpc ID") 471 } 472 473 return nil 474 } 475 476 resource.Test(t, resource.TestCase{ 477 PreCheck: func() { testAccPreCheck(t) }, 478 IDRefreshName: "aws_security_group.web", 479 Providers: testAccProviders, 480 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 481 Steps: []resource.TestStep{ 482 { 483 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 484 Check: resource.ComposeTestCheckFunc( 485 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 486 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 487 resource.TestCheckResourceAttr( 488 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 489 resource.TestCheckResourceAttr( 490 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 491 resource.TestCheckResourceAttr( 492 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 493 resource.TestCheckResourceAttr( 494 "aws_security_group.web", "ingress.956249133.from_port", "0"), 495 resource.TestCheckResourceAttr( 496 "aws_security_group.web", "ingress.956249133.to_port", "0"), 497 resource.TestCheckResourceAttr( 498 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 499 resource.TestCheckResourceAttr( 500 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 501 testCheck, 502 ), 503 }, 504 }, 505 }) 506 } 507 func TestAccAWSSecurityGroup_vpcProtoNumIngress(t *testing.T) { 508 var group ec2.SecurityGroup 509 510 testCheck := func(*terraform.State) error { 511 if *group.VpcId == "" { 512 return fmt.Errorf("should have vpc ID") 513 } 514 515 return nil 516 } 517 518 resource.Test(t, resource.TestCase{ 519 PreCheck: func() { testAccPreCheck(t) }, 520 IDRefreshName: "aws_security_group.web", 521 Providers: testAccProviders, 522 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 523 Steps: []resource.TestStep{ 524 { 525 Config: testAccAWSSecurityGroupConfigVpcProtoNumIngress, 526 Check: resource.ComposeTestCheckFunc( 527 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 528 resource.TestCheckResourceAttr( 529 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 530 resource.TestCheckResourceAttr( 531 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 532 resource.TestCheckResourceAttr( 533 "aws_security_group.web", "ingress.2449525218.protocol", "50"), 534 resource.TestCheckResourceAttr( 535 "aws_security_group.web", "ingress.2449525218.from_port", "0"), 536 resource.TestCheckResourceAttr( 537 "aws_security_group.web", "ingress.2449525218.to_port", "0"), 538 resource.TestCheckResourceAttr( 539 "aws_security_group.web", "ingress.2449525218.cidr_blocks.#", "1"), 540 resource.TestCheckResourceAttr( 541 "aws_security_group.web", "ingress.2449525218.cidr_blocks.0", "10.0.0.0/8"), 542 testCheck, 543 ), 544 }, 545 }, 546 }) 547 } 548 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 549 var group ec2.SecurityGroup 550 551 resource.Test(t, resource.TestCase{ 552 PreCheck: func() { testAccPreCheck(t) }, 553 IDRefreshName: "aws_security_group.web", 554 Providers: testAccProviders, 555 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 556 Steps: []resource.TestStep{ 557 { 558 Config: testAccAWSSecurityGroupConfigMultiIngress, 559 Check: resource.ComposeTestCheckFunc( 560 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 561 ), 562 }, 563 }, 564 }) 565 } 566 567 func TestAccAWSSecurityGroup_Change(t *testing.T) { 568 var group ec2.SecurityGroup 569 570 resource.Test(t, resource.TestCase{ 571 PreCheck: func() { testAccPreCheck(t) }, 572 IDRefreshName: "aws_security_group.web", 573 Providers: testAccProviders, 574 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 575 Steps: []resource.TestStep{ 576 { 577 Config: testAccAWSSecurityGroupConfig, 578 Check: resource.ComposeTestCheckFunc( 579 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 580 ), 581 }, 582 { 583 Config: testAccAWSSecurityGroupConfigChange, 584 Check: resource.ComposeTestCheckFunc( 585 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 586 testAccCheckAWSSecurityGroupAttributesChanged(&group), 587 ), 588 }, 589 }, 590 }) 591 } 592 593 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 594 var group ec2.SecurityGroup 595 596 resource.Test(t, resource.TestCase{ 597 PreCheck: func() { testAccPreCheck(t) }, 598 IDRefreshName: "aws_security_group.web", 599 Providers: testAccProviders, 600 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 601 Steps: []resource.TestStep{ 602 { 603 Config: testAccAWSSecurityGroupConfig_generatedName, 604 Check: resource.ComposeTestCheckFunc( 605 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 606 resource.TestCheckResourceAttr( 607 "aws_security_group.web", "description", "Managed by Terraform"), 608 func(s *terraform.State) error { 609 if group.GroupName == nil { 610 return fmt.Errorf("bad: No SG name") 611 } 612 if !strings.HasPrefix(*group.GroupName, "terraform-") { 613 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 614 } 615 return nil 616 }, 617 ), 618 }, 619 }, 620 }) 621 } 622 623 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 624 625 // VPC 626 resource.Test(t, resource.TestCase{ 627 PreCheck: func() { testAccPreCheck(t) }, 628 IDRefreshName: "aws_security_group.worker", 629 Providers: testAccProviders, 630 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 631 Steps: []resource.TestStep{ 632 { 633 Config: testAccAWSSecurityGroupConfigDefaultEgress, 634 Check: resource.ComposeTestCheckFunc( 635 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 636 ), 637 }, 638 }, 639 }) 640 } 641 642 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 643 644 // Classic 645 var group ec2.SecurityGroup 646 resource.Test(t, resource.TestCase{ 647 PreCheck: func() { testAccPreCheck(t) }, 648 IDRefreshName: "aws_security_group.web", 649 Providers: testAccProviders, 650 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 651 Steps: []resource.TestStep{ 652 { 653 Config: testAccAWSSecurityGroupConfigClassic, 654 Check: resource.ComposeTestCheckFunc( 655 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 656 ), 657 }, 658 }, 659 }) 660 } 661 662 // Testing drift detection with groups containing the same port and types 663 func TestAccAWSSecurityGroup_drift(t *testing.T) { 664 var group ec2.SecurityGroup 665 resource.Test(t, resource.TestCase{ 666 PreCheck: func() { testAccPreCheck(t) }, 667 Providers: testAccProviders, 668 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 669 Steps: []resource.TestStep{ 670 { 671 Config: testAccAWSSecurityGroupConfig_drift(), 672 Check: resource.ComposeTestCheckFunc( 673 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 674 resource.TestCheckResourceAttr( 675 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 676 resource.TestCheckResourceAttr( 677 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 678 resource.TestCheckResourceAttr( 679 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 680 resource.TestCheckResourceAttr( 681 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 682 resource.TestCheckResourceAttr( 683 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 684 resource.TestCheckResourceAttr( 685 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 686 ), 687 }, 688 }, 689 }) 690 } 691 692 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 693 var group ec2.SecurityGroup 694 695 resource.Test(t, resource.TestCase{ 696 PreCheck: func() { testAccPreCheck(t) }, 697 Providers: testAccProviders, 698 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 699 Steps: []resource.TestStep{ 700 { 701 Config: testAccAWSSecurityGroupConfig_drift_complex(), 702 Check: resource.ComposeTestCheckFunc( 703 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 704 resource.TestCheckResourceAttr( 705 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 706 resource.TestCheckResourceAttr( 707 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 708 resource.TestCheckResourceAttr( 709 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 710 resource.TestCheckResourceAttr( 711 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 712 resource.TestCheckResourceAttr( 713 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 714 resource.TestCheckResourceAttr( 715 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 716 ), 717 }, 718 }, 719 }) 720 } 721 722 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 723 conn := testAccProvider.Meta().(*AWSClient).ec2conn 724 725 for _, rs := range s.RootModule().Resources { 726 if rs.Type != "aws_security_group" { 727 continue 728 } 729 730 // Retrieve our group 731 req := &ec2.DescribeSecurityGroupsInput{ 732 GroupIds: []*string{aws.String(rs.Primary.ID)}, 733 } 734 resp, err := conn.DescribeSecurityGroups(req) 735 if err == nil { 736 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 737 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 738 } 739 740 return nil 741 } 742 743 ec2err, ok := err.(awserr.Error) 744 if !ok { 745 return err 746 } 747 // Confirm error code is what we want 748 if ec2err.Code() != "InvalidGroup.NotFound" { 749 return err 750 } 751 } 752 753 return nil 754 } 755 756 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 757 resource, prefix string) resource.TestCheckFunc { 758 return func(s *terraform.State) error { 759 r, ok := s.RootModule().Resources[resource] 760 if !ok { 761 return fmt.Errorf("Resource not found") 762 } 763 name, ok := r.Primary.Attributes["name"] 764 if !ok { 765 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 766 } 767 if !strings.HasPrefix(name, prefix) { 768 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 769 } 770 return nil 771 } 772 } 773 774 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 775 return func(s *terraform.State) error { 776 rs, ok := s.RootModule().Resources[n] 777 if !ok { 778 return fmt.Errorf("Not found: %s", n) 779 } 780 781 if rs.Primary.ID == "" { 782 return fmt.Errorf("No Security Group is set") 783 } 784 785 conn := testAccProvider.Meta().(*AWSClient).ec2conn 786 req := &ec2.DescribeSecurityGroupsInput{ 787 GroupIds: []*string{aws.String(rs.Primary.ID)}, 788 } 789 resp, err := conn.DescribeSecurityGroups(req) 790 if err != nil { 791 return err 792 } 793 794 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 795 *group = *resp.SecurityGroups[0] 796 return nil 797 } 798 799 return fmt.Errorf("Security Group not found") 800 } 801 } 802 803 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 804 return func(s *terraform.State) error { 805 p := &ec2.IpPermission{ 806 FromPort: aws.Int64(80), 807 ToPort: aws.Int64(8000), 808 IpProtocol: aws.String("tcp"), 809 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 810 } 811 812 if *group.GroupName != "terraform_acceptance_test_example" { 813 return fmt.Errorf("Bad name: %s", *group.GroupName) 814 } 815 816 if *group.Description != "Used in the terraform acceptance tests" { 817 return fmt.Errorf("Bad description: %s", *group.Description) 818 } 819 820 if len(group.IpPermissions) == 0 { 821 return fmt.Errorf("No IPPerms") 822 } 823 824 // Compare our ingress 825 if !reflect.DeepEqual(group.IpPermissions[0], p) { 826 return fmt.Errorf( 827 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 828 group.IpPermissions[0], 829 p) 830 } 831 832 return nil 833 } 834 } 835 836 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 837 return func(s *terraform.State) error { 838 p := &ec2.IpPermission{ 839 IpProtocol: aws.String("-1"), 840 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 841 } 842 843 if *group.GroupName != "terraform_acceptance_test_example" { 844 return fmt.Errorf("Bad name: %s", *group.GroupName) 845 } 846 847 if *group.Description != "Used in the terraform acceptance tests" { 848 return fmt.Errorf("Bad description: %s", *group.Description) 849 } 850 851 if len(group.IpPermissions) == 0 { 852 return fmt.Errorf("No IPPerms") 853 } 854 855 // Compare our ingress 856 if !reflect.DeepEqual(group.IpPermissions[0], p) { 857 return fmt.Errorf( 858 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 859 group.IpPermissions[0], 860 p) 861 } 862 863 return nil 864 } 865 } 866 867 func TestAccAWSSecurityGroup_tags(t *testing.T) { 868 var group ec2.SecurityGroup 869 870 resource.Test(t, resource.TestCase{ 871 PreCheck: func() { testAccPreCheck(t) }, 872 Providers: testAccProviders, 873 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 874 Steps: []resource.TestStep{ 875 { 876 Config: testAccAWSSecurityGroupConfigTags, 877 Check: resource.ComposeTestCheckFunc( 878 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 879 testAccCheckTags(&group.Tags, "foo", "bar"), 880 ), 881 }, 882 883 { 884 Config: testAccAWSSecurityGroupConfigTagsUpdate, 885 Check: resource.ComposeTestCheckFunc( 886 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 887 testAccCheckTags(&group.Tags, "foo", ""), 888 testAccCheckTags(&group.Tags, "bar", "baz"), 889 testAccCheckTags(&group.Tags, "env", "Production"), 890 ), 891 }, 892 }, 893 }) 894 } 895 896 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 897 var group ec2.SecurityGroup 898 899 resource.Test(t, resource.TestCase{ 900 PreCheck: func() { testAccPreCheck(t) }, 901 Providers: testAccProviders, 902 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 903 Steps: []resource.TestStep{ 904 { 905 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 906 Check: resource.ComposeTestCheckFunc( 907 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 908 // testAccCheckAWSSecurityGroupAttributes(&group), 909 ), 910 }, 911 }, 912 }) 913 } 914 915 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 916 var group ec2.SecurityGroup 917 918 resource.Test(t, resource.TestCase{ 919 PreCheck: func() { testAccPreCheck(t) }, 920 Providers: testAccProviders, 921 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 922 Steps: []resource.TestStep{ 923 { 924 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 925 Check: resource.ComposeTestCheckFunc( 926 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 927 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 928 resource.TestCheckResourceAttr( 929 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 930 resource.TestCheckResourceAttr( 931 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 932 resource.TestCheckResourceAttr( 933 "aws_security_group.web", "ingress.#", "2"), 934 ), 935 }, 936 }, 937 }) 938 } 939 940 // This test requires an EC2 Classic region 941 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 942 var group ec2.SecurityGroup 943 944 resource.Test(t, resource.TestCase{ 945 PreCheck: func() { testAccPreCheck(t) }, 946 Providers: testAccProviders, 947 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 948 Steps: []resource.TestStep{ 949 { 950 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 951 Check: resource.ComposeTestCheckFunc( 952 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 953 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 954 resource.TestCheckResourceAttr( 955 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 956 resource.TestCheckResourceAttr( 957 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 958 resource.TestCheckResourceAttr( 959 "aws_security_group.web", "ingress.#", "2"), 960 ), 961 }, 962 }, 963 }) 964 } 965 966 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 967 var group ec2.SecurityGroup 968 969 resource.Test(t, resource.TestCase{ 970 PreCheck: func() { testAccPreCheck(t) }, 971 Providers: testAccProviders, 972 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 973 Steps: []resource.TestStep{ 974 { 975 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 976 Check: resource.ComposeTestCheckFunc( 977 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 978 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 979 resource.TestCheckResourceAttr( 980 "aws_security_group.egress", "egress.#", "1"), 981 ), 982 }, 983 }, 984 }) 985 } 986 987 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 988 return func(s *terraform.State) error { 989 if *group.GroupName != "terraform_acceptance_test_example" { 990 return fmt.Errorf("Bad name: %s", *group.GroupName) 991 } 992 993 if *group.Description != "Used in the terraform acceptance tests" { 994 return fmt.Errorf("Bad description: %s", *group.Description) 995 } 996 997 if len(group.IpPermissions) == 0 { 998 return fmt.Errorf("No IPPerms") 999 } 1000 1001 if len(group.IpPermissions) != 2 { 1002 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 1003 } 1004 1005 for _, p := range group.IpPermissions { 1006 if *p.FromPort == int64(22) { 1007 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 1008 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 1009 } 1010 continue 1011 } else if *p.FromPort == int64(80) { 1012 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 1013 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 1014 } 1015 continue 1016 } 1017 return fmt.Errorf("Found a rouge rule") 1018 } 1019 1020 return nil 1021 } 1022 } 1023 1024 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 1025 return func(s *terraform.State) error { 1026 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 1027 return fmt.Errorf("Bad name: %s", *group.GroupName) 1028 } 1029 if *group.Description != "Used in the terraform acceptance tests" { 1030 return fmt.Errorf("Bad description: %s", *group.Description) 1031 } 1032 if len(group.IpPermissionsEgress) == 0 { 1033 return fmt.Errorf("No egress IPPerms") 1034 } 1035 if len(group.IpPermissionsEgress) != 1 { 1036 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 1037 } 1038 1039 p := group.IpPermissionsEgress[0] 1040 1041 if len(p.PrefixListIds) != 1 { 1042 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 1043 } 1044 1045 return nil 1046 } 1047 } 1048 1049 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 1050 return func(s *terraform.State) error { 1051 p := []*ec2.IpPermission{ 1052 { 1053 FromPort: aws.Int64(80), 1054 ToPort: aws.Int64(9000), 1055 IpProtocol: aws.String("tcp"), 1056 IpRanges: []*ec2.IpRange{{CidrIp: aws.String("10.0.0.0/8")}}, 1057 }, 1058 { 1059 FromPort: aws.Int64(80), 1060 ToPort: aws.Int64(8000), 1061 IpProtocol: aws.String("tcp"), 1062 IpRanges: []*ec2.IpRange{ 1063 { 1064 CidrIp: aws.String("0.0.0.0/0"), 1065 }, 1066 { 1067 CidrIp: aws.String("10.0.0.0/8"), 1068 }, 1069 }, 1070 }, 1071 } 1072 1073 if *group.GroupName != "terraform_acceptance_test_example" { 1074 return fmt.Errorf("Bad name: %s", *group.GroupName) 1075 } 1076 1077 if *group.Description != "Used in the terraform acceptance tests" { 1078 return fmt.Errorf("Bad description: %s", *group.Description) 1079 } 1080 1081 // Compare our ingress 1082 if len(group.IpPermissions) != 2 { 1083 return fmt.Errorf( 1084 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1085 group.IpPermissions, 1086 p) 1087 } 1088 1089 if *group.IpPermissions[0].ToPort == 8000 { 1090 group.IpPermissions[1], group.IpPermissions[0] = 1091 group.IpPermissions[0], group.IpPermissions[1] 1092 } 1093 1094 if !reflect.DeepEqual(group.IpPermissions, p) { 1095 return fmt.Errorf( 1096 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1097 group.IpPermissions, 1098 p) 1099 } 1100 1101 return nil 1102 } 1103 } 1104 1105 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1106 return func(s *terraform.State) error { 1107 rs, ok := s.RootModule().Resources[n] 1108 if !ok { 1109 return fmt.Errorf("Not found: %s", n) 1110 } 1111 1112 if rs.Primary.ID == "" { 1113 return fmt.Errorf("No Security Group is set") 1114 } 1115 1116 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1117 req := &ec2.DescribeSecurityGroupsInput{ 1118 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1119 } 1120 resp, err := conn.DescribeSecurityGroups(req) 1121 if err != nil { 1122 return err 1123 } 1124 1125 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1126 group := *resp.SecurityGroups[0] 1127 1128 if len(group.IpPermissionsEgress) != 1 { 1129 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1130 } 1131 } 1132 1133 return nil 1134 } 1135 } 1136 1137 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1138 var group ec2.SecurityGroup 1139 1140 resource.Test(t, resource.TestCase{ 1141 PreCheck: func() { testAccPreCheck(t) }, 1142 Providers: testAccProviders, 1143 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1144 Steps: []resource.TestStep{ 1145 { 1146 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1147 Check: resource.ComposeTestCheckFunc( 1148 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1149 ), 1150 }, 1151 }, 1152 }) 1153 } 1154 1155 const testAccAWSSecurityGroupConfigForTagsOrdering = ` 1156 resource "aws_vpc" "foo" { 1157 cidr_block = "10.1.0.0/16" 1158 } 1159 1160 resource "aws_security_group" "web" { 1161 name = "terraform_acceptance_test_example" 1162 description = "Used in the terraform acceptance tests" 1163 vpc_id = "${aws_vpc.foo.id}" 1164 1165 ingress { 1166 protocol = "6" 1167 from_port = 80 1168 to_port = 80000 1169 cidr_blocks = ["10.0.0.0/8"] 1170 } 1171 1172 egress { 1173 protocol = "tcp" 1174 from_port = 80 1175 to_port = 8000 1176 cidr_blocks = ["10.0.0.0/8"] 1177 } 1178 1179 tags { 1180 Name = "tf-acc-test" 1181 } 1182 }` 1183 1184 const testAccAWSSecurityGroupConfigIpv6 = ` 1185 resource "aws_vpc" "foo" { 1186 cidr_block = "10.1.0.0/16" 1187 } 1188 1189 resource "aws_security_group" "web" { 1190 name = "terraform_acceptance_test_example" 1191 description = "Used in the terraform acceptance tests" 1192 vpc_id = "${aws_vpc.foo.id}" 1193 1194 ingress { 1195 protocol = "6" 1196 from_port = 80 1197 to_port = 8000 1198 ipv6_cidr_blocks = ["::/0"] 1199 } 1200 1201 egress { 1202 protocol = "tcp" 1203 from_port = 80 1204 to_port = 8000 1205 ipv6_cidr_blocks = ["::/0"] 1206 } 1207 1208 tags { 1209 Name = "tf-acc-test" 1210 } 1211 } 1212 ` 1213 1214 const testAccAWSSecurityGroupConfig = ` 1215 resource "aws_vpc" "foo" { 1216 cidr_block = "10.1.0.0/16" 1217 } 1218 1219 resource "aws_security_group" "web" { 1220 name = "terraform_acceptance_test_example" 1221 description = "Used in the terraform acceptance tests" 1222 vpc_id = "${aws_vpc.foo.id}" 1223 1224 ingress { 1225 protocol = "6" 1226 from_port = 80 1227 to_port = 8000 1228 cidr_blocks = ["10.0.0.0/8"] 1229 } 1230 1231 egress { 1232 protocol = "tcp" 1233 from_port = 80 1234 to_port = 8000 1235 cidr_blocks = ["10.0.0.0/8"] 1236 } 1237 1238 tags { 1239 Name = "tf-acc-test" 1240 } 1241 } 1242 ` 1243 1244 const testAccAWSSecurityGroupConfigChange = ` 1245 resource "aws_vpc" "foo" { 1246 cidr_block = "10.1.0.0/16" 1247 } 1248 1249 resource "aws_security_group" "web" { 1250 name = "terraform_acceptance_test_example" 1251 description = "Used in the terraform acceptance tests" 1252 vpc_id = "${aws_vpc.foo.id}" 1253 1254 ingress { 1255 protocol = "tcp" 1256 from_port = 80 1257 to_port = 9000 1258 cidr_blocks = ["10.0.0.0/8"] 1259 } 1260 1261 ingress { 1262 protocol = "tcp" 1263 from_port = 80 1264 to_port = 8000 1265 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1266 } 1267 1268 egress { 1269 protocol = "tcp" 1270 from_port = 80 1271 to_port = 8000 1272 cidr_blocks = ["10.0.0.0/8"] 1273 } 1274 } 1275 ` 1276 1277 const testAccAWSSecurityGroupConfigSelf = ` 1278 resource "aws_vpc" "foo" { 1279 cidr_block = "10.1.0.0/16" 1280 } 1281 1282 resource "aws_security_group" "web" { 1283 name = "terraform_acceptance_test_example" 1284 description = "Used in the terraform acceptance tests" 1285 vpc_id = "${aws_vpc.foo.id}" 1286 1287 ingress { 1288 protocol = "tcp" 1289 from_port = 80 1290 to_port = 8000 1291 self = true 1292 } 1293 1294 egress { 1295 protocol = "tcp" 1296 from_port = 80 1297 to_port = 8000 1298 cidr_blocks = ["10.0.0.0/8"] 1299 } 1300 } 1301 ` 1302 1303 const testAccAWSSecurityGroupConfigVpc = ` 1304 resource "aws_vpc" "foo" { 1305 cidr_block = "10.1.0.0/16" 1306 } 1307 1308 resource "aws_security_group" "web" { 1309 name = "terraform_acceptance_test_example" 1310 description = "Used in the terraform acceptance tests" 1311 vpc_id = "${aws_vpc.foo.id}" 1312 1313 ingress { 1314 protocol = "tcp" 1315 from_port = 80 1316 to_port = 8000 1317 cidr_blocks = ["10.0.0.0/8"] 1318 } 1319 1320 egress { 1321 protocol = "tcp" 1322 from_port = 80 1323 to_port = 8000 1324 cidr_blocks = ["10.0.0.0/8"] 1325 } 1326 } 1327 ` 1328 1329 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1330 resource "aws_vpc" "foo" { 1331 cidr_block = "10.1.0.0/16" 1332 } 1333 1334 resource "aws_security_group" "web" { 1335 name = "terraform_acceptance_test_example" 1336 description = "Used in the terraform acceptance tests" 1337 vpc_id = "${aws_vpc.foo.id}" 1338 1339 ingress { 1340 protocol = "-1" 1341 from_port = 0 1342 to_port = 0 1343 cidr_blocks = ["10.0.0.0/8"] 1344 } 1345 } 1346 ` 1347 1348 const testAccAWSSecurityGroupConfigVpcProtoNumIngress = ` 1349 resource "aws_vpc" "foo" { 1350 cidr_block = "10.1.0.0/16" 1351 } 1352 1353 resource "aws_security_group" "web" { 1354 name = "terraform_acceptance_test_example" 1355 description = "Used in the terraform acceptance tests" 1356 vpc_id = "${aws_vpc.foo.id}" 1357 1358 ingress { 1359 protocol = "50" 1360 from_port = 0 1361 to_port = 0 1362 cidr_blocks = ["10.0.0.0/8"] 1363 } 1364 } 1365 ` 1366 1367 const testAccAWSSecurityGroupConfigMultiIngress = ` 1368 resource "aws_vpc" "foo" { 1369 cidr_block = "10.1.0.0/16" 1370 } 1371 1372 resource "aws_security_group" "worker" { 1373 name = "terraform_acceptance_test_example_1" 1374 description = "Used in the terraform acceptance tests" 1375 vpc_id = "${aws_vpc.foo.id}" 1376 1377 ingress { 1378 protocol = "tcp" 1379 from_port = 80 1380 to_port = 8000 1381 cidr_blocks = ["10.0.0.0/8"] 1382 } 1383 1384 egress { 1385 protocol = "tcp" 1386 from_port = 80 1387 to_port = 8000 1388 cidr_blocks = ["10.0.0.0/8"] 1389 } 1390 } 1391 1392 resource "aws_security_group" "web" { 1393 name = "terraform_acceptance_test_example_2" 1394 description = "Used in the terraform acceptance tests" 1395 vpc_id = "${aws_vpc.foo.id}" 1396 1397 ingress { 1398 protocol = "tcp" 1399 from_port = 22 1400 to_port = 22 1401 cidr_blocks = ["10.0.0.0/8"] 1402 } 1403 1404 ingress { 1405 protocol = "tcp" 1406 from_port = 800 1407 to_port = 800 1408 cidr_blocks = ["10.0.0.0/8"] 1409 } 1410 1411 ingress { 1412 protocol = "tcp" 1413 from_port = 80 1414 to_port = 8000 1415 security_groups = ["${aws_security_group.worker.id}"] 1416 } 1417 1418 egress { 1419 protocol = "tcp" 1420 from_port = 80 1421 to_port = 8000 1422 cidr_blocks = ["10.0.0.0/8"] 1423 } 1424 } 1425 ` 1426 1427 const testAccAWSSecurityGroupConfigTags = ` 1428 resource "aws_vpc" "foo" { 1429 cidr_block = "10.1.0.0/16" 1430 } 1431 1432 resource "aws_security_group" "foo" { 1433 name = "terraform_acceptance_test_example" 1434 description = "Used in the terraform acceptance tests" 1435 vpc_id = "${aws_vpc.foo.id}" 1436 1437 ingress { 1438 protocol = "tcp" 1439 from_port = 80 1440 to_port = 8000 1441 cidr_blocks = ["10.0.0.0/8"] 1442 } 1443 1444 egress { 1445 protocol = "tcp" 1446 from_port = 80 1447 to_port = 8000 1448 cidr_blocks = ["10.0.0.0/8"] 1449 } 1450 1451 tags { 1452 foo = "bar" 1453 } 1454 } 1455 ` 1456 1457 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1458 resource "aws_vpc" "foo" { 1459 cidr_block = "10.1.0.0/16" 1460 } 1461 1462 resource "aws_security_group" "foo" { 1463 name = "terraform_acceptance_test_example" 1464 description = "Used in the terraform acceptance tests" 1465 vpc_id = "${aws_vpc.foo.id}" 1466 1467 ingress { 1468 protocol = "tcp" 1469 from_port = 80 1470 to_port = 8000 1471 cidr_blocks = ["10.0.0.0/8"] 1472 } 1473 1474 egress { 1475 protocol = "tcp" 1476 from_port = 80 1477 to_port = 8000 1478 cidr_blocks = ["10.0.0.0/8"] 1479 } 1480 1481 tags { 1482 bar = "baz" 1483 env = "Production" 1484 } 1485 } 1486 ` 1487 1488 const testAccAWSSecurityGroupConfig_generatedName = ` 1489 resource "aws_vpc" "foo" { 1490 cidr_block = "10.1.0.0/16" 1491 } 1492 1493 resource "aws_security_group" "web" { 1494 vpc_id = "${aws_vpc.foo.id}" 1495 1496 ingress { 1497 protocol = "tcp" 1498 from_port = 80 1499 to_port = 8000 1500 cidr_blocks = ["10.0.0.0/8"] 1501 } 1502 1503 egress { 1504 protocol = "tcp" 1505 from_port = 80 1506 to_port = 8000 1507 cidr_blocks = ["10.0.0.0/8"] 1508 } 1509 1510 tags { 1511 Name = "tf-acc-test" 1512 } 1513 } 1514 ` 1515 1516 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1517 resource "aws_vpc" "tf_sg_egress_test" { 1518 cidr_block = "10.0.0.0/16" 1519 tags { 1520 Name = "tf_sg_egress_test" 1521 } 1522 } 1523 1524 resource "aws_security_group" "worker" { 1525 name = "terraform_acceptance_test_example_1" 1526 description = "Used in the terraform acceptance tests" 1527 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1528 1529 egress { 1530 protocol = "tcp" 1531 from_port = 80 1532 to_port = 8000 1533 cidr_blocks = ["10.0.0.0/8"] 1534 } 1535 } 1536 ` 1537 1538 const testAccAWSSecurityGroupConfigClassic = ` 1539 provider "aws" { 1540 region = "us-east-1" 1541 } 1542 1543 resource "aws_security_group" "web" { 1544 name = "terraform_acceptance_test_example_1" 1545 description = "Used in the terraform acceptance tests" 1546 } 1547 ` 1548 1549 const testAccAWSSecurityGroupPrefixNameConfig = ` 1550 provider "aws" { 1551 region = "us-east-1" 1552 } 1553 1554 resource "aws_security_group" "baz" { 1555 name_prefix = "baz-" 1556 description = "Used in the terraform acceptance tests" 1557 } 1558 ` 1559 1560 func testAccAWSSecurityGroupConfig_drift() string { 1561 return fmt.Sprintf(` 1562 resource "aws_security_group" "web" { 1563 name = "tf_acc_%d" 1564 description = "Used in the terraform acceptance tests" 1565 1566 ingress { 1567 protocol = "tcp" 1568 from_port = 80 1569 to_port = 8000 1570 cidr_blocks = ["10.0.0.0/8"] 1571 } 1572 1573 ingress { 1574 protocol = "tcp" 1575 from_port = 80 1576 to_port = 8000 1577 cidr_blocks = ["206.0.0.0/8"] 1578 } 1579 1580 tags { 1581 Name = "tf-acc-test" 1582 } 1583 } 1584 `, acctest.RandInt()) 1585 } 1586 1587 func testAccAWSSecurityGroupConfig_drift_complex() string { 1588 return fmt.Sprintf(` 1589 resource "aws_vpc" "foo" { 1590 cidr_block = "10.1.0.0/16" 1591 } 1592 1593 resource "aws_security_group" "otherweb" { 1594 name = "tf_acc_%d" 1595 description = "Used in the terraform acceptance tests" 1596 vpc_id = "${aws_vpc.foo.id}" 1597 } 1598 1599 resource "aws_security_group" "web" { 1600 name = "tf_acc_%d" 1601 description = "Used in the terraform acceptance tests" 1602 vpc_id = "${aws_vpc.foo.id}" 1603 1604 ingress { 1605 protocol = "tcp" 1606 from_port = 80 1607 to_port = 8000 1608 cidr_blocks = ["10.0.0.0/8"] 1609 } 1610 1611 ingress { 1612 protocol = "tcp" 1613 from_port = 80 1614 to_port = 8000 1615 cidr_blocks = ["206.0.0.0/8"] 1616 } 1617 1618 ingress { 1619 protocol = "tcp" 1620 from_port = 22 1621 to_port = 22 1622 security_groups = ["${aws_security_group.otherweb.id}"] 1623 } 1624 1625 egress { 1626 protocol = "tcp" 1627 from_port = 80 1628 to_port = 8000 1629 cidr_blocks = ["206.0.0.0/8"] 1630 } 1631 1632 egress { 1633 protocol = "tcp" 1634 from_port = 80 1635 to_port = 8000 1636 cidr_blocks = ["10.0.0.0/8"] 1637 } 1638 1639 egress { 1640 protocol = "tcp" 1641 from_port = 22 1642 to_port = 22 1643 security_groups = ["${aws_security_group.otherweb.id}"] 1644 } 1645 1646 tags { 1647 Name = "tf-acc-test" 1648 } 1649 }`, acctest.RandInt(), acctest.RandInt()) 1650 } 1651 1652 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1653 resource "aws_vpc" "foo" { 1654 cidr_block = "10.1.0.0/16" 1655 } 1656 1657 resource "aws_security_group" "two" { 1658 name = "tf-test-1" 1659 vpc_id = "${aws_vpc.foo.id}" 1660 tags { 1661 Name = "tf-test-1" 1662 } 1663 } 1664 1665 resource "aws_security_group" "one" { 1666 name = "tf-test-2" 1667 vpc_id = "${aws_vpc.foo.id}" 1668 tags { 1669 Name = "tf-test-w" 1670 } 1671 } 1672 1673 resource "aws_security_group" "three" { 1674 name = "tf-test-3" 1675 vpc_id = "${aws_vpc.foo.id}" 1676 tags { 1677 Name = "tf-test-3" 1678 } 1679 } 1680 1681 resource "aws_security_group" "mixed" { 1682 name = "tf-mix-test" 1683 vpc_id = "${aws_vpc.foo.id}" 1684 1685 ingress { 1686 from_port = 80 1687 to_port = 80 1688 protocol = "tcp" 1689 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1690 1691 security_groups = [ 1692 "${aws_security_group.one.id}", 1693 "${aws_security_group.two.id}", 1694 "${aws_security_group.three.id}", 1695 ] 1696 } 1697 1698 tags { 1699 Name = "tf-mix-test" 1700 } 1701 } 1702 ` 1703 1704 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1705 resource "aws_vpc" "foo" { 1706 cidr_block = "10.1.0.0/16" 1707 } 1708 1709 resource "aws_security_group" "other_web" { 1710 name = "tf_other_acc_tests" 1711 description = "Used in the terraform acceptance tests" 1712 vpc_id = "${aws_vpc.foo.id}" 1713 1714 tags { 1715 Name = "tf-acc-test" 1716 } 1717 } 1718 1719 resource "aws_security_group" "web" { 1720 name = "terraform_acceptance_test_example" 1721 description = "Used in the terraform acceptance tests" 1722 vpc_id = "${aws_vpc.foo.id}" 1723 1724 ingress { 1725 protocol = "tcp" 1726 from_port = "22" 1727 to_port = "22" 1728 1729 cidr_blocks = [ 1730 "192.168.0.1/32", 1731 ] 1732 } 1733 1734 ingress { 1735 protocol = "tcp" 1736 from_port = 80 1737 to_port = 8000 1738 cidr_blocks = ["10.0.0.0/8"] 1739 security_groups = ["${aws_security_group.other_web.id}"] 1740 } 1741 1742 egress { 1743 protocol = "tcp" 1744 from_port = 80 1745 to_port = 8000 1746 cidr_blocks = ["10.0.0.0/8"] 1747 } 1748 1749 tags { 1750 Name = "tf-acc-test" 1751 } 1752 } 1753 ` 1754 1755 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1756 provider "aws" { 1757 region = "us-east-1" 1758 } 1759 1760 resource "aws_security_group" "other_web" { 1761 name = "tf_other_acc_tests" 1762 description = "Used in the terraform acceptance tests" 1763 1764 tags { 1765 Name = "tf-acc-test" 1766 } 1767 } 1768 1769 resource "aws_security_group" "web" { 1770 name = "terraform_acceptance_test_example" 1771 description = "Used in the terraform acceptance tests" 1772 1773 ingress { 1774 protocol = "tcp" 1775 from_port = "22" 1776 to_port = "22" 1777 1778 cidr_blocks = [ 1779 "192.168.0.1/32", 1780 ] 1781 } 1782 1783 ingress { 1784 protocol = "tcp" 1785 from_port = 80 1786 to_port = 8000 1787 cidr_blocks = ["10.0.0.0/8"] 1788 security_groups = ["${aws_security_group.other_web.name}"] 1789 } 1790 1791 tags { 1792 Name = "tf-acc-test" 1793 } 1794 } 1795 ` 1796 1797 // fails to apply in one pass with the error "diffs didn't match during apply" 1798 // GH-2027 1799 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1800 resource "aws_vpc" "main" { 1801 cidr_block = "10.0.0.0/16" 1802 1803 tags { 1804 Name = "tf-test" 1805 } 1806 } 1807 1808 resource "aws_security_group" "ssh_base" { 1809 name = "test-ssh-base" 1810 vpc_id = "${aws_vpc.main.id}" 1811 } 1812 1813 resource "aws_security_group" "jump" { 1814 name = "test-jump" 1815 vpc_id = "${aws_vpc.main.id}" 1816 } 1817 1818 resource "aws_security_group" "provision" { 1819 name = "test-provision" 1820 vpc_id = "${aws_vpc.main.id}" 1821 } 1822 1823 resource "aws_security_group" "nat" { 1824 vpc_id = "${aws_vpc.main.id}" 1825 name = "nat" 1826 description = "For nat servers " 1827 1828 ingress { 1829 from_port = 22 1830 to_port = 22 1831 protocol = "tcp" 1832 security_groups = ["${aws_security_group.jump.id}"] 1833 } 1834 1835 ingress { 1836 from_port = 22 1837 to_port = 22 1838 protocol = "tcp" 1839 security_groups = ["${aws_security_group.provision.id}"] 1840 } 1841 } 1842 ` 1843 const testAccAWSSecurityGroupConfig_importSelf = ` 1844 resource "aws_vpc" "foo" { 1845 cidr_block = "10.1.0.0/16" 1846 1847 tags { 1848 Name = "tf_sg_import_test" 1849 } 1850 } 1851 1852 resource "aws_security_group" "allow_all" { 1853 name = "allow_all" 1854 description = "Allow all inbound traffic" 1855 vpc_id = "${aws_vpc.foo.id}" 1856 } 1857 1858 resource "aws_security_group_rule" "allow_all" { 1859 type = "ingress" 1860 from_port = 0 1861 to_port = 65535 1862 protocol = "tcp" 1863 cidr_blocks = ["0.0.0.0/0"] 1864 1865 security_group_id = "${aws_security_group.allow_all.id}" 1866 } 1867 1868 resource "aws_security_group_rule" "allow_all-1" { 1869 type = "ingress" 1870 from_port = 65534 1871 to_port = 65535 1872 protocol = "tcp" 1873 1874 self = true 1875 security_group_id = "${aws_security_group.allow_all.id}" 1876 } 1877 ` 1878 1879 const testAccAWSSecurityGroupConfig_importSourceSecurityGroup = ` 1880 resource "aws_vpc" "foo" { 1881 cidr_block = "10.1.0.0/16" 1882 1883 tags { 1884 Name = "tf_sg_import_test" 1885 } 1886 } 1887 1888 resource "aws_security_group" "test_group_1" { 1889 name = "test group 1" 1890 vpc_id = "${aws_vpc.foo.id}" 1891 } 1892 1893 resource "aws_security_group" "test_group_2" { 1894 name = "test group 2" 1895 vpc_id = "${aws_vpc.foo.id}" 1896 } 1897 1898 resource "aws_security_group" "test_group_3" { 1899 name = "test group 3" 1900 vpc_id = "${aws_vpc.foo.id}" 1901 } 1902 1903 resource "aws_security_group_rule" "allow_test_group_2" { 1904 type = "ingress" 1905 from_port = 0 1906 to_port = 0 1907 protocol = "tcp" 1908 1909 source_security_group_id = "${aws_security_group.test_group_1.id}" 1910 security_group_id = "${aws_security_group.test_group_2.id}" 1911 } 1912 1913 resource "aws_security_group_rule" "allow_test_group_3" { 1914 type = "ingress" 1915 from_port = 0 1916 to_port = 0 1917 protocol = "tcp" 1918 1919 source_security_group_id = "${aws_security_group.test_group_1.id}" 1920 security_group_id = "${aws_security_group.test_group_3.id}" 1921 } 1922 ` 1923 1924 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 1925 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 1926 cidr_block = "10.0.0.0/16" 1927 tags { 1928 Name = "tf_sg_prefix_list_egress_test" 1929 } 1930 } 1931 1932 resource "aws_route_table" "default" { 1933 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1934 } 1935 1936 resource "aws_vpc_endpoint" "s3-us-west-2" { 1937 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1938 service_name = "com.amazonaws.us-west-2.s3" 1939 route_table_ids = ["${aws_route_table.default.id}"] 1940 policy = <<POLICY 1941 { 1942 "Version": "2012-10-17", 1943 "Statement": [ 1944 { 1945 "Sid":"AllowAll", 1946 "Effect":"Allow", 1947 "Principal":"*", 1948 "Action":"*", 1949 "Resource":"*" 1950 } 1951 ] 1952 } 1953 POLICY 1954 } 1955 1956 resource "aws_security_group" "egress" { 1957 name = "terraform_acceptance_test_prefix_list_egress" 1958 description = "Used in the terraform acceptance tests" 1959 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1960 1961 egress { 1962 protocol = "-1" 1963 from_port = 0 1964 to_port = 0 1965 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 1966 } 1967 } 1968 `