provider/aws: Add plan-level validation for SG CIDR blocks
Adds plan-level validation for both IPv4 and IPv6 CIDR blocks in the AWS Security Group resource, as well as in the AWS Security Group Rule resource. ``` $ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroup_invalidCIDRBlock' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/03/16 11:32:54 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroup_invalidCIDRBlock -timeout 120m === RUN TestAccAWSSecurityGroup_invalidCIDRBlock --- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (0.01s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 0.017s ``` ``` $ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/03/16 11:46:21 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroupRule_ExpectInvalidCIDR -timeout 120m === RUN TestAccAWSSecurityGroupRule_ExpectInvalidCIDR --- PASS: TestAccAWSSecurityGroupRule_ExpectInvalidCIDR (0.01s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 0.016s ```
This commit is contained in:
parent
686ebb7578
commit
925265016b
@ -105,13 +105,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||
"cidr_blocks": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"ipv6_cidr_blocks": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"security_groups": {
|
||||
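Review bot: The same validateCIDRNetworkAddress is attached to both `cidr_blocks` and `ipv6_cidr_blocks`, so an IPv6 prefix listed under `cidr_blocks` (or an IPv4 one under `ipv6_cidr_blocks`) still passes plan-time validation and is only rejected later by the EC2 API, unless the validator is family-aware, which this hunk does not show; a per-family validator, or a check on the parsed address inside the element's ValidateFunc, would surface that error at plan as well. The identical element schema is written out here for ingress, again for egress in the next hunk (@ -156,13) and twice more in the rule resource (@ -58,14); a small helper such as `func cidrBlockElem() *schema.Schema { return &schema.Schema{Type: schema.TypeString, ValidateFunc: validateCIDRNetworkAddress} }` would keep the four copies in step. If the validator also rejects addresses with non-zero host bits, as its name suggests but the hunk cannot confirm, configurations that previously passed such values through to AWS will start failing at plan, which is worth a changelog note. resourceAwsSecurityGroup continues outside the hunk.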
@ -156,13 +162,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
|
||||
"cidr_blocks": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"ipv6_cidr_blocks": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"prefix_list_ids": {
|
||||
|
@ -58,14 +58,20 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"ipv6_cidr_blocks": {
|
||||
Type: schema.TypeList,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Elem: &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
ValidateFunc: validateCIDRNetworkAddress,
|
||||
},
|
||||
},
|
||||
|
||||
"prefix_list_ids": {
|
||||
|
@ -354,6 +354,25 @@ func TestAccAWSSecurityGroupRule_ExpectInvalidTypeError(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccAWSSecurityGroupRule_ExpectInvalidCIDR(t *testing.T) {
|
||||
rInt := acctest.RandInt()
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt),
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
|
||||
},
|
||||
{
|
||||
Config: testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt),
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// testing partial match implementation
|
||||
func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) {
|
||||
var group ec2.SecurityGroup
|
||||
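Review bot: The ExpectError patterns `invalid CIDR address: 1.2.3.4/33` and `invalid CIDR address: ::/244` are compiled as regular expressions with unescaped dots, so the first also matches text such as `1x2y3z4/33`; wrapping the literal, `ExpectError: regexp.MustCompile(regexp.QuoteMeta("invalid CIDR address: 1.2.3.4/33")),`, pins the exact message. Both patterns also match the wording of net.ParseCIDR's error rather than a message the provider owns, so a change in the validator's error format or in the standard library would break these tests without any behaviour change in the resource; the same applies to the four steps of TestAccAWSSecurityGroup_invalidCIDRBlock (@ -719,6). The test file's imports lie outside the hunk, so whether regexp is already imported there is not visible here.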
@ -1166,3 +1185,35 @@ func testAccAWSSecurityGroupRuleExpectInvalidType(rInt int) string {
|
||||
source_security_group_id = "${aws_security_group.web.id}"
|
||||
}`, rInt)
|
||||
}
|
||||
|
||||
func testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt int) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-failure-%d"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ing" {
|
||||
type = "ingress"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["1.2.3.4/33"]
|
||||
security_group_id = "${aws_security_group.foo.id}"
|
||||
}`, rInt)
|
||||
}
|
||||
|
||||
func testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt int) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-failure-%d"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ing" {
|
||||
type = "egress"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
ipv6_cidr_blocks = ["::/244"]
|
||||
security_group_id = "${aws_security_group.foo.id}"
|
||||
}`, rInt)
|
||||
}
|
||||
|
@ -719,6 +719,32 @@ func TestAccAWSSecurityGroup_drift_complex(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAWSSecurityGroupInvalidIngressCidr,
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
|
||||
},
|
||||
{
|
||||
Config: testAccAWSSecurityGroupInvalidEgressCidr,
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
|
||||
},
|
||||
{
|
||||
Config: testAccAWSSecurityGroupInvalidIPv6IngressCidr,
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
|
||||
},
|
||||
{
|
||||
Config: testAccAWSSecurityGroupInvalidIPv6EgressCidr,
|
||||
ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
|
||||
conn := testAccProvider.Meta().(*AWSClient).ec2conn
|
||||
|
||||
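Review bot: The four configs used here carry a fixed group name (`testing-foo`, per the constants added in @ -1649,6), while the rule-resource counterparts in TestAccAWSSecurityGroupRule_ExpectInvalidCIDR take a random suffix via acctest.RandInt(). Nothing is created as long as the plan is rejected, but if a later change lets one of these CIDRs through, concurrent runs would race on the same name and a leaked group would block every subsequent run. Turning the constants into functions that take `rInt int`, as testAccAWSSecurityGroupRuleInvalidIPv4CIDR does, keeps the two test files consistent. testAccCheckAWSSecurityGroupDestroy continues outside the hunk.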
@ -1649,6 +1675,54 @@ resource "aws_security_group" "web" {
|
||||
}`, acctest.RandInt(), acctest.RandInt())
|
||||
}
|
||||
|
||||
const testAccAWSSecurityGroupInvalidIngressCidr = `
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-foo"
|
||||
description = "foo-testing"
|
||||
ingress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["1.2.3.4/33"]
|
||||
}
|
||||
}`
|
||||
|
||||
const testAccAWSSecurityGroupInvalidEgressCidr = `
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-foo"
|
||||
description = "foo-testing"
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["1.2.3.4/33"]
|
||||
}
|
||||
}`
|
||||
|
||||
const testAccAWSSecurityGroupInvalidIPv6IngressCidr = `
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-foo"
|
||||
description = "foo-testing"
|
||||
ingress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
ipv6_cidr_blocks = ["::/244"]
|
||||
}
|
||||
}`
|
||||
|
||||
const testAccAWSSecurityGroupInvalidIPv6EgressCidr = `
|
||||
resource "aws_security_group" "foo" {
|
||||
name = "testing-foo"
|
||||
description = "foo-testing"
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
ipv6_cidr_blocks = ["::/244"]
|
||||
}
|
||||
}`
|
||||
|
||||
const testAccAWSSecurityGroupCombindCIDRandGroups = `
|
||||
resource "aws_vpc" "foo" {
|
||||
cidr_block = "10.1.0.0/16"
|
||||
|