github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/aws/resource_aws_waf_web_acl_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/hashicorp/terraform/helper/resource"
     8  	"github.com/hashicorp/terraform/terraform"
     9  
    10  	"github.com/aws/aws-sdk-go/aws"
    11  	"github.com/aws/aws-sdk-go/aws/awserr"
    12  	"github.com/aws/aws-sdk-go/service/waf"
    13  	"github.com/hashicorp/terraform/helper/acctest"
    14  )
    15  
// TestAccAWSWafWebAcl_basic applies the base fixture once and checks the
// attributes Terraform records for the resulting WAF web ACL.
func TestAccAWSWafWebAcl_basic(t *testing.T) {
	const resourceName = "aws_waf_web_acl.waf_acl"

	var acl waf.WebACL
	aclName := "wafacl" + acctest.RandString(5)

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(aclName),
				Check: resource.ComposeTestCheckFunc(
					// Reads the ACL back from the WAF API and stores it in acl.
					testAccCheckAWSWafWebAclExists(resourceName, &acl),
					resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
					// The numeric path segment is presumably the hash Terraform
					// assigns to the default_action block; it is tied to the
					// ALLOW value used by the fixture.
					resource.TestCheckResourceAttr(resourceName, "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(resourceName, "name", aclName),
					resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "metric_name", aclName),
				),
			},
		},
	})
}
    44  
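// TestAccAWSWafWebAcl_changeNameForceNew applies the base fixture, then applies
// it again under a different name, and checks that the rename produced a new
// web ACL rather than an in-place update.
func TestAccAWSWafWebAcl_changeNameForceNew(t *testing.T) {
	const resourceName = "aws_waf_web_acl.waf_acl"

	var before, after waf.WebACL
	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
	wafAclNewName := fmt.Sprintf("wafacl%s", acctest.RandString(5))

	// The test name states that a rename forces a new resource. Comparing the
	// IDs read back in each step is what actually verifies it; without this
	// check before and after are captured but never compared.
	checkRecreated := func(*terraform.State) error {
		oldID := aws.StringValue(before.WebACLId)
		if oldID == aws.StringValue(after.WebACLId) {
			return fmt.Errorf("WebACL %s was not recreated after the name change", oldID)
		}
		return nil
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSWafWebAclConfig(wafAclName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists(resourceName, &before),
					resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(resourceName, "name", wafAclName),
					resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "metric_name", wafAclName),
				),
			},
			{
				Config: testAccAWSWafWebAclConfigChangeName(wafAclNewName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSWafWebAclExists(resourceName, &after),
					// Must run after the Exists check above so that after is populated.
					checkRecreated,
					resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "default_action.4234791575.type", "ALLOW"),
					resource.TestCheckResourceAttr(resourceName, "name", wafAclNewName),
					resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "metric_name", wafAclNewName),
				),
			},
		},
	})
}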
    90  
// TestAccAWSWafWebAcl_changeDefaultAction applies the base fixture (default
// action ALLOW) and then the BLOCK fixture, checking the recorded default
// action after each step.
//
// NOTE(review): the second step is applied under a different random name, so
// the name and the default action change together. If a rename replaces the
// ACL, this never exercises an in-place change of the default action; confirm
// whether reusing the first name was intended.
func TestAccAWSWafWebAcl_changeDefaultAction(t *testing.T) {
	const resourceName = "aws_waf_web_acl.waf_acl"

	var before, after waf.WebACL
	firstName := "wafacl" + acctest.RandString(5)
	secondName := "wafacl" + acctest.RandString(5)

	allowStep := resource.TestStep{
		Config: testAccAWSWafWebAclConfig(firstName),
		Check: resource.ComposeTestCheckFunc(
			testAccCheckAWSWafWebAclExists(resourceName, &before),
			resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
			resource.TestCheckResourceAttr(resourceName, "default_action.4234791575.type", "ALLOW"),
			resource.TestCheckResourceAttr(resourceName, "name", firstName),
			resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
			resource.TestCheckResourceAttr(resourceName, "metric_name", firstName),
		),
	}

	blockStep := resource.TestStep{
		Config: testAccAWSWafWebAclConfigDefaultAction(secondName),
		Check: resource.ComposeTestCheckFunc(
			testAccCheckAWSWafWebAclExists(resourceName, &after),
			resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
			// The numeric segment differs from the ALLOW step's key because
			// the block's content changed.
			resource.TestCheckResourceAttr(resourceName, "default_action.2267395054.type", "BLOCK"),
			resource.TestCheckResourceAttr(resourceName, "name", secondName),
			resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
			resource.TestCheckResourceAttr(resourceName, "metric_name", secondName),
		),
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps:        []resource.TestStep{allowStep, blockStep},
	})
}
   136  
// TestAccAWSWafWebAcl_disappears creates a web ACL, deletes it directly
// through the WAF API, and expects Terraform to report a non-empty plan
// afterwards.
func TestAccAWSWafWebAcl_disappears(t *testing.T) {
	const resourceName = "aws_waf_web_acl.waf_acl"

	var acl waf.WebACL
	aclName := "wafacl" + acctest.RandString(5)

	step := resource.TestStep{
		Config: testAccAWSWafWebAclConfig(aclName),
		Check: resource.ComposeTestCheckFunc(
			// Exists fills acl; Disappears then uses it to delete the ACL
			// outside of Terraform.
			testAccCheckAWSWafWebAclExists(resourceName, &acl),
			testAccCheckAWSWafWebAclDisappears(&acl),
		),
		ExpectNonEmptyPlan: true,
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
		Steps:        []resource.TestStep{step},
	})
}
   157  
// testAccCheckAWSWafWebAclDisappears returns a check that removes the given
// web ACL directly through the WAF API: it first submits a DELETE update for
// every rule in v.Rules and then deletes the ACL itself.
func testAccCheckAWSWafWebAclDisappears(v *waf.WebACL) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		conn := testAccProvider.Meta().(*AWSClient).wafconn

		// Deliberately left nil; the same nil input is passed to both
		// GetChangeToken calls below.
		var tokenInput *waf.GetChangeTokenInput

		tokenOut, err := conn.GetChangeToken(tokenInput)
		if err != nil {
			return fmt.Errorf("Error getting change token: %s", err)
		}

		// Rules are removed before the ACL is deleted, presumably because WAF
		// rejects deletion of an ACL that still has rules. TODO confirm.
		updateReq := &waf.UpdateWebACLInput{
			ChangeToken: tokenOut.ChangeToken,
			WebACLId:    v.WebACLId,
		}
		for _, rule := range v.Rules {
			updateReq.Updates = append(updateReq.Updates, &waf.WebACLUpdate{
				Action: aws.String("DELETE"),
				ActivatedRule: &waf.ActivatedRule{
					Priority: rule.Priority,
					RuleId:   rule.RuleId,
					Action:   rule.Action,
				},
			})
		}

		if _, err = conn.UpdateWebACL(updateReq); err != nil {
			return fmt.Errorf("Error Updating WAF ACL: %s", err)
		}

		// A fresh change token is requested for the delete call instead of
		// reusing the one already sent with the update.
		tokenOut, err = conn.GetChangeToken(tokenInput)
		if err != nil {
			return fmt.Errorf("Error getting change token for waf ACL: %s", err)
		}

		_, err = conn.DeleteWebACL(&waf.DeleteWebACLInput{
			ChangeToken: tokenOut.ChangeToken,
			WebACLId:    v.WebACLId,
		})
		return err
	}
}
   207  
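// testAccCheckAWSWafWebAclDestroy verifies that every aws_waf_web_acl resource
// recorded in the state is gone from WAF. It returns an error for the first
// ACL that still exists or whose lookup fails for any reason other than
// WAFNonexistentItemException.
func testAccCheckAWSWafWebAclDestroy(s *terraform.State) error {
	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_waf_web_acl" {
			continue
		}

		conn := testAccProvider.Meta().(*AWSClient).wafconn
		resp, err := conn.GetWebACL(&waf.GetWebACLInput{
			WebACLId: aws.String(rs.Primary.ID),
		})
		if err != nil {
			// The ACL is already destroyed. Keep going: returning here would
			// skip every remaining ACL in the state, so a leaked ACL could go
			// unreported.
			if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "WAFNonexistentItemException" {
				continue
			}
			return err
		}

		// Guard against a response without a WebACL before reading its ID.
		if resp.WebACL != nil && aws.StringValue(resp.WebACL.WebACLId) == rs.Primary.ID {
			return fmt.Errorf("WebACL %s still exists", rs.Primary.ID)
		}
	}

	return nil
}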
   238  
// testAccCheckAWSWafWebAclExists returns a check that looks up resource n in
// the state, fetches the web ACL with that ID from the WAF API, and copies it
// into v so that later checks can use it.
func testAccCheckAWSWafWebAclExists(n string, v *waf.WebACL) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, found := s.RootModule().Resources[n]
		if !found {
			return fmt.Errorf("Not found: %s", n)
		}

		id := rs.Primary.ID
		if id == "" {
			return fmt.Errorf("No WebACL ID is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).wafconn
		out, err := conn.GetWebACL(&waf.GetWebACLInput{
			WebACLId: aws.String(id),
		})
		if err != nil {
			return err
		}

		// NOTE(review): out.WebACL and its WebACLId are dereferenced without
		// a nil check.
		if *out.WebACL.WebACLId != id {
			return fmt.Errorf("WebACL (%s) not found", id)
		}

		*v = *out.WebACL
		return nil
	}
}
   267  
// testAccAWSWafWebAclConfig renders the base fixture: an IP set, a rule that
// matches it, and a web ACL whose default action is ALLOW and whose single
// rule uses BLOCK. The same name is used for every name and metric_name field.
//
// NOTE(review): 192.0.7.0/24 is not one of the RFC 5737 documentation ranges
// (192.0.2.0/24 is TEST-NET-1). Nothing in this file attaches the ACL to
// traffic, but confirm the value is intentional.
func testAccAWSWafWebAclConfig(name string) string {
	const tmpl = `resource "aws_waf_ipset" "ipset" {
  name = "%s"
  ip_set_descriptors {
    type = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on = ["aws_waf_ipset.ipset"]
  name = "%s"
  metric_name = "%s"
  predicates {
    data_id = "${aws_waf_ipset.ipset.id}"
    negated = false
    type = "IPMatch"
  }
}
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"]
  name = "%s"
  metric_name = "%s"
  default_action {
    type = "ALLOW"
  }
  rules {
    action {
       type = "BLOCK"
    }
    priority = 1 
    rule_id = "${aws_waf_rule.wafrule.id}"
  }
}`

	// The template has five %s verbs, all filled with the same name.
	args := []interface{}{name, name, name, name, name}
	return fmt.Sprintf(tmpl, args...)
}
   303  
// testAccAWSWafWebAclConfigChangeName renders the fixture used after a rename.
// Its template text matches testAccAWSWafWebAclConfig's (default action ALLOW,
// one BLOCK rule); only the name supplied by the caller differs.
func testAccAWSWafWebAclConfigChangeName(name string) string {
	const tmpl = `resource "aws_waf_ipset" "ipset" {
  name = "%s"
  ip_set_descriptors {
    type = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on = ["aws_waf_ipset.ipset"]
  name = "%s"
  metric_name = "%s"
  predicates {
    data_id = "${aws_waf_ipset.ipset.id}"
    negated = false
    type = "IPMatch"
  }
}
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"]
  name = "%s"
  metric_name = "%s"
  default_action {
    type = "ALLOW"
  }
  rules {
    action {
       type = "BLOCK"
    }
    priority = 1 
    rule_id = "${aws_waf_rule.wafrule.id}"
  }
}`

	// The template has five %s verbs, all filled with the same name.
	args := []interface{}{name, name, name, name, name}
	return fmt.Sprintf(tmpl, args...)
}
   339  
// testAccAWSWafWebAclConfigDefaultAction renders the fixture whose web ACL
// default action is BLOCK. The IP set, the rule and the ACL's single BLOCK
// rule are otherwise laid out as in the base fixture.
func testAccAWSWafWebAclConfigDefaultAction(name string) string {
	const tmpl = `resource "aws_waf_ipset" "ipset" {
  name = "%s"
  ip_set_descriptors {
    type = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on = ["aws_waf_ipset.ipset"]
  name = "%s"
  metric_name = "%s"
  predicates {
    data_id = "${aws_waf_ipset.ipset.id}"
    negated = false
    type = "IPMatch"
  }
}
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"]
  name = "%s"
  metric_name = "%s"
  default_action {
    type = "BLOCK"
  }
  rules {
    action {
       type = "BLOCK"
    }
    priority = 1 
    rule_id = "${aws_waf_rule.wafrule.id}"
  }
}`

	// The template has five %s verbs, all filled with the same name.
	args := []interface{}{name, name, name, name, name}
	return fmt.Sprintf(tmpl, args...)
}