diff --git a/builtin/providers/aws/resource_aws_network_interface.go b/builtin/providers/aws/resource_aws_network_interface.go index aee50f0aa503..2cf7b13c330f 100644 --- a/builtin/providers/aws/resource_aws_network_interface.go +++ b/builtin/providers/aws/resource_aws_network_interface.go @@ -46,6 +46,12 @@ func resourceAwsNetworkInterface() *schema.Resource { Set: schema.HashString, }, + "source_dest_check": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: true, + }, + "attachment": &schema.Schema{ Type: schema.TypeSet, Optional: true, @@ -127,6 +133,7 @@ func resourceAwsNetworkInterfaceRead(d *schema.ResourceData, meta interface{}) e d.Set("subnet_id", eni.SubnetID) d.Set("private_ips", flattenNetworkInterfacesPrivateIPAddesses(eni.PrivateIPAddresses)) d.Set("security_groups", flattenGroupIdentifiers(eni.Groups)) + d.Set("source_dest_check", eni.SourceDestCheck) // Tags d.Set("tags", tagsToMap(eni.TagSet)) @@ -221,6 +228,18 @@ func resourceAwsNetworkInterfaceUpdate(d *schema.ResourceData, meta interface{}) d.SetPartial("attachment") } + request := &ec2.ModifyNetworkInterfaceAttributeInput{ + NetworkInterfaceID: aws.String(d.Id()), + SourceDestCheck: &ec2.AttributeBooleanValue{Value: aws.Boolean(d.Get("source_dest_check").(bool))}, + } + + _, err := conn.ModifyNetworkInterfaceAttribute(request) + if err != nil { + return fmt.Errorf("Failure updating ENI: %s", err) + } + + d.SetPartial("source_dest_check") + if d.HasChange("security_groups") { request := &ec2.ModifyNetworkInterfaceAttributeInput{ NetworkInterfaceID: aws.String(d.Id()), diff --git a/builtin/providers/aws/resource_aws_network_interface_test.go b/builtin/providers/aws/resource_aws_network_interface_test.go index f83698abfea3..a444a01364dd 100644 --- a/builtin/providers/aws/resource_aws_network_interface_test.go +++ b/builtin/providers/aws/resource_aws_network_interface_test.go 
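Review bot: In resourceAwsNetworkInterfaceUpdate the new ModifyNetworkInterfaceAttribute call for `source_dest_check` runs on every update, whereas the `security_groups` block directly below it is guarded by `d.HasChange("security_groups")`. As written, any unrelated change to the ENI re-sends the source/destination check setting and costs an extra EC2 API call even when the value did not change. Consider wrapping the request, the error check and `d.SetPartial("source_dest_check")` in `if d.HasChange("source_dest_check") { ... }`. If the create path relies on this function to apply an initial `false` (not visible in this hunk), the guard has to keep that case working. The function begins and ends outside the hunk.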
@@ -57,6 +57,26 @@ func TestAccAWSENI_attached(t *testing.T) { }) } +func TestAccAWSENI_sourceDestCheck(t *testing.T) { + var conf ec2.NetworkInterface + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSENIDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccAWSENIConfigWithSourceDestCheck, + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSENIExists("aws_network_interface.bar", &conf), + resource.TestCheckResourceAttr( + "aws_network_interface.bar", "source_dest_check", "false"), + ), + }, + }, + }) +} + func testAccCheckAWSENIExists(n string, res *ec2.NetworkInterface) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -108,6 +128,10 @@ func testAccCheckAWSENIAttributes(conf *ec2.NetworkInterface) resource.TestCheck return fmt.Errorf("expected private ip to be 172.16.10.100, but was %s", *conf.PrivateIPAddress) } + if *conf.SourceDestCheck != true { + return fmt.Errorf("expected source_dest_check to be true, but was %t", *conf.SourceDestCheck) + } + if len(conf.TagSet) == 0 { return fmt.Errorf("expected tags") } @@ -201,6 +225,24 @@ resource "aws_network_interface" "bar" { } ` +const testAccAWSENIConfigWithSourceDestCheck = ` +resource "aws_vpc" "foo" { + cidr_block = "172.16.0.0/16" +} + +resource "aws_subnet" "foo" { + vpc_id = "${aws_vpc.foo.id}" + cidr_block = "172.16.10.0/24" + availability_zone = "us-west-2a" +} + +resource "aws_network_interface" "bar" { + subnet_id = "${aws_subnet.foo.id}" + source_dest_check = false + private_ips = ["172.16.10.100"] +} +` + const testAccAWSENIConfigWithAttachment = ` resource "aws_vpc" "foo" { cidr_block = "172.16.0.0/16" diff --git a/website/source/docs/providers/aws/r/network_interface.markdown b/website/source/docs/providers/aws/r/network_interface.markdown index 8144d8f0f51b..0384b184a93b 100644 
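Review bot: TestAccAWSENI_sourceDestCheck has a single step that creates the ENI with `source_dest_check = false` and checks only the state attribute, so changing the value on an existing interface is never exercised and the fetched `conf` is never inspected. A second step that sets the attribute back to `true`, together with a check on `conf.SourceDestCheck`, would cover the update path this commit adds. Disabling the check lets the interface handle traffic that is not addressed to it, so it is worth proving that the provider can also re-enable it.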
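Review bot: In testAccCheckAWSENIAttributes the added check dereferences `conf.SourceDestCheck` without a nil test, so a response that omits the field panics the test run instead of returning an error. Guard it, e.g. `if conf.SourceDestCheck == nil || !*conf.SourceDestCheck {`, and build the message without dereferencing: `return fmt.Errorf("expected source_dest_check to be true")`. Comparing a bool with `!= true` is also more idiomatically written with `!`. The function's body continues outside the hunk.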
--- a/website/source/docs/providers/aws/r/network_interface.markdown +++ b/website/source/docs/providers/aws/r/network_interface.markdown @@ -32,6 +32,7 @@ The following arguments are supported: * `private_ips` - (Optional) List of private IPs to assign to the ENI. * `security_groups` - (Optional) List of security group IDs to assign to the ENI. * `attachment` - (Required) Block to define the attachment of the ENI. Documented below. +* `source_dest_check` - (Optional) Whether to enable source destination checking for the ENI. Default true. * `tags` - (Optional) A mapping of tags to assign to the resource. The `attachment` block supports: @@ -47,5 +48,6 @@ The following attributes are exported: * `private_ips` - List of private IPs assigned to the ENI. * `security_groups` - List of security groups attached to the ENI. * `attachment` - Block defining the attachment of the ENI. +* `source_dest_check` - Whether source destination checking is enabled * `tags` - Tags assigned to the ENI.