Merge pull request #1162 from hashicorp/aws-go-security-groups

provider/aws: Convert AWS Security Groups to aws-sdk-go

builtin/providers/aws/resource_aws_security_group.go

@@ -7,10 +7,11 @@ import (
 	"sort"
 	"time"
 
+	"github.com/hashicorp/aws-sdk-go/aws"
+	"github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/helper/schema"
-	"github.com/mitchellh/goamz/ec2"
 )
 
 func resourceAwsSecurityGroup() *schema.Resource {
@@ -141,18 +142,18 @@ func resourceAwsSecurityGroup() *schema.Resource {
 }
 
 func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn
 
-	securityGroupOpts := ec2.SecurityGroup{
+	securityGroupOpts := &ec2.CreateSecurityGroupRequest{
-		Name: d.Get("name").(string),
+		GroupName: aws.String(d.Get("name").(string)),
 	}
 
 	if v := d.Get("vpc_id"); v != nil {
-		securityGroupOpts.VpcId = v.(string)
+		securityGroupOpts.VPCID = aws.String(v.(string))
 	}
 
 	if v := d.Get("description"); v != nil {
-		securityGroupOpts.Description = v.(string)
+		securityGroupOpts.Description = aws.String(v.(string))
 	}
 
 	log.Printf(
@@ -162,7 +163,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 		return fmt.Errorf("Error creating Security Group: %s", err)
 	}
 
-	d.SetId(createResp.Id)
+	d.SetId(*createResp.GroupID)
 
 	log.Printf("[INFO] Security Group ID: %s", d.Id())
 
@@ -186,7 +187,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 }
 
 func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn
 
 	sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
 	if err != nil {
@@ -197,24 +198,23 @@ func resourceAwsSecurityGroupRead(d *schema.ResourceData, meta interface{}) erro
 		return nil
 	}
 
-	sg := sgRaw.(*ec2.SecurityGroupInfo)
+	sg := sgRaw.(ec2.SecurityGroup)
 
-	ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPerms)
+	ingressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermissions)
-	egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermsEgress)
+	egressRules := resourceAwsSecurityGroupIPPermGather(d, sg.IPPermissionsEgress)
 
 	d.Set("description", sg.Description)
-	d.Set("name", sg.Name)
+	d.Set("name", sg.GroupName)
-	d.Set("vpc_id", sg.VpcId)
+	d.Set("vpc_id", sg.VPCID)
-	d.Set("owner_id", sg.OwnerId)
+	d.Set("owner_id", sg.OwnerID)
 	d.Set("ingress", ingressRules)
 	d.Set("egress", egressRules)
-	d.Set("tags", tagsToMap(sg.Tags))
+	d.Set("tags", tagsToMapSDK(sg.Tags))
-
 	return nil
 }
 
 func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn
 
 	sgRaw, _, err := SGStateRefreshFunc(ec2conn, d.Id())()
 	if err != nil {
@@ -224,7 +224,8 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 		d.SetId("")
 		return nil
 	}
-	group := sgRaw.(*ec2.SecurityGroupInfo).SecurityGroup
+
+	group := sgRaw.(ec2.SecurityGroup)
 
 	err = resourceAwsSecurityGroupUpdateRules(d, "ingress", meta, group)
 	if err != nil {
@@ -238,7 +239,7 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
-	if err := setTags(ec2conn, d); err != nil {
+	if err := setTagsSDK(ec2conn, d); err != nil {
 		return err
 	}
 
@@ -248,14 +249,16 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 }
 
 func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
-	ec2conn := meta.(*AWSClient).ec2conn
+	ec2conn := meta.(*AWSClient).awsEC2conn
 
 	log.Printf("[DEBUG] Security Group destroy: %v", d.Id())
 
 	return resource.Retry(5*time.Minute, func() error {
-		_, err := ec2conn.DeleteSecurityGroup(ec2.SecurityGroup{Id: d.Id()})
+		err := ec2conn.DeleteSecurityGroup(&ec2.DeleteSecurityGroupRequest{
+			GroupID: aws.String(d.Id()),
+		})
 		if err != nil {
-			ec2err, ok := err.(*ec2.Error)
+			ec2err, ok := err.(aws.APIError)
 			if !ok {
 				return err
 			}
@@ -313,34 +316,45 @@ func resourceAwsSecurityGroupRuleHash(v interface{}) int {
 	return hashcode.String(buf.String())
 }
 
-func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPerm) []map[string]interface{} {
+func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []ec2.IPPermission) []map[string]interface{} {
 	ruleMap := make(map[string]map[string]interface{})
 	for _, perm := range permissions {
-		k := fmt.Sprintf("%s-%d-%d", perm.Protocol, perm.FromPort, perm.ToPort)
+		var fromPort, toPort int
+		if v := perm.FromPort; v != nil {
+			fromPort = *v
+		}
+		if v := perm.ToPort; v != nil {
+			toPort = *v
+		}
+
+		k := fmt.Sprintf("%s-%d-%d", *perm.IPProtocol, fromPort, toPort)
 		m, ok := ruleMap[k]
 		if !ok {
 			m = make(map[string]interface{})
 			ruleMap[k] = m
 		}
 
-		m["from_port"] = perm.FromPort
+		m["from_port"] = fromPort
-		m["to_port"] = perm.ToPort
+		m["to_port"] = toPort
-		m["protocol"] = perm.Protocol
+		m["protocol"] = *perm.IPProtocol
 
-		if len(perm.SourceIPs) > 0 {
+		if len(perm.IPRanges) > 0 {
 			raw, ok := m["cidr_blocks"]
 			if !ok {
-				raw = make([]string, 0, len(perm.SourceIPs))
+				raw = make([]string, 0, len(perm.IPRanges))
 			}
 			list := raw.([]string)
 
-			list = append(list, perm.SourceIPs...)
+			for _, ip := range perm.IPRanges {
+				list = append(list, *ip.CIDRIP)
+			}
+
 			m["cidr_blocks"] = list
 		}
 
 		var groups []string
-		if len(perm.SourceGroups) > 0 {
+		if len(perm.UserIDGroupPairs) > 0 {
-			groups = flattenSecurityGroups(perm.SourceGroups)
+			groups = flattenSecurityGroupsSDK(perm.UserIDGroupPairs)
 		}
 		for i, id := range groups {
 			if id == d.Id() {
@@ -364,7 +378,6 @@ func resourceAwsSecurityGroupIPPermGather(d *schema.ResourceData, permissions []
 	for _, m := range ruleMap {
 		rules = append(rules, m)
 	}
-
 	return rules
 }
 
@@ -383,6 +396,7 @@ func resourceAwsSecurityGroupUpdateRules(
 		os := o.(*schema.Set)
 		ns := n.(*schema.Set)
 
+		// TODO: re-munge this when test is updated
 		remove := expandIPPerms(d.Id(), os.Difference(ns).List())
 		add := expandIPPerms(d.Id(), ns.Difference(os).List())
 
@@ -396,34 +410,53 @@ func resourceAwsSecurityGroupUpdateRules(
 		// not have service issues.
 
 		if len(remove) > 0 || len(add) > 0 {
-			ec2conn := meta.(*AWSClient).ec2conn
+			ec2conn := meta.(*AWSClient).awsEC2conn
 
+			var err error
 			if len(remove) > 0 {
-				// Revoke the old rules
+				log.Printf("[DEBUG] Revoking security group %#v %s rule: %#v",
-				revoke := ec2conn.RevokeSecurityGroup
+					group, ruleset, remove)
+
 				if ruleset == "egress" {
-					revoke = ec2conn.RevokeSecurityGroupEgress
+					req := &ec2.RevokeSecurityGroupEgressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: remove,
+					}
+					err = ec2conn.RevokeSecurityGroupEgress(req)
+				} else {
+					req := &ec2.RevokeSecurityGroupIngressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: remove,
+					}
+					err = ec2conn.RevokeSecurityGroupIngress(req)
 				}
 
-				log.Printf("[DEBUG] Revoking security group %s %s rule: %#v",
+				if err != nil {
-					group, ruleset, remove)
-				if _, err := revoke(group, remove); err != nil {
 					return fmt.Errorf(
-						"Error revoking security group %s rules: %s",
+						"Error authorizing security group %s rules: %s",
 						ruleset, err)
 				}
 			}
 
 			if len(add) > 0 {
+				log.Printf("[DEBUG] Authorizing security group %#v %s rule: %#v",
+					group, ruleset, add)
 				// Authorize the new rules
-				authorize := ec2conn.AuthorizeSecurityGroup
 				if ruleset == "egress" {
-					authorize = ec2conn.AuthorizeSecurityGroupEgress
+					req := &ec2.AuthorizeSecurityGroupEgressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: add,
+					}
+					err = ec2conn.AuthorizeSecurityGroupEgress(req)
+				} else {
+					req := &ec2.AuthorizeSecurityGroupIngressRequest{
+						GroupID:       group.GroupID,
+						IPPermissions: add,
+					}
+					err = ec2conn.AuthorizeSecurityGroupIngress(req)
 				}
 
-				log.Printf("[DEBUG] Authorizing security group %s %s rule: %#v",
+				if err != nil {
-					group, ruleset, add)
-				if _, err := authorize(group, add); err != nil {
 					return fmt.Errorf(
 						"Error authorizing security group %s rules: %s",
 						ruleset, err)
@@ -431,7 +464,6 @@ func resourceAwsSecurityGroupUpdateRules(
 			}
 		}
 	}
-
 	return nil
 }
 
@@ -439,10 +471,12 @@ func resourceAwsSecurityGroupUpdateRules(
 // a security group.
 func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
 	return func() (interface{}, string, error) {
-		sgs := []ec2.SecurityGroup{ec2.SecurityGroup{Id: id}}
+		req := &ec2.DescribeSecurityGroupsRequest{
-		resp, err := conn.SecurityGroups(sgs, nil)
+			GroupIDs: []string{id},
+		}
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err != nil {
-			if ec2err, ok := err.(*ec2.Error); ok {
+			if ec2err, ok := err.(aws.APIError); ok {
 				if ec2err.Code == "InvalidSecurityGroupID.NotFound" ||
 					ec2err.Code == "InvalidGroup.NotFound" {
 					resp = nil
@@ -460,7 +494,7 @@ func SGStateRefreshFunc(conn *ec2.EC2, id string) resource.StateRefreshFunc {
 			return nil, "", nil
 		}
 
-		group := &resp.Groups[0]
+		group := resp.SecurityGroups[0]
 		return group, "exists", nil
 	}
 }

builtin/providers/aws/resource_aws_security_group_test.go

@@ -2,16 +2,18 @@ package aws
 
 import (
 	"fmt"
+	"log"
 	"reflect"
 	"testing"
 
+	"github.com/hashicorp/aws-sdk-go/aws"
+	"github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
-	"github.com/mitchellh/goamz/ec2"
 )
 
 func TestAccAWSSecurityGroup_normal(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -44,7 +46,7 @@ func TestAccAWSSecurityGroup_normal(t *testing.T) {
 }
 
 func TestAccAWSSecurityGroup_self(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	checkSelf := func(s *terraform.State) (err error) {
 		defer func() {
@@ -53,7 +55,7 @@ func TestAccAWSSecurityGroup_self(t *testing.T) {
 			}
 		}()
 
-		if group.IPPerms[0].SourceGroups[0].Id != group.Id {
+		if *group.IPPermissions[0].UserIDGroupPairs[0].GroupID != *group.GroupID {
 			return fmt.Errorf("bad: %#v", group)
 		}
 
@@ -89,10 +91,10 @@ func TestAccAWSSecurityGroup_self(t *testing.T) {
 }
 
 func TestAccAWSSecurityGroup_vpc(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	testCheck := func(*terraform.State) error {
-		if group.VpcId == "" {
+		if *group.VPCID == "" {
 			return fmt.Errorf("should have vpc ID")
 		}
 
@@ -141,7 +143,7 @@ func TestAccAWSSecurityGroup_vpc(t *testing.T) {
 }
 
 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -159,7 +161,7 @@ func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
 }
 
 func TestAccAWSSecurityGroup_Change(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -184,30 +186,27 @@ func TestAccAWSSecurityGroup_Change(t *testing.T) {
 }
 
 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
-	conn := testAccProvider.Meta().(*AWSClient).ec2conn
+	conn := testAccProvider.Meta().(*AWSClient).awsEC2conn
 
 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "aws_security_group" {
 			continue
 		}
 
-		sgs := []ec2.SecurityGroup{
-			ec2.SecurityGroup{
-				Id: rs.Primary.ID,
-			},
-		}
-
 		// Retrieve our group
-		resp, err := conn.SecurityGroups(sgs, nil)
+		req := &ec2.DescribeSecurityGroupsRequest{
+			GroupIDs: []string{rs.Primary.ID},
+		}
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err == nil {
-			if len(resp.Groups) > 0 && resp.Groups[0].Id == rs.Primary.ID {
+			if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {
 				return fmt.Errorf("Security Group (%s) still exists.", rs.Primary.ID)
 			}
 
 			return nil
 		}
 
-		ec2err, ok := err.(*ec2.Error)
+		ec2err, ok := err.(aws.APIError)
 		if !ok {
 			return err
 		}
@@ -220,7 +219,7 @@ func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
 	return nil
 }
 
-func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
 		if !ok {
@@ -231,20 +230,19 @@ func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo)
 			return fmt.Errorf("No Security Group is set")
 		}
 
-		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		conn := testAccProvider.Meta().(*AWSClient).awsEC2conn
-		sgs := []ec2.SecurityGroup{
+		req := &ec2.DescribeSecurityGroupsRequest{
-			ec2.SecurityGroup{
+			GroupIDs: []string{rs.Primary.ID},
-				Id: rs.Primary.ID,
-			},
 		}
-		resp, err := conn.SecurityGroups(sgs, nil)
+		resp, err := conn.DescribeSecurityGroups(req)
 		if err != nil {
 			return err
 		}
 
-		if len(resp.Groups) > 0 && resp.Groups[0].Id == rs.Primary.ID {
+		if len(resp.SecurityGroups) > 0 && *resp.SecurityGroups[0].GroupID == rs.Primary.ID {
 
-			*group = resp.Groups[0]
+			log.Printf("\n==\n===\nfound group\n===\n==\n")
+			*group = resp.SecurityGroups[0]
 
 			return nil
 		}
@@ -253,32 +251,32 @@ func testAccCheckAWSSecurityGroupExists(n string, group *ec2.SecurityGroupInfo)
 	}
 }
 
-func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		p := ec2.IPPerm{
+		p := ec2.IPPermission{
-			FromPort:  80,
+			FromPort:   aws.Integer(80),
-			ToPort:    8000,
+			ToPort:     aws.Integer(8000),
-			Protocol:  "tcp",
+			IPProtocol: aws.String("tcp"),
-			SourceIPs: []string{"10.0.0.0/8"},
+			IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("10.0.0.0/8")}},
 		}
 
-		if group.Name != "terraform_acceptance_test_example" {
+		if *group.GroupName != "terraform_acceptance_test_example" {
-			return fmt.Errorf("Bad name: %s", group.Name)
+			return fmt.Errorf("Bad name: %s", *group.GroupName)
 		}
 
-		if group.Description != "Used in the terraform acceptance tests" {
+		if *group.Description != "Used in the terraform acceptance tests" {
-			return fmt.Errorf("Bad description: %s", group.Description)
+			return fmt.Errorf("Bad description: %s", *group.Description)
 		}
 
-		if len(group.IPPerms) == 0 {
+		if len(group.IPPermissions) == 0 {
 			return fmt.Errorf("No IPPerms")
 		}
 
 		// Compare our ingress
-		if !reflect.DeepEqual(group.IPPerms[0], p) {
+		if !reflect.DeepEqual(group.IPPermissions[0], p) {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms[0],
+				group.IPPermissions[0],
 				p)
 		}
 
@@ -287,7 +285,7 @@ func testAccCheckAWSSecurityGroupAttributes(group *ec2.SecurityGroupInfo) resour
 }
 
 func TestAccAWSSecurityGroup_tags(t *testing.T) {
-	var group ec2.SecurityGroupInfo
+	var group ec2.SecurityGroup
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -298,7 +296,7 @@ func TestAccAWSSecurityGroup_tags(t *testing.T) {
 				Config: testAccAWSSecurityGroupConfigTags,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
-					testAccCheckTags(&group.Tags, "foo", "bar"),
+					testAccCheckTagsSDK(&group.Tags, "foo", "bar"),
 				),
 			},
 
@@ -306,56 +304,56 @@ func TestAccAWSSecurityGroup_tags(t *testing.T) {
 				Config: testAccAWSSecurityGroupConfigTagsUpdate,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSSecurityGroupExists("aws_security_group.foo", &group),
-					testAccCheckTags(&group.Tags, "foo", ""),
+					testAccCheckTagsSDK(&group.Tags, "foo", ""),
-					testAccCheckTags(&group.Tags, "bar", "baz"),
+					testAccCheckTagsSDK(&group.Tags, "bar", "baz"),
 				),
 			},
 		},
 	})
 }
 
-func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroupInfo) resource.TestCheckFunc {
+func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		p := []ec2.IPPerm{
+		p := []ec2.IPPermission{
-			ec2.IPPerm{
+			ec2.IPPermission{
-				FromPort:  80,
+				FromPort:   aws.Integer(80),
-				ToPort:    9000,
+				ToPort:     aws.Integer(9000),
-				Protocol:  "tcp",
+				IPProtocol: aws.String("tcp"),
-				SourceIPs: []string{"10.0.0.0/8"},
+				IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("10.0.0.0/8")}},
 			},
-			ec2.IPPerm{
+			ec2.IPPermission{
-				FromPort:  80,
+				FromPort:   aws.Integer(80),
-				ToPort:    8000,
+				ToPort:     aws.Integer(8000),
-				Protocol:  "tcp",
+				IPProtocol: aws.String("tcp"),
-				SourceIPs: []string{"0.0.0.0/0", "10.0.0.0/8"},
+				IPRanges:   []ec2.IPRange{ec2.IPRange{aws.String("0.0.0.0/0")}, ec2.IPRange{aws.String("10.0.0.0/8")}},
 			},
 		}
 
-		if group.Name != "terraform_acceptance_test_example" {
+		if *group.GroupName != "terraform_acceptance_test_example" {
-			return fmt.Errorf("Bad name: %s", group.Name)
+			return fmt.Errorf("Bad name: %s", *group.GroupName)
 		}
 
-		if group.Description != "Used in the terraform acceptance tests" {
+		if *group.Description != "Used in the terraform acceptance tests" {
-			return fmt.Errorf("Bad description: %s", group.Description)
+			return fmt.Errorf("Bad description: %s", *group.Description)
 		}
 
 		// Compare our ingress
-		if len(group.IPPerms) != 2 {
+		if len(group.IPPermissions) != 2 {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms,
+				group.IPPermissions,
 				p)
 		}
 
-		if group.IPPerms[0].ToPort == 8000 {
+		if *group.IPPermissions[0].ToPort == 8000 {
-			group.IPPerms[1], group.IPPerms[0] =
+			group.IPPermissions[1], group.IPPermissions[0] =
-				group.IPPerms[0], group.IPPerms[1]
+				group.IPPermissions[0], group.IPPermissions[1]
 		}
 
-		if !reflect.DeepEqual(group.IPPerms, p) {
+		if !reflect.DeepEqual(group.IPPermissions, p) {
 			return fmt.Errorf(
 				"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-				group.IPPerms,
+				group.IPPermissions,
 				p)
 		}
 

builtin/providers/aws/structure.go

@@ -4,6 +4,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/aws-sdk-go/aws"
+	awsEC2 "github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/aws-sdk-go/gen/elb"
 	"github.com/hashicorp/aws-sdk-go/gen/rds"
 	"github.com/hashicorp/terraform/helper/schema"
@@ -39,15 +40,15 @@ func expandListeners(configured []interface{}) ([]elb.Listener, error) {
 
 // Takes the result of flatmap.Expand for an array of ingress/egress
 // security group rules and returns EC2 API compatible objects
-func expandIPPerms(id string, configured []interface{}) []ec2.IPPerm {
+func expandIPPerms(id string, configured []interface{}) []awsEC2.IPPermission {
-	perms := make([]ec2.IPPerm, len(configured))
+	perms := make([]awsEC2.IPPermission, len(configured))
 	for i, mRaw := range configured {
-		var perm ec2.IPPerm
+		var perm awsEC2.IPPermission
 		m := mRaw.(map[string]interface{})
 
-		perm.FromPort = m["from_port"].(int)
+		perm.FromPort = aws.Integer(m["from_port"].(int))
-		perm.ToPort = m["to_port"].(int)
+		perm.ToPort = aws.Integer(m["to_port"].(int))
-		perm.Protocol = m["protocol"].(string)
+		perm.IPProtocol = aws.String(m["protocol"].(string))
 
 		var groups []string
 		if raw, ok := m["security_groups"]; ok {
@@ -61,25 +62,25 @@ func expandIPPerms(id string, configured []interface{}) []ec2.IPPerm {
 		}
 
 		if len(groups) > 0 {
-			perm.SourceGroups = make([]ec2.UserSecurityGroup, len(groups))
+			perm.UserIDGroupPairs = make([]awsEC2.UserIDGroupPair, len(groups))
 			for i, name := range groups {
 				ownerId, id := "", name
 				if items := strings.Split(id, "/"); len(items) > 1 {
 					ownerId, id = items[0], items[1]
 				}
 
-				perm.SourceGroups[i] = ec2.UserSecurityGroup{
+				perm.UserIDGroupPairs[i] = awsEC2.UserIDGroupPair{
-					Id:      id,
+					GroupID: aws.String(id),
-					OwnerId: ownerId,
+					UserID:  aws.String(ownerId),
 				}
 			}
 		}
 
 		if raw, ok := m["cidr_blocks"]; ok {
 			list := raw.([]interface{})
-			perm.SourceIPs = make([]string, len(list))
+			perm.IPRanges = make([]awsEC2.IPRange, len(list))
 			for i, v := range list {
-				perm.SourceIPs[i] = v.(string)
+				perm.IPRanges[i] = awsEC2.IPRange{aws.String(v.(string))}
 			}
 		}
 
@@ -111,31 +112,6 @@ func expandParameters(configured []interface{}) ([]rds.Parameter, error) {
 	return parameters, nil
 }
 
-// Flattens an array of ipPerms into a list of primitives that
-// flatmap.Flatten() can handle
-func flattenIPPerms(list []ec2.IPPerm) []map[string]interface{} {
-	result := make([]map[string]interface{}, 0, len(list))
-
-	for _, perm := range list {
-		n := make(map[string]interface{})
-		n["from_port"] = perm.FromPort
-		n["protocol"] = perm.Protocol
-		n["to_port"] = perm.ToPort
-
-		if len(perm.SourceIPs) > 0 {
-			n["cidr_blocks"] = perm.SourceIPs
-		}
-
-		if v := flattenSecurityGroups(perm.SourceGroups); len(v) > 0 {
-			n["security_groups"] = v
-		}
-
-		result = append(result, n)
-	}
-
-	return result
-}
-
 // Flattens a health check into something that flatmap.Flatten()
 // can handle
 func flattenHealthCheck(check *elb.HealthCheck) []map[string]interface{} {
@@ -162,6 +138,15 @@ func flattenSecurityGroups(list []ec2.UserSecurityGroup) []string {
 	return result
 }
 
+// Flattens an array of UserSecurityGroups into a []string
+func flattenSecurityGroupsSDK(list []awsEC2.UserIDGroupPair) []string {
+	result := make([]string, 0, len(list))
+	for _, g := range list {
+		result = append(result, *g.GroupID)
+	}
+	return result
+}
+
 // Flattens an array of Instances into a []string
 func flattenInstances(list []elb.Instance) []string {
 	result := make([]string, 0, len(list))

builtin/providers/aws/structure_test.go

@@ -1,16 +1,17 @@
 package aws
 
 import (
+	"log"
 	"reflect"
 	"testing"
 
 	"github.com/hashicorp/aws-sdk-go/aws"
+	awsEC2 "github.com/hashicorp/aws-sdk-go/gen/ec2"
 	"github.com/hashicorp/aws-sdk-go/gen/elb"
 	"github.com/hashicorp/aws-sdk-go/gen/rds"
 	"github.com/hashicorp/terraform/flatmap"
 	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/schema"
-	"github.com/mitchellh/goamz/ec2"
 )
 
 // Returns test configuration
@@ -61,120 +62,60 @@ func TestExpandIPPerms(t *testing.T) {
 	}
 	perms := expandIPPerms("foo", expanded)
 
-	expected := []ec2.IPPerm{
+	log.Printf("wtf is perms:\n%#v", perms)
-		ec2.IPPerm{
+
-			Protocol:  "icmp",
+	expected := []awsEC2.IPPermission{
-			FromPort:  1,
+		awsEC2.IPPermission{
-			ToPort:    -1,
+			IPProtocol: aws.String("icmp"),
-			SourceIPs: []string{"0.0.0.0/0"},
+			FromPort:   aws.Integer(1),
-			SourceGroups: []ec2.UserSecurityGroup{
+			ToPort:     aws.Integer(-1),
-				ec2.UserSecurityGroup{
+			IPRanges:   []awsEC2.IPRange{awsEC2.IPRange{aws.String("0.0.0.0/0")}},
-					OwnerId: "foo",
+			UserIDGroupPairs: []awsEC2.UserIDGroupPair{
-					Id:      "sg-22222",
+				awsEC2.UserIDGroupPair{
+					UserID:  aws.String("foo"),
+					GroupID: aws.String("sg-22222"),
 				},
-				ec2.UserSecurityGroup{
+				awsEC2.UserIDGroupPair{
-					Id: "sg-11111",
+					GroupID: aws.String("sg-22222"),
 				},
 			},
 		},
-		ec2.IPPerm{
+		awsEC2.IPPermission{
-			Protocol: "icmp",
+			IPProtocol: aws.String("icmp"),
-			FromPort: 1,
+			FromPort:   aws.Integer(1),
-			ToPort:   -1,
+			ToPort:     aws.Integer(-1),
-			SourceGroups: []ec2.UserSecurityGroup{
+			UserIDGroupPairs: []awsEC2.UserIDGroupPair{
-				ec2.UserSecurityGroup{
+				awsEC2.UserIDGroupPair{
-					Id: "foo",
+					UserID: aws.String("foo"),
 				},
 			},
 		},
 	}
 
-	if !reflect.DeepEqual(perms, expected) {
+	exp := expected[0]
+	perm := perms[0]
+
+	if *exp.FromPort != *perm.FromPort {
 		t.Fatalf(
 			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-			perms[0],
+			*perm.FromPort,
-			expected)
+			*exp.FromPort)
 	}
 
-}
+	if *exp.IPRanges[0].CIDRIP != *perm.IPRanges[0].CIDRIP {
-
+		t.Fatalf(
-func TestFlattenIPPerms(t *testing.T) {
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-	cases := []struct {
+			*perm.IPRanges[0].CIDRIP,
-		Input  []ec2.IPPerm
+			*exp.IPRanges[0].CIDRIP)
-		Output []map[string]interface{}
-	}{
-		{
-			Input: []ec2.IPPerm{
-				ec2.IPPerm{
-					Protocol:  "icmp",
-					FromPort:  1,
-					ToPort:    -1,
-					SourceIPs: []string{"0.0.0.0/0"},
-					SourceGroups: []ec2.UserSecurityGroup{
-						ec2.UserSecurityGroup{
-							Id: "sg-11111",
-						},
-					},
-				},
-			},
-
-			Output: []map[string]interface{}{
-				map[string]interface{}{
-					"protocol":        "icmp",
-					"from_port":       1,
-					"to_port":         -1,
-					"cidr_blocks":     []string{"0.0.0.0/0"},
-					"security_groups": []string{"sg-11111"},
-				},
-			},
-		},
-
-		{
-			Input: []ec2.IPPerm{
-				ec2.IPPerm{
-					Protocol:     "icmp",
-					FromPort:     1,
-					ToPort:       -1,
-					SourceIPs:    []string{"0.0.0.0/0"},
-					SourceGroups: nil,
-				},
-			},
-
-			Output: []map[string]interface{}{
-				map[string]interface{}{
-					"protocol":    "icmp",
-					"from_port":   1,
-					"to_port":     -1,
-					"cidr_blocks": []string{"0.0.0.0/0"},
-				},
-			},
-		},
-		{
-			Input: []ec2.IPPerm{
-				ec2.IPPerm{
-					Protocol:  "icmp",
-					FromPort:  1,
-					ToPort:    -1,
-					SourceIPs: nil,
-				},
-			},
-
-			Output: []map[string]interface{}{
-				map[string]interface{}{
-					"protocol":  "icmp",
-					"from_port": 1,
-					"to_port":   -1,
-				},
-			},
-		},
 	}
 
-	for _, tc := range cases {
+	if *exp.UserIDGroupPairs[0].UserID != *perm.UserIDGroupPairs[0].UserID {
-		output := flattenIPPerms(tc.Input)
+		t.Fatalf(
-		if !reflect.DeepEqual(output, tc.Output) {
+			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
-			t.Fatalf("Input:\n\n%#v\n\nOutput:\n\n%#v", tc.Input, output)
+			*perm.UserIDGroupPairs[0].UserID,
-		}
+			*exp.UserIDGroupPairs[0].UserID)
 	}
+
 }
 
 func TestExpandListeners(t *testing.T) {