terraform/builtin/providers/aws/resource_aws_security_group.go

package aws

import (
	"fmt"
	"log"
	"time"

	"github.com/hashicorp/terraform/flatmap"
	"github.com/hashicorp/terraform/helper/config"
	"github.com/hashicorp/terraform/helper/diff"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
	"github.com/mitchellh/goamz/ec2"
)

func resource_aws_security_group_create(
	s *terraform.ResourceState,
	d *terraform.ResourceDiff,
	meta interface{}) (*terraform.ResourceState, error) {
	p := meta.(*ResourceProvider)
	ec2conn := p.ec2conn

	// Merge the diff into the state so that we have all the attributes
	// properly.
	rs := s.MergeDiff(d)

	securityGroupOpts := ec2.SecurityGroup{
		Name: rs.Attributes["name"],
	}

	if rs.Attributes["vpc_id"] != "" {
		securityGroupOpts.VpcId = rs.Attributes["vpc_id"]
	}

	if rs.Attributes["description"] != "" {
		securityGroupOpts.Description = rs.Attributes["description"]
	}

	log.Printf("[DEBUG] Security Group create configuration: %#v", securityGroupOpts)
	createResp, err := ec2conn.CreateSecurityGroup(securityGroupOpts)
	if err != nil {
		return nil, fmt.Errorf("Error creating Security Group: %s", err)
	}

	rs.ID = createResp.Id
	group := createResp.SecurityGroup

	log.Printf("[INFO] Security Group ID: %s", rs.ID)

	// Wait for the security group to truly exist
	log.Printf(
		"[DEBUG] Waiting for SG (%s) to exist",
		s.ID)
	stateConf := &resource.StateChangeConf{
		Pending: []string{""},
		Target:  "exists",
		Refresh: SGStateRefreshFunc(ec2conn, rs.ID),
		Timeout: 1 * time.Minute,
	}
	if _, err := stateConf.WaitForState(); err != nil {
		return s, fmt.Errorf(
			"Error waiting for SG (%s) to become available: %s",
			rs.ID, err)
	}

	// Expand the "ingress" array to goamz compat []ec2.IPPerm
	ingressRules := []ec2.IPPerm{}
	v, ok := flatmap.Expand(rs.Attributes, "ingress").([]interface{})
	if ok {
		ingressRules, err = expandIPPerms(v)
		if err != nil {
			return rs, err
		}
	}

	if len(ingressRules) > 0 {
		_, err = ec2conn.AuthorizeSecurityGroup(group, ingressRules)
		if err != nil {
			return rs, fmt.Errorf("Error authorizing security group ingress rules: %s", err)
		}
	}

	return resource_aws_security_group_refresh(rs, meta)
}

func resource_aws_security_group_destroy(
	s *terraform.ResourceState,
	meta interface{}) error {
	p := meta.(*ResourceProvider)
	ec2conn := p.ec2conn

	log.Printf("[DEBUG] Security Group destroy: %v", s.ID)

	_, err := ec2conn.DeleteSecurityGroup(ec2.SecurityGroup{Id: s.ID})
	if err != nil {
		ec2err, ok := err.(*ec2.Error)
		if ok && ec2err.Code == "InvalidGroup.NotFound" {
			return nil
		}
	}

	return err
}

func resource_aws_security_group_refresh(
	s *terraform.ResourceState,
	meta interface{}) (*terraform.ResourceState, error) {
	p := meta.(*ResourceProvider)
	ec2conn := p.ec2conn

	sgRaw, _, err := SGStateRefreshFunc(ec2conn, s.ID)()
	if err != nil {
		return s, err
	}
	if sgRaw == nil {
		return nil, nil
	}

	return resource_aws_security_group_update_state(
		s, sgRaw.(*ec2.SecurityGroupInfo))
}

func resource_aws_security_group_diff(
	s *terraform.ResourceState,
	c *terraform.ResourceConfig,
	meta interface{}) (*terraform.ResourceDiff, error) {

	b := &diff.ResourceBuilder{
		Attrs: map[string]diff.AttrType{
			"name":        diff.AttrTypeCreate,
			"description": diff.AttrTypeUpdate,
			"ingress":     diff.AttrTypeUpdate,
			"vpc_id":      diff.AttrTypeCreate,
		},

		ComputedAttrs: []string{
			"owner_id",
			"vpc_id",
		},
	}

	return b.Diff(s, c)
}

func resource_aws_security_group_update_state(
	s *terraform.ResourceState,
	sg *ec2.SecurityGroupInfo) (*terraform.ResourceState, error) {

	s.Attributes["description"] = sg.Description
	s.Attributes["name"] = sg.Name
	s.Attributes["vpc_id"] = sg.VpcId
	s.Attributes["owner_id"] = sg.OwnerId

	// Flatten our ingress values
	toFlatten := make(map[string]interface{})
	toFlatten["ingress"] = flattenIPPerms(sg.IPPerms)

	for k, v := range flatmap.Flatten(toFlatten) {
		s.Attributes[k] = v
	}

	s.Dependencies = nil
	if s.Attributes["vpc_id"] != "" {
		s.Dependencies = append(s.Dependencies,
			terraform.ResourceDependency{ID: s.Attributes["vpc_id"]},
		)
	}

	return s, nil
}

func resource_aws_security_group_validation() *config.Validator {
	return &config.Validator{
		Required: []string{
			"name",
			"ingress.*",
			"ingress.*.from_port",
			"ingress.*.to_port",
			"ingress.*.protocol",
		},
		Optional: []string{
			"description",
			"vpc_id",
			"owner_id",
			"ingress.*.cidr_blocks.*",
			"ingress.*.security_groups.*",
		},
	}
}

// SGStateRefreshFunc returns a resource.StateRefreshFunc that is used to watch
// a security group.
func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
	return func() (interface{}, string, error) {
		sgs := []ec2.SecurityGroup{ec2.SecurityGroup{Id: id}}
		resp, err := conn.SecurityGroups(sgs, nil)
		if err != nil {
			if ec2err, ok := err.(*ec2.Error); ok {
				if ec2err.Code == "InvalidSecurityGroupID.NotFound" ||
					ec2err.Code == "InvalidGroup.NotFound" {
					resp = nil
					err = nil
				}
			}

			if err != nil {
				log.Printf("Error on SGStateRefresh: %s", err)
				return nil, "", err
			}
		}

		if resp == nil {
			return nil, "", nil
		}

		group := &resp.Groups[0]
		return group, "exists", nil
	}
}
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`package aws`

			`import (`
			`"fmt"`
			`"log"`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`"time"`
providers/aws: security groups 2014-07-08 20:06:39 +02:00
terraform: add ID to diff implicitly 2014-07-09 01:58:31 +02:00			`"github.com/hashicorp/terraform/flatmap"`
providers/aws: security group validations 2014-07-15 18:40:20 +02:00			`"github.com/hashicorp/terraform/helper/config"`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`"github.com/hashicorp/terraform/helper/diff"`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`"github.com/hashicorp/terraform/helper/resource"`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`"github.com/hashicorp/terraform/terraform"`
			`"github.com/mitchellh/goamz/ec2"`
			`)`

			`func resource_aws_security_group_create(`
			`s *terraform.ResourceState,`
			`d *terraform.ResourceDiff,`
			`meta interface{}) (*terraform.ResourceState, error) {`
			`p := meta.(*ResourceProvider)`
			`ec2conn := p.ec2conn`

			`// Merge the diff into the state so that we have all the attributes`
			`// properly.`
			`rs := s.MergeDiff(d)`

			`securityGroupOpts := ec2.SecurityGroup{`
providers/aws: actually return ingress rule on refresh, tests 2014-07-17 02:13:16 +02:00			`Name: rs.Attributes["name"],`
			`}`

			`if rs.Attributes["vpc_id"] != "" {`
			`securityGroupOpts.VpcId = rs.Attributes["vpc_id"]`
			`}`

			`if rs.Attributes["description"] != "" {`
			`securityGroupOpts.Description = rs.Attributes["description"]`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`}`

			`log.Printf("[DEBUG] Security Group create configuration: %#v", securityGroupOpts)`
			`createResp, err := ec2conn.CreateSecurityGroup(securityGroupOpts)`
			`if err != nil {`
			`return nil, fmt.Errorf("Error creating Security Group: %s", err)`
			`}`

			`rs.ID = createResp.Id`
providers/aws: egress and ingress for sg 2014-07-08 22:33:59 +02:00			`group := createResp.SecurityGroup`
providers/aws: security groups 2014-07-08 20:06:39 +02:00
			`log.Printf("[INFO] Security Group ID: %s", rs.ID)`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00
			`// Wait for the security group to truly exist`
			`log.Printf(`
			`"[DEBUG] Waiting for SG (%s) to exist",`
			`s.ID)`
			`stateConf := &resource.StateChangeConf{`
			`Pending: []string{""},`
			`Target: "exists",`
			`Refresh: SGStateRefreshFunc(ec2conn, rs.ID),`
			`Timeout: 1 * time.Minute,`
			`}`
			`if _, err := stateConf.WaitForState(); err != nil {`
			`return s, fmt.Errorf(`
			`"Error waiting for SG (%s) to become available: %s",`
			`rs.ID, err)`
			`}`
providers/aws: security groups 2014-07-08 20:06:39 +02:00
providers/aws: egress and ingress for sg 2014-07-08 22:33:59 +02:00			`// Expand the "ingress" array to goamz compat []ec2.IPPerm`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`ingressRules := []ec2.IPPerm{}`
providers/aws: ingress and egress rules 2014-07-08 23:47:03 +02:00			`v, ok := flatmap.Expand(rs.Attributes, "ingress").([]interface{})`
			`if ok {`
providers/aws: fixed tons of aws stuff 2014-07-25 00:50:18 +02:00			`ingressRules, err = expandIPPerms(v)`
			`if err != nil {`
			`return rs, err`
			`}`
providers/aws: ingress and egress rules 2014-07-08 23:47:03 +02:00			`}`
providers/aws: egress and ingress for sg 2014-07-08 22:33:59 +02:00
providers/aws: ingress and egress rules 2014-07-08 23:47:03 +02:00			`if len(ingressRules) > 0 {`
providers/aws: egress and ingress for sg 2014-07-08 22:33:59 +02:00			`_, err = ec2conn.AuthorizeSecurityGroup(group, ingressRules)`
			`if err != nil {`
			`return rs, fmt.Errorf("Error authorizing security group ingress rules: %s", err)`
			`}`
			`}`

providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`return resource_aws_security_group_refresh(rs, meta)`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`}`

			`func resource_aws_security_group_destroy(`
			`s *terraform.ResourceState,`
			`meta interface{}) error {`
			`p := meta.(*ResourceProvider)`
			`ec2conn := p.ec2conn`

			`log.Printf("[DEBUG] Security Group destroy: %v", s.ID)`

			`_, err := ec2conn.DeleteSecurityGroup(ec2.SecurityGroup{Id: s.ID})`
			`if err != nil {`
			`ec2err, ok := err.(*ec2.Error)`
			`if ok && ec2err.Code == "InvalidGroup.NotFound" {`
			`return nil`
			`}`
			`}`

			`return err`
			`}`

			`func resource_aws_security_group_refresh(`
			`s *terraform.ResourceState,`
			`meta interface{}) (*terraform.ResourceState, error) {`
			`p := meta.(*ResourceProvider)`
			`ec2conn := p.ec2conn`

providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`sgRaw, _, err := SGStateRefreshFunc(ec2conn, s.ID)()`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`if err != nil {`
			`return s, err`
			`}`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`if sgRaw == nil {`
			`return nil, nil`
			`}`
providers/aws: security groups 2014-07-08 20:06:39 +02:00
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`return resource_aws_security_group_update_state(`
			`s, sgRaw.(*ec2.SecurityGroupInfo))`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`}`

			`func resource_aws_security_group_diff(`
			`s *terraform.ResourceState,`
			`c *terraform.ResourceConfig,`
			`meta interface{}) (*terraform.ResourceDiff, error) {`

			`b := &diff.ResourceBuilder{`
			`Attrs: map[string]diff.AttrType{`
			`"name": diff.AttrTypeCreate,`
providers/aws: fix tests for aws_security_group 2014-07-16 16:50:52 +02:00			`"description": diff.AttrTypeUpdate,`
terraform: add ID to diff implicitly 2014-07-09 01:58:31 +02:00			`"ingress": diff.AttrTypeUpdate,`
providers/aws: VPC assignment fix, and dependencies for destroy 2014-07-17 19:03:15 +02:00			`"vpc_id": diff.AttrTypeCreate,`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`},`

			`ComputedAttrs: []string{`
			`"owner_id",`
providers/aws: actually return ingress rule on refresh, tests 2014-07-17 02:13:16 +02:00			`"vpc_id",`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`},`
			`}`

			`return b.Diff(s, c)`
			`}`

			`func resource_aws_security_group_update_state(`
			`s *terraform.ResourceState,`
			`sg ec2.SecurityGroupInfo) (terraform.ResourceState, error) {`

providers/aws: fix SG typo 2014-07-09 18:18:17 +02:00			`s.Attributes["description"] = sg.Description`
providers/aws: security groups 2014-07-08 20:06:39 +02:00			`s.Attributes["name"] = sg.Name`
			`s.Attributes["vpc_id"] = sg.VpcId`
			`s.Attributes["owner_id"] = sg.OwnerId`

providers/aws: actually return ingress rule on refresh, tests 2014-07-17 02:13:16 +02:00			`// Flatten our ingress values`
providers/aws: sg flattening of refresh 2014-07-09 02:24:50 +02:00			`toFlatten := make(map[string]interface{})`
			`toFlatten["ingress"] = flattenIPPerms(sg.IPPerms)`

			`for k, v := range flatmap.Flatten(toFlatten) {`
			`s.Attributes[k] = v`
			`}`

providers/aws: VPC assignment fix, and dependencies for destroy 2014-07-17 19:03:15 +02:00			`s.Dependencies = nil`
			`if s.Attributes["vpc_id"] != "" {`
			`s.Dependencies = append(s.Dependencies,`
			`terraform.ResourceDependency{ID: s.Attributes["vpc_id"]},`
			`)`
			`}`

providers/aws: security groups 2014-07-08 20:06:39 +02:00			`return s, nil`
			`}`

providers/aws: security group validations 2014-07-15 18:40:20 +02:00			`func resource_aws_security_group_validation() *config.Validator {`
			`return &config.Validator{`
			`Required: []string{`
			`"name",`
providers/aws: fix security group validations 2014-07-15 20:19:24 +02:00			`"ingress.*",`
providers/aws: fix tests for aws_security_group 2014-07-16 16:50:52 +02:00			`"ingress.*.from_port",`
			`"ingress.*.to_port",`
			`"ingress.*.protocol",`
providers/aws: security group validations 2014-07-15 18:40:20 +02:00			`},`
			`Optional: []string{`
			`"description",`
providers/aws: fix security group validations 2014-07-15 20:19:24 +02:00			`"vpc_id",`
			`"owner_id",`
providers/aws: actually return ingress rule on refresh, tests 2014-07-17 02:13:16 +02:00			`"ingress..cidr_blocks.",`
			`"ingress..security_groups.",`
providers/aws: security group validations 2014-07-15 18:40:20 +02:00			`},`
			`}`
			`}`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00
			`// SGStateRefreshFunc returns a resource.StateRefreshFunc that is used to watch`
			`// a security group.`
			`func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {`
			`return func() (interface{}, string, error) {`
			`sgs := []ec2.SecurityGroup{ec2.SecurityGroup{Id: id}}`
			`resp, err := conn.SecurityGroups(sgs, nil)`
			`if err != nil {`
providers/aws/aws_security_group: we need to check for one other error 2014-07-17 20:28:40 +02:00			`if ec2err, ok := err.(*ec2.Error); ok {`
			`if ec2err.Code == "InvalidSecurityGroupID.NotFound" \|\|`
			`ec2err.Code == "InvalidGroup.NotFound" {`
			`resp = nil`
			`err = nil`
			`}`
			`}`

			`if err != nil {`
providers/aws/aws_security_group: wait for it to exist 2014-07-17 20:14:51 +02:00			`log.Printf("Error on SGStateRefresh: %s", err)`
			`return nil, "", err`
			`}`
			`}`

			`if resp == nil {`
			`return nil, "", nil`
			`}`

			`group := &resp.Groups[0]`
			`return group, "exists", nil`
			`}`
			`}`