github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/aws/resource_aws_security_group_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "reflect" 6 "regexp" 7 "strings" 8 "testing" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/ec2" 13 "github.com/hashicorp/terraform/helper/acctest" 14 "github.com/hashicorp/terraform/helper/resource" 15 "github.com/hashicorp/terraform/helper/schema" 16 "github.com/hashicorp/terraform/terraform" 17 ) 18 19 func TestProtocolStateFunc(t *testing.T) { 20 cases := []struct { 21 input interface{} 22 expected string 23 }{ 24 { 25 input: "tcp", 26 expected: "tcp", 27 }, 28 { 29 input: 6, 30 expected: "", 31 }, 32 { 33 input: "17", 34 expected: "udp", 35 }, 36 { 37 input: "all", 38 expected: "-1", 39 }, 40 { 41 input: "-1", 42 expected: "-1", 43 }, 44 { 45 input: -1, 46 expected: "", 47 }, 48 { 49 input: "1", 50 expected: "icmp", 51 }, 52 { 53 input: "icmp", 54 expected: "icmp", 55 }, 56 { 57 input: 1, 58 expected: "", 59 }, 60 } 61 for _, c := range cases { 62 result := protocolStateFunc(c.input) 63 if result != c.expected { 64 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 65 } 66 } 67 } 68 69 func TestProtocolForValue(t *testing.T) { 70 cases := []struct { 71 input string 72 expected string 73 }{ 74 { 75 input: "tcp", 76 expected: "tcp", 77 }, 78 { 79 input: "6", 80 expected: "tcp", 81 }, 82 { 83 input: "udp", 84 expected: "udp", 85 }, 86 { 87 input: "17", 88 expected: "udp", 89 }, 90 { 91 input: "all", 92 expected: "-1", 93 }, 94 { 95 input: "-1", 96 expected: "-1", 97 }, 98 { 99 input: "tCp", 100 expected: "tcp", 101 }, 102 { 103 input: "6", 104 expected: "tcp", 105 }, 106 { 107 input: "UDp", 108 expected: "udp", 109 }, 110 { 111 input: "17", 112 expected: "udp", 113 }, 114 { 115 input: "ALL", 116 expected: "-1", 117 }, 118 { 119 input: "icMp", 120 expected: "icmp", 121 }, 122 { 123 input: "1", 124 expected: "icmp", 125 }, 126 } 127 128 for _, c := range cases { 129 result := protocolForValue(c.input) 130 if result != c.expected { 131 t.Errorf("Error matching protocol, expected (%s), got (%s)", c.expected, result) 132 } 133 } 134 } 135 136 func TestResourceAwsSecurityGroupIPPermGather(t *testing.T) { 137 raw := []*ec2.IpPermission{ 138 &ec2.IpPermission{ 139 IpProtocol: aws.String("tcp"), 140 FromPort: aws.Int64(int64(1)), 141 ToPort: aws.Int64(int64(-1)), 142 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("0.0.0.0/0")}}, 143 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 144 &ec2.UserIdGroupPair{ 145 GroupId: aws.String("sg-11111"), 146 }, 147 }, 148 }, 149 &ec2.IpPermission{ 150 IpProtocol: aws.String("tcp"), 151 FromPort: aws.Int64(int64(80)), 152 ToPort: aws.Int64(int64(80)), 153 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 154 // VPC 155 &ec2.UserIdGroupPair{ 156 GroupId: aws.String("sg-22222"), 157 }, 158 }, 159 }, 160 &ec2.IpPermission{ 161 IpProtocol: aws.String("tcp"), 162 FromPort: aws.Int64(int64(443)), 163 ToPort: aws.Int64(int64(443)), 164 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 165 // Classic 166 &ec2.UserIdGroupPair{ 167 UserId: aws.String("12345"), 168 GroupId: aws.String("sg-33333"), 169 GroupName: aws.String("ec2_classic"), 170 }, 171 &ec2.UserIdGroupPair{ 172 UserId: aws.String("amazon-elb"), 173 GroupId: aws.String("sg-d2c979d3"), 174 GroupName: aws.String("amazon-elb-sg"), 175 }, 176 }, 177 }, 178 &ec2.IpPermission{ 179 IpProtocol: aws.String("-1"), 180 FromPort: aws.Int64(int64(0)), 181 ToPort: aws.Int64(int64(0)), 182 PrefixListIds: []*ec2.PrefixListId{&ec2.PrefixListId{PrefixListId: aws.String("pl-12345678")}}, 183 UserIdGroupPairs: []*ec2.UserIdGroupPair{ 184 // VPC 185 &ec2.UserIdGroupPair{ 186 GroupId: aws.String("sg-22222"), 187 }, 188 }, 189 }, 190 } 191 192 local := []map[string]interface{}{ 193 map[string]interface{}{ 194 "protocol": "tcp", 195 "from_port": int64(1), 196 "to_port": int64(-1), 197 "cidr_blocks": []string{"0.0.0.0/0"}, 198 "self": true, 199 }, 200 map[string]interface{}{ 201 "protocol": "tcp", 202 "from_port": int64(80), 203 "to_port": int64(80), 204 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 205 "sg-22222", 206 }), 207 }, 208 map[string]interface{}{ 209 "protocol": "tcp", 210 "from_port": int64(443), 211 "to_port": int64(443), 212 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 213 "ec2_classic", 214 "amazon-elb/amazon-elb-sg", 215 }), 216 }, 217 map[string]interface{}{ 218 "protocol": "-1", 219 "from_port": int64(0), 220 "to_port": int64(0), 221 "prefix_list_ids": []string{"pl-12345678"}, 222 "security_groups": schema.NewSet(schema.HashString, []interface{}{ 223 "sg-22222", 224 }), 225 }, 226 } 227 228 out := resourceAwsSecurityGroupIPPermGather("sg-11111", raw, aws.String("12345")) 229 for _, i := range out { 230 // loop and match rules, because the ordering is not guarneteed 231 for _, l := range local { 232 if i["from_port"] == l["from_port"] { 233 234 if i["to_port"] != l["to_port"] { 235 t.Fatalf("to_port does not match") 236 } 237 238 if _, ok := i["cidr_blocks"]; ok { 239 if !reflect.DeepEqual(i["cidr_blocks"], l["cidr_blocks"]) { 240 t.Fatalf("error matching cidr_blocks") 241 } 242 } 243 244 if _, ok := i["security_groups"]; ok { 245 outSet := i["security_groups"].(*schema.Set) 246 localSet := l["security_groups"].(*schema.Set) 247 248 if !outSet.Equal(localSet) { 249 t.Fatalf("Security Group sets are not equal") 250 } 251 } 252 } 253 } 254 } 255 } 256 257 func TestAccAWSSecurityGroup_basic(t *testing.T) { 258 var group ec2.SecurityGroup 259 260 resource.Test(t, resource.TestCase{ 261 PreCheck: func() { testAccPreCheck(t) }, 262 IDRefreshName: "aws_security_group.web", 263 Providers: testAccProviders, 264 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 265 Steps: []resource.TestStep{ 266 resource.TestStep{ 267 Config: testAccAWSSecurityGroupConfig, 268 Check: resource.ComposeTestCheckFunc( 269 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 270 testAccCheckAWSSecurityGroupAttributes(&group), 271 resource.TestCheckResourceAttr( 272 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 273 resource.TestCheckResourceAttr( 274 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 275 resource.TestCheckResourceAttr( 276 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 277 resource.TestCheckResourceAttr( 278 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 279 resource.TestCheckResourceAttr( 280 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 281 resource.TestCheckResourceAttr( 282 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 283 resource.TestCheckResourceAttr( 284 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 285 ), 286 }, 287 }, 288 }) 289 } 290 291 func TestAccAWSSecurityGroup_tagsCreatedFirst(t *testing.T) { 292 var group ec2.SecurityGroup 293 294 resource.Test(t, resource.TestCase{ 295 PreCheck: func() { testAccPreCheck(t) }, 296 Providers: testAccProviders, 297 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 298 Steps: []resource.TestStep{ 299 resource.TestStep{ 300 Config: testAccAWSSecurityGroupConfigForTagsOrdering, 301 ExpectError: regexp.MustCompile("InvalidParameterValue"), 302 Check: resource.ComposeTestCheckFunc( 303 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 304 testAccCheckTags(&group.Tags, "Name", "tf-acc-test"), 305 ), 306 }, 307 }, 308 }) 309 } 310 311 func TestAccAWSSecurityGroup_namePrefix(t *testing.T) { 312 var group ec2.SecurityGroup 313 314 resource.Test(t, resource.TestCase{ 315 PreCheck: func() { testAccPreCheck(t) }, 316 IDRefreshName: "aws_security_group.baz", 317 IDRefreshIgnore: []string{"name_prefix"}, 318 Providers: testAccProviders, 319 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 320 Steps: []resource.TestStep{ 321 resource.TestStep{ 322 Config: testAccAWSSecurityGroupPrefixNameConfig, 323 Check: resource.ComposeTestCheckFunc( 324 testAccCheckAWSSecurityGroupExists("aws_security_group.baz", &group), 325 testAccCheckAWSSecurityGroupGeneratedNamePrefix( 326 "aws_security_group.baz", "baz-"), 327 ), 328 }, 329 }, 330 }) 331 } 332 333 func TestAccAWSSecurityGroup_self(t *testing.T) { 334 var group ec2.SecurityGroup 335 336 checkSelf := func(s *terraform.State) (err error) { 337 defer func() { 338 if e := recover(); e != nil { 339 err = fmt.Errorf("bad: %#v", group) 340 } 341 }() 342 343 if *group.IpPermissions[0].UserIdGroupPairs[0].GroupId != *group.GroupId { 344 return fmt.Errorf("bad: %#v", group) 345 } 346 347 return nil 348 } 349 350 resource.Test(t, resource.TestCase{ 351 PreCheck: func() { testAccPreCheck(t) }, 352 IDRefreshName: "aws_security_group.web", 353 Providers: testAccProviders, 354 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 355 Steps: []resource.TestStep{ 356 resource.TestStep{ 357 Config: testAccAWSSecurityGroupConfigSelf, 358 Check: resource.ComposeTestCheckFunc( 359 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 360 resource.TestCheckResourceAttr( 361 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 362 resource.TestCheckResourceAttr( 363 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 364 resource.TestCheckResourceAttr( 365 "aws_security_group.web", "ingress.3971148406.protocol", "tcp"), 366 resource.TestCheckResourceAttr( 367 "aws_security_group.web", "ingress.3971148406.from_port", "80"), 368 resource.TestCheckResourceAttr( 369 "aws_security_group.web", "ingress.3971148406.to_port", "8000"), 370 resource.TestCheckResourceAttr( 371 "aws_security_group.web", "ingress.3971148406.self", "true"), 372 checkSelf, 373 ), 374 }, 375 }, 376 }) 377 } 378 379 func TestAccAWSSecurityGroup_vpc(t *testing.T) { 380 var group ec2.SecurityGroup 381 382 testCheck := func(*terraform.State) error { 383 if *group.VpcId == "" { 384 return fmt.Errorf("should have vpc ID") 385 } 386 387 return nil 388 } 389 390 resource.Test(t, resource.TestCase{ 391 PreCheck: func() { testAccPreCheck(t) }, 392 IDRefreshName: "aws_security_group.web", 393 Providers: testAccProviders, 394 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 395 Steps: []resource.TestStep{ 396 resource.TestStep{ 397 Config: testAccAWSSecurityGroupConfigVpc, 398 Check: resource.ComposeTestCheckFunc( 399 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 400 testAccCheckAWSSecurityGroupAttributes(&group), 401 resource.TestCheckResourceAttr( 402 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 403 resource.TestCheckResourceAttr( 404 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 405 resource.TestCheckResourceAttr( 406 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 407 resource.TestCheckResourceAttr( 408 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 409 resource.TestCheckResourceAttr( 410 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 411 resource.TestCheckResourceAttr( 412 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 413 resource.TestCheckResourceAttr( 414 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 415 resource.TestCheckResourceAttr( 416 "aws_security_group.web", "egress.3629188364.protocol", "tcp"), 417 resource.TestCheckResourceAttr( 418 "aws_security_group.web", "egress.3629188364.from_port", "80"), 419 resource.TestCheckResourceAttr( 420 "aws_security_group.web", "egress.3629188364.to_port", "8000"), 421 resource.TestCheckResourceAttr( 422 "aws_security_group.web", "egress.3629188364.cidr_blocks.#", "1"), 423 resource.TestCheckResourceAttr( 424 "aws_security_group.web", "egress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 425 testCheck, 426 ), 427 }, 428 }, 429 }) 430 } 431 432 func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) { 433 var group ec2.SecurityGroup 434 435 testCheck := func(*terraform.State) error { 436 if *group.VpcId == "" { 437 return fmt.Errorf("should have vpc ID") 438 } 439 440 return nil 441 } 442 443 resource.Test(t, resource.TestCase{ 444 PreCheck: func() { testAccPreCheck(t) }, 445 IDRefreshName: "aws_security_group.web", 446 Providers: testAccProviders, 447 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 448 Steps: []resource.TestStep{ 449 resource.TestStep{ 450 Config: testAccAWSSecurityGroupConfigVpcNegOneIngress, 451 Check: resource.ComposeTestCheckFunc( 452 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 453 testAccCheckAWSSecurityGroupAttributesNegOneProtocol(&group), 454 resource.TestCheckResourceAttr( 455 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 456 resource.TestCheckResourceAttr( 457 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 458 resource.TestCheckResourceAttr( 459 "aws_security_group.web", "ingress.956249133.protocol", "-1"), 460 resource.TestCheckResourceAttr( 461 "aws_security_group.web", "ingress.956249133.from_port", "0"), 462 resource.TestCheckResourceAttr( 463 "aws_security_group.web", "ingress.956249133.to_port", "0"), 464 resource.TestCheckResourceAttr( 465 "aws_security_group.web", "ingress.956249133.cidr_blocks.#", "1"), 466 resource.TestCheckResourceAttr( 467 "aws_security_group.web", "ingress.956249133.cidr_blocks.0", "10.0.0.0/8"), 468 testCheck, 469 ), 470 }, 471 }, 472 }) 473 } 474 func TestAccAWSSecurityGroup_vpcProtoNumIngress(t *testing.T) { 475 var group ec2.SecurityGroup 476 477 testCheck := func(*terraform.State) error { 478 if *group.VpcId == "" { 479 return fmt.Errorf("should have vpc ID") 480 } 481 482 return nil 483 } 484 485 resource.Test(t, resource.TestCase{ 486 PreCheck: func() { testAccPreCheck(t) }, 487 IDRefreshName: "aws_security_group.web", 488 Providers: testAccProviders, 489 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 490 Steps: []resource.TestStep{ 491 resource.TestStep{ 492 Config: testAccAWSSecurityGroupConfigVpcProtoNumIngress, 493 Check: resource.ComposeTestCheckFunc( 494 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 495 resource.TestCheckResourceAttr( 496 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 497 resource.TestCheckResourceAttr( 498 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 499 resource.TestCheckResourceAttr( 500 "aws_security_group.web", "ingress.2449525218.protocol", "50"), 501 resource.TestCheckResourceAttr( 502 "aws_security_group.web", "ingress.2449525218.from_port", "0"), 503 resource.TestCheckResourceAttr( 504 "aws_security_group.web", "ingress.2449525218.to_port", "0"), 505 resource.TestCheckResourceAttr( 506 "aws_security_group.web", "ingress.2449525218.cidr_blocks.#", "1"), 507 resource.TestCheckResourceAttr( 508 "aws_security_group.web", "ingress.2449525218.cidr_blocks.0", "10.0.0.0/8"), 509 testCheck, 510 ), 511 }, 512 }, 513 }) 514 } 515 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) { 516 var group ec2.SecurityGroup 517 518 resource.Test(t, resource.TestCase{ 519 PreCheck: func() { testAccPreCheck(t) }, 520 IDRefreshName: "aws_security_group.web", 521 Providers: testAccProviders, 522 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 523 Steps: []resource.TestStep{ 524 resource.TestStep{ 525 Config: testAccAWSSecurityGroupConfigMultiIngress, 526 Check: resource.ComposeTestCheckFunc( 527 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 528 ), 529 }, 530 }, 531 }) 532 } 533 534 func TestAccAWSSecurityGroup_Change(t *testing.T) { 535 var group ec2.SecurityGroup 536 537 resource.Test(t, resource.TestCase{ 538 PreCheck: func() { testAccPreCheck(t) }, 539 IDRefreshName: "aws_security_group.web", 540 Providers: testAccProviders, 541 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 542 Steps: []resource.TestStep{ 543 resource.TestStep{ 544 Config: testAccAWSSecurityGroupConfig, 545 Check: resource.ComposeTestCheckFunc( 546 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 547 ), 548 }, 549 resource.TestStep{ 550 Config: testAccAWSSecurityGroupConfigChange, 551 Check: resource.ComposeTestCheckFunc( 552 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 553 testAccCheckAWSSecurityGroupAttributesChanged(&group), 554 ), 555 }, 556 }, 557 }) 558 } 559 560 func TestAccAWSSecurityGroup_generatedName(t *testing.T) { 561 var group ec2.SecurityGroup 562 563 resource.Test(t, resource.TestCase{ 564 PreCheck: func() { testAccPreCheck(t) }, 565 IDRefreshName: "aws_security_group.web", 566 Providers: testAccProviders, 567 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 568 Steps: []resource.TestStep{ 569 resource.TestStep{ 570 Config: testAccAWSSecurityGroupConfig_generatedName, 571 Check: resource.ComposeTestCheckFunc( 572 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 573 resource.TestCheckResourceAttr( 574 "aws_security_group.web", "description", "Managed by Terraform"), 575 func(s *terraform.State) error { 576 if group.GroupName == nil { 577 return fmt.Errorf("bad: No SG name") 578 } 579 if !strings.HasPrefix(*group.GroupName, "terraform-") { 580 return fmt.Errorf("No terraform- prefix: %s", *group.GroupName) 581 } 582 return nil 583 }, 584 ), 585 }, 586 }, 587 }) 588 } 589 590 func TestAccAWSSecurityGroup_DefaultEgress_VPC(t *testing.T) { 591 592 // VPC 593 resource.Test(t, resource.TestCase{ 594 PreCheck: func() { testAccPreCheck(t) }, 595 IDRefreshName: "aws_security_group.worker", 596 Providers: testAccProviders, 597 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 598 Steps: []resource.TestStep{ 599 resource.TestStep{ 600 Config: testAccAWSSecurityGroupConfigDefaultEgress, 601 Check: resource.ComposeTestCheckFunc( 602 testAccCheckAWSSecurityGroupExistsWithoutDefault("aws_security_group.worker"), 603 ), 604 }, 605 }, 606 }) 607 } 608 609 func TestAccAWSSecurityGroup_DefaultEgress_Classic(t *testing.T) { 610 611 // Classic 612 var group ec2.SecurityGroup 613 resource.Test(t, resource.TestCase{ 614 PreCheck: func() { testAccPreCheck(t) }, 615 IDRefreshName: "aws_security_group.web", 616 Providers: testAccProviders, 617 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 618 Steps: []resource.TestStep{ 619 resource.TestStep{ 620 Config: testAccAWSSecurityGroupConfigClassic, 621 Check: resource.ComposeTestCheckFunc( 622 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 623 ), 624 }, 625 }, 626 }) 627 } 628 629 // Testing drift detection with groups containing the same port and types 630 func TestAccAWSSecurityGroup_drift(t *testing.T) { 631 var group ec2.SecurityGroup 632 resource.Test(t, resource.TestCase{ 633 PreCheck: func() { testAccPreCheck(t) }, 634 Providers: testAccProviders, 635 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 636 Steps: []resource.TestStep{ 637 resource.TestStep{ 638 Config: testAccAWSSecurityGroupConfig_drift(), 639 Check: resource.ComposeTestCheckFunc( 640 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 641 resource.TestCheckResourceAttr( 642 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 643 resource.TestCheckResourceAttr( 644 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 645 resource.TestCheckResourceAttr( 646 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 647 resource.TestCheckResourceAttr( 648 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 649 resource.TestCheckResourceAttr( 650 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 651 resource.TestCheckResourceAttr( 652 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 653 ), 654 }, 655 }, 656 }) 657 } 658 659 func TestAccAWSSecurityGroup_drift_complex(t *testing.T) { 660 var group ec2.SecurityGroup 661 662 resource.Test(t, resource.TestCase{ 663 PreCheck: func() { testAccPreCheck(t) }, 664 Providers: testAccProviders, 665 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 666 Steps: []resource.TestStep{ 667 resource.TestStep{ 668 Config: testAccAWSSecurityGroupConfig_drift_complex(), 669 Check: resource.ComposeTestCheckFunc( 670 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 671 resource.TestCheckResourceAttr( 672 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 673 resource.TestCheckResourceAttr( 674 "aws_security_group.web", "ingress.3629188364.protocol", "tcp"), 675 resource.TestCheckResourceAttr( 676 "aws_security_group.web", "ingress.3629188364.from_port", "80"), 677 resource.TestCheckResourceAttr( 678 "aws_security_group.web", "ingress.3629188364.to_port", "8000"), 679 resource.TestCheckResourceAttr( 680 "aws_security_group.web", "ingress.3629188364.cidr_blocks.#", "1"), 681 resource.TestCheckResourceAttr( 682 "aws_security_group.web", "ingress.3629188364.cidr_blocks.0", "10.0.0.0/8"), 683 ), 684 }, 685 }, 686 }) 687 } 688 689 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error { 690 conn := testAccProvider.Meta().(*AWSClient).ec2conn 691 692 for _, rs := range s.RootModule().Resources { 693 if rs.Type != "aws_security_group" { 694 continue 695 } 696 697 // Retrieve our group 698 req := &ec2.DescribeSecurityGroupsInput{ 699 GroupIds: []*string{aws.String(rs.Primary.ID)}, 700 } 701 resp, err := conn.DescribeSecurityGroups(req) 702 if err == nil { 703 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 704 return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID) 705 } 706 707 return nil 708 } 709 710 ec2err, ok := err.(awserr.Error) 711 if !ok { 712 return err 713 } 714 // Confirm error code is what we want 715 if ec2err.Code() != "InvalidGroup.NotFound" { 716 return err 717 } 718 } 719 720 return nil 721 } 722 723 func testAccCheckAWSSecurityGroupGeneratedNamePrefix( 724 resource, prefix string) resource.TestCheckFunc { 725 return func(s *terraform.State) error { 726 r, ok := s.RootModule().Resources[resource] 727 if !ok { 728 return fmt.Errorf("Resource not found") 729 } 730 name, ok := r.Primary.Attributes["name"] 731 if !ok { 732 return fmt.Errorf("Name attr not found: %#v", r.Primary.Attributes) 733 } 734 if !strings.HasPrefix(name, prefix) { 735 return fmt.Errorf("Name: %q, does not have prefix: %q", name, prefix) 736 } 737 return nil 738 } 739 } 740 741 func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc { 742 return func(s *terraform.State) error { 743 rs, ok := s.RootModule().Resources[n] 744 if !ok { 745 return fmt.Errorf("Not found: %s", n) 746 } 747 748 if rs.Primary.ID == "" { 749 return fmt.Errorf("No Security Group is set") 750 } 751 752 conn := testAccProvider.Meta().(*AWSClient).ec2conn 753 req := &ec2.DescribeSecurityGroupsInput{ 754 GroupIds: []*string{aws.String(rs.Primary.ID)}, 755 } 756 resp, err := conn.DescribeSecurityGroups(req) 757 if err != nil { 758 return err 759 } 760 761 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 762 *group = *resp.SecurityGroups[0] 763 return nil 764 } 765 766 return fmt.Errorf("Security Group not found") 767 } 768 } 769 770 func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 771 return func(s *terraform.State) error { 772 p := &ec2.IpPermission{ 773 FromPort: aws.Int64(80), 774 ToPort: aws.Int64(8000), 775 IpProtocol: aws.String("tcp"), 776 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 777 } 778 779 if *group.GroupName != "terraform_acceptance_test_example" { 780 return fmt.Errorf("Bad name: %s", *group.GroupName) 781 } 782 783 if *group.Description != "Used in the terraform acceptance tests" { 784 return fmt.Errorf("Bad description: %s", *group.Description) 785 } 786 787 if len(group.IpPermissions) == 0 { 788 return fmt.Errorf("No IPPerms") 789 } 790 791 // Compare our ingress 792 if !reflect.DeepEqual(group.IpPermissions[0], p) { 793 return fmt.Errorf( 794 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 795 group.IpPermissions[0], 796 p) 797 } 798 799 return nil 800 } 801 } 802 803 func testAccCheckAWSSecurityGroupAttributesNegOneProtocol(group *ec2.SecurityGroup) resource.TestCheckFunc { 804 return func(s *terraform.State) error { 805 p := &ec2.IpPermission{ 806 IpProtocol: aws.String("-1"), 807 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 808 } 809 810 if *group.GroupName != "terraform_acceptance_test_example" { 811 return fmt.Errorf("Bad name: %s", *group.GroupName) 812 } 813 814 if *group.Description != "Used in the terraform acceptance tests" { 815 return fmt.Errorf("Bad description: %s", *group.Description) 816 } 817 818 if len(group.IpPermissions) == 0 { 819 return fmt.Errorf("No IPPerms") 820 } 821 822 // Compare our ingress 823 if !reflect.DeepEqual(group.IpPermissions[0], p) { 824 return fmt.Errorf( 825 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 826 group.IpPermissions[0], 827 p) 828 } 829 830 return nil 831 } 832 } 833 834 func TestAccAWSSecurityGroup_tags(t *testing.T) { 835 var group ec2.SecurityGroup 836 837 resource.Test(t, resource.TestCase{ 838 PreCheck: func() { testAccPreCheck(t) }, 839 Providers: testAccProviders, 840 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 841 Steps: []resource.TestStep{ 842 resource.TestStep{ 843 Config: testAccAWSSecurityGroupConfigTags, 844 Check: resource.ComposeTestCheckFunc( 845 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 846 testAccCheckTags(&group.Tags, "foo", "bar"), 847 ), 848 }, 849 850 resource.TestStep{ 851 Config: testAccAWSSecurityGroupConfigTagsUpdate, 852 Check: resource.ComposeTestCheckFunc( 853 testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group), 854 testAccCheckTags(&group.Tags, "foo", ""), 855 testAccCheckTags(&group.Tags, "bar", "baz"), 856 testAccCheckTags(&group.Tags, "env", "Production"), 857 ), 858 }, 859 }, 860 }) 861 } 862 863 func TestAccAWSSecurityGroup_CIDRandGroups(t *testing.T) { 864 var group ec2.SecurityGroup 865 866 resource.Test(t, resource.TestCase{ 867 PreCheck: func() { testAccPreCheck(t) }, 868 Providers: testAccProviders, 869 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 870 Steps: []resource.TestStep{ 871 resource.TestStep{ 872 Config: testAccAWSSecurityGroupCombindCIDRandGroups, 873 Check: resource.ComposeTestCheckFunc( 874 testAccCheckAWSSecurityGroupExists("aws_security_group.mixed", &group), 875 // testAccCheckAWSSecurityGroupAttributes(&group), 876 ), 877 }, 878 }, 879 }) 880 } 881 882 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs(t *testing.T) { 883 var group ec2.SecurityGroup 884 885 resource.Test(t, resource.TestCase{ 886 PreCheck: func() { testAccPreCheck(t) }, 887 Providers: testAccProviders, 888 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 889 Steps: []resource.TestStep{ 890 resource.TestStep{ 891 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs, 892 Check: resource.ComposeTestCheckFunc( 893 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 894 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 895 resource.TestCheckResourceAttr( 896 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 897 resource.TestCheckResourceAttr( 898 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 899 resource.TestCheckResourceAttr( 900 "aws_security_group.web", "ingress.#", "2"), 901 ), 902 }, 903 }, 904 }) 905 } 906 907 // This test requires an EC2 Classic region 908 func TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic(t *testing.T) { 909 var group ec2.SecurityGroup 910 911 resource.Test(t, resource.TestCase{ 912 PreCheck: func() { testAccPreCheck(t) }, 913 Providers: testAccProviders, 914 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 915 Steps: []resource.TestStep{ 916 resource.TestStep{ 917 Config: testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic, 918 Check: resource.ComposeTestCheckFunc( 919 testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group), 920 testAccCheckAWSSecurityGroupSGandCidrAttributes(&group), 921 resource.TestCheckResourceAttr( 922 "aws_security_group.web", "name", "terraform_acceptance_test_example"), 923 resource.TestCheckResourceAttr( 924 "aws_security_group.web", "description", "Used in the terraform acceptance tests"), 925 resource.TestCheckResourceAttr( 926 "aws_security_group.web", "ingress.#", "2"), 927 ), 928 }, 929 }, 930 }) 931 } 932 933 func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) { 934 var group ec2.SecurityGroup 935 936 resource.Test(t, resource.TestCase{ 937 PreCheck: func() { testAccPreCheck(t) }, 938 Providers: testAccProviders, 939 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 940 Steps: []resource.TestStep{ 941 resource.TestStep{ 942 Config: testAccAWSSecurityGroupConfigPrefixListEgress, 943 Check: resource.ComposeTestCheckFunc( 944 testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group), 945 testAccCheckAWSSecurityGroupPrefixListAttributes(&group), 946 resource.TestCheckResourceAttr( 947 "aws_security_group.egress", "egress.#", "1"), 948 ), 949 }, 950 }, 951 }) 952 } 953 954 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 955 return func(s *terraform.State) error { 956 if *group.GroupName != "terraform_acceptance_test_example" { 957 return fmt.Errorf("Bad name: %s", *group.GroupName) 958 } 959 960 if *group.Description != "Used in the terraform acceptance tests" { 961 return fmt.Errorf("Bad description: %s", *group.Description) 962 } 963 964 if len(group.IpPermissions) == 0 { 965 return fmt.Errorf("No IPPerms") 966 } 967 968 if len(group.IpPermissions) != 2 { 969 return fmt.Errorf("Expected 2 ingress rules, got %d", len(group.IpPermissions)) 970 } 971 972 for _, p := range group.IpPermissions { 973 if *p.FromPort == int64(22) { 974 if len(p.IpRanges) != 1 || p.UserIdGroupPairs != nil { 975 return fmt.Errorf("Found ip perm of 22, but not the right ipranges / pairs: %s", p) 976 } 977 continue 978 } else if *p.FromPort == int64(80) { 979 if len(p.IpRanges) != 1 || len(p.UserIdGroupPairs) != 1 { 980 return fmt.Errorf("Found ip perm of 80, but not the right ipranges / pairs: %s", p) 981 } 982 continue 983 } 984 return fmt.Errorf("Found a rouge rule") 985 } 986 987 return nil 988 } 989 } 990 991 func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc { 992 return func(s *terraform.State) error { 993 if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" { 994 return fmt.Errorf("Bad name: %s", *group.GroupName) 995 } 996 if *group.Description != "Used in the terraform acceptance tests" { 997 return fmt.Errorf("Bad description: %s", *group.Description) 998 } 999 if len(group.IpPermissionsEgress) == 0 { 1000 return fmt.Errorf("No egress IPPerms") 1001 } 1002 if len(group.IpPermissionsEgress) != 1 { 1003 return fmt.Errorf("Expected 1 egress rule, got %d", len(group.IpPermissions)) 1004 } 1005 1006 p := group.IpPermissionsEgress[0] 1007 1008 if len(p.PrefixListIds) != 1 { 1009 return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds)) 1010 } 1011 1012 return nil 1013 } 1014 } 1015 1016 func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc { 1017 return func(s *terraform.State) error { 1018 p := []*ec2.IpPermission{ 1019 &ec2.IpPermission{ 1020 FromPort: aws.Int64(80), 1021 ToPort: aws.Int64(9000), 1022 IpProtocol: aws.String("tcp"), 1023 IpRanges: []*ec2.IpRange{&ec2.IpRange{CidrIp: aws.String("10.0.0.0/8")}}, 1024 }, 1025 &ec2.IpPermission{ 1026 FromPort: aws.Int64(80), 1027 ToPort: aws.Int64(8000), 1028 IpProtocol: aws.String("tcp"), 1029 IpRanges: []*ec2.IpRange{ 1030 &ec2.IpRange{ 1031 CidrIp: aws.String("0.0.0.0/0"), 1032 }, 1033 &ec2.IpRange{ 1034 CidrIp: aws.String("10.0.0.0/8"), 1035 }, 1036 }, 1037 }, 1038 } 1039 1040 if *group.GroupName != "terraform_acceptance_test_example" { 1041 return fmt.Errorf("Bad name: %s", *group.GroupName) 1042 } 1043 1044 if *group.Description != "Used in the terraform acceptance tests" { 1045 return fmt.Errorf("Bad description: %s", *group.Description) 1046 } 1047 1048 // Compare our ingress 1049 if len(group.IpPermissions) != 2 { 1050 return fmt.Errorf( 1051 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1052 group.IpPermissions, 1053 p) 1054 } 1055 1056 if *group.IpPermissions[0].ToPort == 8000 { 1057 group.IpPermissions[1], group.IpPermissions[0] = 1058 group.IpPermissions[0], group.IpPermissions[1] 1059 } 1060 1061 if !reflect.DeepEqual(group.IpPermissions, p) { 1062 return fmt.Errorf( 1063 "Got:\n\n%#v\n\nExpected:\n\n%#v\n", 1064 group.IpPermissions, 1065 p) 1066 } 1067 1068 return nil 1069 } 1070 } 1071 1072 func testAccCheckAWSSecurityGroupExistsWithoutDefault(n string) resource.TestCheckFunc { 1073 return func(s *terraform.State) error { 1074 rs, ok := s.RootModule().Resources[n] 1075 if !ok { 1076 return fmt.Errorf("Not found: %s", n) 1077 } 1078 1079 if rs.Primary.ID == "" { 1080 return fmt.Errorf("No Security Group is set") 1081 } 1082 1083 conn := testAccProvider.Meta().(*AWSClient).ec2conn 1084 req := &ec2.DescribeSecurityGroupsInput{ 1085 GroupIds: []*string{aws.String(rs.Primary.ID)}, 1086 } 1087 resp, err := conn.DescribeSecurityGroups(req) 1088 if err != nil { 1089 return err 1090 } 1091 1092 if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupId == rs.Primary.ID { 1093 group := *resp.SecurityGroups[0] 1094 1095 if len(group.IpPermissionsEgress) != 1 { 1096 return fmt.Errorf("Security Group should have only 1 egress rule, got %d", len(group.IpPermissionsEgress)) 1097 } 1098 } 1099 1100 return nil 1101 } 1102 } 1103 1104 func TestAccAWSSecurityGroup_failWithDiffMismatch(t *testing.T) { 1105 var group ec2.SecurityGroup 1106 1107 resource.Test(t, resource.TestCase{ 1108 PreCheck: func() { testAccPreCheck(t) }, 1109 Providers: testAccProviders, 1110 CheckDestroy: testAccCheckAWSSecurityGroupDestroy, 1111 Steps: []resource.TestStep{ 1112 resource.TestStep{ 1113 Config: testAccAWSSecurityGroupConfig_failWithDiffMismatch, 1114 Check: resource.ComposeTestCheckFunc( 1115 testAccCheckAWSSecurityGroupExists("aws_security_group.nat", &group), 1116 ), 1117 }, 1118 }, 1119 }) 1120 } 1121 1122 const testAccAWSSecurityGroupConfigForTagsOrdering = ` 1123 resource "aws_vpc" "foo" { 1124 cidr_block = "10.1.0.0/16" 1125 } 1126 1127 resource "aws_security_group" "web" { 1128 name = "terraform_acceptance_test_example" 1129 description = "Used in the terraform acceptance tests" 1130 vpc_id = "${aws_vpc.foo.id}" 1131 1132 ingress { 1133 protocol = "6" 1134 from_port = 80 1135 to_port = 80000 1136 cidr_blocks = ["10.0.0.0/8"] 1137 } 1138 1139 egress { 1140 protocol = "tcp" 1141 from_port = 80 1142 to_port = 8000 1143 cidr_blocks = ["10.0.0.0/8"] 1144 } 1145 1146 tags { 1147 Name = "tf-acc-test" 1148 } 1149 }` 1150 1151 const testAccAWSSecurityGroupConfig = ` 1152 resource "aws_vpc" "foo" { 1153 cidr_block = "10.1.0.0/16" 1154 } 1155 1156 resource "aws_security_group" "web" { 1157 name = "terraform_acceptance_test_example" 1158 description = "Used in the terraform acceptance tests" 1159 vpc_id = "${aws_vpc.foo.id}" 1160 1161 ingress { 1162 protocol = "6" 1163 from_port = 80 1164 to_port = 8000 1165 cidr_blocks = ["10.0.0.0/8"] 1166 } 1167 1168 egress { 1169 protocol = "tcp" 1170 from_port = 80 1171 to_port = 8000 1172 cidr_blocks = ["10.0.0.0/8"] 1173 } 1174 1175 tags { 1176 Name = "tf-acc-test" 1177 } 1178 } 1179 ` 1180 1181 const testAccAWSSecurityGroupConfigChange = ` 1182 resource "aws_vpc" "foo" { 1183 cidr_block = "10.1.0.0/16" 1184 } 1185 1186 resource "aws_security_group" "web" { 1187 name = "terraform_acceptance_test_example" 1188 description = "Used in the terraform acceptance tests" 1189 vpc_id = "${aws_vpc.foo.id}" 1190 1191 ingress { 1192 protocol = "tcp" 1193 from_port = 80 1194 to_port = 9000 1195 cidr_blocks = ["10.0.0.0/8"] 1196 } 1197 1198 ingress { 1199 protocol = "tcp" 1200 from_port = 80 1201 to_port = 8000 1202 cidr_blocks = ["0.0.0.0/0", "10.0.0.0/8"] 1203 } 1204 1205 egress { 1206 protocol = "tcp" 1207 from_port = 80 1208 to_port = 8000 1209 cidr_blocks = ["10.0.0.0/8"] 1210 } 1211 } 1212 ` 1213 1214 const testAccAWSSecurityGroupConfigSelf = ` 1215 resource "aws_vpc" "foo" { 1216 cidr_block = "10.1.0.0/16" 1217 } 1218 1219 resource "aws_security_group" "web" { 1220 name = "terraform_acceptance_test_example" 1221 description = "Used in the terraform acceptance tests" 1222 vpc_id = "${aws_vpc.foo.id}" 1223 1224 ingress { 1225 protocol = "tcp" 1226 from_port = 80 1227 to_port = 8000 1228 self = true 1229 } 1230 1231 egress { 1232 protocol = "tcp" 1233 from_port = 80 1234 to_port = 8000 1235 cidr_blocks = ["10.0.0.0/8"] 1236 } 1237 } 1238 ` 1239 1240 const testAccAWSSecurityGroupConfigVpc = ` 1241 resource "aws_vpc" "foo" { 1242 cidr_block = "10.1.0.0/16" 1243 } 1244 1245 resource "aws_security_group" "web" { 1246 name = "terraform_acceptance_test_example" 1247 description = "Used in the terraform acceptance tests" 1248 vpc_id = "${aws_vpc.foo.id}" 1249 1250 ingress { 1251 protocol = "tcp" 1252 from_port = 80 1253 to_port = 8000 1254 cidr_blocks = ["10.0.0.0/8"] 1255 } 1256 1257 egress { 1258 protocol = "tcp" 1259 from_port = 80 1260 to_port = 8000 1261 cidr_blocks = ["10.0.0.0/8"] 1262 } 1263 } 1264 ` 1265 1266 const testAccAWSSecurityGroupConfigVpcNegOneIngress = ` 1267 resource "aws_vpc" "foo" { 1268 cidr_block = "10.1.0.0/16" 1269 } 1270 1271 resource "aws_security_group" "web" { 1272 name = "terraform_acceptance_test_example" 1273 description = "Used in the terraform acceptance tests" 1274 vpc_id = "${aws_vpc.foo.id}" 1275 1276 ingress { 1277 protocol = "-1" 1278 from_port = 0 1279 to_port = 0 1280 cidr_blocks = ["10.0.0.0/8"] 1281 } 1282 } 1283 ` 1284 1285 const testAccAWSSecurityGroupConfigVpcProtoNumIngress = ` 1286 resource "aws_vpc" "foo" { 1287 cidr_block = "10.1.0.0/16" 1288 } 1289 1290 resource "aws_security_group" "web" { 1291 name = "terraform_acceptance_test_example" 1292 description = "Used in the terraform acceptance tests" 1293 vpc_id = "${aws_vpc.foo.id}" 1294 1295 ingress { 1296 protocol = "50" 1297 from_port = 0 1298 to_port = 0 1299 cidr_blocks = ["10.0.0.0/8"] 1300 } 1301 } 1302 ` 1303 1304 const testAccAWSSecurityGroupConfigMultiIngress = ` 1305 resource "aws_vpc" "foo" { 1306 cidr_block = "10.1.0.0/16" 1307 } 1308 1309 resource "aws_security_group" "worker" { 1310 name = "terraform_acceptance_test_example_1" 1311 description = "Used in the terraform acceptance tests" 1312 vpc_id = "${aws_vpc.foo.id}" 1313 1314 ingress { 1315 protocol = "tcp" 1316 from_port = 80 1317 to_port = 8000 1318 cidr_blocks = ["10.0.0.0/8"] 1319 } 1320 1321 egress { 1322 protocol = "tcp" 1323 from_port = 80 1324 to_port = 8000 1325 cidr_blocks = ["10.0.0.0/8"] 1326 } 1327 } 1328 1329 resource "aws_security_group" "web" { 1330 name = "terraform_acceptance_test_example_2" 1331 description = "Used in the terraform acceptance tests" 1332 vpc_id = "${aws_vpc.foo.id}" 1333 1334 ingress { 1335 protocol = "tcp" 1336 from_port = 22 1337 to_port = 22 1338 cidr_blocks = ["10.0.0.0/8"] 1339 } 1340 1341 ingress { 1342 protocol = "tcp" 1343 from_port = 800 1344 to_port = 800 1345 cidr_blocks = ["10.0.0.0/8"] 1346 } 1347 1348 ingress { 1349 protocol = "tcp" 1350 from_port = 80 1351 to_port = 8000 1352 security_groups = ["${aws_security_group.worker.id}"] 1353 } 1354 1355 egress { 1356 protocol = "tcp" 1357 from_port = 80 1358 to_port = 8000 1359 cidr_blocks = ["10.0.0.0/8"] 1360 } 1361 } 1362 ` 1363 1364 const testAccAWSSecurityGroupConfigTags = ` 1365 resource "aws_vpc" "foo" { 1366 cidr_block = "10.1.0.0/16" 1367 } 1368 1369 resource "aws_security_group" "foo" { 1370 name = "terraform_acceptance_test_example" 1371 description = "Used in the terraform acceptance tests" 1372 vpc_id = "${aws_vpc.foo.id}" 1373 1374 ingress { 1375 protocol = "tcp" 1376 from_port = 80 1377 to_port = 8000 1378 cidr_blocks = ["10.0.0.0/8"] 1379 } 1380 1381 egress { 1382 protocol = "tcp" 1383 from_port = 80 1384 to_port = 8000 1385 cidr_blocks = ["10.0.0.0/8"] 1386 } 1387 1388 tags { 1389 foo = "bar" 1390 } 1391 } 1392 ` 1393 1394 const testAccAWSSecurityGroupConfigTagsUpdate = ` 1395 resource "aws_vpc" "foo" { 1396 cidr_block = "10.1.0.0/16" 1397 } 1398 1399 resource "aws_security_group" "foo" { 1400 name = "terraform_acceptance_test_example" 1401 description = "Used in the terraform acceptance tests" 1402 vpc_id = "${aws_vpc.foo.id}" 1403 1404 ingress { 1405 protocol = "tcp" 1406 from_port = 80 1407 to_port = 8000 1408 cidr_blocks = ["10.0.0.0/8"] 1409 } 1410 1411 egress { 1412 protocol = "tcp" 1413 from_port = 80 1414 to_port = 8000 1415 cidr_blocks = ["10.0.0.0/8"] 1416 } 1417 1418 tags { 1419 bar = "baz" 1420 env = "Production" 1421 } 1422 } 1423 ` 1424 1425 const testAccAWSSecurityGroupConfig_generatedName = ` 1426 resource "aws_vpc" "foo" { 1427 cidr_block = "10.1.0.0/16" 1428 } 1429 1430 resource "aws_security_group" "web" { 1431 vpc_id = "${aws_vpc.foo.id}" 1432 1433 ingress { 1434 protocol = "tcp" 1435 from_port = 80 1436 to_port = 8000 1437 cidr_blocks = ["10.0.0.0/8"] 1438 } 1439 1440 egress { 1441 protocol = "tcp" 1442 from_port = 80 1443 to_port = 8000 1444 cidr_blocks = ["10.0.0.0/8"] 1445 } 1446 1447 tags { 1448 Name = "tf-acc-test" 1449 } 1450 } 1451 ` 1452 1453 const testAccAWSSecurityGroupConfigDefaultEgress = ` 1454 resource "aws_vpc" "tf_sg_egress_test" { 1455 cidr_block = "10.0.0.0/16" 1456 tags { 1457 Name = "tf_sg_egress_test" 1458 } 1459 } 1460 1461 resource "aws_security_group" "worker" { 1462 name = "terraform_acceptance_test_example_1" 1463 description = "Used in the terraform acceptance tests" 1464 vpc_id = "${aws_vpc.tf_sg_egress_test.id}" 1465 1466 egress { 1467 protocol = "tcp" 1468 from_port = 80 1469 to_port = 8000 1470 cidr_blocks = ["10.0.0.0/8"] 1471 } 1472 } 1473 ` 1474 1475 const testAccAWSSecurityGroupConfigClassic = ` 1476 provider "aws" { 1477 region = "us-east-1" 1478 } 1479 1480 resource "aws_security_group" "web" { 1481 name = "terraform_acceptance_test_example_1" 1482 description = "Used in the terraform acceptance tests" 1483 } 1484 ` 1485 1486 const testAccAWSSecurityGroupPrefixNameConfig = ` 1487 provider "aws" { 1488 region = "us-east-1" 1489 } 1490 1491 resource "aws_security_group" "baz" { 1492 name_prefix = "baz-" 1493 description = "Used in the terraform acceptance tests" 1494 } 1495 ` 1496 1497 func testAccAWSSecurityGroupConfig_drift() string { 1498 return fmt.Sprintf(` 1499 resource "aws_security_group" "web" { 1500 name = "tf_acc_%d" 1501 description = "Used in the terraform acceptance tests" 1502 1503 ingress { 1504 protocol = "tcp" 1505 from_port = 80 1506 to_port = 8000 1507 cidr_blocks = ["10.0.0.0/8"] 1508 } 1509 1510 ingress { 1511 protocol = "tcp" 1512 from_port = 80 1513 to_port = 8000 1514 cidr_blocks = ["206.0.0.0/8"] 1515 } 1516 1517 tags { 1518 Name = "tf-acc-test" 1519 } 1520 } 1521 `, acctest.RandInt()) 1522 } 1523 1524 func testAccAWSSecurityGroupConfig_drift_complex() string { 1525 return fmt.Sprintf(` 1526 resource "aws_vpc" "foo" { 1527 cidr_block = "10.1.0.0/16" 1528 } 1529 1530 resource "aws_security_group" "otherweb" { 1531 name = "tf_acc_%d" 1532 description = "Used in the terraform acceptance tests" 1533 vpc_id = "${aws_vpc.foo.id}" 1534 } 1535 1536 resource "aws_security_group" "web" { 1537 name = "tf_acc_%d" 1538 description = "Used in the terraform acceptance tests" 1539 vpc_id = "${aws_vpc.foo.id}" 1540 1541 ingress { 1542 protocol = "tcp" 1543 from_port = 80 1544 to_port = 8000 1545 cidr_blocks = ["10.0.0.0/8"] 1546 } 1547 1548 ingress { 1549 protocol = "tcp" 1550 from_port = 80 1551 to_port = 8000 1552 cidr_blocks = ["206.0.0.0/8"] 1553 } 1554 1555 ingress { 1556 protocol = "tcp" 1557 from_port = 22 1558 to_port = 22 1559 security_groups = ["${aws_security_group.otherweb.id}"] 1560 } 1561 1562 egress { 1563 protocol = "tcp" 1564 from_port = 80 1565 to_port = 8000 1566 cidr_blocks = ["206.0.0.0/8"] 1567 } 1568 1569 egress { 1570 protocol = "tcp" 1571 from_port = 80 1572 to_port = 8000 1573 cidr_blocks = ["10.0.0.0/8"] 1574 } 1575 1576 egress { 1577 protocol = "tcp" 1578 from_port = 22 1579 to_port = 22 1580 security_groups = ["${aws_security_group.otherweb.id}"] 1581 } 1582 1583 tags { 1584 Name = "tf-acc-test" 1585 } 1586 }`, acctest.RandInt(), acctest.RandInt()) 1587 } 1588 1589 const testAccAWSSecurityGroupCombindCIDRandGroups = ` 1590 resource "aws_vpc" "foo" { 1591 cidr_block = "10.1.0.0/16" 1592 } 1593 1594 resource "aws_security_group" "two" { 1595 name = "tf-test-1" 1596 vpc_id = "${aws_vpc.foo.id}" 1597 tags { 1598 Name = "tf-test-1" 1599 } 1600 } 1601 1602 resource "aws_security_group" "one" { 1603 name = "tf-test-2" 1604 vpc_id = "${aws_vpc.foo.id}" 1605 tags { 1606 Name = "tf-test-w" 1607 } 1608 } 1609 1610 resource "aws_security_group" "three" { 1611 name = "tf-test-3" 1612 vpc_id = "${aws_vpc.foo.id}" 1613 tags { 1614 Name = "tf-test-3" 1615 } 1616 } 1617 1618 resource "aws_security_group" "mixed" { 1619 name = "tf-mix-test" 1620 vpc_id = "${aws_vpc.foo.id}" 1621 1622 ingress { 1623 from_port = 80 1624 to_port = 80 1625 protocol = "tcp" 1626 cidr_blocks = ["10.0.0.0/16", "10.1.0.0/16", "10.7.0.0/16"] 1627 1628 security_groups = [ 1629 "${aws_security_group.one.id}", 1630 "${aws_security_group.two.id}", 1631 "${aws_security_group.three.id}", 1632 ] 1633 } 1634 1635 tags { 1636 Name = "tf-mix-test" 1637 } 1638 } 1639 ` 1640 1641 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs = ` 1642 resource "aws_vpc" "foo" { 1643 cidr_block = "10.1.0.0/16" 1644 } 1645 1646 resource "aws_security_group" "other_web" { 1647 name = "tf_other_acc_tests" 1648 description = "Used in the terraform acceptance tests" 1649 vpc_id = "${aws_vpc.foo.id}" 1650 1651 tags { 1652 Name = "tf-acc-test" 1653 } 1654 } 1655 1656 resource "aws_security_group" "web" { 1657 name = "terraform_acceptance_test_example" 1658 description = "Used in the terraform acceptance tests" 1659 vpc_id = "${aws_vpc.foo.id}" 1660 1661 ingress { 1662 protocol = "tcp" 1663 from_port = "22" 1664 to_port = "22" 1665 1666 cidr_blocks = [ 1667 "192.168.0.1/32", 1668 ] 1669 } 1670 1671 ingress { 1672 protocol = "tcp" 1673 from_port = 80 1674 to_port = 8000 1675 cidr_blocks = ["10.0.0.0/8"] 1676 security_groups = ["${aws_security_group.other_web.id}"] 1677 } 1678 1679 egress { 1680 protocol = "tcp" 1681 from_port = 80 1682 to_port = 8000 1683 cidr_blocks = ["10.0.0.0/8"] 1684 } 1685 1686 tags { 1687 Name = "tf-acc-test" 1688 } 1689 } 1690 ` 1691 1692 const testAccAWSSecurityGroupConfig_ingressWithCidrAndSGs_classic = ` 1693 provider "aws" { 1694 region = "us-east-1" 1695 } 1696 1697 resource "aws_security_group" "other_web" { 1698 name = "tf_other_acc_tests" 1699 description = "Used in the terraform acceptance tests" 1700 1701 tags { 1702 Name = "tf-acc-test" 1703 } 1704 } 1705 1706 resource "aws_security_group" "web" { 1707 name = "terraform_acceptance_test_example" 1708 description = "Used in the terraform acceptance tests" 1709 1710 ingress { 1711 protocol = "tcp" 1712 from_port = "22" 1713 to_port = "22" 1714 1715 cidr_blocks = [ 1716 "192.168.0.1/32", 1717 ] 1718 } 1719 1720 ingress { 1721 protocol = "tcp" 1722 from_port = 80 1723 to_port = 8000 1724 cidr_blocks = ["10.0.0.0/8"] 1725 security_groups = ["${aws_security_group.other_web.name}"] 1726 } 1727 1728 tags { 1729 Name = "tf-acc-test" 1730 } 1731 } 1732 ` 1733 1734 // fails to apply in one pass with the error "diffs didn't match during apply" 1735 // GH-2027 1736 const testAccAWSSecurityGroupConfig_failWithDiffMismatch = ` 1737 resource "aws_vpc" "main" { 1738 cidr_block = "10.0.0.0/16" 1739 1740 tags { 1741 Name = "tf-test" 1742 } 1743 } 1744 1745 resource "aws_security_group" "ssh_base" { 1746 name = "test-ssh-base" 1747 vpc_id = "${aws_vpc.main.id}" 1748 } 1749 1750 resource "aws_security_group" "jump" { 1751 name = "test-jump" 1752 vpc_id = "${aws_vpc.main.id}" 1753 } 1754 1755 resource "aws_security_group" "provision" { 1756 name = "test-provision" 1757 vpc_id = "${aws_vpc.main.id}" 1758 } 1759 1760 resource "aws_security_group" "nat" { 1761 vpc_id = "${aws_vpc.main.id}" 1762 name = "nat" 1763 description = "For nat servers " 1764 1765 ingress { 1766 from_port = 22 1767 to_port = 22 1768 protocol = "tcp" 1769 security_groups = ["${aws_security_group.jump.id}"] 1770 } 1771 1772 ingress { 1773 from_port = 22 1774 to_port = 22 1775 protocol = "tcp" 1776 security_groups = ["${aws_security_group.provision.id}"] 1777 } 1778 } 1779 ` 1780 const testAccAWSSecurityGroupConfig_importSelf = ` 1781 resource "aws_vpc" "foo" { 1782 cidr_block = "10.1.0.0/16" 1783 1784 tags { 1785 Name = "tf_sg_import_test" 1786 } 1787 } 1788 1789 resource "aws_security_group" "allow_all" { 1790 name = "allow_all" 1791 description = "Allow all inbound traffic" 1792 vpc_id = "${aws_vpc.foo.id}" 1793 } 1794 1795 resource "aws_security_group_rule" "allow_all" { 1796 type = "ingress" 1797 from_port = 0 1798 to_port = 65535 1799 protocol = "tcp" 1800 cidr_blocks = ["0.0.0.0/0"] 1801 1802 security_group_id = "${aws_security_group.allow_all.id}" 1803 } 1804 1805 resource "aws_security_group_rule" "allow_all-1" { 1806 type = "ingress" 1807 from_port = 65534 1808 to_port = 65535 1809 protocol = "tcp" 1810 1811 self = true 1812 security_group_id = "${aws_security_group.allow_all.id}" 1813 } 1814 ` 1815 1816 const testAccAWSSecurityGroupConfig_importSourceSecurityGroup = ` 1817 resource "aws_vpc" "foo" { 1818 cidr_block = "10.1.0.0/16" 1819 1820 tags { 1821 Name = "tf_sg_import_test" 1822 } 1823 } 1824 1825 resource "aws_security_group" "test_group_1" { 1826 name = "test group 1" 1827 vpc_id = "${aws_vpc.foo.id}" 1828 } 1829 1830 resource "aws_security_group" "test_group_2" { 1831 name = "test group 2" 1832 vpc_id = "${aws_vpc.foo.id}" 1833 } 1834 1835 resource "aws_security_group" "test_group_3" { 1836 name = "test group 3" 1837 vpc_id = "${aws_vpc.foo.id}" 1838 } 1839 1840 resource "aws_security_group_rule" "allow_test_group_2" { 1841 type = "ingress" 1842 from_port = 0 1843 to_port = 0 1844 protocol = "tcp" 1845 1846 source_security_group_id = "${aws_security_group.test_group_1.id}" 1847 security_group_id = "${aws_security_group.test_group_2.id}" 1848 } 1849 1850 resource "aws_security_group_rule" "allow_test_group_3" { 1851 type = "ingress" 1852 from_port = 0 1853 to_port = 0 1854 protocol = "tcp" 1855 1856 source_security_group_id = "${aws_security_group.test_group_1.id}" 1857 security_group_id = "${aws_security_group.test_group_3.id}" 1858 } 1859 ` 1860 1861 const testAccAWSSecurityGroupConfigPrefixListEgress = ` 1862 resource "aws_vpc" "tf_sg_prefix_list_egress_test" { 1863 cidr_block = "10.0.0.0/16" 1864 tags { 1865 Name = "tf_sg_prefix_list_egress_test" 1866 } 1867 } 1868 1869 resource "aws_route_table" "default" { 1870 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1871 } 1872 1873 resource "aws_vpc_endpoint" "s3-us-west-2" { 1874 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1875 service_name = "com.amazonaws.us-west-2.s3" 1876 route_table_ids = ["${aws_route_table.default.id}"] 1877 policy = <<POLICY 1878 { 1879 "Version": "2012-10-17", 1880 "Statement": [ 1881 { 1882 "Sid":"AllowAll", 1883 "Effect":"Allow", 1884 "Principal":"*", 1885 "Action":"*", 1886 "Resource":"*" 1887 } 1888 ] 1889 } 1890 POLICY 1891 } 1892 1893 resource "aws_security_group" "egress" { 1894 name = "terraform_acceptance_test_prefix_list_egress" 1895 description = "Used in the terraform acceptance tests" 1896 vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}" 1897 1898 egress { 1899 protocol = "-1" 1900 from_port = 0 1901 to_port = 0 1902 prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"] 1903 } 1904 } 1905 `