Merge pull request #856 from CashStar/aws_egress
provider/aws: adding support for egress rules in AWS Security Groups
This commit is contained in:
commit
0feb29944c
|
@ -81,7 +81,52 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Set: resourceAwsSecurityGroupIngressHash,
|
Set: resourceAwsSecurityGroupRuleHash,
|
||||||
|
},
|
||||||
|
|
||||||
|
"egress": &schema.Schema{
|
||||||
|
Type: schema.TypeSet,
|
||||||
|
Optional: true,
|
||||||
|
Elem: &schema.Resource{
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"from_port": &schema.Schema{
|
||||||
|
Type: schema.TypeInt,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"to_port": &schema.Schema{
|
||||||
|
Type: schema.TypeInt,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"protocol": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"cidr_blocks": &schema.Schema{
|
||||||
|
Type: schema.TypeList,
|
||||||
|
Optional: true,
|
||||||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||||||
|
},
|
||||||
|
|
||||||
|
"security_groups": &schema.Schema{
|
||||||
|
Type: schema.TypeSet,
|
||||||
|
Optional: true,
|
||||||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||||||
|
Set: func(v interface{}) int {
|
||||||
|
return hashcode.String(v.(string))
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
"self": &schema.Schema{
|
||||||
|
Type: schema.TypeBool,
|
||||||
|
Optional: true,
|
||||||
|
Default: false,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Set: resourceAwsSecurityGroupRuleHash,
|
||||||
},
|
},
|
||||||
|
|
||||||
"owner_id": &schema.Schema{
|
"owner_id": &schema.Schema{
|
||||||
|
@ -139,28 +184,14 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
||||||
return resourceAwsSecurityGroupUpdate(d, meta)
|
return resourceAwsSecurityGroupUpdate(d, meta)
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPerm) []map[string]interface{} {
|
||||||
ec2conn := meta.(*AWSClient).ec2conn
|
ruleMap := make(map[string]map[string]interface{})
|
||||||
|
for _, perm := range permissions {
|
||||||
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if sgRaw == nil {
|
|
||||||
d.SetId("")
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
sg := sgRaw.(*ec2.SecurityGroupInfo)
|
|
||||||
|
|
||||||
// Gather our ingress rules
|
|
||||||
ingressMap := make(map[string]map[string]interface{})
|
|
||||||
for _, perm := range sg.IPPerms {
|
|
||||||
k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort)
|
k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort)
|
||||||
m, ok := ingressMap[k]
|
m, ok := ruleMap[k]
|
||||||
if !ok {
|
if !ok {
|
||||||
m = make(map[string]interface{})
|
m = make(map[string]interface{})
|
||||||
ingressMap[k] = m
|
ruleMap[k] = m
|
||||||
}
|
}
|
||||||
|
|
||||||
m["from_port"] = perm.FromPort
|
m["from_port"] = perm.FromPort
|
||||||
|
@ -200,22 +231,15 @@ func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) erro
|
||||||
m["security_groups"] = list
|
m["security_groups"] = list
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ingressRules := make([]map[string]interface{}, 0, len(ingressMap))
|
rules := make([]map[string]interface{}, 0, len(ruleMap))
|
||||||
for _, m := range ingressMap {
|
for _, m := range ruleMap {
|
||||||
ingressRules = append(ingressRules, m)
|
rules = append(rules, m)
|
||||||
}
|
}
|
||||||
|
|
||||||
d.Set("description", sg.Description)
|
return rules
|
||||||
d.Set("name", sg.Name)
|
|
||||||
d.Set("vpc_id", sg.VpcId)
|
|
||||||
d.Set("owner_id", sg.OwnerId)
|
|
||||||
d.Set("ingress", ingressRules)
|
|
||||||
d.Set("tags", tagsToMap(sg.Tags))
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
ec2conn := meta.(*AWSClient).ec2conn
|
ec2conn := meta.(*AWSClient).ec2conn
|
||||||
|
|
||||||
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
|
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
|
||||||
|
@ -226,10 +250,26 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
|
||||||
d.SetId("")
|
d.SetId("")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
|
|
||||||
|
|
||||||
if d.HasChange("ingress") {
|
sg := sgRaw.(*ec2.SecurityGroupInfo)
|
||||||
o, n := d.GetChange("ingress")
|
|
||||||
|
ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPerms)
|
||||||
|
egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermsEgress)
|
||||||
|
|
||||||
|
d.Set("description", sg.Description)
|
||||||
|
d.Set("name", sg.Name)
|
||||||
|
d.Set("vpc_id", sg.VpcId)
|
||||||
|
d.Set("owner_id", sg.OwnerId)
|
||||||
|
d.Set("ingress", ingressRules)
|
||||||
|
d.Set("egress", egressRules)
|
||||||
|
d.Set("tags", tagsToMap(sg.Tags))
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceAwsSecurityGroupUpdateRules(d *schema.ResourceData, ruleset string, meta interface{}, group ec2.SecurityGroup) error {
|
||||||
|
if d.HasChange(ruleset) {
|
||||||
|
o, n := d.GetChange(ruleset)
|
||||||
if o == nil {
|
if o == nil {
|
||||||
o = new(schema.Set)
|
o = new(schema.Set)
|
||||||
}
|
}
|
||||||
|
@ -252,29 +292,70 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
|
||||||
// adding is easier here, and Terraform should be fast enough to
|
// adding is easier here, and Terraform should be fast enough to
|
||||||
// not have service issues.
|
// not have service issues.
|
||||||
|
|
||||||
|
if len(remove) > 0 || len(add) > 0 {
|
||||||
|
|
||||||
|
ec2conn := meta.(*AWSClient).ec2conn
|
||||||
|
|
||||||
if len(remove) > 0 {
|
if len(remove) > 0 {
|
||||||
// Revoke the old rules
|
// Revoke the old rules
|
||||||
_, err = ec2conn.RevokeSecurityGroup(group, remove)
|
revoke := ec2conn.RevokeSecurityGroup
|
||||||
|
if ruleset == "egress" {
|
||||||
|
revoke = ec2conn.RevokeSecurityGroupEgress
|
||||||
|
}
|
||||||
|
_, err := revoke(group, remove)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
return fmt.Errorf("Error revoking security group %s rules: %s", ruleset, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(add) > 0 {
|
if len(add) > 0 {
|
||||||
// Authorize the new rules
|
// Authorize the new rules
|
||||||
_, err := ec2conn.AuthorizeSecurityGroup(group, add)
|
authorize := ec2conn.AuthorizeSecurityGroup
|
||||||
if err != nil {
|
if ruleset == "egress" {
|
||||||
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
authorize = ec2conn.AuthorizeSecurityGroupEgress
|
||||||
}
|
}
|
||||||
|
_, err := authorize(group, add)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error authorizing security group %s rules: %s", ruleset, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
ec2conn := meta.(*AWSClient).ec2conn
|
||||||
|
|
||||||
|
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if sgRaw == nil {
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
|
||||||
|
|
||||||
|
err = resourceAwsSecurityGroupUpdateRules(d, "ingress", ec2conn, group)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if d.Get("vpc_id") != nil {
|
||||||
|
err = resourceAwsSecurityGroupUpdateRules(d, "egress", ec2conn, group)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := setTags(ec2conn, d); err != nil {
|
if err := setTags(ec2conn, d); err != nil {
|
||||||
return err
|
return err
|
||||||
} else {
|
|
||||||
d.SetPartial("tags")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
d.SetPartial("tags")
|
||||||
|
|
||||||
return resourceAwsSecurityGroupRead(d, meta)
|
return resourceAwsSecurityGroupRead(d, meta)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -307,7 +388,7 @@ func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) er
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceAwsSecurityGroupIngressHash(v interface{}) int {
|
func resourceAwsSecurityGroupRuleHash(v interface{}) int {
|
||||||
var buf bytes.Buffer
|
var buf bytes.Buffer
|
||||||
m := v.(map[string]interface{})
|
m := v.(map[string]interface{})
|
||||||
buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int)))
|
buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int)))
|
||||||
|
|
|
@ -123,6 +123,16 @@ func TestAccAWSSecurityGroup_vpc(t *testing.T) {
|
||||||
"aws_security_group.web", "ingress.332851786.cidr_blocks.#", "1"),
|
"aws_security_group.web", "ingress.332851786.cidr_blocks.#", "1"),
|
||||||
resource.TestCheckResourceAttr(
|
resource.TestCheckResourceAttr(
|
||||||
"aws_security_group.web", "ingress.332851786.cidr_blocks.0", "10.0.0.0/8"),
|
"aws_security_group.web", "ingress.332851786.cidr_blocks.0", "10.0.0.0/8"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_security_group.web", "egress.332851786.protocol", "tcp"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_security_group.web", "egress.332851786.from_port", "80"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_security_group.web", "egress.332851786.to_port", "8000"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_security_group.web", "egress.332851786.cidr_blocks.#", "1"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"aws_security_group.web", "egress.332851786.cidr_blocks.0", "10.0.0.0/8"),
|
||||||
testCheck,
|
testCheck,
|
||||||
),
|
),
|
||||||
},
|
},
|
||||||
|
@ -418,6 +428,13 @@ resource "aws_security_group" "web" {
|
||||||
to_port = 8000
|
to_port = 8000
|
||||||
cidr_blocks = ["10.0.0.0/8"]
|
cidr_blocks = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
egress {
|
||||||
|
protocol = "tcp"
|
||||||
|
from_port = 80
|
||||||
|
to_port = 8000
|
||||||
|
cidr_blocks = ["10.0.0.0/8"]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
`
|
`
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,13 @@ resource "aws_security_group" "allow_all" {
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
cidr_blocks = ["0.0.0.0/0"]
|
cidr_blocks = ["0.0.0.0/0"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
egress {
|
||||||
|
from_port = 0
|
||||||
|
to_port = 65535
|
||||||
|
protocol = "tcp"
|
||||||
|
cidr_blocks = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -56,6 +63,9 @@ The following arguments are supported:
|
||||||
* `description` - (Required) The security group description.
|
* `description` - (Required) The security group description.
|
||||||
* `ingress` - (Optional) Can be specified multiple times for each
|
* `ingress` - (Optional) Can be specified multiple times for each
|
||||||
ingress rule. Each ingress block supports fields documented below.
|
ingress rule. Each ingress block supports fields documented below.
|
||||||
|
* `egress` - (Optional) Can be specified multiple times for each
|
||||||
|
egress rule. Each egress block supports fields documented below.
|
||||||
|
VPC only.
|
||||||
* `vpc_id` - (Optional) The VPC ID.
|
* `vpc_id` - (Optional) The VPC ID.
|
||||||
* `owner_id` - (Optional) The AWS Owner ID.
|
* `owner_id` - (Optional) The AWS Owner ID.
|
||||||
|
|
||||||
|
@ -70,6 +80,17 @@ The `ingress` block supports:
|
||||||
* `to_port` - (Required) The end range port.
|
* `to_port` - (Required) The end range port.
|
||||||
* `tags` - (Optional) A mapping of tags to assign to the resource.
|
* `tags` - (Optional) A mapping of tags to assign to the resource.
|
||||||
|
|
||||||
|
The `egress` block supports:
|
||||||
|
|
||||||
|
* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
|
||||||
|
* `from_port` - (Required) The start port.
|
||||||
|
* `protocol` - (Required) The protocol.
|
||||||
|
* `security_groups` - (Optional) List of security group IDs. Cannot be used with `cidr_blocks`.
|
||||||
|
* `self` - (Optional) If true, the security group itself will be added as
|
||||||
|
a source to this egress rule.
|
||||||
|
* `to_port` - (Required) The end range port.
|
||||||
|
* `tags` - (Optional) A mapping of tags to assign to the resource.
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
The following attributes are exported:
|
The following attributes are exported:
|
||||||
|
@ -80,3 +101,4 @@ The following attributes are exported:
|
||||||
* `name` - The name of the security group
|
* `name` - The name of the security group
|
||||||
* `description` - The description of the security group
|
* `description` - The description of the security group
|
||||||
* `ingress` - The ingress rules. See above for more.
|
* `ingress` - The ingress rules. See above for more.
|
||||||
|
* `egress` - The egress rules. See above for more.
|
||||||
|
|
Loading…
Reference in New Issue