Merge pull request #856 from CashStar/aws_egress

provider/aws: adding support for egress rules in AWS Security Groups
This commit is contained in:
Mitchell Hashimoto 2015-02-17 13:59:47 -08:00
commit 0feb29944c
3 changed files with 169 additions and 49 deletions

View File

@ -81,7 +81,52 @@ func resourceAwsSecurityGroup() *schema.Resource {
}, },
}, },
}, },
Set: resourceAwsSecurityGroupIngressHash, Set: resourceAwsSecurityGroupRuleHash,
},
"egress": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"from_port": &schema.Schema{
Type: schema.TypeInt,
Required: true,
},
"to_port": &schema.Schema{
Type: schema.TypeInt,
Required: true,
},
"protocol": &schema.Schema{
Type: schema.TypeString,
Required: true,
},
"cidr_blocks": &schema.Schema{
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"security_groups": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
Set: func(v interface{}) int {
return hashcode.String(v.(string))
},
},
"self": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: false,
},
},
},
Set: resourceAwsSecurityGroupRuleHash,
}, },
"owner_id": &schema.Schema{ "owner_id": &schema.Schema{
@ -139,28 +184,14 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
return resourceAwsSecurityGroupUpdate(d, meta) return resourceAwsSecurityGroupUpdate(d, meta)
} }
func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error { func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPerm) []map[string]interface{} {
ec2conn := meta.(*AWSClient).ec2conn ruleMap := make(map[string]map[string]interface{})
for _, perm := range permissions {
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
if err != nil {
return err
}
if sgRaw == nil {
d.SetId("")
return nil
}
sg := sgRaw.(*ec2.SecurityGroupInfo)
// Gather our ingress rules
ingressMap := make(map[string]map[string]interface{})
for _, perm := range sg.IPPerms {
k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort) k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort)
m, ok := ingressMap[k] m, ok := ruleMap[k]
if !ok { if !ok {
m = make(map[string]interface{}) m = make(map[string]interface{})
ingressMap[k] = m ruleMap[k] = m
} }
m["from_port"] = perm.FromPort m["from_port"] = perm.FromPort
@ -200,22 +231,15 @@ func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) erro
m["security_groups"] = list m["security_groups"] = list
} }
} }
ingressRules := make([]map[string]interface{}, 0, len(ingressMap)) rules := make([]map[string]interface{}, 0, len(ruleMap))
for _, m := range ingressMap { for _, m := range ruleMap {
ingressRules = append(ingressRules, m) rules = append(rules, m)
} }
d.Set("description", sg.Description) return rules
d.Set("name", sg.Name)
d.Set("vpc_id", sg.VpcId)
d.Set("owner_id", sg.OwnerId)
d.Set("ingress", ingressRules)
d.Set("tags", tagsToMap(sg.Tags))
return nil
} }
func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error { func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
ec2conn := meta.(*AWSClient).ec2conn ec2conn := meta.(*AWSClient).ec2conn
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())() sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
@ -226,10 +250,26 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
d.SetId("") d.SetId("")
return nil return nil
} }
group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
if d.HasChange("ingress") { sg := sgRaw.(*ec2.SecurityGroupInfo)
o, n := d.GetChange("ingress")
ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPerms)
egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermsEgress)
d.Set("description", sg.Description)
d.Set("name", sg.Name)
d.Set("vpc_id", sg.VpcId)
d.Set("owner_id", sg.OwnerId)
d.Set("ingress", ingressRules)
d.Set("egress", egressRules)
d.Set("tags", tagsToMap(sg.Tags))
return nil
}
func resourceAwsSecurityGroupUpdateRules(d *schema.ResourceData, ruleset string, meta interface{}, group ec2.SecurityGroup) error {
if d.HasChange(ruleset) {
o, n := d.GetChange(ruleset)
if o == nil { if o == nil {
o = new(schema.Set) o = new(schema.Set)
} }
@ -252,29 +292,70 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
// adding is easier here, and Terraform should be fast enough to // adding is easier here, and Terraform should be fast enough to
// not have service issues. // not have service issues.
if len(remove) > 0 || len(add) > 0 {
ec2conn := meta.(*AWSClient).ec2conn
if len(remove) > 0 { if len(remove) > 0 {
// Revoke the old rules // Revoke the old rules
_, err = ec2conn.RevokeSecurityGroup(group, remove) revoke := ec2conn.RevokeSecurityGroup
if ruleset == "egress" {
revoke = ec2conn.RevokeSecurityGroupEgress
}
_, err := revoke(group, remove)
if err != nil { if err != nil {
return fmt.Errorf("Error authorizing security group ingress rules: %s", err) return fmt.Errorf("Error revoking security group %s rules: %s", ruleset, err)
} }
} }
if len(add) > 0 { if len(add) > 0 {
// Authorize the new rules // Authorize the new rules
_, err := ec2conn.AuthorizeSecurityGroup(group, add) authorize := ec2conn.AuthorizeSecurityGroup
if err != nil { if ruleset == "egress" {
return fmt.Errorf("Error authorizing security group ingress rules: %s", err) authorize = ec2conn.AuthorizeSecurityGroupEgress
} }
_, err := authorize(group, add)
if err != nil {
return fmt.Errorf("Error authorizing security group %s rules: %s", ruleset, err)
}
}
}
}
return nil
}
func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
ec2conn := meta.(*AWSClient).ec2conn
sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
if err != nil {
return err
}
if sgRaw == nil {
d.SetId("")
return nil
}
group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
err = resourceAwsSecurityGroupUpdateRules(d, "ingress", ec2conn, group)
if err != nil {
return err
}
if d.Get("vpc_id") != nil {
err = resourceAwsSecurityGroupUpdateRules(d, "egress", ec2conn, group)
if err != nil {
return err
} }
} }
if err := setTags(ec2conn, d); err != nil { if err := setTags(ec2conn, d); err != nil {
return err return err
} else {
d.SetPartial("tags")
} }
d.SetPartial("tags")
return resourceAwsSecurityGroupRead(d, meta) return resourceAwsSecurityGroupRead(d, meta)
} }
@ -307,7 +388,7 @@ func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) er
}) })
} }
func resourceAwsSecurityGroupIngressHash(v interface{}) int { func resourceAwsSecurityGroupRuleHash(v interface{}) int {
var buf bytes.Buffer var buf bytes.Buffer
m := v.(map[string]interface{}) m := v.(map[string]interface{})
buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int))) buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int)))

View File

@ -123,6 +123,16 @@ func TestAccAWSSecurityGroup_vpc(t *testing.T) {
"aws_security_group.web", "ingress.332851786.cidr_blocks.#", "1"), "aws_security_group.web", "ingress.332851786.cidr_blocks.#", "1"),
resource.TestCheckResourceAttr( resource.TestCheckResourceAttr(
"aws_security_group.web", "ingress.332851786.cidr_blocks.0", "10.0.0.0/8"), "aws_security_group.web", "ingress.332851786.cidr_blocks.0", "10.0.0.0/8"),
resource.TestCheckResourceAttr(
"aws_security_group.web", "egress.332851786.protocol", "tcp"),
resource.TestCheckResourceAttr(
"aws_security_group.web", "egress.332851786.from_port", "80"),
resource.TestCheckResourceAttr(
"aws_security_group.web", "egress.332851786.to_port", "8000"),
resource.TestCheckResourceAttr(
"aws_security_group.web", "egress.332851786.cidr_blocks.#", "1"),
resource.TestCheckResourceAttr(
"aws_security_group.web", "egress.332851786.cidr_blocks.0", "10.0.0.0/8"),
testCheck, testCheck,
), ),
}, },
@ -418,6 +428,13 @@ resource "aws_security_group" "web" {
to_port = 8000 to_port = 8000
cidr_blocks = ["10.0.0.0/8"] cidr_blocks = ["10.0.0.0/8"]
} }
egress {
protocol = "tcp"
from_port = 80
to_port = 8000
cidr_blocks = ["10.0.0.0/8"]
}
} }
` `

View File

@ -25,6 +25,13 @@ resource "aws_security_group" "allow_all" {
protocol = "tcp" protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
} }
``` ```
@ -56,6 +63,9 @@ The following arguments are supported:
* `description` - (Required) The security group description. * `description` - (Required) The security group description.
* `ingress` - (Optional) Can be specified multiple times for each * `ingress` - (Optional) Can be specified multiple times for each
ingress rule. Each ingress block supports fields documented below. ingress rule. Each ingress block supports fields documented below.
* `egress` - (Optional) Can be specified multiple times for each
egress rule. Each egress block supports fields documented below.
VPC only.
* `vpc_id` - (Optional) The VPC ID. * `vpc_id` - (Optional) The VPC ID.
* `owner_id` - (Optional) The AWS Owner ID. * `owner_id` - (Optional) The AWS Owner ID.
@ -70,6 +80,17 @@ The `ingress` block supports:
* `to_port` - (Required) The end range port. * `to_port` - (Required) The end range port.
* `tags` - (Optional) A mapping of tags to assign to the resource. * `tags` - (Optional) A mapping of tags to assign to the resource.
The `egress` block supports:
* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
* `from_port` - (Required) The start port.
* `protocol` - (Required) The protocol.
* `security_groups` - (Optional) List of security group IDs. Cannot be used with `cidr_blocks`.
* `self` - (Optional) If true, the security group itself will be added as
a source to this egress rule.
* `to_port` - (Required) The end range port.
* `tags` - (Optional) A mapping of tags to assign to the resource.
## Attributes Reference ## Attributes Reference
The following attributes are exported: The following attributes are exported:
@ -80,3 +101,4 @@ The following attributes are exported:
* `name` - The name of the security group * `name` - The name of the security group
* `description` - The description of the security group * `description` - The description of the security group
* `ingress` - The ingress rules. See above for more. * `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.