github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/aws/resource_aws_waf_web_acl_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/hashicorp/terraform/helper/resource" 8 "github.com/hashicorp/terraform/terraform" 9 10 "github.com/aws/aws-sdk-go/aws" 11 "github.com/aws/aws-sdk-go/aws/awserr" 12 "github.com/aws/aws-sdk-go/service/waf" 13 "github.com/hashicorp/terraform/helper/acctest" 14 ) 15 16 func TestAccAWSWafWebAcl_basic(t *testing.T) { 17 var v waf.WebACL 18 wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 19 20 resource.Test(t, resource.TestCase{ 21 PreCheck: func() { testAccPreCheck(t) }, 22 Providers: testAccProviders, 23 CheckDestroy: testAccCheckAWSWafWebAclDestroy, 24 Steps: []resource.TestStep{ 25 resource.TestStep{ 26 Config: testAccAWSWafWebAclConfig(wafAclName), 27 Check: resource.ComposeTestCheckFunc( 28 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &v), 29 resource.TestCheckResourceAttr( 30 "aws_waf_web_acl.waf_acl", "default_action.#", "1"), 31 resource.TestCheckResourceAttr( 32 "aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"), 33 resource.TestCheckResourceAttr( 34 "aws_waf_web_acl.waf_acl", "name", wafAclName), 35 resource.TestCheckResourceAttr( 36 "aws_waf_web_acl.waf_acl", "rules.#", "1"), 37 resource.TestCheckResourceAttr( 38 "aws_waf_web_acl.waf_acl", "metric_name", wafAclName), 39 ), 40 }, 41 }, 42 }) 43 } 44 45 func TestAccAWSWafWebAcl_changeNameForceNew(t *testing.T) { 46 var before, after waf.WebACL 47 wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 48 wafAclNewName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 49 50 resource.Test(t, resource.TestCase{ 51 PreCheck: func() { testAccPreCheck(t) }, 52 Providers: testAccProviders, 53 CheckDestroy: testAccCheckAWSWafWebAclDestroy, 54 Steps: []resource.TestStep{ 55 { 56 Config: testAccAWSWafWebAclConfig(wafAclName), 57 Check: resource.ComposeTestCheckFunc( 58 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &before), 59 resource.TestCheckResourceAttr( 60 "aws_waf_web_acl.waf_acl", "default_action.#", "1"), 61 resource.TestCheckResourceAttr( 62 "aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"), 63 resource.TestCheckResourceAttr( 64 "aws_waf_web_acl.waf_acl", "name", wafAclName), 65 resource.TestCheckResourceAttr( 66 "aws_waf_web_acl.waf_acl", "rules.#", "1"), 67 resource.TestCheckResourceAttr( 68 "aws_waf_web_acl.waf_acl", "metric_name", wafAclName), 69 ), 70 }, 71 { 72 Config: testAccAWSWafWebAclConfigChangeName(wafAclNewName), 73 Check: resource.ComposeTestCheckFunc( 74 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &after), 75 resource.TestCheckResourceAttr( 76 "aws_waf_web_acl.waf_acl", "default_action.#", "1"), 77 resource.TestCheckResourceAttr( 78 "aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"), 79 resource.TestCheckResourceAttr( 80 "aws_waf_web_acl.waf_acl", "name", wafAclNewName), 81 resource.TestCheckResourceAttr( 82 "aws_waf_web_acl.waf_acl", "rules.#", "1"), 83 resource.TestCheckResourceAttr( 84 "aws_waf_web_acl.waf_acl", "metric_name", wafAclNewName), 85 ), 86 }, 87 }, 88 }) 89 } 90 91 func TestAccAWSWafWebAcl_changeDefaultAction(t *testing.T) { 92 var before, after waf.WebACL 93 wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 94 wafAclNewName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 95 96 resource.Test(t, resource.TestCase{ 97 PreCheck: func() { testAccPreCheck(t) }, 98 Providers: testAccProviders, 99 CheckDestroy: testAccCheckAWSWafWebAclDestroy, 100 Steps: []resource.TestStep{ 101 { 102 Config: testAccAWSWafWebAclConfig(wafAclName), 103 Check: resource.ComposeTestCheckFunc( 104 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &before), 105 resource.TestCheckResourceAttr( 106 "aws_waf_web_acl.waf_acl", "default_action.#", "1"), 107 resource.TestCheckResourceAttr( 108 "aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"), 109 resource.TestCheckResourceAttr( 110 "aws_waf_web_acl.waf_acl", "name", wafAclName), 111 resource.TestCheckResourceAttr( 112 "aws_waf_web_acl.waf_acl", "rules.#", "1"), 113 resource.TestCheckResourceAttr( 114 "aws_waf_web_acl.waf_acl", "metric_name", wafAclName), 115 ), 116 }, 117 { 118 Config: testAccAWSWafWebAclConfigDefaultAction(wafAclNewName), 119 Check: resource.ComposeTestCheckFunc( 120 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &after), 121 resource.TestCheckResourceAttr( 122 "aws_waf_web_acl.waf_acl", "default_action.#", "1"), 123 resource.TestCheckResourceAttr( 124 "aws_waf_web_acl.waf_acl", "default_action.2267395054.type", "BLOCK"), 125 resource.TestCheckResourceAttr( 126 "aws_waf_web_acl.waf_acl", "name", wafAclNewName), 127 resource.TestCheckResourceAttr( 128 "aws_waf_web_acl.waf_acl", "rules.#", "1"), 129 resource.TestCheckResourceAttr( 130 "aws_waf_web_acl.waf_acl", "metric_name", wafAclNewName), 131 ), 132 }, 133 }, 134 }) 135 } 136 137 func TestAccAWSWafWebAcl_disappears(t *testing.T) { 138 var v waf.WebACL 139 wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5)) 140 141 resource.Test(t, resource.TestCase{ 142 PreCheck: func() { testAccPreCheck(t) }, 143 Providers: testAccProviders, 144 CheckDestroy: testAccCheckAWSWafWebAclDestroy, 145 Steps: []resource.TestStep{ 146 { 147 Config: testAccAWSWafWebAclConfig(wafAclName), 148 Check: resource.ComposeTestCheckFunc( 149 testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &v), 150 testAccCheckAWSWafWebAclDisappears(&v), 151 ), 152 ExpectNonEmptyPlan: true, 153 }, 154 }, 155 }) 156 } 157 158 func testAccCheckAWSWafWebAclDisappears(v *waf.WebACL) resource.TestCheckFunc { 159 return func(s *terraform.State) error { 160 conn := testAccProvider.Meta().(*AWSClient).wafconn 161 162 // ChangeToken 163 var ct *waf.GetChangeTokenInput 164 165 resp, err := conn.GetChangeToken(ct) 166 if err != nil { 167 return fmt.Errorf("Error getting change token: %s", err) 168 } 169 170 req := &waf.UpdateWebACLInput{ 171 ChangeToken: resp.ChangeToken, 172 WebACLId: v.WebACLId, 173 } 174 175 for _, ActivatedRule := range v.Rules { 176 WebACLUpdate := &waf.WebACLUpdate{ 177 Action: aws.String("DELETE"), 178 ActivatedRule: &waf.ActivatedRule{ 179 Priority: ActivatedRule.Priority, 180 RuleId: ActivatedRule.RuleId, 181 Action: ActivatedRule.Action, 182 }, 183 } 184 req.Updates = append(req.Updates, WebACLUpdate) 185 } 186 187 _, err = conn.UpdateWebACL(req) 188 if err != nil { 189 return fmt.Errorf("Error Updating WAF ACL: %s", err) 190 } 191 192 resp, err = conn.GetChangeToken(ct) 193 if err != nil { 194 return fmt.Errorf("Error getting change token for waf ACL: %s", err) 195 } 196 197 opts := &waf.DeleteWebACLInput{ 198 ChangeToken: resp.ChangeToken, 199 WebACLId: v.WebACLId, 200 } 201 if _, err := conn.DeleteWebACL(opts); err != nil { 202 return err 203 } 204 return nil 205 } 206 } 207 208 func testAccCheckAWSWafWebAclDestroy(s *terraform.State) error { 209 for _, rs := range s.RootModule().Resources { 210 if rs.Type != "aws_waf_web_acl" { 211 continue 212 } 213 214 conn := testAccProvider.Meta().(*AWSClient).wafconn 215 resp, err := conn.GetWebACL( 216 &waf.GetWebACLInput{ 217 WebACLId: aws.String(rs.Primary.ID), 218 }) 219 220 if err == nil { 221 if *resp.WebACL.WebACLId == rs.Primary.ID { 222 return fmt.Errorf("WebACL %s still exists", rs.Primary.ID) 223 } 224 } 225 226 // Return nil if the WebACL is already destroyed 227 if awsErr, ok := err.(awserr.Error); ok { 228 if awsErr.Code() == "WAFNonexistentItemException" { 229 return nil 230 } 231 } 232 233 return err 234 } 235 236 return nil 237 } 238 239 func testAccCheckAWSWafWebAclExists(n string, v *waf.WebACL) resource.TestCheckFunc { 240 return func(s *terraform.State) error { 241 rs, ok := s.RootModule().Resources[n] 242 if !ok { 243 return fmt.Errorf("Not found: %s", n) 244 } 245 246 if rs.Primary.ID == "" { 247 return fmt.Errorf("No WebACL ID is set") 248 } 249 250 conn := testAccProvider.Meta().(*AWSClient).wafconn 251 resp, err := conn.GetWebACL(&waf.GetWebACLInput{ 252 WebACLId: aws.String(rs.Primary.ID), 253 }) 254 255 if err != nil { 256 return err 257 } 258 259 if *resp.WebACL.WebACLId == rs.Primary.ID { 260 *v = *resp.WebACL 261 return nil 262 } 263 264 return fmt.Errorf("WebACL (%s) not found", rs.Primary.ID) 265 } 266 } 267 268 func testAccAWSWafWebAclConfig(name string) string { 269 return fmt.Sprintf(`resource "aws_waf_ipset" "ipset" { 270 name = "%s" 271 ip_set_descriptors { 272 type = "IPV4" 273 value = "192.0.7.0/24" 274 } 275 } 276 277 resource "aws_waf_rule" "wafrule" { 278 depends_on = ["aws_waf_ipset.ipset"] 279 name = "%s" 280 metric_name = "%s" 281 predicates { 282 data_id = "${aws_waf_ipset.ipset.id}" 283 negated = false 284 type = "IPMatch" 285 } 286 } 287 resource "aws_waf_web_acl" "waf_acl" { 288 depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"] 289 name = "%s" 290 metric_name = "%s" 291 default_action { 292 type = "ALLOW" 293 } 294 rules { 295 action { 296 type = "BLOCK" 297 } 298 priority = 1 299 rule_id = "${aws_waf_rule.wafrule.id}" 300 } 301 }`, name, name, name, name, name) 302 } 303 304 func testAccAWSWafWebAclConfigChangeName(name string) string { 305 return fmt.Sprintf(`resource "aws_waf_ipset" "ipset" { 306 name = "%s" 307 ip_set_descriptors { 308 type = "IPV4" 309 value = "192.0.7.0/24" 310 } 311 } 312 313 resource "aws_waf_rule" "wafrule" { 314 depends_on = ["aws_waf_ipset.ipset"] 315 name = "%s" 316 metric_name = "%s" 317 predicates { 318 data_id = "${aws_waf_ipset.ipset.id}" 319 negated = false 320 type = "IPMatch" 321 } 322 } 323 resource "aws_waf_web_acl" "waf_acl" { 324 depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"] 325 name = "%s" 326 metric_name = "%s" 327 default_action { 328 type = "ALLOW" 329 } 330 rules { 331 action { 332 type = "BLOCK" 333 } 334 priority = 1 335 rule_id = "${aws_waf_rule.wafrule.id}" 336 } 337 }`, name, name, name, name, name) 338 } 339 340 func testAccAWSWafWebAclConfigDefaultAction(name string) string { 341 return fmt.Sprintf(`resource "aws_waf_ipset" "ipset" { 342 name = "%s" 343 ip_set_descriptors { 344 type = "IPV4" 345 value = "192.0.7.0/24" 346 } 347 } 348 349 resource "aws_waf_rule" "wafrule" { 350 depends_on = ["aws_waf_ipset.ipset"] 351 name = "%s" 352 metric_name = "%s" 353 predicates { 354 data_id = "${aws_waf_ipset.ipset.id}" 355 negated = false 356 type = "IPMatch" 357 } 358 } 359 resource "aws_waf_web_acl" "waf_acl" { 360 depends_on = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"] 361 name = "%s" 362 metric_name = "%s" 363 default_action { 364 type = "BLOCK" 365 } 366 rules { 367 action { 368 type = "BLOCK" 369 } 370 priority = 1 371 rule_id = "${aws_waf_rule.wafrule.id}" 372 } 373 }`, name, name, name, name, name) 374 }