aws: Force users to use from_port, to_port = 0 on network ACLs with -1 protocol

AWS doesn't store ports for -1 protocol rules, thus the read from the API will always come up with a different hash. Force the user to make a deliberate port choice when enabling -1 protocol rules. All from_port and to_port's on these rules must be 0.
2015-05-06 09:14:33 -04:00 · 2015-05-06 09:14:33 -04:00 · b888b31e08
parent d14049c8ad
commit b888b31e08
3 changed files with 51 additions and 0 deletions
--- a/builtin/providers/aws/network_acl_entry.go
+++ b/builtin/providers/aws/network_acl_entry.go
@ -66,3 +66,19 @@ func protocolIntegers() map[string]int {
 	}
 	return protocolIntegers
 }
+
+// expectedPortPair stores a pair of ports we expect to see together.
+type expectedPortPair struct {
+	to_port   int64
+	from_port int64
+}
+
+// validatePorts ensures the ports and protocol match expected
+// values.
+func validatePorts(to int64, from int64, expected expectedPortPair) bool {
+	if to != expected.to_port || from != expected.from_port {
+		return false
+	}
+
+	return true
+}
--- a/builtin/providers/aws/network_acl_entry_test.go
+++ b/builtin/providers/aws/network_acl_entry_test.go
@ -135,3 +135,20 @@ func Test_flattenNetworkACLEntry(t *testing.T) {
 	}

 }
+
+func Test_validatePorts(t *testing.T) {
+	for _, ts := range []struct {
+		to       int64
+		from     int64
+		expected *expectedPortPair
+		wanted   bool
+	}{
+		{0, 0, &expectedPortPair{0, 0}, true},
+		{0, 1, &expectedPortPair{0, 0}, false},
+	} {
+		got := validatePorts(ts.to, ts.from, *ts.expected)
+		if got != ts.wanted {
+			t.Fatalf("Got: %t; Expected: %t\n", got, ts.wanted)
+		}
+	}
+}
--- a/builtin/providers/aws/resource_aws_network_acl.go
+++ b/builtin/providers/aws/resource_aws_network_acl.go
@ -266,6 +266,24 @@ func updateNetworkAclEntries(d *schema.ResourceData, entryType string, conn *ec2
 		return err
 	}
 	for _, add := range toBeCreated {
+		// Protocol -1 rules don't store ports in AWS. Thus, they'll always
+		// hash differently when being read out of the API. Force the user
+		// to set from_port and to_port to 0 for these rules, to keep the
+		// hashing consistent.
+		if *add.Protocol == "-1" {
+			to := *add.PortRange.To
+			from := *add.PortRange.From
+			expected := &expectedPortPair{
+				to_port:   0,
+				from_port: 0,
+			}
+			if ok := validatePorts(to, from, *expected); !ok {
+				return fmt.Errorf(
+					"to_port (%d) and from_port (%d) must both be 0 to use the the 'all' \"-1\" protocol!",
+					to, from)
+			}
+		}
+
 		// Add new Acl entry
 		_, err := conn.CreateNetworkACLEntry(&ec2.CreateNetworkACLEntryInput{
 			NetworkACLID: aws.String(d.Id()),