terraform/builtin/providers/aws/resource_aws_db_security_gr...

292 lines
7.2 KiB
Go
Raw Normal View History

2014-07-23 04:22:52 +02:00
package aws
import (
2014-11-24 14:04:48 +01:00
"bytes"
2014-07-23 04:22:52 +02:00
"fmt"
"log"
"time"
2015-04-15 22:02:52 +02:00
"github.com/awslabs/aws-sdk-go/aws"
"github.com/awslabs/aws-sdk-go/service/rds"
2014-11-24 14:04:48 +01:00
"github.com/hashicorp/terraform/helper/hashcode"
2014-07-23 04:22:52 +02:00
"github.com/hashicorp/terraform/helper/multierror"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
2014-07-23 04:22:52 +02:00
)
func resourceAwsDbSecurityGroup() *schema.Resource {
return &schema.Resource{
Create: resourceAwsDbSecurityGroupCreate,
Read: resourceAwsDbSecurityGroupRead,
Delete: resourceAwsDbSecurityGroupDelete,
Schema: map[string]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"description": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"ingress": &schema.Schema{
2014-11-24 14:04:48 +01:00
Type: schema.TypeSet,
Required: true,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"cidr": &schema.Schema{
Type: schema.TypeString,
2014-11-24 14:04:48 +01:00
Optional: true,
},
"security_group_name": &schema.Schema{
Type: schema.TypeString,
2014-11-24 14:04:48 +01:00
Optional: true,
Computed: true,
},
"security_group_id": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Computed: true,
},
"security_group_owner_id": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Computed: true,
},
},
},
2014-11-24 14:04:48 +01:00
Set: resourceAwsDbSecurityGroupIngressHash,
},
},
}
}
2014-07-23 04:22:52 +02:00
func resourceAwsDbSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).rdsconn
2014-07-23 04:22:52 +02:00
var err error
var errs []error
2015-04-15 22:02:52 +02:00
opts := rds.CreateDBSecurityGroupInput{
DBSecurityGroupName: aws.String(d.Get("name").(string)),
DBSecurityGroupDescription: aws.String(d.Get("description").(string)),
2014-07-23 04:22:52 +02:00
}
log.Printf("[DEBUG] DB Security Group create configuration: %#v", opts)
_, err = conn.CreateDBSecurityGroup(&opts)
if err != nil {
return fmt.Errorf("Error creating DB Security Group: %s", err)
2014-07-23 04:22:52 +02:00
}
d.SetId(d.Get("name").(string))
2014-07-23 04:22:52 +02:00
log.Printf("[INFO] DB Security Group ID: %s", d.Id())
2014-07-23 04:22:52 +02:00
sg, err := resourceAwsDbSecurityGroupRetrieve(d, meta)
2014-07-23 04:22:52 +02:00
if err != nil {
return err
2014-07-23 04:22:52 +02:00
}
2014-11-24 14:04:48 +01:00
ingresses := d.Get("ingress").(*schema.Set)
for _, ing := range ingresses.List() {
err := resourceAwsDbSecurityGroupAuthorizeRule(ing, *sg.DBSecurityGroupName, conn)
2014-11-24 14:04:48 +01:00
if err != nil {
errs = append(errs, err)
2014-07-23 04:22:52 +02:00
}
2014-11-24 14:04:48 +01:00
}
2014-07-23 04:22:52 +02:00
2014-11-24 14:04:48 +01:00
if len(errs) > 0 {
return &multierror.Error{Errors: errs}
2014-07-23 04:22:52 +02:00
}
log.Println(
"[INFO] Waiting for Ingress Authorizations to be authorized")
stateConf := &resource.StateChangeConf{
Pending: []string{"authorizing"},
Target: "authorized",
2014-11-24 14:04:48 +01:00
Refresh: resourceAwsDbSecurityGroupStateRefreshFunc(d, meta),
2014-07-23 04:22:52 +02:00
Timeout: 10 * time.Minute,
}
// Wait, catching any errors
_, err = stateConf.WaitForState()
if err != nil {
return err
}
return resourceAwsDbSecurityGroupRead(d, meta)
2014-07-23 04:22:52 +02:00
}
func resourceAwsDbSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
sg, err := resourceAwsDbSecurityGroupRetrieve(d, meta)
2014-07-23 04:22:52 +02:00
if err != nil {
return err
2014-07-23 04:22:52 +02:00
}
d.Set("name", *sg.DBSecurityGroupName)
d.Set("description", *sg.DBSecurityGroupDescription)
2014-07-23 04:22:52 +02:00
2014-11-24 14:04:48 +01:00
// Create an empty schema.Set to hold all ingress rules
rules := &schema.Set{
F: resourceAwsDbSecurityGroupIngressHash,
2014-07-23 04:22:52 +02:00
}
for _, v := range sg.IPRanges {
rule := map[string]interface{}{"cidr": *v.CIDRIP}
2014-11-24 14:04:48 +01:00
rules.Add(rule)
2014-07-23 04:22:52 +02:00
}
for _, g := range sg.EC2SecurityGroups {
2014-11-24 14:04:48 +01:00
rule := map[string]interface{}{
"security_group_name": *g.EC2SecurityGroupName,
"security_group_id": *g.EC2SecurityGroupID,
"security_group_owner_id": *g.EC2SecurityGroupOwnerID,
2014-11-24 14:04:48 +01:00
}
rules.Add(rule)
2014-07-23 04:22:52 +02:00
}
2014-11-24 14:04:48 +01:00
d.Set("ingress", rules)
return nil
2014-07-23 04:22:52 +02:00
}
func resourceAwsDbSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).rdsconn
log.Printf("[DEBUG] DB Security Group destroy: %v", d.Id())
2015-04-15 22:02:52 +02:00
opts := rds.DeleteDBSecurityGroupInput{DBSecurityGroupName: aws.String(d.Id())}
log.Printf("[DEBUG] DB Security Group destroy configuration: %v", opts)
2015-04-15 22:02:52 +02:00
_, err := conn.DeleteDBSecurityGroup(&opts)
if err != nil {
newerr, ok := err.(aws.APIError)
if ok && newerr.Code == "InvalidDBSecurityGroup.NotFound" {
return nil
}
return err
}
return nil
}
func resourceAwsDbSecurityGroupRetrieve(d *schema.ResourceData, meta interface{}) (*rds.DBSecurityGroup, error) {
conn := meta.(*AWSClient).rdsconn
2015-04-15 22:02:52 +02:00
opts := rds.DescribeDBSecurityGroupsInput{
DBSecurityGroupName: aws.String(d.Id()),
2014-07-23 04:22:52 +02:00
}
log.Printf("[DEBUG] DB Security Group describe configuration: %#v", opts)
resp, err := conn.DescribeDBSecurityGroups(&opts)
if err != nil {
return nil, fmt.Errorf("Error retrieving DB Security Groups: %s", err)
}
if len(resp.DBSecurityGroups) != 1 ||
*resp.DBSecurityGroups[0].DBSecurityGroupName != d.Id() {
return nil, fmt.Errorf("Unable to find DB Security Group: %#v", resp.DBSecurityGroups)
2014-07-23 04:22:52 +02:00
}
2015-04-15 22:02:52 +02:00
return resp.DBSecurityGroups[0], nil
2014-07-23 04:22:52 +02:00
}
// Authorizes the ingress rule on the db security group
func resourceAwsDbSecurityGroupAuthorizeRule(ingress interface{}, dbSecurityGroupName string, conn *rds.RDS) error {
2014-07-23 04:22:52 +02:00
ing := ingress.(map[string]interface{})
2015-04-15 22:02:52 +02:00
opts := rds.AuthorizeDBSecurityGroupIngressInput{
DBSecurityGroupName: aws.String(dbSecurityGroupName),
2014-07-23 04:22:52 +02:00
}
2014-11-24 14:04:48 +01:00
if attr, ok := ing["cidr"]; ok && attr != "" {
opts.CIDRIP = aws.String(attr.(string))
2014-11-24 14:04:48 +01:00
}
2014-07-23 04:22:52 +02:00
2014-11-24 14:04:48 +01:00
if attr, ok := ing["security_group_name"]; ok && attr != "" {
opts.EC2SecurityGroupName = aws.String(attr.(string))
2014-07-23 04:22:52 +02:00
}
2014-11-24 14:04:48 +01:00
if attr, ok := ing["security_group_id"]; ok && attr != "" {
opts.EC2SecurityGroupID = aws.String(attr.(string))
2014-11-24 14:04:48 +01:00
}
if attr, ok := ing["security_group_owner_id"]; ok && attr != "" {
opts.EC2SecurityGroupOwnerID = aws.String(attr.(string))
2014-07-23 04:22:52 +02:00
}
log.Printf("[DEBUG] Authorize ingress rule configuration: %#v", opts)
_, err := conn.AuthorizeDBSecurityGroupIngress(&opts)
if err != nil {
return fmt.Errorf("Error authorizing security group ingress: %s", err)
}
return nil
}
2014-11-24 14:04:48 +01:00
func resourceAwsDbSecurityGroupIngressHash(v interface{}) int {
var buf bytes.Buffer
m := v.(map[string]interface{})
if v, ok := m["cidr"]; ok {
buf.WriteString(fmt.Sprintf("%s-", v.(string)))
}
if v, ok := m["security_group_name"]; ok {
buf.WriteString(fmt.Sprintf("%s-", v.(string)))
}
if v, ok := m["security_group_id"]; ok {
buf.WriteString(fmt.Sprintf("%s-", v.(string)))
}
if v, ok := m["security_group_owner_id"]; ok {
buf.WriteString(fmt.Sprintf("%s-", v.(string)))
}
return hashcode.String(buf.String())
}
func resourceAwsDbSecurityGroupStateRefreshFunc(
d *schema.ResourceData, meta interface{}) resource.StateRefreshFunc {
2014-07-23 04:22:52 +02:00
return func() (interface{}, string, error) {
2014-11-24 14:04:48 +01:00
v, err := resourceAwsDbSecurityGroupRetrieve(d, meta)
2014-07-23 04:22:52 +02:00
if err != nil {
log.Printf("Error on retrieving DB Security Group when waiting: %s", err)
return nil, "", err
}
statuses := make([]string, 0, len(v.EC2SecurityGroups)+len(v.IPRanges))
for _, ec2g := range v.EC2SecurityGroups {
statuses = append(statuses, *ec2g.Status)
}
for _, ips := range v.IPRanges {
statuses = append(statuses, *ips.Status)
}
2014-07-23 04:22:52 +02:00
for _, stat := range statuses {
// Not done
if stat != "authorized" {
return nil, "authorizing", nil
}
}
return v, "authorized", nil
}
}