providers/aws: security group ingress rules treated as set [GH-87]
/cc @pearkes - !!!
This commit is contained in:
Mitchell Hashimoto
parent
3db41fe9f6
commit
4015d942ab
|
|
@ -25,8 +25,7 @@ IMPROVEMENTS:
|
||||||
attributes.
|
attributes.
|
||||||
* providers/aws: Security group rules can be updated without a
|
* providers/aws: Security group rules can be updated without a
|
||||||
destroy/create.
|
destroy/create.
|
||||||
* providers/aws: You can enable and disable dns settings for VPCs
|
* providers/aws: You can enable and disable dns settings for VPCs. [GH-172]
|
||||||
[GH-172]
|
|
||||||
|
|
||||||
BUG FIXES:
|
BUG FIXES:
|
||||||
|
|
||||||
|
|
@ -36,6 +35,8 @@ BUG FIXES:
|
||||||
* providers/aws: Fix issues around failing to read EIPs. [GH-122]
|
* providers/aws: Fix issues around failing to read EIPs. [GH-122]
|
||||||
* providers/aws: Autoscaling groups now register and export load
|
* providers/aws: Autoscaling groups now register and export load
|
||||||
balancers. [GH-207]
|
balancers. [GH-207]
|
||||||
|
* providers/aws: Ingress results are treated as a set, so order doesn't
|
||||||
|
matter anymore. [GH-87]
|
||||||
* providers/heroku: If you delete the `config_vars` block, config vars
|
* providers/heroku: If you delete the `config_vars` block, config vars
|
||||||
are properly nuked.
|
are properly nuked.
|
||||||
* providers/heroku: Domains and drains are deleted before the app.
|
* providers/heroku: Domains and drains are deleted before the app.
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,12 @@
|
||||||
package aws
|
package aws
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"reflect"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/hashcode"
|
||||||
"github.com/hashicorp/terraform/helper/resource"
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
"github.com/hashicorp/terraform/helper/schema"
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
"github.com/hashicorp/terraform/terraform"
|
"github.com/hashicorp/terraform/terraform"
|
||||||
|
|
@ -38,7 +39,7 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||||
},
|
},
|
||||||
|
|
||||||
"ingress": &schema.Schema{
|
"ingress": &schema.Schema{
|
||||||
Type: schema.TypeList,
|
Type: schema.TypeSet,
|
||||||
Required: true,
|
Required: true,
|
||||||
Elem: &schema.Resource{
|
Elem: &schema.Resource{
|
||||||
Schema: map[string]*schema.Schema{
|
Schema: map[string]*schema.Schema{
|
||||||
|
|
@ -70,6 +71,7 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Set: resourceAwsSecurityGroupIngressHash,
|
||||||
},
|
},
|
||||||
|
|
||||||
"owner_id": &schema.Schema{
|
"owner_id": &schema.Schema{
|
||||||
|
|
@ -80,6 +82,27 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func resourceAwsSecurityGroupIngressHash(v interface{}) int {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
m := v.(map[string]interface{})
|
||||||
|
buf.WriteString(fmt.Sprintf("%d-", m["from_port"].(int)))
|
||||||
|
buf.WriteString(fmt.Sprintf("%d-", m["to_port"].(int)))
|
||||||
|
buf.WriteString(fmt.Sprintf("%d-", m["protocol"].(string)))
|
||||||
|
|
||||||
|
if v, ok := m["cidr_blocks"]; ok {
|
||||||
|
for _, raw := range v.([]interface{}) {
|
||||||
|
buf.WriteString(fmt.Sprintf("%s-", raw.(string)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if v, ok := m["security_groups"]; ok {
|
||||||
|
for _, raw := range v.([]interface{}) {
|
||||||
|
buf.WriteString(fmt.Sprintf("%s-", raw.(string)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return hashcode.String(buf.String())
|
||||||
|
}
|
||||||
|
|
||||||
func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
|
||||||
p := meta.(*ResourceProvider)
|
p := meta.(*ResourceProvider)
|
||||||
ec2conn := p.ec2conn
|
ec2conn := p.ec2conn
|
||||||
|
|
@ -127,9 +150,9 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
||||||
// Expand the "ingress" array to goamz compat []ec2.IPPerm
|
// Expand the "ingress" array to goamz compat []ec2.IPPerm
|
||||||
ingressRaw := d.Get("ingress")
|
ingressRaw := d.Get("ingress")
|
||||||
if ingressRaw == nil {
|
if ingressRaw == nil {
|
||||||
ingressRaw = []interface{}{}
|
ingressRaw = new(schema.Set)
|
||||||
}
|
}
|
||||||
ingressList := ingressRaw.([]interface{})
|
ingressList := ingressRaw.(*schema.Set).List()
|
||||||
if len(ingressList) > 0 {
|
if len(ingressList) > 0 {
|
||||||
ingressRules := expandIPPerms(ingressList)
|
ingressRules := expandIPPerms(ingressList)
|
||||||
_, err = ec2conn.AuthorizeSecurityGroup(group, ingressRules)
|
_, err = ec2conn.AuthorizeSecurityGroup(group, ingressRules)
|
||||||
|
|
@ -158,60 +181,36 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
|
||||||
if d.HasChange("ingress") {
|
if d.HasChange("ingress") {
|
||||||
o, n := d.GetChange("ingress")
|
o, n := d.GetChange("ingress")
|
||||||
if o == nil {
|
if o == nil {
|
||||||
o = []interface{}{}
|
o = new(schema.Set)
|
||||||
}
|
}
|
||||||
if n == nil {
|
if n == nil {
|
||||||
n = []interface{}{}
|
n = new(schema.Set)
|
||||||
}
|
}
|
||||||
|
|
||||||
oldRules := expandIPPerms(o.([]interface{}))
|
os := o.(*schema.Set)
|
||||||
newRules := expandIPPerms(n.([]interface{}))
|
ns := n.(*schema.Set)
|
||||||
|
|
||||||
var add, remove []ec2.IPPerm
|
remove := expandIPPerms(os.Difference(ns).List())
|
||||||
for _, p := range newRules {
|
add := expandIPPerms(ns.Difference(os).List())
|
||||||
// Check if we have had this rule before
|
|
||||||
exists := false
|
|
||||||
for _, old := range oldRules {
|
|
||||||
if reflect.DeepEqual(old, p) {
|
|
||||||
exists = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if exists {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
add = append(add, p)
|
|
||||||
}
|
|
||||||
for _, p := range oldRules {
|
|
||||||
// Check if we have this rule to add
|
|
||||||
exists := false
|
|
||||||
for _, n := range newRules {
|
|
||||||
if reflect.DeepEqual(n, p) {
|
|
||||||
exists = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if exists {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
remove = append(remove, p)
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO: We need to handle partial state better in the in-between
|
// TODO: We need to handle partial state better in the in-between
|
||||||
// in this update.
|
// in this update.
|
||||||
|
if len(add) > 0 {
|
||||||
// Authorize the new rules
|
// Authorize the new rules
|
||||||
_, err := ec2conn.AuthorizeSecurityGroup(group, add)
|
_, err := ec2conn.AuthorizeSecurityGroup(group, add)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(remove) > 0 {
|
||||||
// Revoke the old rules
|
// Revoke the old rules
|
||||||
_, err = ec2conn.RevokeSecurityGroup(group, remove)
|
_, err = ec2conn.RevokeSecurityGroup(group, remove)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -239,6 +239,12 @@ func (m schemaMap) diffList(
|
||||||
diff *terraform.ResourceDiff,
|
diff *terraform.ResourceDiff,
|
||||||
d *ResourceData) error {
|
d *ResourceData) error {
|
||||||
o, n, _ := d.diffChange(k)
|
o, n, _ := d.diffChange(k)
|
||||||
|
if o == nil {
|
||||||
|
o = []interface{}{}
|
||||||
|
}
|
||||||
|
if n == nil {
|
||||||
|
n = []interface{}{}
|
||||||
|
}
|
||||||
if s, ok := o.(*Set); ok {
|
if s, ok := o.(*Set); ok {
|
||||||
o = s.List()
|
o = s.List()
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue