provider/aws: Convert AWS Security Group to aws-sdk-go

Convert security group test too
2015-03-09 10:02:27 -05:00 · 2015-03-09 10:02:27 -05:00 · 20b02cacd4
parent e32ad9e3ae
commit 20b02cacd4
3 changed files with 223 additions and 123 deletions
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@ -7,10 +7,11 @@ import (
 	"sort"
 	"time"

+	"github.com/hashicorp/aws-sdk-go/aws"
+	"github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/helper/schema"
-	"github.com/mitchellh/goamz/ec2"
 )

 func resourceAwsSecurityGroup() *schema.Resource {
@ -141,18 +142,18 @@ func resourceAwsSecurityGroup() *schema.Resource {
 }

 func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn

-	securityGroupOpts := ec2.SecurityGroup{
-		Name: d.Get("name").(string),
+	securityGroupOpts := &ec2.CreateSecurityGroupRequest{
+		GroupName: aws.String(d.Get("name").(string)),
 	}

 	if v := d.Get("vpc_id"); v != nil {
-		securityGroupOpts.VpcId = v.(string)
+		securityGroupOpts.VPCID = aws.String(v.(string))
 	}

 	if v := d.Get("description"); v != nil {
-		securityGroupOpts.Description = v.(string)
+		securityGroupOpts.Description = aws.String(v.(string))
 	}

 	log.Printf(
@ -162,7 +163,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 		return fmt.Errorf("Error creating Security Group: %s", err)
 	}

-	d.SetId(createResp.Id)
+	d.SetId(*createResp.GroupID)

 	log.Printf("[INFO] Security Group ID: %s", d.Id())

@ -186,7 +187,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 }

 func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn

 	sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
 	if err != nil {
@ -197,24 +198,23 @@ func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) erro
 		return nil
 	}

-	sg := sgRaw.(*ec2.SecurityGroupInfo)
+	sg := sgRaw.(ec2.SecurityGroup)

-	ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPerms)
-	egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermsEgress)
+	ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermissions)
+	egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermissionsEgress)

 	d.Set("description", sg.Description)
-	d.Set("name", sg.Name)
-	d.Set("vpc_id", sg.VpcId)
-	d.Set("owner_id", sg.OwnerId)
+	d.Set("name", sg.GroupName)
+	d.Set("vpc_id", sg.VPCID)
+	d.Set("owner_id", sg.OwnerID)
 	d.Set("ingress", ingressRules)
 	d.Set("egress", egressRules)
-	d.Set("tags", tagsToMap(sg.Tags))
-
+	d.Set("tags", tagsToMapSDK(sg.Tags))
 	return nil
 }

 func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn

 	sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
 	if err != nil {
@ -224,7 +224,8 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 		d.SetId("")
 		return nil
 	}
-	group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
+
+	group := sgRaw.(ec2.SecurityGroup)

 	err = resourceAwsSecurityGroupUpdateRules(d, "ingress", meta, group)
 	if err != nil {
@ -238,7 +239,7 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 		}
 	}

-	if err := setTags(ec2conn, d); err != nil {
+	if err := setTagsSDK(ec2conn, d); err != nil {
 		return err
 	}

@ -248,14 +249,16 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 }

 func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn

 	log.Printf("[DEBUG] Security Group destroy: %v", d.Id())

 	return resource.Retry(5*time.Minute, func() error {
-		_, err := ec2conn.DeleteSecurityGroup(ec2.SecurityGroup{Id: d.Id()})
+		err := ec2conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupRequest{
+			GroupID: aws.String(d.Id()),
+		})
 		if err != nil {
-			ec2err, ok := err.(*ec2.Error)
+			ec2err, ok := err.(aws.APIError)
 			if !ok {
 				return err
 			}
@ -313,34 +316,49 @@ func resourceAwsSecurityGroupRuleHash(v interface{}) int {
 	return hashcode.String(buf.String())
 }

-func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPerm) []map[string]interface{} {
+func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPermission) []map[string]interface{} {
 	ruleMap := make(map[string]map[string]interface{})
 	for _, perm := range permissions {
-		k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort)
+		var fromPort, toPort int
+		if perm.FromPort == nil {
+			fromPort = 0
+		} else {
+			fromPort = *perm.FromPort
+		}
+		if perm.ToPort == nil {
+			toPort = 0
+		} else {
+			toPort = *perm.ToPort
+		}
+
+		k := fmt.Sprintf("%s-%d-%d", *perm.IPProtocol, fromPort, toPort)
 		m, ok := ruleMap[k]
 		if !ok {
 			m = make(map[string]interface{})
 			ruleMap[k] = m
 		}

-		m["from_port"] = perm.FromPort
-		m["to_port"] = perm.ToPort
-		m["protocol"] = perm.Protocol
+		m["from_port"] = fromPort
+		m["to_port"] = toPort
+		m["protocol"] = *perm.IPProtocol

-		if len(perm.SourceIPs) > 0 {
+		if len(perm.IPRanges) > 0 {
 			raw, ok := m["cidr_blocks"]
 			if !ok {
-				raw = make([]string, 0, len(perm.SourceIPs))
+				raw = make([]string, 0, len(perm.IPRanges))
 			}
 			list := raw.([]string)

-			list = append(list, perm.SourceIPs...)
+			for _, ip := range perm.IPRanges {
+				list = append(list, *ip.CIDRIP)
+			}
+
 			m["cidr_blocks"] = list
 		}

 		var groups []string
-		if len(perm.SourceGroups) > 0 {
-			groups = flattenSecurityGroups(perm.SourceGroups)
+		if len(perm.UserIDGroupPairs) > 0 {
+			groups = flattenSecurityGroupsSDK(perm.UserIDGroupPairs)
 		}
 		for i, id := range groups {
 			if id == d.Id() {
@ -364,7 +382,6 @@ func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []
 	for _, m := range ruleMap {
 		rules = append(rules, m)
 	}
-
 	return rules
 }

@ -383,8 +400,9 @@ func resourceAwsSecurityGroupUpdateRules(
 		os := o.(*schema.Set)
 		ns := n.(*schema.Set)

-		remove := expandIPPerms(d.Id(), os.Difference(ns).List())
-		add := expandIPPerms(d.Id(), ns.Difference(os).List())
+		// TODO: re-munge this when test is updated
+		remove := expandIPPermsSDK(d.Id(), os.Difference(ns).List())
+		add := expandIPPermsSDK(d.Id(), ns.Difference(os).List())

 		// TODO: We need to handle partial state better in the in-between
 		// in this update.
@ -396,34 +414,53 @@ func resourceAwsSecurityGroupUpdateRules(
 		// not have service issues.

 		if len(remove) > 0 || len(add) > 0 {
-			ec2conn := meta.(*AWSClient).ec2conn
+			ec2conn := meta.(*AWSClient).awsEC2conn

+			var err error
 			if len(remove) > 0 {
-				// Revoke the old rules
-				revoke := ec2conn.RevokeSecurityGroup
-				if ruleset == "egress" {
-					revoke = ec2conn.RevokeSecurityGroupEgress
-				}
-
 				log.Printf("[DEBUG] Revoking security group %s %s rule: %#v",
 					group, ruleset, remove)
-				if _, err := revoke(group, remove); err != nil {
+
+				if ruleset == "egress" {
+					req := &ec2.RevokeSecurityGroupEgressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: remove,
+					}
+					err = ec2conn.RevokeSecurityGroupEgress(req)
+				} else {
+					req := &ec2.RevokeSecurityGroupIngressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: remove,
+					}
+					err = ec2conn.RevokeSecurityGroupIngress(req)
+				}
+
+				if err != nil {
 					return fmt.Errorf(
-						"Error revoking security group %s rules: %s",
+						"Error authorizing security group %s rules: %s",
 						ruleset, err)
 				}
 			}

 			if len(add) > 0 {
-				// Authorize the new rules
-				authorize := ec2conn.AuthorizeSecurityGroup
-				if ruleset == "egress" {
-					authorize = ec2conn.AuthorizeSecurityGroupEgress
-				}
-
 				log.Printf("[DEBUG] Authorizing security group %s %s rule: %#v",
 					group, ruleset, add)
-				if _, err := authorize(group, add); err != nil {
+				// Authorize the new rules
+				if ruleset == "egress" {
+					req := &ec2.AuthorizeSecurityGroupEgressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: add,
+					}
+					err = ec2conn.AuthorizeSecurityGroupEgress(req)
+				} else {
+					req := &ec2.AuthorizeSecurityGroupIngressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: add,
+					}
+					err = ec2conn.AuthorizeSecurityGroupIngress(req)
+				}
+
+				if err != nil {
 					return fmt.Errorf(
 						"Error authorizing security group %s rules: %s",
 						ruleset, err)
@ -431,7 +468,6 @@ func resourceAwsSecurityGroupUpdateRules(
 			}
 		}
 	}
-
 	return nil
 }

@ -439,10 +475,12 @@ func resourceAwsSecurityGroupUpdateRules(
 // a security group.
 func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
 	return func() (interface{}, string, error) {
-		sgs := []ec2.SecurityGroup{ec2.SecurityGroup{Id: id}}
-		resp, err := conn.SecurityGroups(sgs, nil)
+		req := &ec2.DescribeSecurityGroupsRequest{
+			GroupIDs: []string{id},
+		}
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err != nil {
-			if ec2err, ok := err.(*ec2.Error); ok {
+			if ec2err, ok := err.(aws.APIError); ok {
 				if ec2err.Code == "InvalidSecurityGroupID.NotFound" ||
 					ec2err.Code == "InvalidGroup.NotFound" {
 					resp = nil
@ -460,7 +498,7 @@ func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
 			return nil, "", nil
 		}

-		group := &resp.Groups[0]
+		group := resp.SecurityGroups[0]
 		return group, "exists", nil
 	}
 }
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
@ -2,16 +2,18 @@ package aws

 import (
 	"fmt"
+	"log"
 	"reflect"
 	"testing"

+	"github.com/hashicorp/aws-sdk-go/aws"
+	"github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
-	"github.com/mitchellh/goamz/ec2"
 )

 func TestAccAWSSecurityGroup_normal(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@ -44,16 +46,18 @@ func TestAccAWSSecurityGroup_normal(t *testing.T) {
 }

 func TestAccAWSSecurityGroup_self(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	checkSelf := func(s *terraform.State) (err error) {
 		defer func() {
 			if e := recover(); e != nil {
+				log.Printf("\n\nbad here!!")
 				err = fmt.Errorf("bad: %#v", group)
 			}
 		}()

-		if group.IPPerms[0].SourceGroups[0].Id != group.Id {
+		if *group.IPPermissions[0].UserIDGroupPairs[0].GroupID != *group.GroupID {
+			log.Printf("\n\n---- bad here ----\n")
 			return fmt.Errorf("bad: %#v", group)
 		}

@ -89,10 +93,10 @@ func TestAccAWSSecurityGroup_self(t *testing.T) {
 }

 func TestAccAWSSecurityGroup_vpc(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	testCheck := func(*terraform.State) error {
-		if group.VpcId == "" {
+		if *group.VPCID == "" {
 			return fmt.Errorf("should have vpc ID")
 		}

@ -141,7 +145,7 @@ func TestAccAWSSecurityGroup_vpc(t *testing.T) {
 }

 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@ -159,7 +163,7 @@ func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
 }

 func TestAccAWSSecurityGroup_Change(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@ -184,30 +188,27 @@ func TestAccAWSSecurityGroup_Change(t *testing.T) {
 }

 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
-	conn := testAccProvider.Meta().(*AWSClient).ec2conn
+	conn := testAccProvider.Meta().(*AWSClient).awsEC2conn

 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "aws_security_group" {
 			continue
 		}

-		sgs := []ec2.SecurityGroup{
-			ec2.SecurityGroup{
-				Id: rs.Primary.ID,
-			},
-		}
-
 		// Retrieve our group
-		resp, err := conn.SecurityGroups(sgs, nil)
+		req := &ec2.DescribeSecurityGroupsRequest{
+			GroupIDs: []string{rs.Primary.ID},
+		}
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err == nil {
-			if len(resp.Groups) > 0 && resp.Groups[0].Id == rs.Primary.ID {
+			if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {
 				return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID)
 			}

 			return nil
 		}

-		ec2err, ok := err.(*ec2.Error)
+		ec2err, ok := err.(aws.APIError)
 		if !ok {
 			return err
 		}
@ -220,7 +221,7 @@ func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
 	return nil
 }

-func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
 		if !ok {
@ -231,20 +232,19 @@ func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo)
 			return fmt.Errorf("No Security Group is set")
 		}

-		conn := testAccProvider.Meta().(*AWSClient).ec2conn
-		sgs := []ec2.SecurityGroup{
-			ec2.SecurityGroup{
-				Id: rs.Primary.ID,
-			},
+		conn := testAccProvider.Meta().(*AWSClient).awsEC2conn
+		req := &ec2.DescribeSecurityGroupsRequest{
+			GroupIDs: []string{rs.Primary.ID},
 		}
-		resp, err := conn.SecurityGroups(sgs, nil)
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err != nil {
 			return err
 		}

-		if len(resp.Groups) > 0 && resp.Groups[0].Id == rs.Primary.ID {
+		if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {

-			*group = resp.Groups[0]
+			log.Printf("\n==\n===\nfound group\n===\n==\n")
+			*group = resp.SecurityGroups[0]

 			return nil
 		}
@ -253,32 +253,32 @@ func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo)
 	}
 }

-func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		p := ec2.IPPerm{
-			FromPort:  80,
-			ToPort:    8000,
-			Protocol:  "tcp",
-			SourceIPs: []string{"10.0.0.0/8"},
+		p := ec2.IPPermission{
+			FromPort:   aws.Integer(80),
+			ToPort:     aws.Integer(8000),
+			IPProtocol: aws.String("tcp"),
+			IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("10.0.0.0/8")}},
 		}

-		if group.Name != "terraform_acceptance_test_example" {
-			return fmt.Errorf("Bad name: %s", group.Name)
+		if *group.GroupName != "terraform_acceptance_test_example" {
+			return fmt.Errorf("Bad name: %s", *group.GroupName)
 		}

-		if group.Description != "Used in the terraform acceptance tests" {
-			return fmt.Errorf("Bad description: %s", group.Description)
+		if *group.Description != "Used in the terraform acceptance tests" {
+			return fmt.Errorf("Bad description: %s", *group.Description)
 		}

-		if len(group.IPPerms) == 0 {
+		if len(group.IPPermissions) == 0 {
 			return fmt.Errorf("No IPPerms")
 		}

 		// Compare our ingress
-		if !reflect.DeepEqual(group.IPPerms[0], p) {
+		if !reflect.DeepEqual(group.IPPermissions[0], p) {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms[0],
+				group.IPPermissions[0],
 				p)
 		}

@ -287,7 +287,7 @@ func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroupInfo) resour
 }

 func TestAccAWSSecurityGroup_tags(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup

 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@ -298,7 +298,7 @@ func TestAccAWSSecurityGroup_tags(t *testing.T) {
 				Config: testAccAWSSecurityGroupConfigTags,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
-					testAccCheckTags(&group.Tags, "foo", "bar"),
+					testAccCheckTagsSDK(&group.Tags, "foo", "bar"),
 				),
 			},

@ -306,56 +306,56 @@ func TestAccAWSSecurityGroup_tags(t *testing.T) {
 				Config: testAccAWSSecurityGroupConfigTagsUpdate,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
-					testAccCheckTags(&group.Tags, "foo", ""),
-					testAccCheckTags(&group.Tags, "bar", "baz"),
+					testAccCheckTagsSDK(&group.Tags, "foo", ""),
+					testAccCheckTagsSDK(&group.Tags, "bar", "baz"),
 				),
 			},
 		},
 	})
 }

-func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		p := []ec2.IPPerm{
-			ec2.IPPerm{
-				FromPort:  80,
-				ToPort:    9000,
-				Protocol:  "tcp",
-				SourceIPs: []string{"10.0.0.0/8"},
+		p := []ec2.IPPermission{
+			ec2.IPPermission{
+				FromPort:   aws.Integer(80),
+				ToPort:     aws.Integer(9000),
+				IPProtocol: aws.String("tcp"),
+				IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("10.0.0.0/8")}},
 			},
-			ec2.IPPerm{
-				FromPort:  80,
-				ToPort:    8000,
-				Protocol:  "tcp",
-				SourceIPs: []string{"0.0.0.0/0", "10.0.0.0/8"},
+			ec2.IPPermission{
+				FromPort:   aws.Integer(80),
+				ToPort:     aws.Integer(8000),
+				IPProtocol: aws.String("tcp"),
+				IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("0.0.0.0/0")}, ec2.IPRange{aws.String("10.0.0.0/8")}},
 			},
 		}

-		if group.Name != "terraform_acceptance_test_example" {
-			return fmt.Errorf("Bad name: %s", group.Name)
+		if *group.GroupName != "terraform_acceptance_test_example" {
+			return fmt.Errorf("Bad name: %s", *group.GroupName)
 		}

-		if group.Description != "Used in the terraform acceptance tests" {
-			return fmt.Errorf("Bad description: %s", group.Description)
+		if *group.Description != "Used in the terraform acceptance tests" {
+			return fmt.Errorf("Bad description: %s", *group.Description)
 		}

 		// Compare our ingress
-		if len(group.IPPerms) != 2 {
+		if len(group.IPPermissions) != 2 {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms,
+				group.IPPermissions,
 				p)
 		}

-		if group.IPPerms[0].ToPort == 8000 {
-			group.IPPerms[1], group.IPPerms[0] =
-				group.IPPerms[0], group.IPPerms[1]
+		if *group.IPPermissions[0].ToPort == 8000 {
+			group.IPPermissions[1], group.IPPermissions[0] =
+				group.IPPermissions[0], group.IPPermissions[1]
 		}

-		if !reflect.DeepEqual(group.IPPerms, p) {
+		if !reflect.DeepEqual(group.IPPermissions, p) {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms,
+				group.IPPermissions,
 				p)
 		}

--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@ -4,6 +4,7 @@ import (
 	"strings"

 	"github.com/hashicorp/aws-sdk-go/aws"
+	awsEC2 "github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/aws-sdk-go/gen/elb"
 	"github.com/hashicorp/aws-sdk-go/gen/rds"
 	"github.com/hashicorp/terraform/helper/schema"
@ -89,6 +90,58 @@ func expandIPPerms(id string, configured []interface{}) []ec2.IPPerm {
 	return perms
 }

+// Takes the result of flatmap.Expand for an array of ingress/egress
+// security group rules and returns EC2 API compatible objects
+func expandIPPermsSDK(id string, configured []interface{}) []awsEC2.IPPermission {
+	perms := make([]awsEC2.IPPermission, len(configured))
+	for i, mRaw := range configured {
+		var perm awsEC2.IPPermission
+		m := mRaw.(map[string]interface{})
+
+		perm.FromPort = aws.Integer(m["from_port"].(int))
+		perm.ToPort = aws.Integer(m["to_port"].(int))
+		perm.IPProtocol = aws.String(m["protocol"].(string))
+
+		var groups []string
+		if raw, ok := m["security_groups"]; ok {
+			list := raw.(*schema.Set).List()
+			for _, v := range list {
+				groups = append(groups, v.(string))
+			}
+		}
+		if v, ok := m["self"]; ok && v.(bool) {
+			groups = append(groups, id)
+		}
+
+		if len(groups) > 0 {
+			perm.UserIDGroupPairs = make([]awsEC2.UserIDGroupPair, len(groups))
+			for i, name := range groups {
+				ownerId, id := "", name
+				if items := strings.Split(id, "/"); len(items) > 1 {
+					ownerId, id = items[0], items[1]
+				}
+
+				perm.UserIDGroupPairs[i] = awsEC2.UserIDGroupPair{
+					GroupID: aws.String(id),
+					UserID:  aws.String(ownerId),
+				}
+			}
+		}
+
+		if raw, ok := m["cidr_blocks"]; ok {
+			list := raw.([]interface{})
+			perm.IPRanges = make([]awsEC2.IPRange, len(list))
+			for i, v := range list {
+				perm.IPRanges[i] = awsEC2.IPRange{aws.String(v.(string))}
+			}
+		}
+
+		perms[i] = perm
+	}
+
+	return perms
+}
+
 // Takes the result of flatmap.Expand for an array of parameters and
 // returns Parameter API compatible objects
 func expandParameters(configured []interface{}) ([]rds.Parameter, error) {
@ -162,6 +215,15 @@ func flattenSecurityGroups(list []ec2.UserSecurityGroup) []string {
 	return result
 }

+// Flattens an array of UserSecurityGroups into a []string
+func flattenSecurityGroupsSDK(list []awsEC2.UserIDGroupPair) []string {
+	result := make([]string, 0, len(list))
+	for _, g := range list {
+		result = append(result, *g.GroupID)
+	}
+	return result
+}
+
 // Flattens an array of Instances into a []string
 func flattenInstances(list []elb.Instance) []string {
 	result := make([]string, 0, len(list))