provider/aws: Add plan-level validation for SG CIDR blocks

Adds plan-time validation of the `cidr_blocks` and `ipv6_cidr_blocks` arguments on the `aws_security_group` resource and on the `aws_security_group_rule` resource, so malformed CIDRs are rejected before any AWS API call is made.

```
$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroup_invalidCIDRBlock'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/16 11:32:54 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroup_invalidCIDRBlock -timeout 120m
=== RUN   TestAccAWSSecurityGroup_invalidCIDRBlock
--- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (0.01s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    0.017s
```

```
$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/16 11:46:21 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR -timeout 120m
=== RUN   TestAccAWSSecurityGroupRule_ExpectInvalidCIDR
--- PASS: TestAccAWSSecurityGroupRule_ExpectInvalidCIDR (0.01s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    0.016s
```
Jake Champlin 2017-03-16 11:49:51 -04:00
parent 686ebb7578
commit 925265016b
No known key found for this signature in database
GPG Key ID: DC31F41958EF4AC2
4 changed files with 149 additions and 6 deletions


@ -105,13 +105,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
"cidr_blocks": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"ipv6_cidr_blocks": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"security_groups": {
@ -156,13 +162,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
"cidr_blocks": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"ipv6_cidr_blocks": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"prefix_list_ids": {


@ -58,14 +58,20 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"ipv6_cidr_blocks": {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Elem: &schema.Schema{Type: schema.TypeString},
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validateCIDRNetworkAddress,
},
},
"prefix_list_ids": {


@ -354,6 +354,25 @@ func TestAccAWSSecurityGroupRule_ExpectInvalidTypeError(t *testing.T) {
})
}
func TestAccAWSSecurityGroupRule_ExpectInvalidCIDR(t *testing.T) {
rInt := acctest.RandInt()
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt),
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
},
{
Config: testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt),
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
},
},
})
}
// testing partial match implementation
func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) {
var group ec2.SecurityGroup
@ -1166,3 +1185,35 @@ func testAccAWSSecurityGroupRuleExpectInvalidType(rInt int) string {
source_security_group_id = "${aws_security_group.web.id}"
}`, rInt)
}
func testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt int) string {
return fmt.Sprintf(`
resource "aws_security_group" "foo" {
name = "testing-failure-%d"
}
resource "aws_security_group_rule" "ing" {
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["1.2.3.4/33"]
security_group_id = "${aws_security_group.foo.id}"
}`, rInt)
}
func testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt int) string {
return fmt.Sprintf(`
resource "aws_security_group" "foo" {
name = "testing-failure-%d"
}
resource "aws_security_group_rule" "ing" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_blocks = ["::/244"]
security_group_id = "${aws_security_group.foo.id}"
}`, rInt)
}
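Review bot: The new steps only exercise an out-of-range prefix length (`1.2.3.4/33`, `::/244`), so they do not pin two cases the validator's name suggests it should handle: a CIDR with host bits set (`10.0.0.1/24`) and an address-family mismatch such as `cidr_blocks = ["::/0"]`; whether `validateCIDRNetworkAddress` rejects either cannot be seen from this diff, so a step for each, asserting whichever outcome is intended, would document the contract. Separately, the `ExpectError` patterns are regexes whose unescaped dots match any character; `ExpectError: regexp.MustCompile(regexp.QuoteMeta("invalid CIDR address: 1.2.3.4/33")),` keeps the match exact. Both new test functions and both config helpers lie fully within the hunks.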


@ -719,6 +719,32 @@ func TestAccAWSSecurityGroup_drift_complex(t *testing.T) {
})
}
func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSSecurityGroupInvalidIngressCidr,
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
},
{
Config: testAccAWSSecurityGroupInvalidEgressCidr,
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
},
{
Config: testAccAWSSecurityGroupInvalidIPv6IngressCidr,
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
},
{
Config: testAccAWSSecurityGroupInvalidIPv6EgressCidr,
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
},
},
})
}
func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).ec2conn
@ -1649,6 +1675,54 @@ resource "aws_security_group" "web" {
}`, acctest.RandInt(), acctest.RandInt())
}
const testAccAWSSecurityGroupInvalidIngressCidr = `
resource "aws_security_group" "foo" {
name = "testing-foo"
description = "foo-testing"
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["1.2.3.4/33"]
}
}`
const testAccAWSSecurityGroupInvalidEgressCidr = `
resource "aws_security_group" "foo" {
name = "testing-foo"
description = "foo-testing"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["1.2.3.4/33"]
}
}`
const testAccAWSSecurityGroupInvalidIPv6IngressCidr = `
resource "aws_security_group" "foo" {
name = "testing-foo"
description = "foo-testing"
ingress {
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_blocks = ["::/244"]
}
}`
const testAccAWSSecurityGroupInvalidIPv6EgressCidr = `
resource "aws_security_group" "foo" {
name = "testing-foo"
description = "foo-testing"
egress {
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_blocks = ["::/244"]
}
}`
const testAccAWSSecurityGroupCombindCIDRandGroups = `
resource "aws_vpc" "foo" {
cidr_block = "10.1.0.0/16"