Commit Graph

30 Commits

Author SHA1 Message Date
Clint 4d126aaf6f provider/aws: Fix regression in Security Group Rules with self reference (#7706)
* provider/aws: Failing test for #7670

* provider/aws: Fix security group rule regression with self (#7670)
2016-07-20 15:47:10 -05:00
David Tolnay db627798e6 provider/aws: Handle spurious failures in resourceAwsSecurityGroupRuleRead (#7377)
Previously, any old HTTP error would be treated as the security_group_rule being
deleted. In reality there are only a few cases where this is the right
assumption.
2016-07-07 16:06:02 -05:00
stevehorsfield 03c2c4408f Add support for 'prefix_list_ids' to AWS VPC security group rules
Prefix list IDs are used when allowing egress to an AWS VPC Endpoint.

See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-routing
2016-06-30 15:48:27 -07:00
Clint 2ba1b0fb01 provider/aws: Populate self in Security Group Rule imports (#7164)
* provider/aws: Populate self in Security Group Rule imports

* provider/aws: Add regression test for SG Rule import
2016-06-30 15:01:38 -05:00
David Glasser b3425447e5 provider/aws: fix aws_security_group_rule refresh (#6730)
When two rules differ only in source security group, EC2 APIs return
them as a single rule, but Terraform requires separate
aws_security_group_rule resources.

6bdab07174 changed Read to set source_security_group_id (and
cidr_blocks) from the rule returned from EC2 and chose the first
source_security_group_id arbitrarily, which is wrong.

Makes TestAccAWSSecurityGroupRule_PartialMatching_Source pass again.

Also adds a comment noting that there is a bug in the new resource
importing feature.

Fixes #6728.
2016-05-25 10:59:41 -05:00
Mitchell Hashimoto 6bdab07174
providers/aws: security group import imports rules 2016-05-11 13:02:36 -07:00
Justin Nauman 7f738bebd3 provider/aws: Support eventually consistent aws_security_group_rule (#6325)
* TF-6256 - SG Rule Retry

- Preferring slower but consistent runs when AWS API calls do not properly return the SG Rule in the list of ingress/egress rules.
- Testing has shown that several times that we had to exceed 20 attempts
before the SG was actually returned

* TF-6256 - Refactor of rule lookup

- Adjusting to use resource.Retry
- Extract lookup method for matching ipPermissions set
2016-05-03 17:21:04 -05:00
clint shryock e98d7d706f provider/aws: Convert protocols to standard format for Security Groups
Convert network protocols to their names for keys/state, fixing issue(s) when
using them interchangeably.
2016-03-28 10:32:39 -05:00
James Nugent 3adae0216c provider/aws: Fix crash creating rules in aws SGs
This commit uses Group Name in preference to Group ID where appropriate
in the aws_security_group_rule resource. This fixes the crash reported
in #5310.

Fixes #5310.
2016-02-25 13:50:24 -05:00
James Nugent 69272f3113 provider/aws: error with empty list item on sg
This addresses the case where `compact` has not been used on a list
passed into security group as cidr_block. See #3786. Compact is still
the correct answer there, but we should prefer returning an error to
a panic. Fixes #3786.
2015-12-02 11:36:50 -05:00
clint shryock e9cb722471 providers/aws: Fix issue recreating security group rule if it has been destroyed 2015-11-24 13:50:30 -06:00
Paul Hinze 6b6b5a43c3 provider/aws: serialize SG rule access to fix race condition
Because `aws_security_group_rule` resources are an abstraction on top of
Security Groups, they must interact with the AWS Security Group APIs in
a pattern that often results in lots of parallel requests interacting
with the same security group.

We've found that this pattern can trigger race conditions resulting in
inconsistent behavior, including:

 * Rules that report as created but don't actually exist on AWS's side
 * Rules that show up in AWS but don't register as being created
   locally, resulting in follow up attempts to authorize the rule
   failing w/ Duplicate errors

Here, we introduce a per-SG mutex that must be held by any security
group before it is allowed to interact with AWS APIs. This protects the
space between `DescribeSecurityGroup` and `Authorize*` / `Revoke*`
calls, ensuring that no other rules interact with the SG during that
span.

The included test exposes the race by applying a security group with
lots of rules, which based on the dependency graph can all be handled in
parallel. This fails most of the time without the new locking behavior.

I've omitted the mutex from `Read`, since it is only called during the
Refresh walk when no changes are being made, meaning a bunch of parallel
`DescribeSecurityGroup` API calls should be consistent in that case.
2015-11-18 12:39:59 -06:00
Clint Shryock 9f3a17e9b4 update sg rule ids 2015-10-12 15:51:47 -05:00
Clint Shryock 03aac9f42b Expand on an error case with more descriptive error 2015-10-12 15:51:21 -05:00
Clint Shryock d3c5c0d85f provider/aws: Update Security Group Rules to Version 2 2015-10-12 15:51:21 -05:00
Clint Shryock 0c2f189d08 provider/aws: Update to aws-sdk 0.9.0 rc1 2015-08-17 13:27:16 -05:00
Clint Shryock f4fb053982 provider/aws: Fix issue in Security Group Rules where the Security Group is not found 2015-07-30 14:10:19 -05:00
Clint Shryock 579ccbefea provider/aws: Update source to comply with upstream breaking change 2015-07-28 15:29:46 -05:00
Mitchell Hashimoto fef5741ded providers/aws: fix another crash case 2015-06-23 22:48:39 -07:00
Mitchell Hashimoto b0169adf02 providers/aws: more guards against crashy cases [GH-2308] 2015-06-23 16:23:24 -07:00
Paul Hinze e0fccf2dcc provider/aws: fix sg rule crash
Fixes crash in #2431

Decided that `findResourceSecurityGroup` should return an error when
the SG is not found, since the callers cannot happily continue with a
`nil` SG

Also passes through a few error cases that were being swallowed.

/cc @catsby
2015-06-23 09:25:55 -05:00
Clint Shryock 44eb55f8f6 update link to actually work 2015-06-19 11:50:10 -05:00
Clint Shryock 645a5aa55b add warning message to explain scenario of conflicting rules 2015-06-19 11:23:59 -05:00
Clint Shryock 640836ee58 rename method, update docs 2015-06-17 09:35:50 -05:00
Clint Shryock 359826be26 clean up some conflicts with 2015-06-16 16:38:26 -05:00
Jesse Szwedko 7e0a340baf Consider security groups with source security groups when hashing
Previously they would conflict you had multiple security group rules
with the same ingress or egress ports but different source security
groups because only the CIDR blocks were considered (which are empty
when using source security groups).

Updated to include migrations (from clint@ctshryock.com)

Signed-off-by: Clint Shryock <clint@ctshryock.com>
2015-06-16 14:54:16 -05:00
Clint Shryock 5c50ba0c2a provider/aws: Fix SG rule self reference bug 2015-06-10 09:40:05 -05:00
Paul Hinze b71fa3d0ae provider/aws: handle upstream aws-sdk-go repo move
`awslabs/aws-sdk-go => aws/aws-sdk-go`

Congrats to upstream on the promotion. :)
2015-06-03 13:36:57 -05:00
Paul Hinze 31258e06c6 provider/aws: fix breakages from awserr refactor
This landed in aws-sdk-go yesterday, breaking the AWS provider in many places:

3c259c9586

Here, with much sedding, grepping, and manual massaging, we attempt to
catch Terraform up to the new `awserr.Error` interface world.
2015-05-20 06:21:23 -05:00
Clint Shryock 885efa0837 provider/aws: Add Security Group Rule as a top level resource
- document conflict with sg rules and sg in-line rules
- for this to work, ingress rules need to be computed
2015-05-05 16:56:39 -05:00