Merge pull request #2492 from aznashwan/f-azure-secgroup-rules-relations

provider/azure: Made secgroup rules one-to-many with secgroups.
Paul Hinze 2015-06-25 15:25:49 -05:00
commit 59fdc24d75
6 changed files with 332 additions and 191 deletions


@ -348,7 +348,7 @@ resource "azure_security_group" "foo" {
resource "azure_security_group_rule" "foo" { resource "azure_security_group_rule" "foo" {
name = "rdp" name = "rdp"
security_group_name = "${azure_security_group.foo.name}" security_group_names = ["${azure_security_group.foo.name}"]
priority = 101 priority = 101
source_address_prefix = "*" source_address_prefix = "*"
source_port_range = "*" source_port_range = "*"
@ -404,7 +404,7 @@ resource "azure_security_group" "foo" {
resource "azure_security_group_rule" "foo" { resource "azure_security_group_rule" "foo" {
name = "rdp" name = "rdp"
security_group_name = "${azure_security_group.foo.name}" security_group_names = ["${azure_security_group.foo.name}"]
priority = 101 priority = 101
source_address_prefix = "*" source_address_prefix = "*"
source_port_range = "*" source_port_range = "*"
@ -422,7 +422,7 @@ resource "azure_security_group" "bar" {
resource "azure_security_group_rule" "bar" { resource "azure_security_group_rule" "bar" {
name = "rdp" name = "rdp"
security_group_name = "${azure_security_group.bar.name}" security_group_names = ["${azure_security_group.bar.name}"]
priority = 101 priority = 101
source_address_prefix = "192.168.0.0/24" source_address_prefix = "192.168.0.0/24"
source_port_range = "*" source_port_range = "*"


@ -16,7 +16,6 @@ func resourceAzureSecurityGroupRule() *schema.Resource {
Create: resourceAzureSecurityGroupRuleCreate, Create: resourceAzureSecurityGroupRuleCreate,
Read: resourceAzureSecurityGroupRuleRead, Read: resourceAzureSecurityGroupRuleRead,
Update: resourceAzureSecurityGroupRuleUpdate, Update: resourceAzureSecurityGroupRuleUpdate,
Exists: resourceAzureSecurityGroupRuleExists,
Delete: resourceAzureSecurityGroupRuleDelete, Delete: resourceAzureSecurityGroupRuleDelete,
Schema: map[string]*schema.Schema{ Schema: map[string]*schema.Schema{
@ -26,11 +25,15 @@ func resourceAzureSecurityGroupRule() *schema.Resource {
ForceNew: true, ForceNew: true,
Description: parameterDescriptions["name"], Description: parameterDescriptions["name"],
}, },
"security_group_name": &schema.Schema{ "security_group_names": &schema.Schema{
Type: schema.TypeString, Type: schema.TypeSet,
Required: true, Required: true,
ForceNew: true, ForceNew: true,
Description: parameterDescriptions["netsecgroup_secgroup_name"], Description: parameterDescriptions["netsecgroup_secgroup_names"],
Elem: &schema.Schema{
Type: schema.TypeString,
},
Set: schema.HashString,
}, },
"type": &schema.Schema{ "type": &schema.Schema{
Type: schema.TypeString, Type: schema.TypeString,
@ -97,18 +100,24 @@ func resourceAzureSecurityGroupRuleCreate(d *schema.ResourceData, meta interface
Protocol: netsecgroup.RuleProtocol(d.Get("protocol").(string)), Protocol: netsecgroup.RuleProtocol(d.Get("protocol").(string)),
} }
// apply the rule to all the necessary network security groups:
secGroups := d.Get("security_group_names").(*schema.Set).List()
for _, sg := range secGroups {
secGroup := sg.(string)
// send the create request to Azure: // send the create request to Azure:
log.Println("[INFO] Sending network security group rule creation request to Azure.") log.Printf("[INFO] Sending Azure security group rule addition request for security group %q.", secGroup)
reqID, err := secGroupClient.SetNetworkSecurityGroupRule( reqID, err := secGroupClient.SetNetworkSecurityGroupRule(
d.Get("security_group_name").(string), secGroup,
rule, rule,
) )
if err != nil { if err != nil {
return fmt.Errorf("Error sending network security group rule creation request to Azure: %s", err) return fmt.Errorf("Error sending Azure network security group rule creation request for security group %q: %s", secGroup, err)
} }
err = mgmtClient.WaitForOperation(reqID, nil) err = mgmtClient.WaitForOperation(reqID, nil)
if err != nil { if err != nil {
return fmt.Errorf("Error creating network security group rule on Azure: %s", err) return fmt.Errorf("Error creating Azure network security group rule for security group %q: %s", secGroup, err)
}
} }
d.SetId(name) d.SetId(name)
@ -121,89 +130,61 @@ func resourceAzureSecurityGroupRuleRead(d *schema.ResourceData, meta interface{}
azureClient := meta.(*Client) azureClient := meta.(*Client)
secGroupClient := azureClient.secGroupClient secGroupClient := azureClient.secGroupClient
secGroupName := d.Get("security_group_name").(string) var found bool
name := d.Get("name").(string)
secGroups := d.Get("security_group_names").(*schema.Set).List()
remaining := schema.NewSet(schema.HashString, nil)
// for each of our security groups; check for our rule:
for _, sg := range secGroups {
secGroupName := sg.(string)
// get info on the network security group and check its rules for this one: // get info on the network security group and check its rules for this one:
log.Println("[INFO] Sending network security group rule query to Azure.") log.Printf("[INFO] Sending Azure network security group rule query for security group %s.", secGroupName)
secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName) secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName)
if err != nil { if err != nil {
if !management.IsResourceNotFoundError(err) { if !management.IsResourceNotFoundError(err) {
return fmt.Errorf("Error issuing network security group rules query: %s", err) return fmt.Errorf("Error issuing network security group rules query for security group %q: %s", secGroupName, err)
} else { } else {
// it meants that the network security group this rule belonged to has // it meants that the network security group this rule belonged to has
// been deleted; so we must remove this resource from the schema: // been deleted; so we skip this iteration:
d.SetId("") continue
return nil
} }
} }
// find our security rule: // find our security rule:
var found bool
name := d.Get("name").(string)
for _, rule := range secgroup.Rules { for _, rule := range secgroup.Rules {
if rule.Name == name { if rule.Name == name {
// note the fact that this rule still apllies to this security group:
found = true found = true
log.Println("[DEBUG] Reading state of Azure network security group rule.") remaining.Add(secGroupName)
d.Set("type", rule.Type)
d.Set("priority", rule.Priority)
d.Set("action", rule.Action)
d.Set("source_address_prefix", rule.SourceAddressPrefix)
d.Set("source_port_range", rule.SourcePortRange)
d.Set("destination_address_prefix", rule.DestinationAddressPrefix)
d.Set("destination_port_range", rule.DestinationPortRange)
d.Set("protocol", rule.Protocol)
break break
} }
} }
}
// check if the rule still exists, and is not, remove the resource: // check to see if there is any security group still having this rule:
if !found { if !found {
d.SetId("") d.SetId("")
return nil
} }
// now; we must update the set of security groups still having this rule:
d.Set("security_group_names", remaining)
return nil return nil
} }
// resourceAzureSecurityGroupRuleUpdate does all the necessary API calls to // resourceAzureSecurityGroupRuleUpdate does all the necessary API calls to
// update the state of a network security group ruke off Azure. // update the state of a network security group rule off Azure.
func resourceAzureSecurityGroupRuleUpdate(d *schema.ResourceData, meta interface{}) error { func resourceAzureSecurityGroupRuleUpdate(d *schema.ResourceData, meta interface{}) error {
azureClient := meta.(*Client) azureClient := meta.(*Client)
mgmtClient := azureClient.mgmtClient mgmtClient := azureClient.mgmtClient
secGroupClient := azureClient.secGroupClient secGroupClient := azureClient.secGroupClient
secGroupName := d.Get("security_group_name").(string)
// get info on the network security group and check its rules for this one:
log.Println("[INFO] Sending network security group rule query for update to Azure.")
secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName)
if err != nil {
if !management.IsResourceNotFoundError(err) {
return fmt.Errorf("Error issuing network security group rules query: %s", err)
} else {
// it meants that the network security group this rule belonged to has
// been deleted; so we must remove this resource from the schema:
d.SetId("")
return nil
}
}
// try and find our security group rule:
var found bool var found bool
name := d.Get("name").(string) name := d.Get("name").(string)
for _, rule := range secgroup.Rules {
if rule.Name == name {
found = true
}
}
// check is the resource has not been deleted in the meantime:
if !found {
// if not; remove the resource:
d.SetId("")
return nil
}
// else, start building up the rule request struct:
newRule := netsecgroup.RuleRequest{ newRule := netsecgroup.RuleRequest{
Name: d.Get("name").(string), Name: d.Get("name").(string),
Type: netsecgroup.RuleType(d.Get("type").(string)), Type: netsecgroup.RuleType(d.Get("type").(string)),
@ -216,57 +197,60 @@ func resourceAzureSecurityGroupRuleUpdate(d *schema.ResourceData, meta interface
Protocol: netsecgroup.RuleProtocol(d.Get("protocol").(string)), Protocol: netsecgroup.RuleProtocol(d.Get("protocol").(string)),
} }
// send the create request to Azure: // iterate over all the security groups that should have this rule and
log.Println("[INFO] Sending network security group rule update request to Azure.") // update it per security group:
remaining := schema.NewSet(schema.HashString, nil)
secGroupNames := d.Get("security_group_names").(*schema.Set).List()
for _, sg := range secGroupNames {
secGroupName := sg.(string)
// get info on the network security group and check its rules for this one:
log.Printf("[INFO] Sending Azure network security group rule query for security group %q.", secGroupName)
secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName)
if err != nil {
if !management.IsResourceNotFoundError(err) {
return fmt.Errorf("Error issuing network security group rules query: %s", err)
} else {
// it meants that the network security group this rule belonged to has
// been deleted; so we skip this iteration:
continue
}
}
// try and find our security group rule:
for _, rule := range secgroup.Rules {
if rule.Name == name {
// note the fact that this rule still apllies to this security group:
found = true
remaining.Add("secGroupName")
// and go ahead and update it:
log.Printf("[INFO] Sending Azure network security group rule update request for security group %q.", secGroupName)
reqID, err := secGroupClient.SetNetworkSecurityGroupRule( reqID, err := secGroupClient.SetNetworkSecurityGroupRule(
secGroupName, secGroupName,
newRule, newRule,
) )
if err != nil { if err != nil {
return fmt.Errorf("Error sending network security group rule update request to Azure: %s", err) return fmt.Errorf("Error sending Azure network security group rule update request for security group %q: %s", secGroupName, err)
} }
err = mgmtClient.WaitForOperation(reqID, nil) err = mgmtClient.WaitForOperation(reqID, nil)
if err != nil { if err != nil {
return fmt.Errorf("Error updating network security group rule on Azure: %s", err) return fmt.Errorf("Error updating Azure network security group rule for security group %q: %s", secGroupName, err)
}
}
}
} }
// check to see if there is any security group still having this rule:
if !found {
d.SetId("")
return nil return nil
} }
// resourceAzureSecurityGroupRuleExists does all the necessary API calls to // here; we must update the set of security groups still having this rule:
// check for the existence of the network security group rule on Azure. d.Set("security_group_names", remaining)
func resourceAzureSecurityGroupRuleExists(d *schema.ResourceData, meta interface{}) (bool, error) {
secGroupClient := meta.(*Client).secGroupClient
secGroupName := d.Get("security_group_name").(string) return nil
// get info on the network security group and search for our rule:
log.Println("[INFO] Sending network security group rule query for existence check to Azure.")
secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName)
if err != nil {
if !management.IsResourceNotFoundError(err) {
return false, fmt.Errorf("Error issuing network security group rules query: %s", err)
} else {
// it meants that the network security group this rule belonged to has
// been deleted; so we must remove this resource from the schema:
d.SetId("")
return false, nil
}
}
// try and find our security group rule:
name := d.Get("name").(string)
for _, rule := range secgroup.Rules {
if rule.Name == name {
return true, nil
}
}
// if here; it means the resource has been deleted in the
// meantime and must be removed from the schema:
d.SetId("")
return false, nil
} }
// resourceAzureSecurityGroupRuleDelete does all the necessary API calls to // resourceAzureSecurityGroupRuleDelete does all the necessary API calls to
@ -276,24 +260,26 @@ func resourceAzureSecurityGroupRuleDelete(d *schema.ResourceData, meta interface
mgmtClient := azureClient.mgmtClient mgmtClient := azureClient.mgmtClient
secGroupClient := azureClient.secGroupClient secGroupClient := azureClient.secGroupClient
secGroupName := d.Get("security_group_name").(string) name := d.Get("name").(string)
secGroupNames := d.Get("security_group_names").(*schema.Set).List()
for _, sg := range secGroupNames {
secGroupName := sg.(string)
// get info on the network security group and search for our rule: // get info on the network security group and search for our rule:
log.Println("[INFO] Sending network security group rule query for deletion to Azure.") log.Printf("[INFO] Sending network security group rule query for security group %q.", secGroupName)
secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName) secgroup, err := secGroupClient.GetNetworkSecurityGroup(secGroupName)
if err != nil { if err != nil {
if management.IsResourceNotFoundError(err) { if management.IsResourceNotFoundError(err) {
// it meants that the network security group this rule belonged to has // it means that this network security group this rule belonged to has
// been deleted; so we need do nothing more but stop tracking the resource: // been deleted; so we need not do anything more here:
d.SetId("") continue
return nil
} else { } else {
return fmt.Errorf("Error issuing network security group rules query: %s", err) return fmt.Errorf("Error issuing Azure network security group rules query for security group %q: %s", secGroupName, err)
} }
} }
// check is the resource has not been deleted in the meantime: // check if the rule has been deleted in the meantime:
name := d.Get("name").(string)
for _, rule := range secgroup.Rules { for _, rule := range secgroup.Rules {
if rule.Name == name { if rule.Name == name {
// if not; we shall issue the delete: // if not; we shall issue the delete:
@ -306,6 +292,8 @@ func resourceAzureSecurityGroupRuleDelete(d *schema.ResourceData, meta interface
return fmt.Errorf("Error deleting network security group rule off Azure: %s", err) return fmt.Errorf("Error deleting network security group rule off Azure: %s", err)
} }
} }
break
}
} }
return nil return nil
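Review bot: `remaining.Add("secGroupName")` in resourceAzureSecurityGroupRuleUpdate adds the literal string rather than the group name, so after any update `security_group_names` is written back to state as `["secGroupName"]` and the next plan forces a replacement against a group that does not exist; it should be `remaining.Add(secGroupName)`, as the Read path already does. Separately, the Read rewrite drops the `d.Set("type", …)`, `priority`, `action`, `source_/destination_address_prefix`, `source_/destination_port_range` and `protocol` calls the removed lines had, so a rule whose action or prefixes were changed outside Terraform is no longer reported as drift — refreshing those fields from the first matching rule would keep the state honest. The Delete function's body continues past the end of the hunk.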


@ -4,30 +4,44 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/Azure/azure-sdk-for-go/management"
"github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/terraform" "github.com/hashicorp/terraform/terraform"
) )
func TestAccAzureSecurityGroupRule(t *testing.T) { var (
testAcctestingSecurityGroup1 = fmt.Sprintf("%s-%d", testAccSecurityGroupName, 1)
testAccTestingSecurityGroupHash1 = fmt.Sprintf("%d", schema.HashString(testAcctestingSecurityGroup1))
testAcctestingSecurityGroup2 = fmt.Sprintf("%s-%d", testAccSecurityGroupName, 2)
testAccTestingSecurityGroupHash2 = fmt.Sprintf("%d", schema.HashString(testAcctestingSecurityGroup2))
)
func TestAccAzureSecurityGroupRuleBasic(t *testing.T) {
name := "azure_security_group_rule.foo" name := "azure_security_group_rule.foo"
resource.Test(t, resource.TestCase{ resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) }, PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders, Providers: testAccProviders,
CheckDestroy: testAccCheckAzureSecurityGroupRuleDeleted, CheckDestroy: testAccCheckAzureSecurityGroupRuleDeleted([]string{testAccSecurityGroupName}),
Steps: []resource.TestStep{ Steps: []resource.TestStep{
resource.TestStep{ resource.TestStep{
Config: testAccAzureSecurityGroupRule, Config: testAccAzureSecurityGroupRuleBasicConfig,
Check: resource.ComposeTestCheckFunc( Check: resource.ComposeTestCheckFunc(
testAccCheckAzureSecurityGroupRuleExists(name), testAccCheckAzureSecurityGroupRuleExists(name, testAccSecurityGroupName),
resource.TestCheckResourceAttr(name, "name", "terraform-secgroup-rule"), resource.TestCheckResourceAttr(name, "name", "terraform-secgroup-rule"),
resource.TestCheckResourceAttr(name, "security_group_name", testAccSecurityGroupName), resource.TestCheckResourceAttr(name,
fmt.Sprintf("security_group_names.%d", schema.HashString(testAccSecurityGroupName)),
testAccSecurityGroupName),
resource.TestCheckResourceAttr(name, "type", "Inbound"), resource.TestCheckResourceAttr(name, "type", "Inbound"),
resource.TestCheckResourceAttr(name, "action", "Deny"), resource.TestCheckResourceAttr(name, "action", "Deny"),
resource.TestCheckResourceAttr(name, "priority", "200"), resource.TestCheckResourceAttr(name, "priority", "200"),
resource.TestCheckResourceAttr(name, "source_address_prefix", "100.0.0.0/32"), resource.TestCheckResourceAttr(name, "source_address_prefix", "100.0.0.0/32"),
resource.TestCheckResourceAttr(name, "source_port_range", "1000"), resource.TestCheckResourceAttr(name, "source_port_range", "1000"),
resource.TestCheckResourceAttr(name, "destination_address_prefix", "10.0.0.0/32"), resource.TestCheckResourceAttr(name, "destination_address_prefix", "10.0.0.0/32"),
resource.TestCheckResourceAttr(name, "destination_port_range", "1000"),
resource.TestCheckResourceAttr(name, "protocol", "TCP"), resource.TestCheckResourceAttr(name, "protocol", "TCP"),
), ),
}, },
@ -35,7 +49,99 @@ func TestAccAzureSecurityGroupRule(t *testing.T) {
}) })
} }
func testAccCheckAzureSecurityGroupRuleExists(name string) resource.TestCheckFunc { func TestAccAzureSecurityGroupRuleAdvanced(t *testing.T) {
name := "azure_security_group_rule.foo"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAzureSecurityGroupRuleDeleted(
[]string{
testAcctestingSecurityGroup1,
testAcctestingSecurityGroup2,
},
),
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAzureSecurityGroupRuleAdvancedConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAzureSecurityGroupRuleExists(name, testAcctestingSecurityGroup1),
testAccCheckAzureSecurityGroupRuleExists(name, testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "name", "terraform-secgroup-rule"),
resource.TestCheckResourceAttr(name, fmt.Sprintf("security_group_names.%s",
testAccTestingSecurityGroupHash1), testAcctestingSecurityGroup1),
resource.TestCheckResourceAttr(name, fmt.Sprintf("security_group_names.%s",
testAccTestingSecurityGroupHash2), testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "type", "Inbound"),
resource.TestCheckResourceAttr(name, "action", "Deny"),
resource.TestCheckResourceAttr(name, "priority", "200"),
resource.TestCheckResourceAttr(name, "source_address_prefix", "100.0.0.0/32"),
resource.TestCheckResourceAttr(name, "source_port_range", "1000"),
resource.TestCheckResourceAttr(name, "destination_address_prefix", "10.0.0.0/32"),
resource.TestCheckResourceAttr(name, "destination_port_range", "1000"),
resource.TestCheckResourceAttr(name, "protocol", "TCP"),
),
},
},
})
}
func TestAccAzureSecurityGroupRuleUpdate(t *testing.T) {
name := "azure_security_group_rule.foo"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAzureSecurityGroupRuleDeleted(
[]string{
testAcctestingSecurityGroup1,
testAcctestingSecurityGroup2,
},
),
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAzureSecurityGroupRuleAdvancedConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAzureSecurityGroupRuleExists(name, testAcctestingSecurityGroup1),
testAccCheckAzureSecurityGroupRuleExists(name, testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "name", "terraform-secgroup-rule"),
resource.TestCheckResourceAttr(name, fmt.Sprintf("security_group_names.%s",
testAccTestingSecurityGroupHash1), testAcctestingSecurityGroup1),
resource.TestCheckResourceAttr(name, fmt.Sprintf("security_group_names.%s",
testAccTestingSecurityGroupHash2), testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "type", "Inbound"),
resource.TestCheckResourceAttr(name, "action", "Deny"),
resource.TestCheckResourceAttr(name, "priority", "200"),
resource.TestCheckResourceAttr(name, "source_address_prefix", "100.0.0.0/32"),
resource.TestCheckResourceAttr(name, "source_port_range", "1000"),
resource.TestCheckResourceAttr(name, "destination_address_prefix", "10.0.0.0/32"),
resource.TestCheckResourceAttr(name, "destination_port_range", "1000"),
resource.TestCheckResourceAttr(name, "protocol", "TCP"),
),
},
resource.TestStep{
Config: testAccAzureSecurityGroupRuleUpdateConfig,
Check: resource.ComposeTestCheckFunc(
testAccCheckAzureSecurityGroupRuleExists(name, testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "name", "terraform-secgroup-rule"),
resource.TestCheckResourceAttr(name, fmt.Sprintf("security_group_names.%s",
testAccTestingSecurityGroupHash2), testAcctestingSecurityGroup2),
resource.TestCheckResourceAttr(name, "type", "Outbound"),
resource.TestCheckResourceAttr(name, "action", "Allow"),
resource.TestCheckResourceAttr(name, "priority", "100"),
resource.TestCheckResourceAttr(name, "source_address_prefix", "101.0.0.0/32"),
resource.TestCheckResourceAttr(name, "source_port_range", "1000"),
resource.TestCheckResourceAttr(name, "destination_address_prefix", "10.0.0.0/32"),
resource.TestCheckResourceAttr(name, "destination_port_range", "1001"),
resource.TestCheckResourceAttr(name, "protocol", "UDP"),
),
},
},
})
}
func testAccCheckAzureSecurityGroupRuleExists(name, groupName string) resource.TestCheckFunc {
return func(s *terraform.State) error { return func(s *terraform.State) error {
resource, ok := s.RootModule().Resources[name] resource, ok := s.RootModule().Resources[name]
if !ok { if !ok {
@ -48,9 +154,9 @@ func testAccCheckAzureSecurityGroupRuleExists(name string) resource.TestCheckFun
secGroupClient := testAccProvider.Meta().(*Client).secGroupClient secGroupClient := testAccProvider.Meta().(*Client).secGroupClient
secGroup, err := secGroupClient.GetNetworkSecurityGroup(testAccSecurityGroupName) secGroup, err := secGroupClient.GetNetworkSecurityGroup(groupName)
if err != nil { if err != nil {
return fmt.Errorf("Failed getting network security group details: %s", err) return fmt.Errorf("Failed getting network security group details for %q: %s", groupName, err)
} }
for _, rule := range secGroup.Rules { for _, rule := range secGroup.Rules {
@ -63,7 +169,8 @@ func testAccCheckAzureSecurityGroupRuleExists(name string) resource.TestCheckFun
} }
} }
func testAccCheckAzureSecurityGroupRuleDeleted(s *terraform.State) error { func testAccCheckAzureSecurityGroupRuleDeleted(groups []string) resource.TestCheckFunc {
return func(s *terraform.State) error {
for _, resource := range s.RootModule().Resources { for _, resource := range s.RootModule().Resources {
if resource.Type != "azure_security_group_rule" { if resource.Type != "azure_security_group_rule" {
continue continue
@ -75,9 +182,12 @@ func testAccCheckAzureSecurityGroupRuleDeleted(s *terraform.State) error {
secGroupClient := testAccProvider.Meta().(*Client).secGroupClient secGroupClient := testAccProvider.Meta().(*Client).secGroupClient
secGroup, err := secGroupClient.GetNetworkSecurityGroup(testAccSecurityGroupName) for _, groupName := range groups {
secGroup, err := secGroupClient.GetNetworkSecurityGroup(groupName)
if err != nil { if err != nil {
return fmt.Errorf("Failed getting network security group details: %s", err) if !management.IsResourceNotFoundError(err) {
return fmt.Errorf("Failed getting network security group details for %q: %s", groupName, err)
}
} }
for _, rule := range secGroup.Rules { for _, rule := range secGroup.Rules {
@ -86,14 +196,16 @@ func testAccCheckAzureSecurityGroupRuleDeleted(s *terraform.State) error {
} }
} }
} }
}
return nil return nil
} }
}
var testAccAzureSecurityGroupRule = testAccAzureSecurityGroupConfig + ` var testAccAzureSecurityGroupRuleBasicConfig = testAccAzureSecurityGroupConfig + `
resource "azure_security_group_rule" "foo" { resource "azure_security_group_rule" "foo" {
name = "terraform-secgroup-rule" name = "terraform-secgroup-rule"
security_group_name = "${azure_security_group.foo.name}" security_group_names = ["${azure_security_group.foo.name}"]
type = "Inbound" type = "Inbound"
action = "Deny" action = "Deny"
priority = 200 priority = 200
@ -104,3 +216,34 @@ resource "azure_security_group_rule" "foo" {
protocol = "TCP" protocol = "TCP"
} }
` `
var testAccAzureSecurityGroupRuleAdvancedConfig = fmt.Sprintf(testAccAzureSecurityGroupConfigTemplate, "foo", testAcctestingSecurityGroup1) +
fmt.Sprintf(testAccAzureSecurityGroupConfigTemplate, "bar", testAcctestingSecurityGroup2) + `
resource "azure_security_group_rule" "foo" {
name = "terraform-secgroup-rule"
security_group_names = ["${azure_security_group.foo.name}", "${azure_security_group.bar.name}"]
type = "Inbound"
action = "Deny"
priority = 200
source_address_prefix = "100.0.0.0/32"
source_port_range = "1000"
destination_address_prefix = "10.0.0.0/32"
destination_port_range = "1000"
protocol = "TCP"
}
`
var testAccAzureSecurityGroupRuleUpdateConfig = fmt.Sprintf(testAccAzureSecurityGroupConfigTemplate, "foo", testAcctestingSecurityGroup1) +
fmt.Sprintf(testAccAzureSecurityGroupConfigTemplate, "bar", testAcctestingSecurityGroup2) + `
resource "azure_security_group_rule" "foo" {
name = "terraform-secgroup-rule"
security_group_names = ["${azure_security_group.bar.name}"]
type = "Outbound"
action = "Allow"
priority = 100
source_address_prefix = "101.0.0.0/32"
source_port_range = "1000"
destination_address_prefix = "10.0.0.0/32"
destination_port_range = "1001"
protocol = "UDP"
}
`
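Review bot: In testAccCheckAzureSecurityGroupRuleDeleted the not-found branch only suppresses the error and then falls through to `for _, rule := range secGroup.Rules`; if the client returns a pointer on that path this dereferences nil, and even with a value result the intent is clearer with an explicit `continue` placed after the inner `if !management.IsResourceNotFoundError(err) { … }` block so a deleted group is skipped rather than inspected. The enclosing function starts before the hunk.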


@ -89,9 +89,14 @@ func testAccCheckAzureSecurityGroupDestroy(s *terraform.State) error {
return nil return nil
} }
var testAccAzureSecurityGroupConfig = fmt.Sprintf(` const testAccAzureSecurityGroupConfigTemplate = `
resource "azure_security_group" "foo" { resource "azure_security_group" "%s" {
name = "%s" name = "%s"
location = "West US" location = "West US"
label = "terraform testing security group" label = "terraform testing security group"
}`, testAccSecurityGroupName) }`
var testAccAzureSecurityGroupConfig = fmt.Sprintf(
testAccAzureSecurityGroupConfigTemplate,
"foo", "terraform-security-group",
)
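Review bot: testAccAzureSecurityGroupConfig now hard-codes `"terraform-security-group"` where the removed line used `testAccSecurityGroupName`, while the rule acceptance tests still look the group up through `testAccSecurityGroupName`; if the two values ever diverge, testAccCheckAzureSecurityGroupRuleExists queries a group the config never created. Passing the variable keeps the name in one place: `"foo", testAccSecurityGroupName,`. Where testAccSecurityGroupName is defined is outside this hunk.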


@ -218,7 +218,7 @@ resource "azure_security_group" "foo" {
resource "azure_security_group_rule" "foo" { resource "azure_security_group_rule" "foo" {
name = "terraform-secgroup-rule" name = "terraform-secgroup-rule"
security_group_name = "${azure_security_group.foo.name}" security_group_names = ["${azure_security_group.foo.name}"]
type = "Inbound" type = "Inbound"
action = "Deny" action = "Deny"
priority = 200 priority = 200
@ -249,7 +249,7 @@ resource "azure_security_group" "foo" {
resource "azure_security_group_rule" "foo" { resource "azure_security_group_rule" "foo" {
name = "terraform-secgroup-rule" name = "terraform-secgroup-rule"
security_group_name = "${azure_security_group.foo.name}" security_group_names = ["${azure_security_group.foo.name}"]
type = "Inbound" type = "Inbound"
action = "Deny" action = "Deny"
priority = 200 priority = 200


@ -17,9 +17,13 @@ resource "azure_security_group" "web" {
... ...
} }
resource "azure_security_group" "apps" {
...
}
resource "azure_security_group_rule" "ssh_access" { resource "azure_security_group_rule" "ssh_access" {
name = "ssh-access-rule" name = "ssh-access-rule"
security_group_name = "${azure_security_group.web.name}" security_group_names = ["${azure_security_group.web.name}", "${azure_security_group.apps.name}"]
type = "Inbound" type = "Inbound"
action = "Allow" action = "Allow"
priority = 200 priority = 200
@ -34,10 +38,11 @@ resource "azure_security_group_rule" "ssh_access" {
## Argument Reference ## Argument Reference
The following arguments are supported: The following arguments are supported:
* `name` - (Required) The name of the security group the rule should be * `name` - (Required) The name of the security group rule.
applied to.
* `security_group_name` - (Required) The name of the security group m * `security_group_names` - (Required) A list of the names of the security groups
the rule should be applied to.
Changing this list forces the creation of a new resource.
* `type` - (Required) The type of the security rule. Valid options are: * `type` - (Required) The type of the security rule. Valid options are:
`Inbound` and `Outbound`. `Inbound` and `Outbound`.