provider/aws: Add plan-level validation for SG CIDR blocks

Adds plan-level validation for both IPv4 and IPv6 CIDR Blocks in an AWS SecurityGroup resource, as well as the AWS Security Group Rule resource. ``` $ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroup_invalidCIDRBlock' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/03/16 11:32:54 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroup_invalidCIDRBlock -timeout 120m === RUN TestAccAWSSecurityGroup_invalidCIDRBlock --- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (0.01s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 0.017s ``` ``` $ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/03/16 11:46:21 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR -timeout 120m === RUN TestAccAWSSecurityGroupRule_ExpectInvalidCIDR --- PASS: TestAccAWSSecurityGroupRule_ExpectInvalidCIDR (0.01s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 0.016s ```
2017-03-16 11:49:51 -04:00 · 2017-03-16 11:49:51 -04:00 · 925265016b
parent 686ebb7578
commit 925265016b
4 changed files with 149 additions and 6 deletions
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@ -105,13 +105,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
 						"cidr_blocks": {
 							Type:     schema.TypeList,
 							Optional: true,
-							Elem:     &schema.Schema{Type: schema.TypeString},
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validateCIDRNetworkAddress,
+							},
 						},

 						"ipv6_cidr_blocks": {
 							Type:     schema.TypeList,
 							Optional: true,
-							Elem:     &schema.Schema{Type: schema.TypeString},
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validateCIDRNetworkAddress,
+							},
 						},

 						"security_groups": {
@ -156,13 +162,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
 						"cidr_blocks": {
 							Type:     schema.TypeList,
 							Optional: true,
-							Elem:     &schema.Schema{Type: schema.TypeString},
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validateCIDRNetworkAddress,
+							},
 						},

 						"ipv6_cidr_blocks": {
 							Type:     schema.TypeList,
 							Optional: true,
-							Elem:     &schema.Schema{Type: schema.TypeString},
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validateCIDRNetworkAddress,
+							},
 						},

 						"prefix_list_ids": {
--- a/builtin/providers/aws/resource_aws_security_group_rule.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule.go
@ -58,14 +58,20 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: true,
-				Elem:     &schema.Schema{Type: schema.TypeString},
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validateCIDRNetworkAddress,
+				},
 			},

 			"ipv6_cidr_blocks": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: true,
-				Elem:     &schema.Schema{Type: schema.TypeString},
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validateCIDRNetworkAddress,
+				},
 			},

 			"prefix_list_ids": {
--- a/builtin/providers/aws/resource_aws_security_group_rule_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule_test.go
@ -354,6 +354,25 @@ func TestAccAWSSecurityGroupRule_ExpectInvalidTypeError(t *testing.T) {
 	})
 }

+func TestAccAWSSecurityGroupRule_ExpectInvalidCIDR(t *testing.T) {
+	rInt := acctest.RandInt()
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt),
+				ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+			},
+			{
+				Config:      testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt),
+				ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+			},
+		},
+	})
+}
+
 // testing partial match implementation
 func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) {
 	var group ec2.SecurityGroup
@ -1166,3 +1185,35 @@ func testAccAWSSecurityGroupRuleExpectInvalidType(rInt int) string {
 		source_security_group_id = "${aws_security_group.web.id}"
 	}`, rInt)
 }
+
+func testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_security_group" "foo" {
+  name = "testing-failure-%d"
+}
+
+resource "aws_security_group_rule" "ing" {
+  type = "ingress"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["1.2.3.4/33"]
+  security_group_id = "${aws_security_group.foo.id}"
+}`, rInt)
+}
+
+func testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_security_group" "foo" {
+  name = "testing-failure-%d"
+}
+
+resource "aws_security_group_rule" "ing" {
+  type = "egress"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  ipv6_cidr_blocks = ["::/244"]
+  security_group_id = "${aws_security_group.foo.id}"
+}`, rInt)
+}
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
@ -719,6 +719,32 @@ func TestAccAWSSecurityGroup_drift_complex(t *testing.T) {
 	})
 }

+func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccAWSSecurityGroupInvalidIngressCidr,
+				ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+			},
+			{
+				Config:      testAccAWSSecurityGroupInvalidEgressCidr,
+				ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+			},
+			{
+				Config:      testAccAWSSecurityGroupInvalidIPv6IngressCidr,
+				ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+			},
+			{
+				Config:      testAccAWSSecurityGroupInvalidIPv6EgressCidr,
+				ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+			},
+		},
+	})
+}
+
 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).ec2conn

@ -1649,6 +1675,54 @@ resource "aws_security_group" "web" {
 }`, acctest.RandInt(), acctest.RandInt())
 }

+const testAccAWSSecurityGroupInvalidIngressCidr = `
+resource "aws_security_group" "foo" {
+  name = "testing-foo"
+  description = "foo-testing"
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["1.2.3.4/33"]
+  }
+}`
+
+const testAccAWSSecurityGroupInvalidEgressCidr = `
+resource "aws_security_group" "foo" {
+  name = "testing-foo"
+  description = "foo-testing"
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["1.2.3.4/33"]
+  }
+}`
+
+const testAccAWSSecurityGroupInvalidIPv6IngressCidr = `
+resource "aws_security_group" "foo" {
+  name = "testing-foo"
+  description = "foo-testing"
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    ipv6_cidr_blocks = ["::/244"]
+  }
+}`
+
+const testAccAWSSecurityGroupInvalidIPv6EgressCidr = `
+resource "aws_security_group" "foo" {
+  name = "testing-foo"
+  description = "foo-testing"
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    ipv6_cidr_blocks = ["::/244"]
+  }
+}`
+
 const testAccAWSSecurityGroupCombindCIDRandGroups = `
 resource "aws_vpc" "foo" {
 	cidr_block = "10.1.0.0/16"