providers/aws: fix security group self ingress rules on EC2-classic

Mitchell Hashimoto 2015-03-18 13:47:59 +00:00
parent 18a83347b5
commit d823a8cf81
3 changed files with 99 additions and 5 deletions


@ -396,8 +396,8 @@ func resourceAwsSecurityGroupUpdateRules(
os := o.(*schema.Set) os := o.(*schema.Set)
ns := n.(*schema.Set) ns := n.(*schema.Set)
remove := expandIPPerms(d.Id(), os.Difference(ns).List()) remove := expandIPPerms(group, os.Difference(ns).List())
add := expandIPPerms(d.Id(), ns.Difference(os).List()) add := expandIPPerms(group, ns.Difference(os).List())
// TODO: We need to handle partial state better in the in-between // TODO: We need to handle partial state better in the in-between
// in this update. // in this update.
@ -452,6 +452,11 @@ func resourceAwsSecurityGroupUpdateRules(
GroupID: group.GroupID, GroupID: group.GroupID,
IPPermissions: add, IPPermissions: add,
} }
if group.VPCID == nil || *group.VPCID == "" {
req.GroupID = nil
req.GroupName = group.GroupName
}
err = ec2conn.AuthorizeSecurityGroupIngress(req) err = ec2conn.AuthorizeSecurityGroupIngress(req)
} }
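Review bot: The classic-vs-VPC predicate added here (`group.VPCID == nil || *group.VPCID == ""`) disagrees with the one expandIPPerms now uses in the second file (`vpc := group.VPCID != nil`), so a group whose VPCID is a non-nil empty string would be authorized by GroupName in this request while the permissions it carries still contain VPC-style GroupID pairs. Pick one predicate and use it in both places, e.g. `vpc := group.VPCID != nil && *group.VPCID != ""`. The `remove` permissions built in the first hunk feed a revoke request that is outside this hunk; if that request is built like `req`, it presumably needs the same GroupName switch for EC2-Classic. resourceAwsSecurityGroupUpdateRules starts before and continues after both hunks.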


@ -39,7 +39,10 @@ func expandListeners(configured []interface{}) ([]elb.Listener, error) {
// Takes the result of flatmap.Expand for an array of ingress/egress // Takes the result of flatmap.Expand for an array of ingress/egress
// security group rules and returns EC2 API compatible objects // security group rules and returns EC2 API compatible objects
func expandIPPerms(id string, configured []interface{}) []ec2.IPPermission { func expandIPPerms(
group ec2.SecurityGroup, configured []interface{}) []ec2.IPPermission {
vpc := group.VPCID != nil
perms := make([]ec2.IPPermission, len(configured)) perms := make([]ec2.IPPermission, len(configured))
for i, mRaw := range configured { for i, mRaw := range configured {
var perm ec2.IPPermission var perm ec2.IPPermission
@ -57,7 +60,11 @@ func expandIPPerms(id string, configured []interface{}) []ec2.IPPermission {
} }
} }
if v, ok := m["self"]; ok && v.(bool) { if v, ok := m["self"]; ok && v.(bool) {
groups = append(groups, id) if vpc {
groups = append(groups, *group.GroupID)
} else {
groups = append(groups, *group.GroupName)
}
} }
if len(groups) > 0 { if len(groups) > 0 {
@ -72,6 +79,11 @@ func expandIPPerms(id string, configured []interface{}) []ec2.IPPermission {
GroupID: aws.String(id), GroupID: aws.String(id),
UserID: aws.String(ownerId), UserID: aws.String(ownerId),
} }
if !vpc {
perm.UserIDGroupPairs[i].GroupID = nil
perm.UserIDGroupPairs[i].GroupName = aws.String(id)
perm.UserIDGroupPairs[i].UserID = nil
}
} }
} }
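Review bot: The `self` branch dereferences `*group.GroupID` and `*group.GroupName` without a nil check, so a VPC group with no GroupID, or a classic group with no GroupName, panics inside expandIPPerms rather than producing an error; since the function has no error return, either guard those fields before the loop or extend the signature to report the problem. The non-VPC block at the end of the hunk also sets `UserID = nil`, which discards the owner parsed from the `owner/name` form a few lines above; for EC2-Classic the UserId is presumably what identifies the other account in a cross-account rule, so this looks like it silently turns such a rule into a same-account one — worth confirming against the API before merging. The doc comment above the new signature should state the role of the new parameter, e.g. `// group selects the rule form: GroupID pairs for VPC groups, GroupName pairs for EC2-Classic.` expandIPPerms starts in this hunk's header and continues past its last line.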


@ -59,7 +59,11 @@ func TestExpandIPPerms(t *testing.T) {
"self": true, "self": true,
}, },
} }
perms := expandIPPerms("foo", expanded) group := ec2.SecurityGroup{
GroupID: aws.String("foo"),
VPCID: aws.String("bar"),
}
perms := expandIPPerms(group, expanded)
expected := []ec2.IPPermission{ expected := []ec2.IPPermission{
ec2.IPPermission{ ec2.IPPermission{
@ -115,6 +119,79 @@ func TestExpandIPPerms(t *testing.T) {
} }
func TestExpandIPPerms_nonVPC(t *testing.T) {
hash := func(v interface{}) int {
return hashcode.String(v.(string))
}
expanded := []interface{}{
map[string]interface{}{
"protocol": "icmp",
"from_port": 1,
"to_port": -1,
"cidr_blocks": []interface{}{"0.0.0.0/0"},
"security_groups": schema.NewSet(hash, []interface{}{
"sg-11111",
"foo/sg-22222",
}),
},
map[string]interface{}{
"protocol": "icmp",
"from_port": 1,
"to_port": -1,
"self": true,
},
}
group := ec2.SecurityGroup{
GroupName: aws.String("foo"),
}
perms := expandIPPerms(group, expanded)
expected := []ec2.IPPermission{
ec2.IPPermission{
IPProtocol: aws.String("icmp"),
FromPort: aws.Integer(1),
ToPort: aws.Integer(-1),
IPRanges: []ec2.IPRange{ec2.IPRange{aws.String("0.0.0.0/0")}},
UserIDGroupPairs: []ec2.UserIDGroupPair{
ec2.UserIDGroupPair{
GroupName: aws.String("sg-22222"),
},
ec2.UserIDGroupPair{
GroupName: aws.String("sg-22222"),
},
},
},
ec2.IPPermission{
IPProtocol: aws.String("icmp"),
FromPort: aws.Integer(1),
ToPort: aws.Integer(-1),
UserIDGroupPairs: []ec2.UserIDGroupPair{
ec2.UserIDGroupPair{
GroupName: aws.String("foo"),
},
},
},
}
exp := expected[0]
perm := perms[0]
if *exp.FromPort != *perm.FromPort {
t.Fatalf(
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
*perm.FromPort,
*exp.FromPort)
}
if *exp.IPRanges[0].CIDRIP != *perm.IPRanges[0].CIDRIP {
t.Fatalf(
"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
*perm.IPRanges[0].CIDRIP,
*exp.IPRanges[0].CIDRIP)
}
}
func TestExpandListeners(t *testing.T) { func TestExpandListeners(t *testing.T) {
expanded := []interface{}{ expanded := []interface{}{
map[string]interface{}{ map[string]interface{}{
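Review bot: TestExpandIPPerms_nonVPC never inspects UserIDGroupPairs, which is the only thing the EC2-Classic path changes, so it passes even if the GroupName mapping is wrong; add at least `if *perms[1].UserIDGroupPairs[0].GroupName != *expected[1].UserIDGroupPairs[0].GroupName { t.Fatalf("self rule: got %#v, expected %#v", perms[1].UserIDGroupPairs, expected[1].UserIDGroupPairs) }` for the self rule, whose single pair has a fixed position. The expected first permission lists GroupName "sg-22222" twice, where one entry presumably should be "sg-11111"; because those pairs come from a schema.Set, their order is not fixed by the test, so compare them as a set rather than by index. The change to TestExpandIPPerms only passes the new group argument; the rest of that function is outside the hunk.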