github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/aws/resource_aws_network_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/aws/aws-sdk-go/aws" 8 "github.com/aws/aws-sdk-go/aws/awserr" 9 "github.com/aws/aws-sdk-go/service/ec2" 10 "github.com/hashicorp/terraform/helper/resource" 11 "github.com/hashicorp/terraform/terraform" 12 ) 13 14 func TestAccAWSNetworkAcl_EgressAndIngressRules(t *testing.T) { 15 var networkAcl ec2.NetworkAcl 16 17 resource.Test(t, resource.TestCase{ 18 PreCheck: func() { testAccPreCheck(t) }, 19 IDRefreshName: "aws_network_acl.bar", 20 Providers: testAccProviders, 21 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 22 Steps: []resource.TestStep{ 23 resource.TestStep{ 24 Config: testAccAWSNetworkAclEgressNIngressConfig, 25 Check: resource.ComposeTestCheckFunc( 26 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 27 resource.TestCheckResourceAttr( 28 "aws_network_acl.bar", "ingress.109047673.protocol", "6"), 29 resource.TestCheckResourceAttr( 30 "aws_network_acl.bar", "ingress.109047673.rule_no", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_network_acl.bar", "ingress.109047673.from_port", "80"), 33 resource.TestCheckResourceAttr( 34 "aws_network_acl.bar", "ingress.109047673.to_port", "80"), 35 resource.TestCheckResourceAttr( 36 "aws_network_acl.bar", "ingress.109047673.action", "allow"), 37 resource.TestCheckResourceAttr( 38 "aws_network_acl.bar", "ingress.109047673.cidr_block", "10.3.0.0/18"), 39 resource.TestCheckResourceAttr( 40 "aws_network_acl.bar", "egress.868403673.protocol", "6"), 41 resource.TestCheckResourceAttr( 42 "aws_network_acl.bar", "egress.868403673.rule_no", "2"), 43 resource.TestCheckResourceAttr( 44 "aws_network_acl.bar", "egress.868403673.from_port", "443"), 45 resource.TestCheckResourceAttr( 46 "aws_network_acl.bar", "egress.868403673.to_port", "443"), 47 resource.TestCheckResourceAttr( 48 "aws_network_acl.bar", "egress.868403673.cidr_block", "10.3.0.0/18"), 49 resource.TestCheckResourceAttr( 50 "aws_network_acl.bar", "egress.868403673.action", "allow"), 51 ), 52 }, 53 }, 54 }) 55 } 56 57 func TestAccAWSNetworkAcl_OnlyIngressRules_basic(t *testing.T) { 58 var networkAcl ec2.NetworkAcl 59 60 resource.Test(t, resource.TestCase{ 61 PreCheck: func() { testAccPreCheck(t) }, 62 IDRefreshName: "aws_network_acl.foos", 63 Providers: testAccProviders, 64 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 65 Steps: []resource.TestStep{ 66 resource.TestStep{ 67 Config: testAccAWSNetworkAclIngressConfig, 68 Check: resource.ComposeTestCheckFunc( 69 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 70 // testAccCheckSubnetAssociation("aws_network_acl.foos", "aws_subnet.blob"), 71 resource.TestCheckResourceAttr( 72 "aws_network_acl.foos", "ingress.1451312565.protocol", "6"), 73 resource.TestCheckResourceAttr( 74 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 75 resource.TestCheckResourceAttr( 76 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 77 resource.TestCheckResourceAttr( 78 "aws_network_acl.foos", "ingress.1451312565.to_port", "443"), 79 resource.TestCheckResourceAttr( 80 "aws_network_acl.foos", "ingress.1451312565.action", "deny"), 81 resource.TestCheckResourceAttr( 82 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 83 ), 84 }, 85 }, 86 }) 87 } 88 89 func TestAccAWSNetworkAcl_OnlyIngressRules_update(t *testing.T) { 90 var networkAcl ec2.NetworkAcl 91 92 resource.Test(t, resource.TestCase{ 93 PreCheck: func() { testAccPreCheck(t) }, 94 IDRefreshName: "aws_network_acl.foos", 95 Providers: testAccProviders, 96 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 97 Steps: []resource.TestStep{ 98 resource.TestStep{ 99 Config: testAccAWSNetworkAclIngressConfig, 100 Check: resource.ComposeTestCheckFunc( 101 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 102 testIngressRuleLength(&networkAcl, 2), 103 resource.TestCheckResourceAttr( 104 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 105 resource.TestCheckResourceAttr( 106 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 107 resource.TestCheckResourceAttr( 108 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 109 resource.TestCheckResourceAttr( 110 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 111 resource.TestCheckResourceAttr( 112 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 113 resource.TestCheckResourceAttr( 114 "aws_network_acl.foos", "ingress.1451312565.cidr_block", "10.2.0.0/18"), 115 resource.TestCheckResourceAttr( 116 "aws_network_acl.foos", "ingress.1451312565.from_port", "443"), 117 resource.TestCheckResourceAttr( 118 "aws_network_acl.foos", "ingress.1451312565.rule_no", "2"), 119 ), 120 }, 121 resource.TestStep{ 122 Config: testAccAWSNetworkAclIngressConfigChange, 123 Check: resource.ComposeTestCheckFunc( 124 testAccCheckAWSNetworkAclExists("aws_network_acl.foos", &networkAcl), 125 testIngressRuleLength(&networkAcl, 1), 126 resource.TestCheckResourceAttr( 127 "aws_network_acl.foos", "ingress.2048097841.protocol", "6"), 128 resource.TestCheckResourceAttr( 129 "aws_network_acl.foos", "ingress.2048097841.rule_no", "1"), 130 resource.TestCheckResourceAttr( 131 "aws_network_acl.foos", "ingress.2048097841.from_port", "0"), 132 resource.TestCheckResourceAttr( 133 "aws_network_acl.foos", "ingress.2048097841.to_port", "22"), 134 resource.TestCheckResourceAttr( 135 "aws_network_acl.foos", "ingress.2048097841.action", "deny"), 136 resource.TestCheckResourceAttr( 137 "aws_network_acl.foos", "ingress.2048097841.cidr_block", "10.2.0.0/18"), 138 ), 139 }, 140 }, 141 }) 142 } 143 144 func TestAccAWSNetworkAcl_OnlyEgressRules(t *testing.T) { 145 var networkAcl ec2.NetworkAcl 146 147 resource.Test(t, resource.TestCase{ 148 PreCheck: func() { testAccPreCheck(t) }, 149 IDRefreshName: "aws_network_acl.bond", 150 Providers: testAccProviders, 151 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 152 Steps: []resource.TestStep{ 153 resource.TestStep{ 154 Config: testAccAWSNetworkAclEgressConfig, 155 Check: resource.ComposeTestCheckFunc( 156 testAccCheckAWSNetworkAclExists("aws_network_acl.bond", &networkAcl), 157 testAccCheckTags(&networkAcl.Tags, "foo", "bar"), 158 ), 159 }, 160 }, 161 }) 162 } 163 164 func TestAccAWSNetworkAcl_SubnetChange(t *testing.T) { 165 166 resource.Test(t, resource.TestCase{ 167 PreCheck: func() { testAccPreCheck(t) }, 168 IDRefreshName: "aws_network_acl.bar", 169 Providers: testAccProviders, 170 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 171 Steps: []resource.TestStep{ 172 resource.TestStep{ 173 Config: testAccAWSNetworkAclSubnetConfig, 174 Check: resource.ComposeTestCheckFunc( 175 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 176 ), 177 }, 178 resource.TestStep{ 179 Config: testAccAWSNetworkAclSubnetConfigChange, 180 Check: resource.ComposeTestCheckFunc( 181 testAccCheckSubnetIsNotAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.old"), 182 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.new"), 183 ), 184 }, 185 }, 186 }) 187 188 } 189 190 func TestAccAWSNetworkAcl_Subnets(t *testing.T) { 191 var networkAcl ec2.NetworkAcl 192 193 checkACLSubnets := func(acl *ec2.NetworkAcl, count int) resource.TestCheckFunc { 194 return func(*terraform.State) (err error) { 195 if count != len(acl.Associations) { 196 return fmt.Errorf("ACL association count does not match, expected %d, got %d", count, len(acl.Associations)) 197 } 198 199 return nil 200 } 201 } 202 203 resource.Test(t, resource.TestCase{ 204 PreCheck: func() { testAccPreCheck(t) }, 205 IDRefreshName: "aws_network_acl.bar", 206 Providers: testAccProviders, 207 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 208 Steps: []resource.TestStep{ 209 resource.TestStep{ 210 Config: testAccAWSNetworkAclSubnet_SubnetIds, 211 Check: resource.ComposeTestCheckFunc( 212 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 213 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 214 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.two"), 215 checkACLSubnets(&networkAcl, 2), 216 ), 217 }, 218 219 resource.TestStep{ 220 Config: testAccAWSNetworkAclSubnet_SubnetIdsUpdate, 221 Check: resource.ComposeTestCheckFunc( 222 testAccCheckAWSNetworkAclExists("aws_network_acl.bar", &networkAcl), 223 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.one"), 224 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.three"), 225 testAccCheckSubnetIsAssociatedWithAcl("aws_network_acl.bar", "aws_subnet.four"), 226 checkACLSubnets(&networkAcl, 3), 227 ), 228 }, 229 }, 230 }) 231 } 232 233 func TestAccAWSNetworkAcl_espProtocol(t *testing.T) { 234 var networkAcl ec2.NetworkAcl 235 236 resource.Test(t, resource.TestCase{ 237 PreCheck: func() { testAccPreCheck(t) }, 238 IDRefreshName: "aws_network_acl.testesp", 239 Providers: testAccProviders, 240 CheckDestroy: testAccCheckAWSNetworkAclDestroy, 241 Steps: []resource.TestStep{ 242 resource.TestStep{ 243 Config: testAccAWSNetworkAclEsp, 244 Check: resource.ComposeTestCheckFunc( 245 testAccCheckAWSNetworkAclExists("aws_network_acl.testesp", &networkAcl), 246 ), 247 }, 248 }, 249 }) 250 } 251 252 func testAccCheckAWSNetworkAclDestroy(s *terraform.State) error { 253 conn := testAccProvider.Meta().(*AWSClient).ec2conn 254 255 for _, rs := range s.RootModule().Resources { 256 if rs.Type != "aws_network" { 257 continue 258 } 259 260 // Retrieve the network acl 261 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 262 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 263 }) 264 if err == nil { 265 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 266 return fmt.Errorf("Network Acl (%s) still exists.", rs.Primary.ID) 267 } 268 269 return nil 270 } 271 272 ec2err, ok := err.(awserr.Error) 273 if !ok { 274 return err 275 } 276 // Confirm error code is what we want 277 if ec2err.Code() != "InvalidNetworkAclID.NotFound" { 278 return err 279 } 280 } 281 282 return nil 283 } 284 285 func testAccCheckAWSNetworkAclExists(n string, networkAcl *ec2.NetworkAcl) resource.TestCheckFunc { 286 return func(s *terraform.State) error { 287 rs, ok := s.RootModule().Resources[n] 288 if !ok { 289 return fmt.Errorf("Not found: %s", n) 290 } 291 292 if rs.Primary.ID == "" { 293 return fmt.Errorf("No Security Group is set") 294 } 295 conn := testAccProvider.Meta().(*AWSClient).ec2conn 296 297 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 298 NetworkAclIds: []*string{aws.String(rs.Primary.ID)}, 299 }) 300 if err != nil { 301 return err 302 } 303 304 if len(resp.NetworkAcls) > 0 && *resp.NetworkAcls[0].NetworkAclId == rs.Primary.ID { 305 *networkAcl = *resp.NetworkAcls[0] 306 return nil 307 } 308 309 return fmt.Errorf("Network Acls not found") 310 } 311 } 312 313 func testIngressRuleLength(networkAcl *ec2.NetworkAcl, length int) resource.TestCheckFunc { 314 return func(s *terraform.State) error { 315 var ingressEntries []*ec2.NetworkAclEntry 316 for _, e := range networkAcl.Entries { 317 if *e.Egress == false { 318 ingressEntries = append(ingressEntries, e) 319 } 320 } 321 // There is always a default rule (ALL Traffic ... DENY) 322 // so we have to increase the length by 1 323 if len(ingressEntries) != length+1 { 324 return fmt.Errorf("Invalid number of ingress entries found; count = %d", len(ingressEntries)) 325 } 326 return nil 327 } 328 } 329 330 func testAccCheckSubnetIsAssociatedWithAcl(acl string, sub string) resource.TestCheckFunc { 331 return func(s *terraform.State) error { 332 networkAcl := s.RootModule().Resources[acl] 333 subnet := s.RootModule().Resources[sub] 334 335 conn := testAccProvider.Meta().(*AWSClient).ec2conn 336 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 337 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 338 Filters: []*ec2.Filter{ 339 &ec2.Filter{ 340 Name: aws.String("association.subnet-id"), 341 Values: []*string{aws.String(subnet.Primary.ID)}, 342 }, 343 }, 344 }) 345 if err != nil { 346 return err 347 } 348 if len(resp.NetworkAcls) > 0 { 349 return nil 350 } 351 352 return fmt.Errorf("Network Acl %s is not associated with subnet %s", acl, sub) 353 } 354 } 355 356 func testAccCheckSubnetIsNotAssociatedWithAcl(acl string, subnet string) resource.TestCheckFunc { 357 return func(s *terraform.State) error { 358 networkAcl := s.RootModule().Resources[acl] 359 subnet := s.RootModule().Resources[subnet] 360 361 conn := testAccProvider.Meta().(*AWSClient).ec2conn 362 resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{ 363 NetworkAclIds: []*string{aws.String(networkAcl.Primary.ID)}, 364 Filters: []*ec2.Filter{ 365 &ec2.Filter{ 366 Name: aws.String("association.subnet-id"), 367 Values: []*string{aws.String(subnet.Primary.ID)}, 368 }, 369 }, 370 }) 371 372 if err != nil { 373 return err 374 } 375 if len(resp.NetworkAcls) > 0 { 376 return fmt.Errorf("Network Acl %s is still associated with subnet %s", acl, subnet) 377 } 378 return nil 379 } 380 } 381 382 const testAccAWSNetworkAclIngressConfig = ` 383 resource "aws_vpc" "foo" { 384 cidr_block = "10.1.0.0/16" 385 tags { 386 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 387 } 388 } 389 resource "aws_subnet" "blob" { 390 cidr_block = "10.1.1.0/24" 391 vpc_id = "${aws_vpc.foo.id}" 392 map_public_ip_on_launch = true 393 } 394 resource "aws_network_acl" "foos" { 395 vpc_id = "${aws_vpc.foo.id}" 396 ingress = { 397 protocol = "tcp" 398 rule_no = 1 399 action = "deny" 400 cidr_block = "10.2.0.0/18" 401 from_port = 0 402 to_port = 22 403 } 404 ingress = { 405 protocol = "tcp" 406 rule_no = 2 407 action = "deny" 408 cidr_block = "10.2.0.0/18" 409 from_port = 443 410 to_port = 443 411 } 412 413 subnet_ids = ["${aws_subnet.blob.id}"] 414 } 415 ` 416 const testAccAWSNetworkAclIngressConfigChange = ` 417 resource "aws_vpc" "foo" { 418 cidr_block = "10.1.0.0/16" 419 tags { 420 Name = "TestAccAWSNetworkAcl_OnlyIngressRules" 421 } 422 } 423 resource "aws_subnet" "blob" { 424 cidr_block = "10.1.1.0/24" 425 vpc_id = "${aws_vpc.foo.id}" 426 map_public_ip_on_launch = true 427 } 428 resource "aws_network_acl" "foos" { 429 vpc_id = "${aws_vpc.foo.id}" 430 ingress = { 431 protocol = "tcp" 432 rule_no = 1 433 action = "deny" 434 cidr_block = "10.2.0.0/18" 435 from_port = 0 436 to_port = 22 437 } 438 subnet_ids = ["${aws_subnet.blob.id}"] 439 } 440 ` 441 442 const testAccAWSNetworkAclEgressConfig = ` 443 resource "aws_vpc" "foo" { 444 cidr_block = "10.2.0.0/16" 445 tags { 446 Name = "TestAccAWSNetworkAcl_OnlyEgressRules" 447 } 448 } 449 resource "aws_subnet" "blob" { 450 cidr_block = "10.2.0.0/24" 451 vpc_id = "${aws_vpc.foo.id}" 452 map_public_ip_on_launch = true 453 } 454 resource "aws_network_acl" "bond" { 455 vpc_id = "${aws_vpc.foo.id}" 456 egress = { 457 protocol = "tcp" 458 rule_no = 2 459 action = "allow" 460 cidr_block = "10.2.0.0/18" 461 from_port = 443 462 to_port = 443 463 } 464 465 egress = { 466 protocol = "-1" 467 rule_no = 4 468 action = "allow" 469 cidr_block = "0.0.0.0/0" 470 from_port = 0 471 to_port = 0 472 } 473 474 egress = { 475 protocol = "tcp" 476 rule_no = 1 477 action = "allow" 478 cidr_block = "10.2.0.0/18" 479 from_port = 80 480 to_port = 80 481 } 482 483 egress = { 484 protocol = "tcp" 485 rule_no = 3 486 action = "allow" 487 cidr_block = "10.2.0.0/18" 488 from_port = 22 489 to_port = 22 490 } 491 492 tags { 493 foo = "bar" 494 } 495 } 496 ` 497 498 const testAccAWSNetworkAclEgressNIngressConfig = ` 499 resource "aws_vpc" "foo" { 500 cidr_block = "10.3.0.0/16" 501 tags { 502 Name = "TestAccAWSNetworkAcl_EgressAndIngressRules" 503 } 504 } 505 resource "aws_subnet" "blob" { 506 cidr_block = "10.3.0.0/24" 507 vpc_id = "${aws_vpc.foo.id}" 508 map_public_ip_on_launch = true 509 } 510 resource "aws_network_acl" "bar" { 511 vpc_id = "${aws_vpc.foo.id}" 512 egress = { 513 protocol = "tcp" 514 rule_no = 2 515 action = "allow" 516 cidr_block = "10.3.0.0/18" 517 from_port = 443 518 to_port = 443 519 } 520 521 ingress = { 522 protocol = "tcp" 523 rule_no = 1 524 action = "allow" 525 cidr_block = "10.3.0.0/18" 526 from_port = 80 527 to_port = 80 528 } 529 } 530 ` 531 const testAccAWSNetworkAclSubnetConfig = ` 532 resource "aws_vpc" "foo" { 533 cidr_block = "10.1.0.0/16" 534 tags { 535 Name = "TestAccAWSNetworkAcl_SubnetChange" 536 } 537 } 538 resource "aws_subnet" "old" { 539 cidr_block = "10.1.111.0/24" 540 vpc_id = "${aws_vpc.foo.id}" 541 map_public_ip_on_launch = true 542 } 543 resource "aws_subnet" "new" { 544 cidr_block = "10.1.1.0/24" 545 vpc_id = "${aws_vpc.foo.id}" 546 map_public_ip_on_launch = true 547 } 548 resource "aws_network_acl" "roll" { 549 vpc_id = "${aws_vpc.foo.id}" 550 subnet_ids = ["${aws_subnet.new.id}"] 551 } 552 resource "aws_network_acl" "bar" { 553 vpc_id = "${aws_vpc.foo.id}" 554 subnet_ids = ["${aws_subnet.old.id}"] 555 } 556 ` 557 558 const testAccAWSNetworkAclSubnetConfigChange = ` 559 resource "aws_vpc" "foo" { 560 cidr_block = "10.1.0.0/16" 561 tags { 562 Name = "TestAccAWSNetworkAcl_SubnetChange" 563 } 564 } 565 resource "aws_subnet" "old" { 566 cidr_block = "10.1.111.0/24" 567 vpc_id = "${aws_vpc.foo.id}" 568 map_public_ip_on_launch = true 569 } 570 resource "aws_subnet" "new" { 571 cidr_block = "10.1.1.0/24" 572 vpc_id = "${aws_vpc.foo.id}" 573 map_public_ip_on_launch = true 574 } 575 resource "aws_network_acl" "bar" { 576 vpc_id = "${aws_vpc.foo.id}" 577 subnet_ids = ["${aws_subnet.new.id}"] 578 } 579 ` 580 581 const testAccAWSNetworkAclSubnet_SubnetIds = ` 582 resource "aws_vpc" "foo" { 583 cidr_block = "10.1.0.0/16" 584 tags { 585 Name = "TestAccAWSNetworkAcl_Subnets" 586 } 587 } 588 resource "aws_subnet" "one" { 589 cidr_block = "10.1.111.0/24" 590 vpc_id = "${aws_vpc.foo.id}" 591 tags { 592 Name = "acl-subnets-test" 593 } 594 } 595 resource "aws_subnet" "two" { 596 cidr_block = "10.1.1.0/24" 597 vpc_id = "${aws_vpc.foo.id}" 598 tags { 599 Name = "acl-subnets-test" 600 } 601 } 602 resource "aws_network_acl" "bar" { 603 vpc_id = "${aws_vpc.foo.id}" 604 subnet_ids = ["${aws_subnet.one.id}", "${aws_subnet.two.id}"] 605 tags { 606 Name = "acl-subnets-test" 607 } 608 } 609 ` 610 611 const testAccAWSNetworkAclSubnet_SubnetIdsUpdate = ` 612 resource "aws_vpc" "foo" { 613 cidr_block = "10.1.0.0/16" 614 tags { 615 Name = "TestAccAWSNetworkAcl_Subnets" 616 } 617 } 618 resource "aws_subnet" "one" { 619 cidr_block = "10.1.111.0/24" 620 vpc_id = "${aws_vpc.foo.id}" 621 tags { 622 Name = "acl-subnets-test" 623 } 624 } 625 resource "aws_subnet" "two" { 626 cidr_block = "10.1.1.0/24" 627 vpc_id = "${aws_vpc.foo.id}" 628 tags { 629 Name = "acl-subnets-test" 630 } 631 } 632 633 resource "aws_subnet" "three" { 634 cidr_block = "10.1.222.0/24" 635 vpc_id = "${aws_vpc.foo.id}" 636 tags { 637 Name = "acl-subnets-test" 638 } 639 } 640 resource "aws_subnet" "four" { 641 cidr_block = "10.1.4.0/24" 642 vpc_id = "${aws_vpc.foo.id}" 643 tags { 644 Name = "acl-subnets-test" 645 } 646 } 647 resource "aws_network_acl" "bar" { 648 vpc_id = "${aws_vpc.foo.id}" 649 subnet_ids = [ 650 "${aws_subnet.one.id}", 651 "${aws_subnet.three.id}", 652 "${aws_subnet.four.id}", 653 ] 654 tags { 655 Name = "acl-subnets-test" 656 } 657 } 658 ` 659 660 const testAccAWSNetworkAclEsp = ` 661 resource "aws_vpc" "testespvpc" { 662 cidr_block = "10.1.0.0/16" 663 } 664 665 resource "aws_network_acl" "testesp" { 666 vpc_id = "${aws_vpc.testespvpc.id}" 667 668 egress { 669 protocol = "esp" 670 rule_no = 5 671 action = "allow" 672 cidr_block = "10.3.0.0/18" 673 from_port = 0 674 to_port = 0 675 } 676 677 tags { 678 Name = "test_esp" 679 } 680 } 681 `