github.com/turtlemonvh/terraform@v0.6.9-0.20151204001754-8e40b6b855e8/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 Providers: testAccProviders, 20 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 21 Steps: []resource.TestStep{ 22 resource.TestStep{ 23 Config: testAccAWSNetworkAclEgressNIngressConfig, 24 Check: resource.ComposeTestCheckFunc( 25 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 26 resource.TestCheckResourceAttr( 27 "aws_network_acl.bar", "ingress.109047673.protocol", "6"), 28 resource.TestCheckResourceAttr( 29 "aws_network_acl.bar", "ingress.109047673.rule_no", "1"), 30 resource.TestCheckResourceAttr( 31 "aws_network_acl.bar", "ingress.109047673.from_port", "80"), 32 resource.TestCheckResourceAttr( 33 "aws_network_acl.bar", "ingress.109047673.to_port", "80"), 34 resource.TestCheckResourceAttr( 35 "aws_network_acl.bar", "ingress.109047673.action", "allow"), 36 resource.TestCheckResourceAttr( 37 "aws_network_acl.bar", "ingress.109047673.cidr_block", "10.3.0.0/18"), 38 resource.TestCheckResourceAttr( 39 "aws_network_acl.bar", "egress.868403673.protocol", "6"), 40 resource.TestCheckResourceAttr( 41 "aws_network_acl.bar", "egress.868403673.rule_no", "2"), 42 resource.TestCheckResourceAttr( 43 "aws_network_acl.bar", "egress.868403673.from_port", "443"), 44 resource.TestCheckResourceAttr( 45 "aws_network_acl.bar", "egress.868403673.to_port", "443"), 46 resource.TestCheckResourceAttr( 47 "aws_network_acl.bar", "egress.868403673.cidr_block", "10.3.0.0/18"), 48 resource.TestCheckResourceAttr( 49 "aws_network_acl.bar", "egress.868403673.action", "allow"), 50 ), 51 }, 52 }, 53 }) 54 } 55 56 func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) { 57 var networkAcl ec2.NetworkAcl 58 59 resource.Test(t, resource.TestCase{ 60 PreCheck: func() { testAccPreCheck(t) }, 61 Providers: testAccProviders, 62 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 63 Steps: []resource.TestStep{ 64 resource.TestStep{ 65 Config: testAccAWSNetworkAclIngressConfig, 66 Check: resource.ComposeTestCheckFunc( 67 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 68 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 69 resource.TestCheckResourceAttr( 70 "aws_network_acl.foos", "ingress.1451312565.protocol", "6"), 71 resource.TestCheckResourceAttr( 72 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 73 resource.TestCheckResourceAttr( 74 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 75 resource.TestCheckResourceAttr( 76 "aws_network_acl.foos", "ingress.1451312565.to_port", "443"), 77 resource.TestCheckResourceAttr( 78 "aws_network_acl.foos", "ingress.1451312565.action", "deny"), 79 resource.TestCheckResourceAttr( 80 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 81 ), 82 }, 83 }, 84 }) 85 } 86 87 func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) { 88 var networkAcl ec2.NetworkAcl 89 90 resource.Test(t, resource.TestCase{ 91 PreCheck: func() { testAccPreCheck(t) }, 92 Providers: testAccProviders, 93 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 94 Steps: []resource.TestStep{ 95 resource.TestStep{ 96 Config: testAccAWSNetworkAclIngressConfig, 97 Check: resource.ComposeTestCheckFunc( 98 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 99 testIngressRuleLength(&networkAcl, 2), 100 resource.TestCheckResourceAttr( 101 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 102 resource.TestCheckResourceAttr( 103 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 104 resource.TestCheckResourceAttr( 105 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 106 resource.TestCheckResourceAttr( 107 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 108 resource.TestCheckResourceAttr( 109 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 110 resource.TestCheckResourceAttr( 111 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 112 resource.TestCheckResourceAttr( 113 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 114 resource.TestCheckResourceAttr( 115 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 116 ), 117 }, 118 resource.TestStep{ 119 Config: testAccAWSNetworkAclIngressConfigChange, 120 Check: resource.ComposeTestCheckFunc( 121 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 122 testIngressRuleLength(&networkAcl, 1), 123 resource.TestCheckResourceAttr( 124 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 125 resource.TestCheckResourceAttr( 126 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 127 resource.TestCheckResourceAttr( 128 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 129 resource.TestCheckResourceAttr( 130 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 131 resource.TestCheckResourceAttr( 132 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 133 resource.TestCheckResourceAttr( 134 "aws_network_acl.foos", "ingress.2048097841.cidr_block", "10.2.0.0/18"), 135 ), 136 }, 137 }, 138 }) 139 } 140 141 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 142 var networkAcl ec2.NetworkAcl 143 144 resource.Test(t, resource.TestCase{ 145 PreCheck: func() { testAccPreCheck(t) }, 146 Providers: testAccProviders, 147 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 148 Steps: []resource.TestStep{ 149 resource.TestStep{ 150 Config: testAccAWSNetworkAclEgressConfig, 151 Check: resource.ComposeTestCheckFunc( 152 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 153 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 154 ), 155 }, 156 }, 157 }) 158 } 159 160 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 161 162 resource.Test(t, resource.TestCase{ 163 PreCheck: func() { testAccPreCheck(t) }, 164 Providers: testAccProviders, 165 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 166 Steps: []resource.TestStep{ 167 resource.TestStep{ 168 Config: testAccAWSNetworkAclSubnetConfig, 169 Check: resource.ComposeTestCheckFunc( 170 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 171 ), 172 }, 173 resource.TestStep{ 174 Config: testAccAWSNetworkAclSubnetConfigChange, 175 Check: resource.ComposeTestCheckFunc( 176 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 177 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 178 ), 179 }, 180 }, 181 }) 182 183 } 184 185 func TestAccAWSNetworkAcl_Subnets(t *testing.T) { 186 var networkAcl ec2.NetworkAcl 187 188 checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc { 189 return func(*terraform.State) (err error) { 190 if count != len(acl.Associations) { 191 return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations)) 192 } 193 194 return nil 195 } 196 } 197 198 resource.Test(t, resource.TestCase{ 199 PreCheck: func() { testAccPreCheck(t) }, 200 Providers: testAccProviders, 201 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 202 Steps: []resource.TestStep{ 203 resource.TestStep{ 204 Config: testAccAWSNetworkAclSubnet_SubnetIds, 205 Check: resource.ComposeTestCheckFunc( 206 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 207 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 208 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"), 209 checkACLSubnets(&networkAcl, 2), 210 ), 211 }, 212 213 resource.TestStep{ 214 Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate, 215 Check: resource.ComposeTestCheckFunc( 216 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 217 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 218 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"), 219 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"), 220 checkACLSubnets(&networkAcl, 3), 221 ), 222 }, 223 }, 224 }) 225 226 } 227 228 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 229 conn := testAccProvider.Meta().(*AWSClient).ec2conn 230 231 for _, rs := range s.RootModule().Resources { 232 if rs.Type != "aws_network" { 233 continue 234 } 235 236 // Retrieve the network acl 237 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 238 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 239 }) 240 if err == nil { 241 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 242 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 243 } 244 245 return nil 246 } 247 248 ec2err, ok := err.(awserr.Error) 249 if !ok { 250 return err 251 } 252 // Confirm error code is what we want 253 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 254 return err 255 } 256 } 257 258 return nil 259 } 260 261 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 262 return func(s *terraform.State) error { 263 rs, ok := s.RootModule().Resources[n] 264 if !ok { 265 return fmt.Errorf("Not found: %s", n) 266 } 267 268 if rs.Primary.ID == "" { 269 return fmt.Errorf("No Security Group is set") 270 } 271 conn := testAccProvider.Meta().(*AWSClient).ec2conn 272 273 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 274 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 275 }) 276 if err != nil { 277 return err 278 } 279 280 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 281 *networkAcl = *resp.NetworkAcls[0] 282 return nil 283 } 284 285 return fmt.Errorf("Network Acls not found") 286 } 287 } 288 289 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 290 return func(s *terraform.State) error { 291 var ingressEntries []*ec2.NetworkAclEntry 292 for _, e := range networkAcl.Entries { 293 if *e.Egress == false { 294 ingressEntries = append(ingressEntries, e) 295 } 296 } 297 // There is always a default rule (ALL Traffic ... DENY) 298 // so we have to increase the length by 1 299 if len(ingressEntries) != length+1 { 300 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 301 } 302 return nil 303 } 304 } 305 306 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 307 return func(s *terraform.State) error { 308 networkAcl := s.RootModule().Resources[acl] 309 subnet := s.RootModule().Resources[sub] 310 311 conn := testAccProvider.Meta().(*AWSClient).ec2conn 312 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 313 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 314 Filters: []*ec2.Filter{ 315 &ec2.Filter{ 316 Name: aws.String("association.subnet-id"), 317 Values: []*string{aws.String(subnet.Primary.ID)}, 318 }, 319 }, 320 }) 321 if err != nil { 322 return err 323 } 324 if len(resp.NetworkAcls) > 0 { 325 return nil 326 } 327 328 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 329 } 330 } 331 332 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 333 return func(s *terraform.State) error { 334 networkAcl := s.RootModule().Resources[acl] 335 subnet := s.RootModule().Resources[subnet] 336 337 conn := testAccProvider.Meta().(*AWSClient).ec2conn 338 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 339 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 340 Filters: []*ec2.Filter{ 341 &ec2.Filter{ 342 Name: aws.String("association.subnet-id"), 343 Values: []*string{aws.String(subnet.Primary.ID)}, 344 }, 345 }, 346 }) 347 348 if err != nil { 349 return err 350 } 351 if len(resp.NetworkAcls) > 0 { 352 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 353 } 354 return nil 355 } 356 } 357 358 const testAccAWSNetworkAclIngressConfig = ` 359 resource "aws_vpc" "foo" { 360 cidr_block = "10.1.0.0/16" 361 } 362 resource "aws_subnet" "blob" { 363 cidr_block = "10.1.1.0/24" 364 vpc_id = "${aws_vpc.foo.id}" 365 map_public_ip_on_launch = true 366 } 367 resource "aws_network_acl" "foos" { 368 vpc_id = "${aws_vpc.foo.id}" 369 ingress = { 370 protocol = "tcp" 371 rule_no = 1 372 action = "deny" 373 cidr_block = "10.2.0.0/18" 374 from_port = 0 375 to_port = 22 376 } 377 ingress = { 378 protocol = "tcp" 379 rule_no = 2 380 action = "deny" 381 cidr_block = "10.2.0.0/18" 382 from_port = 443 383 to_port = 443 384 } 385 subnet_id = "${aws_subnet.blob.id}" 386 } 387 ` 388 const testAccAWSNetworkAclIngressConfigChange = ` 389 resource "aws_vpc" "foo" { 390 cidr_block = "10.1.0.0/16" 391 } 392 resource "aws_subnet" "blob" { 393 cidr_block = "10.1.1.0/24" 394 vpc_id = "${aws_vpc.foo.id}" 395 map_public_ip_on_launch = true 396 } 397 resource "aws_network_acl" "foos" { 398 vpc_id = "${aws_vpc.foo.id}" 399 ingress = { 400 protocol = "tcp" 401 rule_no = 1 402 action = "deny" 403 cidr_block = "10.2.0.0/18" 404 from_port = 0 405 to_port = 22 406 } 407 subnet_id = "${aws_subnet.blob.id}" 408 } 409 ` 410 411 const testAccAWSNetworkAclEgressConfig = ` 412 resource "aws_vpc" "foo" { 413 cidr_block = "10.2.0.0/16" 414 } 415 resource "aws_subnet" "blob" { 416 cidr_block = "10.2.0.0/24" 417 vpc_id = "${aws_vpc.foo.id}" 418 map_public_ip_on_launch = true 419 } 420 resource "aws_network_acl" "bond" { 421 vpc_id = "${aws_vpc.foo.id}" 422 egress = { 423 protocol = "tcp" 424 rule_no = 2 425 action = "allow" 426 cidr_block = "10.2.0.0/18" 427 from_port = 443 428 to_port = 443 429 } 430 431 egress = { 432 protocol = "-1" 433 rule_no = 4 434 action = "allow" 435 cidr_block = "0.0.0.0/0" 436 from_port = 0 437 to_port = 0 438 } 439 440 egress = { 441 protocol = "tcp" 442 rule_no = 1 443 action = "allow" 444 cidr_block = "10.2.0.0/18" 445 from_port = 80 446 to_port = 80 447 } 448 449 egress = { 450 protocol = "tcp" 451 rule_no = 3 452 action = "allow" 453 cidr_block = "10.2.0.0/18" 454 from_port = 22 455 to_port = 22 456 } 457 458 tags { 459 foo = "bar" 460 } 461 } 462 ` 463 464 const testAccAWSNetworkAclEgressNIngressConfig = ` 465 resource "aws_vpc" "foo" { 466 cidr_block = "10.3.0.0/16" 467 } 468 resource "aws_subnet" "blob" { 469 cidr_block = "10.3.0.0/24" 470 vpc_id = "${aws_vpc.foo.id}" 471 map_public_ip_on_launch = true 472 } 473 resource "aws_network_acl" "bar" { 474 vpc_id = "${aws_vpc.foo.id}" 475 egress = { 476 protocol = "tcp" 477 rule_no = 2 478 action = "allow" 479 cidr_block = "10.3.0.0/18" 480 from_port = 443 481 to_port = 443 482 } 483 484 ingress = { 485 protocol = "tcp" 486 rule_no = 1 487 action = "allow" 488 cidr_block = "10.3.0.0/18" 489 from_port = 80 490 to_port = 80 491 } 492 } 493 ` 494 const testAccAWSNetworkAclSubnetConfig = ` 495 resource "aws_vpc" "foo" { 496 cidr_block = "10.1.0.0/16" 497 } 498 resource "aws_subnet" "old" { 499 cidr_block = "10.1.111.0/24" 500 vpc_id = "${aws_vpc.foo.id}" 501 map_public_ip_on_launch = true 502 } 503 resource "aws_subnet" "new" { 504 cidr_block = "10.1.1.0/24" 505 vpc_id = "${aws_vpc.foo.id}" 506 map_public_ip_on_launch = true 507 } 508 resource "aws_network_acl" "roll" { 509 vpc_id = "${aws_vpc.foo.id}" 510 subnet_id = "${aws_subnet.new.id}" 511 } 512 resource "aws_network_acl" "bar" { 513 vpc_id = "${aws_vpc.foo.id}" 514 subnet_id = "${aws_subnet.old.id}" 515 } 516 ` 517 518 const testAccAWSNetworkAclSubnetConfigChange = ` 519 resource "aws_vpc" "foo" { 520 cidr_block = "10.1.0.0/16" 521 } 522 resource "aws_subnet" "old" { 523 cidr_block = "10.1.111.0/24" 524 vpc_id = "${aws_vpc.foo.id}" 525 map_public_ip_on_launch = true 526 } 527 resource "aws_subnet" "new" { 528 cidr_block = "10.1.1.0/24" 529 vpc_id = "${aws_vpc.foo.id}" 530 map_public_ip_on_launch = true 531 } 532 resource "aws_network_acl" "bar" { 533 vpc_id = "${aws_vpc.foo.id}" 534 subnet_id = "${aws_subnet.new.id}" 535 } 536 ` 537 538 const testAccAWSNetworkAclSubnet_SubnetIds = ` 539 resource "aws_vpc" "foo" { 540 cidr_block = "10.1.0.0/16" 541 tags { 542 Name = "acl-subnets-test" 543 } 544 } 545 resource "aws_subnet" "one" { 546 cidr_block = "10.1.111.0/24" 547 vpc_id = "${aws_vpc.foo.id}" 548 } 549 resource "aws_subnet" "two" { 550 cidr_block = "10.1.1.0/24" 551 vpc_id = "${aws_vpc.foo.id}" 552 } 553 resource "aws_network_acl" "bar" { 554 vpc_id = "${aws_vpc.foo.id}" 555 subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"] 556 } 557 ` 558 559 const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = ` 560 resource "aws_vpc" "foo" { 561 cidr_block = "10.1.0.0/16" 562 tags { 563 Name = "acl-subnets-test" 564 } 565 } 566 resource "aws_subnet" "one" { 567 cidr_block = "10.1.111.0/24" 568 vpc_id = "${aws_vpc.foo.id}" 569 } 570 resource "aws_subnet" "two" { 571 cidr_block = "10.1.1.0/24" 572 vpc_id = "${aws_vpc.foo.id}" 573 } 574 575 resource "aws_subnet" "three" { 576 cidr_block = "10.1.222.0/24" 577 vpc_id = "${aws_vpc.foo.id}" 578 } 579 resource "aws_subnet" "four" { 580 cidr_block = "10.1.4.0/24" 581 vpc_id = "${aws_vpc.foo.id}" 582 } 583 resource "aws_network_acl" "bar" { 584 vpc_id = "${aws_vpc.foo.id}" 585 subnet_ids = [ 586 "${aws_subnet.one.id}", 587 "${aws_subnet.three.id}", 588 "${aws_subnet.four.id}", 589 ] 590 } 591 `