github.com/tam7t/terraform@v0.7.0-rc2.0.20160705125922-be2469a05c5e/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "strings" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/ec2" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/helper/schema" 15 "github.com/hashicorp/terraform/terraform" 16 ) 17 18 func TestProtocolStateFunc(t *testing.T) { 19 cases := []struct { 20 input interface{} 21 expected string 22 }{ 23 { 24 input: "tcp", 25 expected: "tcp", 26 }, 27 { 28 input: 6, 29 expected: "", 30 }, 31 { 32 input: "17", 33 expected: "udp", 34 }, 35 { 36 input: "all", 37 expected: "-1", 38 }, 39 { 40 input: "-1", 41 expected: "-1", 42 }, 43 { 44 input: -1, 45 expected: "", 46 }, 47 { 48 input: "1", 49 expected: "icmp", 50 }, 51 { 52 input: "icmp", 53 expected: "icmp", 54 }, 55 { 56 input: 1, 57 expected: "", 58 }, 59 } 60 for _, c := range cases { 61 result := protocolStateFunc(c.input) 62 if result != c.expected { 63 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 64 } 65 } 66 } 67 68 func TestProtocolForValue(t *testing.T) { 69 cases := []struct { 70 input string 71 expected string 72 }{ 73 { 74 input: "tcp", 75 expected: "tcp", 76 }, 77 { 78 input: "6", 79 expected: "tcp", 80 }, 81 { 82 input: "udp", 83 expected: "udp", 84 }, 85 { 86 input: "17", 87 expected: "udp", 88 }, 89 { 90 input: "all", 91 expected: "-1", 92 }, 93 { 94 input: "-1", 95 expected: "-1", 96 }, 97 { 98 input: "tCp", 99 expected: "tcp", 100 }, 101 { 102 input: "6", 103 expected: "tcp", 104 }, 105 { 106 input: "UDp", 107 expected: "udp", 108 }, 109 { 110 input: "17", 111 expected: "udp", 112 }, 113 { 114 input: "ALL", 115 expected: "-1", 116 }, 117 { 118 input: "icMp", 119 expected: "icmp", 120 }, 121 { 122 input: "1", 123 expected: "icmp", 124 }, 125 } 126 127 for _, c := range cases { 128 result := protocolForValue(c.input) 129 if result != c.expected { 130 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 131 } 132 } 133 } 134 135 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 136 raw := []*ec2.IpPermission{ 137 &ec2.IpPermission{ 138 IpProtocol: aws.String("tcp"), 139 FromPort: aws.Int64(int64(1)), 140 ToPort: aws.Int64(int64(-1)), 141 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("0.0.0.0/0")}}, 142 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 143 &ec2.UserIdGroupPair{ 144 GroupId: aws.String("sg-11111"), 145 }, 146 }, 147 }, 148 &ec2.IpPermission{ 149 IpProtocol: aws.String("tcp"), 150 FromPort: aws.Int64(int64(80)), 151 ToPort: aws.Int64(int64(80)), 152 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 153 // VPC 154 &ec2.UserIdGroupPair{ 155 GroupId: aws.String("sg-22222"), 156 }, 157 }, 158 }, 159 &ec2.IpPermission{ 160 IpProtocol: aws.String("tcp"), 161 FromPort: aws.Int64(int64(443)), 162 ToPort: aws.Int64(int64(443)), 163 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 164 // Classic 165 &ec2.UserIdGroupPair{ 166 UserId: aws.String("12345"), 167 GroupId: aws.String("sg-33333"), 168 GroupName: aws.String("ec2_classic"), 169 }, 170 &ec2.UserIdGroupPair{ 171 UserId: aws.String("amazon-elb"), 172 GroupId: aws.String("sg-d2c979d3"), 173 GroupName: aws.String("amazon-elb-sg"), 174 }, 175 }, 176 }, 177 } 178 179 local := []map[string]interface{}{ 180 map[string]interface{}{ 181 "protocol": "tcp", 182 "from_port": int64(1), 183 "to_port": int64(-1), 184 "cidr_blocks": []string{"0.0.0.0/0"}, 185 "self": true, 186 }, 187 map[string]interface{}{ 188 "protocol": "tcp", 189 "from_port": int64(80), 190 "to_port": int64(80), 191 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 192 "sg-22222", 193 }), 194 }, 195 map[string]interface{}{ 196 "protocol": "tcp", 197 "from_port": int64(443), 198 "to_port": int64(443), 199 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 200 "ec2_classic", 201 "amazon-elb/amazon-elb-sg", 202 }), 203 }, 204 } 205 206 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 207 for _, i := range out { 208 // loop and match rules, because the ordering is not guarneteed 209 for _, l := range local { 210 if i["from_port"] == l["from_port"] { 211 212 if i["to_port"] != l["to_port"] { 213 t.Fatalf("to_port does not match") 214 } 215 216 if _, ok := i["cidr_blocks"]; ok { 217 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 218 t.Fatalf("error matching cidr_blocks") 219 } 220 } 221 222 if _, ok := i["security_groups"]; ok { 223 outSet := i["security_groups"].(*schema.Set) 224 localSet := l["security_groups"].(*schema.Set) 225 226 if !outSet.Equal(localSet) { 227 t.Fatalf("Security Group sets are not equal") 228 } 229 } 230 } 231 } 232 } 233 } 234 235 func TestAccAWSSecurityGroup_basic(t *testing.T) { 236 var group ec2.SecurityGroup 237 238 resource.Test(t, resource.TestCase{ 239 PreCheck: func() { testAccPreCheck(t) }, 240 IDRefreshName: "aws_security_group.web", 241 Providers: testAccProviders, 242 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 243 Steps: []resource.TestStep{ 244 resource.TestStep{ 245 Config: testAccAWSSecurityGroupConfig, 246 Check: resource.ComposeTestCheckFunc( 247 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 248 testAccCheckAWSSecurityGroupAttributes(&group), 249 resource.TestCheckResourceAttr( 250 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 251 resource.TestCheckResourceAttr( 252 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 253 resource.TestCheckResourceAttr( 254 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 255 resource.TestCheckResourceAttr( 256 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 257 resource.TestCheckResourceAttr( 258 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 259 resource.TestCheckResourceAttr( 260 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 261 resource.TestCheckResourceAttr( 262 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 263 ), 264 }, 265 }, 266 }) 267 } 268 269 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 270 var group ec2.SecurityGroup 271 272 resource.Test(t, resource.TestCase{ 273 PreCheck: func() { testAccPreCheck(t) }, 274 IDRefreshName: "aws_security_group.baz", 275 IDRefreshIgnore: []string{"name_prefix"}, 276 Providers: testAccProviders, 277 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 278 Steps: []resource.TestStep{ 279 resource.TestStep{ 280 Config: testAccAWSSecurityGroupPrefixNameConfig, 281 Check: resource.ComposeTestCheckFunc( 282 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 283 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 284 "aws_security_group.baz", "baz-"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_self(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 checkSelf := func(s *terraform.State) (err error) { 295 defer func() { 296 if e := recover(); e != nil { 297 err = fmt.Errorf("bad: %#v", group) 298 } 299 }() 300 301 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 302 return fmt.Errorf("bad: %#v", group) 303 } 304 305 return nil 306 } 307 308 resource.Test(t, resource.TestCase{ 309 PreCheck: func() { testAccPreCheck(t) }, 310 IDRefreshName: "aws_security_group.web", 311 Providers: testAccProviders, 312 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 313 Steps: []resource.TestStep{ 314 resource.TestStep{ 315 Config: testAccAWSSecurityGroupConfigSelf, 316 Check: resource.ComposeTestCheckFunc( 317 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 318 resource.TestCheckResourceAttr( 319 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 320 resource.TestCheckResourceAttr( 321 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 322 resource.TestCheckResourceAttr( 323 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 324 resource.TestCheckResourceAttr( 325 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 326 resource.TestCheckResourceAttr( 327 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 328 resource.TestCheckResourceAttr( 329 "aws_security_group.web", "ingress.3971148406.self", "true"), 330 checkSelf, 331 ), 332 }, 333 }, 334 }) 335 } 336 337 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 338 var group ec2.SecurityGroup 339 340 testCheck := func(*terraform.State) error { 341 if *group.VpcId == "" { 342 return fmt.Errorf("should have vpc ID") 343 } 344 345 return nil 346 } 347 348 resource.Test(t, resource.TestCase{ 349 PreCheck: func() { testAccPreCheck(t) }, 350 IDRefreshName: "aws_security_group.web", 351 Providers: testAccProviders, 352 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 353 Steps: []resource.TestStep{ 354 resource.TestStep{ 355 Config: testAccAWSSecurityGroupConfigVpc, 356 Check: resource.ComposeTestCheckFunc( 357 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 358 testAccCheckAWSSecurityGroupAttributes(&group), 359 resource.TestCheckResourceAttr( 360 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 361 resource.TestCheckResourceAttr( 362 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 363 resource.TestCheckResourceAttr( 364 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 365 resource.TestCheckResourceAttr( 366 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 367 resource.TestCheckResourceAttr( 368 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 369 resource.TestCheckResourceAttr( 370 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 371 resource.TestCheckResourceAttr( 372 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 373 resource.TestCheckResourceAttr( 374 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 375 resource.TestCheckResourceAttr( 376 "aws_security_group.web", "egress.3629188364.from_port", "80"), 377 resource.TestCheckResourceAttr( 378 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 379 resource.TestCheckResourceAttr( 380 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 381 resource.TestCheckResourceAttr( 382 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 383 testCheck, 384 ), 385 }, 386 }, 387 }) 388 } 389 390 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 391 var group ec2.SecurityGroup 392 393 testCheck := func(*terraform.State) error { 394 if *group.VpcId == "" { 395 return fmt.Errorf("should have vpc ID") 396 } 397 398 return nil 399 } 400 401 resource.Test(t, resource.TestCase{ 402 PreCheck: func() { testAccPreCheck(t) }, 403 IDRefreshName: "aws_security_group.web", 404 Providers: testAccProviders, 405 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 406 Steps: []resource.TestStep{ 407 resource.TestStep{ 408 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 409 Check: resource.ComposeTestCheckFunc( 410 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 411 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 412 resource.TestCheckResourceAttr( 413 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 414 resource.TestCheckResourceAttr( 415 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 416 resource.TestCheckResourceAttr( 417 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 418 resource.TestCheckResourceAttr( 419 "aws_security_group.web", "ingress.956249133.from_port", "0"), 420 resource.TestCheckResourceAttr( 421 "aws_security_group.web", "ingress.956249133.to_port", "0"), 422 resource.TestCheckResourceAttr( 423 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 424 resource.TestCheckResourceAttr( 425 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 426 testCheck, 427 ), 428 }, 429 }, 430 }) 431 } 432 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 433 var group ec2.SecurityGroup 434 435 resource.Test(t, resource.TestCase{ 436 PreCheck: func() { testAccPreCheck(t) }, 437 IDRefreshName: "aws_security_group.web", 438 Providers: testAccProviders, 439 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 440 Steps: []resource.TestStep{ 441 resource.TestStep{ 442 Config: testAccAWSSecurityGroupConfigMultiIngress, 443 Check: resource.ComposeTestCheckFunc( 444 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 445 ), 446 }, 447 }, 448 }) 449 } 450 451 func TestAccAWSSecurityGroup_Change(t *testing.T) { 452 var group ec2.SecurityGroup 453 454 resource.Test(t, resource.TestCase{ 455 PreCheck: func() { testAccPreCheck(t) }, 456 IDRefreshName: "aws_security_group.web", 457 Providers: testAccProviders, 458 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 459 Steps: []resource.TestStep{ 460 resource.TestStep{ 461 Config: testAccAWSSecurityGroupConfig, 462 Check: resource.ComposeTestCheckFunc( 463 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 464 ), 465 }, 466 resource.TestStep{ 467 Config: testAccAWSSecurityGroupConfigChange, 468 Check: resource.ComposeTestCheckFunc( 469 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 470 testAccCheckAWSSecurityGroupAttributesChanged(&group), 471 ), 472 }, 473 }, 474 }) 475 } 476 477 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 478 var group ec2.SecurityGroup 479 480 resource.Test(t, resource.TestCase{ 481 PreCheck: func() { testAccPreCheck(t) }, 482 IDRefreshName: "aws_security_group.web", 483 Providers: testAccProviders, 484 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 485 Steps: []resource.TestStep{ 486 resource.TestStep{ 487 Config: testAccAWSSecurityGroupConfig_generatedName, 488 Check: resource.ComposeTestCheckFunc( 489 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 490 resource.TestCheckResourceAttr( 491 "aws_security_group.web", "description", "Managed by Terraform"), 492 func(s *terraform.State) error { 493 if group.GroupName == nil { 494 return fmt.Errorf("bad: No SG name") 495 } 496 if !strings.HasPrefix(*group.GroupName, "terraform-") { 497 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 498 } 499 return nil 500 }, 501 ), 502 }, 503 }, 504 }) 505 } 506 507 func TestAccAWSSecurityGroup_DefaultEgress(t *testing.T) { 508 509 // VPC 510 resource.Test(t, resource.TestCase{ 511 PreCheck: func() { testAccPreCheck(t) }, 512 IDRefreshName: "aws_security_group.worker", 513 Providers: testAccProviders, 514 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 515 Steps: []resource.TestStep{ 516 resource.TestStep{ 517 Config: testAccAWSSecurityGroupConfigDefaultEgress, 518 Check: resource.ComposeTestCheckFunc( 519 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 520 ), 521 }, 522 }, 523 }) 524 525 // Classic 526 var group ec2.SecurityGroup 527 resource.Test(t, resource.TestCase{ 528 PreCheck: func() { testAccPreCheck(t) }, 529 IDRefreshName: "aws_security_group.web", 530 Providers: testAccProviders, 531 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 532 Steps: []resource.TestStep{ 533 resource.TestStep{ 534 Config: testAccAWSSecurityGroupConfigClassic, 535 Check: resource.ComposeTestCheckFunc( 536 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 537 ), 538 }, 539 }, 540 }) 541 } 542 543 // Testing drift detection with groups containing the same port and types 544 func TestAccAWSSecurityGroup_drift(t *testing.T) { 545 var group ec2.SecurityGroup 546 resource.Test(t, resource.TestCase{ 547 PreCheck: func() { testAccPreCheck(t) }, 548 Providers: testAccProviders, 549 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 550 Steps: []resource.TestStep{ 551 resource.TestStep{ 552 Config: testAccAWSSecurityGroupConfig_drift(), 553 Check: resource.ComposeTestCheckFunc( 554 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 555 resource.TestCheckResourceAttr( 556 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 557 resource.TestCheckResourceAttr( 558 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 559 resource.TestCheckResourceAttr( 560 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 561 resource.TestCheckResourceAttr( 562 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 563 resource.TestCheckResourceAttr( 564 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 565 resource.TestCheckResourceAttr( 566 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 567 ), 568 }, 569 }, 570 }) 571 } 572 573 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 574 var group ec2.SecurityGroup 575 576 resource.Test(t, resource.TestCase{ 577 PreCheck: func() { testAccPreCheck(t) }, 578 Providers: testAccProviders, 579 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 580 Steps: []resource.TestStep{ 581 resource.TestStep{ 582 Config: testAccAWSSecurityGroupConfig_drift_complex(), 583 Check: resource.ComposeTestCheckFunc( 584 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 585 resource.TestCheckResourceAttr( 586 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 587 resource.TestCheckResourceAttr( 588 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 589 resource.TestCheckResourceAttr( 590 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 591 resource.TestCheckResourceAttr( 592 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 593 resource.TestCheckResourceAttr( 594 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 595 resource.TestCheckResourceAttr( 596 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 597 ), 598 }, 599 }, 600 }) 601 } 602 603 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 604 conn := testAccProvider.Meta().(*AWSClient).ec2conn 605 606 for _, rs := range s.RootModule().Resources { 607 if rs.Type != "aws_security_group" { 608 continue 609 } 610 611 // Retrieve our group 612 req := &ec2.DescribeSecurityGroupsInput{ 613 GroupIds: []*string{aws.String(rs.Primary.ID)}, 614 } 615 resp, err := conn.DescribeSecurityGroups(req) 616 if err == nil { 617 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 618 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 619 } 620 621 return nil 622 } 623 624 ec2err, ok := err.(awserr.Error) 625 if !ok { 626 return err 627 } 628 // Confirm error code is what we want 629 if ec2err.Code() != "InvalidGroup.NotFound" { 630 return err 631 } 632 } 633 634 return nil 635 } 636 637 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 638 resource, prefix string) resource.TestCheckFunc { 639 return func(s *terraform.State) error { 640 r, ok := s.RootModule().Resources[resource] 641 if !ok { 642 return fmt.Errorf("Resource not found") 643 } 644 name, ok := r.Primary.Attributes["name"] 645 if !ok { 646 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 647 } 648 if !strings.HasPrefix(name, prefix) { 649 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 650 } 651 return nil 652 } 653 } 654 655 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 656 return func(s *terraform.State) error { 657 rs, ok := s.RootModule().Resources[n] 658 if !ok { 659 return fmt.Errorf("Not found: %s", n) 660 } 661 662 if rs.Primary.ID == "" { 663 return fmt.Errorf("No Security Group is set") 664 } 665 666 conn := testAccProvider.Meta().(*AWSClient).ec2conn 667 req := &ec2.DescribeSecurityGroupsInput{ 668 GroupIds: []*string{aws.String(rs.Primary.ID)}, 669 } 670 resp, err := conn.DescribeSecurityGroups(req) 671 if err != nil { 672 return err 673 } 674 675 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 676 *group = *resp.SecurityGroups[0] 677 return nil 678 } 679 680 return fmt.Errorf("Security Group not found") 681 } 682 } 683 684 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 685 return func(s *terraform.State) error { 686 p := &ec2.IpPermission{ 687 FromPort: aws.Int64(80), 688 ToPort: aws.Int64(8000), 689 IpProtocol: aws.String("tcp"), 690 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 691 } 692 693 if *group.GroupName != "terraform_acceptance_test_example" { 694 return fmt.Errorf("Bad name: %s", *group.GroupName) 695 } 696 697 if *group.Description != "Used in the terraform acceptance tests" { 698 return fmt.Errorf("Bad description: %s", *group.Description) 699 } 700 701 if len(group.IpPermissions) == 0 { 702 return fmt.Errorf("No IPPerms") 703 } 704 705 // Compare our ingress 706 if !reflect.DeepEqual(group.IpPermissions[0], p) { 707 return fmt.Errorf( 708 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 709 group.IpPermissions[0], 710 p) 711 } 712 713 return nil 714 } 715 } 716 717 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 718 return func(s *terraform.State) error { 719 p := &ec2.IpPermission{ 720 IpProtocol: aws.String("-1"), 721 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 722 } 723 724 if *group.GroupName != "terraform_acceptance_test_example" { 725 return fmt.Errorf("Bad name: %s", *group.GroupName) 726 } 727 728 if *group.Description != "Used in the terraform acceptance tests" { 729 return fmt.Errorf("Bad description: %s", *group.Description) 730 } 731 732 if len(group.IpPermissions) == 0 { 733 return fmt.Errorf("No IPPerms") 734 } 735 736 // Compare our ingress 737 if !reflect.DeepEqual(group.IpPermissions[0], p) { 738 return fmt.Errorf( 739 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 740 group.IpPermissions[0], 741 p) 742 } 743 744 return nil 745 } 746 } 747 748 func TestAccAWSSecurityGroup_tags(t *testing.T) { 749 var group ec2.SecurityGroup 750 751 resource.Test(t, resource.TestCase{ 752 PreCheck: func() { testAccPreCheck(t) }, 753 Providers: testAccProviders, 754 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 755 Steps: []resource.TestStep{ 756 resource.TestStep{ 757 Config: testAccAWSSecurityGroupConfigTags, 758 Check: resource.ComposeTestCheckFunc( 759 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 760 testAccCheckTags(&group.Tags, "foo", "bar"), 761 ), 762 }, 763 764 resource.TestStep{ 765 Config: testAccAWSSecurityGroupConfigTagsUpdate, 766 Check: resource.ComposeTestCheckFunc( 767 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 768 testAccCheckTags(&group.Tags, "foo", ""), 769 testAccCheckTags(&group.Tags, "bar", "baz"), 770 ), 771 }, 772 }, 773 }) 774 } 775 776 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 777 var group ec2.SecurityGroup 778 779 resource.Test(t, resource.TestCase{ 780 PreCheck: func() { testAccPreCheck(t) }, 781 Providers: testAccProviders, 782 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 783 Steps: []resource.TestStep{ 784 resource.TestStep{ 785 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 786 Check: resource.ComposeTestCheckFunc( 787 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 788 // testAccCheckAWSSecurityGroupAttributes(&group), 789 ), 790 }, 791 }, 792 }) 793 } 794 795 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 796 var group ec2.SecurityGroup 797 798 resource.Test(t, resource.TestCase{ 799 PreCheck: func() { testAccPreCheck(t) }, 800 Providers: testAccProviders, 801 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 802 Steps: []resource.TestStep{ 803 resource.TestStep{ 804 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 805 Check: resource.ComposeTestCheckFunc( 806 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 807 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 808 resource.TestCheckResourceAttr( 809 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 810 resource.TestCheckResourceAttr( 811 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 812 resource.TestCheckResourceAttr( 813 "aws_security_group.web", "ingress.#", "2"), 814 ), 815 }, 816 }, 817 }) 818 } 819 820 // This test requires an EC2 Classic region 821 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 822 var group ec2.SecurityGroup 823 824 resource.Test(t, resource.TestCase{ 825 PreCheck: func() { testAccPreCheck(t) }, 826 Providers: testAccProviders, 827 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 828 Steps: []resource.TestStep{ 829 resource.TestStep{ 830 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 831 Check: resource.ComposeTestCheckFunc( 832 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 833 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 834 resource.TestCheckResourceAttr( 835 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 836 resource.TestCheckResourceAttr( 837 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 838 resource.TestCheckResourceAttr( 839 "aws_security_group.web", "ingress.#", "2"), 840 ), 841 }, 842 }, 843 }) 844 } 845 846 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 847 return func(s *terraform.State) error { 848 if *group.GroupName != "terraform_acceptance_test_example" { 849 return fmt.Errorf("Bad name: %s", *group.GroupName) 850 } 851 852 if *group.Description != "Used in the terraform acceptance tests" { 853 return fmt.Errorf("Bad description: %s", *group.Description) 854 } 855 856 if len(group.IpPermissions) == 0 { 857 return fmt.Errorf("No IPPerms") 858 } 859 860 if len(group.IpPermissions) != 2 { 861 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 862 } 863 864 for _, p := range group.IpPermissions { 865 if *p.FromPort == int64(22) { 866 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 867 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 868 } 869 continue 870 } else if *p.FromPort == int64(80) { 871 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 872 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 873 } 874 continue 875 } 876 return fmt.Errorf("Found a rouge rule") 877 } 878 879 return nil 880 } 881 } 882 883 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 884 return func(s *terraform.State) error { 885 p := []*ec2.IpPermission{ 886 &ec2.IpPermission{ 887 FromPort: aws.Int64(80), 888 ToPort: aws.Int64(9000), 889 IpProtocol: aws.String("tcp"), 890 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 891 }, 892 &ec2.IpPermission{ 893 FromPort: aws.Int64(80), 894 ToPort: aws.Int64(8000), 895 IpProtocol: aws.String("tcp"), 896 IpRanges: []*ec2.IpRange{ 897 &ec2.IpRange{ 898 CidrIp: aws.String("0.0.0.0/0"), 899 }, 900 &ec2.IpRange{ 901 CidrIp: aws.String("10.0.0.0/8"), 902 }, 903 }, 904 }, 905 } 906 907 if *group.GroupName != "terraform_acceptance_test_example" { 908 return fmt.Errorf("Bad name: %s", *group.GroupName) 909 } 910 911 if *group.Description != "Used in the terraform acceptance tests" { 912 return fmt.Errorf("Bad description: %s", *group.Description) 913 } 914 915 // Compare our ingress 916 if len(group.IpPermissions) != 2 { 917 return fmt.Errorf( 918 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 919 group.IpPermissions, 920 p) 921 } 922 923 if *group.IpPermissions[0].ToPort == 8000 { 924 group.IpPermissions[1], group.IpPermissions[0] = 925 group.IpPermissions[0], group.IpPermissions[1] 926 } 927 928 if !reflect.DeepEqual(group.IpPermissions, p) { 929 return fmt.Errorf( 930 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 931 group.IpPermissions, 932 p) 933 } 934 935 return nil 936 } 937 } 938 939 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 940 return func(s *terraform.State) error { 941 rs, ok := s.RootModule().Resources[n] 942 if !ok { 943 return fmt.Errorf("Not found: %s", n) 944 } 945 946 if rs.Primary.ID == "" { 947 return fmt.Errorf("No Security Group is set") 948 } 949 950 conn := testAccProvider.Meta().(*AWSClient).ec2conn 951 req := &ec2.DescribeSecurityGroupsInput{ 952 GroupIds: []*string{aws.String(rs.Primary.ID)}, 953 } 954 resp, err := conn.DescribeSecurityGroups(req) 955 if err != nil { 956 return err 957 } 958 959 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 960 group := *resp.SecurityGroups[0] 961 962 if len(group.IpPermissionsEgress) != 1 { 963 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 964 } 965 } 966 967 return nil 968 } 969 } 970 971 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 972 var group ec2.SecurityGroup 973 974 resource.Test(t, resource.TestCase{ 975 PreCheck: func() { testAccPreCheck(t) }, 976 Providers: testAccProviders, 977 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 978 Steps: []resource.TestStep{ 979 resource.TestStep{ 980 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 981 Check: resource.ComposeTestCheckFunc( 982 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 983 ), 984 }, 985 }, 986 }) 987 } 988 989 const testAccAWSSecurityGroupConfig = ` 990 resource "aws_vpc" "foo" { 991 cidr_block = "10.1.0.0/16" 992 } 993 994 resource "aws_security_group" "web" { 995 name = "terraform_acceptance_test_example" 996 description = "Used in the terraform acceptance tests" 997 vpc_id = "${aws_vpc.foo.id}" 998 999 ingress { 1000 protocol = "6" 1001 from_port = 80 1002 to_port = 8000 1003 cidr_blocks = ["10.0.0.0/8"] 1004 } 1005 1006 egress { 1007 protocol = "tcp" 1008 from_port = 80 1009 to_port = 8000 1010 cidr_blocks = ["10.0.0.0/8"] 1011 } 1012 1013 tags { 1014 Name = "tf-acc-test" 1015 } 1016 } 1017 ` 1018 1019 const testAccAWSSecurityGroupConfigChange = ` 1020 resource "aws_vpc" "foo" { 1021 cidr_block = "10.1.0.0/16" 1022 } 1023 1024 resource "aws_security_group" "web" { 1025 name = "terraform_acceptance_test_example" 1026 description = "Used in the terraform acceptance tests" 1027 vpc_id = "${aws_vpc.foo.id}" 1028 1029 ingress { 1030 protocol = "tcp" 1031 from_port = 80 1032 to_port = 9000 1033 cidr_blocks = ["10.0.0.0/8"] 1034 } 1035 1036 ingress { 1037 protocol = "tcp" 1038 from_port = 80 1039 to_port = 8000 1040 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1041 } 1042 1043 egress { 1044 protocol = "tcp" 1045 from_port = 80 1046 to_port = 8000 1047 cidr_blocks = ["10.0.0.0/8"] 1048 } 1049 } 1050 ` 1051 1052 const testAccAWSSecurityGroupConfigSelf = ` 1053 resource "aws_vpc" "foo" { 1054 cidr_block = "10.1.0.0/16" 1055 } 1056 1057 resource "aws_security_group" "web" { 1058 name = "terraform_acceptance_test_example" 1059 description = "Used in the terraform acceptance tests" 1060 vpc_id = "${aws_vpc.foo.id}" 1061 1062 ingress { 1063 protocol = "tcp" 1064 from_port = 80 1065 to_port = 8000 1066 self = true 1067 } 1068 1069 egress { 1070 protocol = "tcp" 1071 from_port = 80 1072 to_port = 8000 1073 cidr_blocks = ["10.0.0.0/8"] 1074 } 1075 } 1076 ` 1077 1078 const testAccAWSSecurityGroupConfigVpc = ` 1079 resource "aws_vpc" "foo" { 1080 cidr_block = "10.1.0.0/16" 1081 } 1082 1083 resource "aws_security_group" "web" { 1084 name = "terraform_acceptance_test_example" 1085 description = "Used in the terraform acceptance tests" 1086 vpc_id = "${aws_vpc.foo.id}" 1087 1088 ingress { 1089 protocol = "tcp" 1090 from_port = 80 1091 to_port = 8000 1092 cidr_blocks = ["10.0.0.0/8"] 1093 } 1094 1095 egress { 1096 protocol = "tcp" 1097 from_port = 80 1098 to_port = 8000 1099 cidr_blocks = ["10.0.0.0/8"] 1100 } 1101 } 1102 ` 1103 1104 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1105 resource "aws_vpc" "foo" { 1106 cidr_block = "10.1.0.0/16" 1107 } 1108 1109 resource "aws_security_group" "web" { 1110 name = "terraform_acceptance_test_example" 1111 description = "Used in the terraform acceptance tests" 1112 vpc_id = "${aws_vpc.foo.id}" 1113 1114 ingress { 1115 protocol = "-1" 1116 from_port = 0 1117 to_port = 0 1118 cidr_blocks = ["10.0.0.0/8"] 1119 } 1120 } 1121 ` 1122 const testAccAWSSecurityGroupConfigMultiIngress = ` 1123 resource "aws_vpc" "foo" { 1124 cidr_block = "10.1.0.0/16" 1125 } 1126 1127 resource "aws_security_group" "worker" { 1128 name = "terraform_acceptance_test_example_1" 1129 description = "Used in the terraform acceptance tests" 1130 vpc_id = "${aws_vpc.foo.id}" 1131 1132 ingress { 1133 protocol = "tcp" 1134 from_port = 80 1135 to_port = 8000 1136 cidr_blocks = ["10.0.0.0/8"] 1137 } 1138 1139 egress { 1140 protocol = "tcp" 1141 from_port = 80 1142 to_port = 8000 1143 cidr_blocks = ["10.0.0.0/8"] 1144 } 1145 } 1146 1147 resource "aws_security_group" "web" { 1148 name = "terraform_acceptance_test_example_2" 1149 description = "Used in the terraform acceptance tests" 1150 vpc_id = "${aws_vpc.foo.id}" 1151 1152 ingress { 1153 protocol = "tcp" 1154 from_port = 22 1155 to_port = 22 1156 cidr_blocks = ["10.0.0.0/8"] 1157 } 1158 1159 ingress { 1160 protocol = "tcp" 1161 from_port = 800 1162 to_port = 800 1163 cidr_blocks = ["10.0.0.0/8"] 1164 } 1165 1166 ingress { 1167 protocol = "tcp" 1168 from_port = 80 1169 to_port = 8000 1170 security_groups = ["${aws_security_group.worker.id}"] 1171 } 1172 1173 egress { 1174 protocol = "tcp" 1175 from_port = 80 1176 to_port = 8000 1177 cidr_blocks = ["10.0.0.0/8"] 1178 } 1179 } 1180 ` 1181 1182 const testAccAWSSecurityGroupConfigTags = ` 1183 resource "aws_vpc" "foo" { 1184 cidr_block = "10.1.0.0/16" 1185 } 1186 1187 resource "aws_security_group" "foo" { 1188 name = "terraform_acceptance_test_example" 1189 description = "Used in the terraform acceptance tests" 1190 vpc_id = "${aws_vpc.foo.id}" 1191 1192 ingress { 1193 protocol = "tcp" 1194 from_port = 80 1195 to_port = 8000 1196 cidr_blocks = ["10.0.0.0/8"] 1197 } 1198 1199 egress { 1200 protocol = "tcp" 1201 from_port = 80 1202 to_port = 8000 1203 cidr_blocks = ["10.0.0.0/8"] 1204 } 1205 1206 tags { 1207 foo = "bar" 1208 } 1209 } 1210 ` 1211 1212 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1213 resource "aws_vpc" "foo" { 1214 cidr_block = "10.1.0.0/16" 1215 } 1216 1217 resource "aws_security_group" "foo" { 1218 name = "terraform_acceptance_test_example" 1219 description = "Used in the terraform acceptance tests" 1220 vpc_id = "${aws_vpc.foo.id}" 1221 1222 ingress { 1223 protocol = "tcp" 1224 from_port = 80 1225 to_port = 8000 1226 cidr_blocks = ["10.0.0.0/8"] 1227 } 1228 1229 egress { 1230 protocol = "tcp" 1231 from_port = 80 1232 to_port = 8000 1233 cidr_blocks = ["10.0.0.0/8"] 1234 } 1235 1236 tags { 1237 bar = "baz" 1238 } 1239 } 1240 ` 1241 1242 const testAccAWSSecurityGroupConfig_generatedName = ` 1243 resource "aws_vpc" "foo" { 1244 cidr_block = "10.1.0.0/16" 1245 } 1246 1247 resource "aws_security_group" "web" { 1248 vpc_id = "${aws_vpc.foo.id}" 1249 1250 ingress { 1251 protocol = "tcp" 1252 from_port = 80 1253 to_port = 8000 1254 cidr_blocks = ["10.0.0.0/8"] 1255 } 1256 1257 egress { 1258 protocol = "tcp" 1259 from_port = 80 1260 to_port = 8000 1261 cidr_blocks = ["10.0.0.0/8"] 1262 } 1263 1264 tags { 1265 Name = "tf-acc-test" 1266 } 1267 } 1268 ` 1269 1270 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1271 resource "aws_vpc" "tf_sg_egress_test" { 1272 cidr_block = "10.0.0.0/16" 1273 tags { 1274 Name = "tf_sg_egress_test" 1275 } 1276 } 1277 1278 resource "aws_security_group" "worker" { 1279 name = "terraform_acceptance_test_example_1" 1280 description = "Used in the terraform acceptance tests" 1281 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1282 1283 egress { 1284 protocol = "tcp" 1285 from_port = 80 1286 to_port = 8000 1287 cidr_blocks = ["10.0.0.0/8"] 1288 } 1289 } 1290 ` 1291 1292 const testAccAWSSecurityGroupConfigClassic = ` 1293 provider "aws" { 1294 region = "us-east-1" 1295 } 1296 1297 resource "aws_security_group" "web" { 1298 name = "terraform_acceptance_test_example_1" 1299 description = "Used in the terraform acceptance tests" 1300 } 1301 ` 1302 1303 const testAccAWSSecurityGroupPrefixNameConfig = ` 1304 provider "aws" { 1305 region = "us-east-1" 1306 } 1307 1308 resource "aws_security_group" "baz" { 1309 name_prefix = "baz-" 1310 description = "Used in the terraform acceptance tests" 1311 } 1312 ` 1313 1314 func testAccAWSSecurityGroupConfig_drift() string { 1315 return fmt.Sprintf(` 1316 resource "aws_security_group" "web" { 1317 name = "tf_acc_%d" 1318 description = "Used in the terraform acceptance tests" 1319 1320 ingress { 1321 protocol = "tcp" 1322 from_port = 80 1323 to_port = 8000 1324 cidr_blocks = ["10.0.0.0/8"] 1325 } 1326 1327 ingress { 1328 protocol = "tcp" 1329 from_port = 80 1330 to_port = 8000 1331 cidr_blocks = ["206.0.0.0/8"] 1332 } 1333 1334 tags { 1335 Name = "tf-acc-test" 1336 } 1337 } 1338 `, acctest.RandInt()) 1339 } 1340 1341 func testAccAWSSecurityGroupConfig_drift_complex() string { 1342 return fmt.Sprintf(` 1343 resource "aws_vpc" "foo" { 1344 cidr_block = "10.1.0.0/16" 1345 } 1346 1347 resource "aws_security_group" "otherweb" { 1348 name = "tf_acc_%d" 1349 description = "Used in the terraform acceptance tests" 1350 vpc_id = "${aws_vpc.foo.id}" 1351 } 1352 1353 resource "aws_security_group" "web" { 1354 name = "tf_acc_%d" 1355 description = "Used in the terraform acceptance tests" 1356 vpc_id = "${aws_vpc.foo.id}" 1357 1358 ingress { 1359 protocol = "tcp" 1360 from_port = 80 1361 to_port = 8000 1362 cidr_blocks = ["10.0.0.0/8"] 1363 } 1364 1365 ingress { 1366 protocol = "tcp" 1367 from_port = 80 1368 to_port = 8000 1369 cidr_blocks = ["206.0.0.0/8"] 1370 } 1371 1372 ingress { 1373 protocol = "tcp" 1374 from_port = 22 1375 to_port = 22 1376 security_groups = ["${aws_security_group.otherweb.id}"] 1377 } 1378 1379 egress { 1380 protocol = "tcp" 1381 from_port = 80 1382 to_port = 8000 1383 cidr_blocks = ["206.0.0.0/8"] 1384 } 1385 1386 egress { 1387 protocol = "tcp" 1388 from_port = 80 1389 to_port = 8000 1390 cidr_blocks = ["10.0.0.0/8"] 1391 } 1392 1393 egress { 1394 protocol = "tcp" 1395 from_port = 22 1396 to_port = 22 1397 security_groups = ["${aws_security_group.otherweb.id}"] 1398 } 1399 1400 tags { 1401 Name = "tf-acc-test" 1402 } 1403 }`, acctest.RandInt(), acctest.RandInt()) 1404 } 1405 1406 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1407 resource "aws_vpc" "foo" { 1408 cidr_block = "10.1.0.0/16" 1409 } 1410 1411 resource "aws_security_group" "two" { 1412 name = "tf-test-1" 1413 vpc_id = "${aws_vpc.foo.id}" 1414 tags { 1415 Name = "tf-test-1" 1416 } 1417 } 1418 1419 resource "aws_security_group" "one" { 1420 name = "tf-test-2" 1421 vpc_id = "${aws_vpc.foo.id}" 1422 tags { 1423 Name = "tf-test-w" 1424 } 1425 } 1426 1427 resource "aws_security_group" "three" { 1428 name = "tf-test-3" 1429 vpc_id = "${aws_vpc.foo.id}" 1430 tags { 1431 Name = "tf-test-3" 1432 } 1433 } 1434 1435 resource "aws_security_group" "mixed" { 1436 name = "tf-mix-test" 1437 vpc_id = "${aws_vpc.foo.id}" 1438 1439 ingress { 1440 from_port = 80 1441 to_port = 80 1442 protocol = "tcp" 1443 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1444 1445 security_groups = [ 1446 "${aws_security_group.one.id}", 1447 "${aws_security_group.two.id}", 1448 "${aws_security_group.three.id}", 1449 ] 1450 } 1451 1452 tags { 1453 Name = "tf-mix-test" 1454 } 1455 } 1456 ` 1457 1458 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1459 resource "aws_vpc" "foo" { 1460 cidr_block = "10.1.0.0/16" 1461 } 1462 1463 resource "aws_security_group" "other_web" { 1464 name = "tf_other_acc_tests" 1465 description = "Used in the terraform acceptance tests" 1466 vpc_id = "${aws_vpc.foo.id}" 1467 1468 tags { 1469 Name = "tf-acc-test" 1470 } 1471 } 1472 1473 resource "aws_security_group" "web" { 1474 name = "terraform_acceptance_test_example" 1475 description = "Used in the terraform acceptance tests" 1476 vpc_id = "${aws_vpc.foo.id}" 1477 1478 ingress { 1479 protocol = "tcp" 1480 from_port = "22" 1481 to_port = "22" 1482 1483 cidr_blocks = [ 1484 "192.168.0.1/32", 1485 ] 1486 } 1487 1488 ingress { 1489 protocol = "tcp" 1490 from_port = 80 1491 to_port = 8000 1492 cidr_blocks = ["10.0.0.0/8"] 1493 security_groups = ["${aws_security_group.other_web.id}"] 1494 } 1495 1496 egress { 1497 protocol = "tcp" 1498 from_port = 80 1499 to_port = 8000 1500 cidr_blocks = ["10.0.0.0/8"] 1501 } 1502 1503 tags { 1504 Name = "tf-acc-test" 1505 } 1506 } 1507 ` 1508 1509 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1510 provider "aws" { 1511 region = "us-east-1" 1512 } 1513 1514 resource "aws_security_group" "other_web" { 1515 name = "tf_other_acc_tests" 1516 description = "Used in the terraform acceptance tests" 1517 1518 tags { 1519 Name = "tf-acc-test" 1520 } 1521 } 1522 1523 resource "aws_security_group" "web" { 1524 name = "terraform_acceptance_test_example" 1525 description = "Used in the terraform acceptance tests" 1526 1527 ingress { 1528 protocol = "tcp" 1529 from_port = "22" 1530 to_port = "22" 1531 1532 cidr_blocks = [ 1533 "192.168.0.1/32", 1534 ] 1535 } 1536 1537 ingress { 1538 protocol = "tcp" 1539 from_port = 80 1540 to_port = 8000 1541 cidr_blocks = ["10.0.0.0/8"] 1542 security_groups = ["${aws_security_group.other_web.name}"] 1543 } 1544 1545 tags { 1546 Name = "tf-acc-test" 1547 } 1548 } 1549 ` 1550 1551 // fails to apply in one pass with the error "diffs didn't match during apply" 1552 // GH-2027 1553 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1554 resource "aws_vpc" "main" { 1555 cidr_block = "10.0.0.0/16" 1556 1557 tags { 1558 Name = "tf-test" 1559 } 1560 } 1561 1562 resource "aws_security_group" "ssh_base" { 1563 name = "test-ssh-base" 1564 vpc_id = "${aws_vpc.main.id}" 1565 } 1566 1567 resource "aws_security_group" "jump" { 1568 name = "test-jump" 1569 vpc_id = "${aws_vpc.main.id}" 1570 } 1571 1572 resource "aws_security_group" "provision" { 1573 name = "test-provision" 1574 vpc_id = "${aws_vpc.main.id}" 1575 } 1576 1577 resource "aws_security_group" "nat" { 1578 vpc_id = "${aws_vpc.main.id}" 1579 name = "nat" 1580 description = "For nat servers " 1581 1582 ingress { 1583 from_port = 22 1584 to_port = 22 1585 protocol = "tcp" 1586 security_groups = ["${aws_security_group.jump.id}"] 1587 } 1588 1589 ingress { 1590 from_port = 22 1591 to_port = 22 1592 protocol = "tcp" 1593 security_groups = ["${aws_security_group.provision.id}"] 1594 } 1595 } 1596 ` 1597 const testAccAWSSecurityGroupConfig_importSelf = ` 1598 resource "aws_vpc" "foo" { 1599 cidr_block = "10.1.0.0/16" 1600 1601 tags { 1602 Name = "tf_sg_import_test" 1603 } 1604 } 1605 1606 resource "aws_security_group" "allow_all" { 1607 name = "allow_all" 1608 description = "Allow all inbound traffic" 1609 vpc_id = "${aws_vpc.foo.id}" 1610 } 1611 1612 resource "aws_security_group_rule" "allow_all" { 1613 type = "ingress" 1614 from_port = 0 1615 to_port = 65535 1616 protocol = "tcp" 1617 cidr_blocks = ["0.0.0.0/0"] 1618 1619 security_group_id = "${aws_security_group.allow_all.id}" 1620 } 1621 1622 resource "aws_security_group_rule" "allow_all-1" { 1623 type = "ingress" 1624 from_port = 65534 1625 to_port = 65535 1626 protocol = "tcp" 1627 1628 self = true 1629 security_group_id = "${aws_security_group.allow_all.id}" 1630 } 1631 `