github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/alicloud/resource_alicloud_security_group_rule.go (about) 1 package alicloud 2 3 import ( 4 "fmt" 5 "github.com/denverdino/aliyungo/ecs" 6 "github.com/hashicorp/terraform/helper/schema" 7 "log" 8 "strings" 9 ) 10 11 func resourceAliyunSecurityGroupRule() *schema.Resource { 12 return &schema.Resource{ 13 Create: resourceAliyunSecurityGroupRuleCreate, 14 Read: resourceAliyunSecurityGroupRuleRead, 15 Delete: resourceAliyunSecurityGroupRuleDelete, 16 17 Schema: map[string]*schema.Schema{ 18 "type": &schema.Schema{ 19 Type: schema.TypeString, 20 Required: true, 21 ForceNew: true, 22 ValidateFunc: validateSecurityRuleType, 23 Description: "Type of rule, ingress (inbound) or egress (outbound).", 24 }, 25 26 "ip_protocol": &schema.Schema{ 27 Type: schema.TypeString, 28 Required: true, 29 ForceNew: true, 30 ValidateFunc: validateSecurityRuleIpProtocol, 31 }, 32 33 "nic_type": &schema.Schema{ 34 Type: schema.TypeString, 35 Optional: true, 36 ForceNew: true, 37 ValidateFunc: validateSecurityRuleNicType, 38 }, 39 40 "policy": &schema.Schema{ 41 Type: schema.TypeString, 42 Optional: true, 43 ForceNew: true, 44 ValidateFunc: validateSecurityRulePolicy, 45 }, 46 47 "port_range": &schema.Schema{ 48 Type: schema.TypeString, 49 Required: true, 50 ForceNew: true, 51 }, 52 53 "priority": &schema.Schema{ 54 Type: schema.TypeInt, 55 Optional: true, 56 ForceNew: true, 57 ValidateFunc: validateSecurityPriority, 58 }, 59 60 "security_group_id": &schema.Schema{ 61 Type: schema.TypeString, 62 Required: true, 63 ForceNew: true, 64 }, 65 66 "cidr_ip": &schema.Schema{ 67 Type: schema.TypeString, 68 Optional: true, 69 ForceNew: true, 70 Default: "0.0.0.0/0", 71 }, 72 73 "source_security_group_id": &schema.Schema{ 74 Type: schema.TypeString, 75 Optional: true, 76 ForceNew: true, 77 }, 78 79 "source_group_owner_account": &schema.Schema{ 80 Type: schema.TypeString, 81 Optional: true, 82 ForceNew: true, 83 }, 84 }, 85 } 86 } 87 88 func resourceAliyunSecurityGroupRuleCreate(d *schema.ResourceData, meta interface{}) error { 89 conn := meta.(*AliyunClient).ecsconn 90 91 ruleType := d.Get("type").(string) 92 sgId := d.Get("security_group_id").(string) 93 ptl := d.Get("ip_protocol").(string) 94 port := d.Get("port_range").(string) 95 96 var autherr error 97 switch GroupRuleDirection(ruleType) { 98 case GroupRuleIngress: 99 args, err := buildAliyunSecurityIngressArgs(d, meta) 100 if err != nil { 101 return err 102 } 103 autherr = conn.AuthorizeSecurityGroup(args) 104 case GroupRuleEgress: 105 args, err := buildAliyunSecurityEgressArgs(d, meta) 106 if err != nil { 107 return err 108 } 109 autherr = conn.AuthorizeSecurityGroupEgress(args) 110 default: 111 return fmt.Errorf("Security Group Rule must be type 'ingress' or type 'egress'") 112 } 113 114 if autherr != nil { 115 return fmt.Errorf( 116 "Error authorizing security group rule type %s: %s", 117 ruleType, autherr) 118 } 119 120 d.SetId(sgId + ":" + ruleType + ":" + ptl + ":" + port) 121 return resourceAliyunSecurityGroupRuleRead(d, meta) 122 } 123 124 func resourceAliyunSecurityGroupRuleRead(d *schema.ResourceData, meta interface{}) error { 125 client := meta.(*AliyunClient) 126 parts := strings.Split(d.Id(), ":") 127 sgId := parts[0] 128 types := parts[1] 129 ip_protocol := parts[2] 130 port_range := parts[3] 131 rule, err := client.DescribeSecurityGroupRule(sgId, types, ip_protocol, port_range) 132 133 if err != nil { 134 if notFoundError(err) { 135 d.SetId("") 136 return nil 137 } 138 return fmt.Errorf("Error SecurityGroup rule: %#v", err) 139 } 140 log.Printf("[WARN]sg %s, type %s, protocol %s, port %s, rule %#v", sgId, types, ip_protocol, port_range, rule) 141 d.Set("type", rule.Direction) 142 d.Set("ip_protocol", strings.ToLower(string(rule.IpProtocol))) 143 d.Set("nic_type", rule.NicType) 144 d.Set("policy", strings.ToLower(string(rule.Policy))) 145 d.Set("port_range", rule.PortRange) 146 d.Set("priority", rule.Priority) 147 d.Set("security_group_id", sgId) 148 //support source and desc by type 149 if GroupRuleDirection(types) == GroupRuleIngress { 150 d.Set("cidr_ip", rule.SourceCidrIp) 151 d.Set("source_security_group_id", rule.SourceGroupId) 152 d.Set("source_group_owner_account", rule.SourceGroupOwnerAccount) 153 } else { 154 d.Set("cidr_ip", rule.DestCidrIp) 155 d.Set("source_security_group_id", rule.DestGroupId) 156 d.Set("source_group_owner_account", rule.DestGroupOwnerAccount) 157 } 158 159 return nil 160 } 161 162 func resourceAliyunSecurityGroupRuleDelete(d *schema.ResourceData, meta interface{}) error { 163 client := meta.(*AliyunClient) 164 args, err := buildAliyunSecurityIngressArgs(d, meta) 165 166 if err != nil { 167 return err 168 } 169 revokeArgs := &ecs.RevokeSecurityGroupArgs{ 170 AuthorizeSecurityGroupArgs: *args, 171 } 172 return client.RevokeSecurityGroup(revokeArgs) 173 } 174 175 func buildAliyunSecurityIngressArgs(d *schema.ResourceData, meta interface{}) (*ecs.AuthorizeSecurityGroupArgs, error) { 176 conn := meta.(*AliyunClient).ecsconn 177 178 args := &ecs.AuthorizeSecurityGroupArgs{ 179 RegionId: getRegion(d, meta), 180 } 181 182 if v := d.Get("ip_protocol").(string); v != "" { 183 args.IpProtocol = ecs.IpProtocol(v) 184 } 185 186 if v := d.Get("port_range").(string); v != "" { 187 args.PortRange = v 188 } 189 190 if v := d.Get("policy").(string); v != "" { 191 args.Policy = ecs.PermissionPolicy(v) 192 } 193 194 if v := d.Get("priority").(int); v != 0 { 195 args.Priority = v 196 } 197 198 if v := d.Get("nic_type").(string); v != "" { 199 args.NicType = ecs.NicType(v) 200 } 201 202 if v := d.Get("cidr_ip").(string); v != "" { 203 args.SourceCidrIp = v 204 } 205 206 if v := d.Get("source_security_group_id").(string); v != "" { 207 args.SourceGroupId = v 208 } 209 210 if v := d.Get("source_group_owner_account").(string); v != "" { 211 args.SourceGroupOwnerAccount = v 212 } 213 214 sgId := d.Get("security_group_id").(string) 215 216 sgArgs := &ecs.DescribeSecurityGroupAttributeArgs{ 217 SecurityGroupId: sgId, 218 RegionId: getRegion(d, meta), 219 } 220 221 _, err := conn.DescribeSecurityGroupAttribute(sgArgs) 222 if err != nil { 223 return nil, fmt.Errorf("Error get security group %s error: %#v", sgId, err) 224 } 225 226 args.SecurityGroupId = sgId 227 228 return args, nil 229 } 230 231 func buildAliyunSecurityEgressArgs(d *schema.ResourceData, meta interface{}) (*ecs.AuthorizeSecurityGroupEgressArgs, error) { 232 conn := meta.(*AliyunClient).ecsconn 233 234 args := &ecs.AuthorizeSecurityGroupEgressArgs{ 235 RegionId: getRegion(d, meta), 236 } 237 238 if v := d.Get("ip_protocol").(string); v != "" { 239 args.IpProtocol = ecs.IpProtocol(v) 240 } 241 242 if v := d.Get("port_range").(string); v != "" { 243 args.PortRange = v 244 } 245 246 if v := d.Get("policy").(string); v != "" { 247 args.Policy = ecs.PermissionPolicy(v) 248 } 249 250 if v := d.Get("priority").(int); v != 0 { 251 args.Priority = v 252 } 253 254 if v := d.Get("nic_type").(string); v != "" { 255 args.NicType = ecs.NicType(v) 256 } 257 258 if v := d.Get("cidr_ip").(string); v != "" { 259 args.DestCidrIp = v 260 } 261 262 if v := d.Get("source_security_group_id").(string); v != "" { 263 args.DestGroupId = v 264 } 265 266 if v := d.Get("source_group_owner_account").(string); v != "" { 267 args.DestGroupOwnerAccount = v 268 } 269 270 sgId := d.Get("security_group_id").(string) 271 272 sgArgs := &ecs.DescribeSecurityGroupAttributeArgs{ 273 SecurityGroupId: sgId, 274 RegionId: getRegion(d, meta), 275 } 276 277 _, err := conn.DescribeSecurityGroupAttribute(sgArgs) 278 if err != nil { 279 return nil, fmt.Errorf("Error get security group %s error: %#v", sgId, err) 280 } 281 282 args.SecurityGroupId = sgId 283 284 return args, nil 285 }