ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

provider/aws: Fix regression in Security Group Rules with self reference (#7706) 

* provider/aws: Failing test for #7670

* provider/aws: Fix security group rule regression with self (#7670)
This commit is contained in:
Clint 2016-07-20 15:47:10 -05:00 committed by GitHub
parent 7193ec5cb9
commit 4d126aaf6f
3 changed files with 71 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
builtin/providers/aws/import_aws_security_group.go
View File

@ -49,6 +49,34 @@ func resourceAwsSecurityGroupImportState(
d.SetType("aws_security_group_rule") d.SetType("aws_security_group_rule")
d.Set("security_group_id", sgId) d.Set("security_group_id", sgId)
d.Set("type", ruleType) d.Set("type", ruleType)
// 'self' is false by default. Below, we range over the group ids and set true
// if the parent sg id is found
d.Set("self", false)
if len(perm.UserIdGroupPairs) > 0 {
s := perm.UserIdGroupPairs[0]
// Check for Pair that is the same as the Security Group, to denote self.
// Otherwise, mark the group id in source_security_group_id
isVPC := sg.VpcId != nil && *sg.VpcId != ""
if isVPC {
if *s.GroupId == *sg.GroupId {
d.Set("self", true)
// prune the self reference from the UserIdGroupPairs, so we don't
// have duplicate sg ids (both self and in source_security_group_id)
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
}
} else {
if *s.GroupName == *sg.GroupName {
d.Set("self", true)
// prune the self reference from the UserIdGroupPairs, so we don't
// have duplicate sg ids (both self and in source_security_group_id)
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
}
}
}
// XXX If the rule contained more than one source security group, this // XXX If the rule contained more than one source security group, this
// will choose one of them. We actually need to create one rule for each // will choose one of them. We actually need to create one rule for each
// source security group. // source security group.

13
builtin/providers/aws/resource_aws_security_group_rule.go
View File

@ -498,7 +498,6 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
} }
if v, ok := d.GetOk("self"); ok && v.(bool) { if v, ok := d.GetOk("self"); ok && v.(bool) {
// if sg.GroupId != nil {
if sg.VpcId != nil && *sg.VpcId != "" { if sg.VpcId != nil && *sg.VpcId != "" {
groups[*sg.GroupId] = true groups[*sg.GroupId] = true
} else { } else {
@ -574,10 +573,6 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
d.Set("cidr_blocks", cb) d.Set("cidr_blocks", cb)
// 'self' is false by default. Below, we range over the group ids and set true
// if the parent sg id is found
d.Set("self", false)
var pl []string var pl []string
for _, p := range rule.PrefixListIds { for _, p := range rule.PrefixListIds {
pl = append(pl, *p.PrefixListId) pl = append(pl, *p.PrefixListId)
@ -587,17 +582,9 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
if len(rule.UserIdGroupPairs) > 0 { if len(rule.UserIdGroupPairs) > 0 {
s := rule.UserIdGroupPairs[0] s := rule.UserIdGroupPairs[0]
// Check for Pair that is the same as the Security Group, to denote self.
// Otherwise, mark the group id in source_security_group_id
if isVPC { if isVPC {
if *s.GroupId == *sg.GroupId {
d.Set("self", true)
}
d.Set("source_security_group_id", *s.GroupId) d.Set("source_security_group_id", *s.GroupId)
} else { } else {
if *s.GroupName == *sg.GroupName {
d.Set("self", true)
}
d.Set("source_security_group_id", *s.GroupName) d.Set("source_security_group_id", *s.GroupName)
} }
} }

43
builtin/providers/aws/resource_aws_security_group_rule_test.go
View File

@ -416,6 +416,24 @@ func TestAccAWSSecurityGroupRule_Race(t *testing.T) {
}) })
} }
func TestAccAWSSecurityGroupRule_SelfSource(t *testing.T) {
var group ec2.SecurityGroup
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSSecurityGroupRuleSelfInSource,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group),
),
},
},
})
}
func TestAccAWSSecurityGroupRule_PrefixListEgress(t *testing.T) { func TestAccAWSSecurityGroupRule_PrefixListEgress(t *testing.T) {
var group ec2.SecurityGroup var group ec2.SecurityGroup
var endpoint ec2.VpcEndpoint var endpoint ec2.VpcEndpoint
@ -1001,3 +1019,28 @@ resource "aws_security_group_rule" "egress_1" {
security_group_id = "${aws_security_group.egress.id}" security_group_id = "${aws_security_group.egress.id}"
} }
` `
const testAccAWSSecurityGroupRuleSelfInSource = `
resource "aws_vpc" "foo" {
cidr_block = "10.1.0.0/16"
tags {
Name = "tf_sg_rule_self_group"
}
}
resource "aws_security_group" "web" {
name = "allow_all"
description = "Allow all inbound traffic"
vpc_id = "${aws_vpc.foo.id}"
}
resource "aws_security_group_rule" "allow_self" {
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
security_group_id = "${aws_security_group.web.id}"
source_security_group_id = "${aws_security_group.web.id}"
}
`