Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow prefix_list_ids on ingress rules in an aws_security_group #5916

Merged
merged 1 commit into from
Sep 18, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions aws/resource_aws_security_group.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,12 @@ func resourceAwsSecurityGroup() *schema.Resource {
},
},

"prefix_list_ids": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},

"security_groups": {
Type: schema.TypeSet,
Optional: true,
Expand Down
98 changes: 96 additions & 2 deletions aws/resource_aws_security_group_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1753,7 +1753,7 @@ func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) {
Config: testAccAWSSecurityGroupConfigPrefixListEgress,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group),
testAccCheckAWSSecurityGroupPrefixListAttributes(&group),
testAccCheckAWSSecurityGroupEgressPrefixListAttributes(&group),
resource.TestCheckResourceAttr(
"aws_security_group.egress", "egress.#", "1"),
),
Expand All @@ -1762,6 +1762,27 @@ func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) {
})
}

func TestAccAWSSecurityGroup_ingressWithPrefixList(t *testing.T) {
var group ec2.SecurityGroup

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSSecurityGroupConfigPrefixListIngress,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSecurityGroupExists("aws_security_group.ingress", &group),
testAccCheckAWSSecurityGroupIngressPrefixListAttributes(&group),
resource.TestCheckResourceAttr(
"aws_security_group.ingress", "ingress.#", "1"),
),
},
},
})
}

func TestAccAWSSecurityGroup_ipv4andipv6Egress(t *testing.T) {
var group ec2.SecurityGroup

Expand Down Expand Up @@ -1839,7 +1860,7 @@ func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) r
}
}

func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
func testAccCheckAWSSecurityGroupEgressPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
return func(s *terraform.State) error {
if *group.GroupName != "terraform_acceptance_test_prefix_list_egress" {
return fmt.Errorf("Bad name: %s", *group.GroupName)
Expand All @@ -1864,6 +1885,31 @@ func testAccCheckAWSSecurityGroupPrefixListAttributes(group *ec2.SecurityGroup)
}
}

func testAccCheckAWSSecurityGroupIngressPrefixListAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
return func(s *terraform.State) error {
if *group.GroupName != "terraform_acceptance_test_prefix_list_ingress" {
return fmt.Errorf("Bad name: %s", *group.GroupName)
}
if *group.Description != "Used in the terraform acceptance tests" {
return fmt.Errorf("Bad description: %s", *group.Description)
}
if len(group.IpPermissions) == 0 {
return fmt.Errorf("No IPPerms")
}
if len(group.IpPermissions) != 1 {
return fmt.Errorf("Expected 1 rule, got %d", len(group.IpPermissions))
}

p := group.IpPermissions[0]

if len(p.PrefixListIds) != 1 {
return fmt.Errorf("Expected 1 prefix list, got %d", len(p.PrefixListIds))
}

return nil
}
}

func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc {
return func(s *terraform.State) error {
p := []*ec2.IpPermission{
Expand Down Expand Up @@ -3407,6 +3453,54 @@ resource "aws_security_group" "egress" {
}
`

const testAccAWSSecurityGroupConfigPrefixListIngress = `
data "aws_region" "current" {}

resource "aws_vpc" "tf_sg_prefix_list_ingress_test" {
cidr_block = "10.0.0.0/16"
tags {
Name = "terraform-testacc-security-group-prefix-list-ingress"
}
}

resource "aws_route_table" "default" {
vpc_id = "${aws_vpc.tf_sg_prefix_list_ingress_test.id}"
}

resource "aws_vpc_endpoint" "test" {
vpc_id = "${aws_vpc.tf_sg_prefix_list_ingress_test.id}"
service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
route_table_ids = ["${aws_route_table.default.id}"]
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":"AllowAll",
"Effect":"Allow",
"Principal":"*",
"Action":"*",
"Resource":"*"
}
]
}
POLICY
}

resource "aws_security_group" "ingress" {
name = "terraform_acceptance_test_prefix_list_ingress"
description = "Used in the terraform acceptance tests"
vpc_id = "${aws_vpc.tf_sg_prefix_list_ingress_test.id}"

ingress {
protocol = "-1"
from_port = 0
to_port = 0
prefix_list_ids = ["${aws_vpc_endpoint.test.prefix_list_id}"]
}
}
`

func testAccAWSSecurityGroupConfig_ruleGathering(sgName string) string {
return fmt.Sprintf(`
variable "name" {
Expand Down
1 change: 1 addition & 0 deletions website/docs/r/security_group.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ The `ingress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks.
* `ipv6_cidr_blocks` - (Optional) List of IPv6 CIDR blocks.
* `prefix_list_ids` - (Optional) List of prefix list IDs.
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp")
* `protocol` - (Required) The protocol. If you select a protocol of
"-1" (semantically equivalent to `"all"`, which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1" use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
Expand Down