Merge pull request #1189 from hashicorp/b-aws-instance-sec-groups

Fix issue with Network interfaces and an instance-level security groups
2025-02-25 18:45:20 -06:00 · 2015-03-13 16:37:11 -05:00 · 2015-03-13 16:37:11 -05:00 · 9c7f5975bb
commit 9c7f5975bb
parent c30cb09c80 cd15c9aaf9
3 changed files with 96 additions and 15 deletions
--- a/builtin/providers/aws/resource_aws_instance.go
+++ b/builtin/providers/aws/resource_aws_instance.go
@ -293,6 +293,17 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 	subnet, hasSubnet := d.GetOk("subnet_id")
 	subnetID := subnet.(string)

+	var groups []string
+	if v := d.Get("security_groups"); v != nil {
+		// Security group names.
+		// For a nondefault VPC, you must use security group IDs instead.
+		// See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
+		for _, v := range v.(*schema.Set).List() {
+			str := v.(string)
+			groups = append(groups, str)
+		}
+	}
+
 	if hasSubnet && associatePublicIPAddress {
 		// If we have a non-default VPC / Subnet specified, we can flag
 		// AssociatePublicIpAddress to get a Public IP assigned. By default these are not provided.
@ -311,6 +322,10 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 			ni.PrivateIPAddress = aws.String(v.(string))
 		}

+		if len(groups) > 0 {
+			ni.Groups = groups
+		}
+
 		runOpts.NetworkInterfaces = []ec2.InstanceNetworkInterfaceSpecification{ni}
 	} else {
 		if subnetID != "" {
@ -320,21 +335,6 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 		if v, ok := d.GetOk("private_ip"); ok {
 			runOpts.PrivateIPAddress = aws.String(v.(string))
 		}
-	}
-
-	if v, ok := d.GetOk("key_name"); ok {
-		runOpts.KeyName = aws.String(v.(string))
-	}
-
-	if v := d.Get("security_groups"); v != nil {
-		// Security group names.
-		// For a nondefault VPC, you must use security group IDs instead.
-		// See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
-		var groups []string
-		for _, v := range v.(*schema.Set).List() {
-			str := v.(string)
-			groups = append(groups, str)
-		}
 		if runOpts.SubnetID != nil &&
 			*runOpts.SubnetID != "" {
 			runOpts.SecurityGroupIDs = groups
@ -343,6 +343,10 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 		}
 	}

+	if v, ok := d.GetOk("key_name"); ok {
+		runOpts.KeyName = aws.String(v.(string))
+	}
+
 	blockDevices := make([]interface{}, 0)

 	if v := d.Get("block_device"); v != nil {
--- a/builtin/providers/aws/resource_aws_instance_test.go
+++ b/builtin/providers/aws/resource_aws_instance_test.go
@ -207,6 +207,25 @@ func TestAccAWSInstance_vpc(t *testing.T) {
 	})
 }

+func TestAccInstance_NetworkInstanceSecurityGroups(t *testing.T) {
+	var v ec2.Instance
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckInstanceDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccInstanceNetworkInstanceSecurityGroups,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckInstanceExists(
+						"aws_instance.foo_instance", &v),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSInstance_tags(t *testing.T) {
 	var v ec2.Instance

@ -533,3 +552,49 @@ resource "aws_instance" "foo" {
 	private_ip = "10.1.1.42"
 }
 `
+
+const testAccInstanceNetworkInstanceSecurityGroups = `
+resource "aws_internet_gateway" "gw" {
+  vpc_id = "${aws_vpc.foo.id}"
+}
+
+resource "aws_vpc" "foo" {
+  cidr_block = "10.1.0.0/16"
+	tags {
+		Name = "tf-network-test"
+	}
+}
+
+resource "aws_security_group" "tf_test_foo" {
+  name = "tf_test_foo"
+  description = "foo"
+  vpc_id="${aws_vpc.foo.id}"
+
+  ingress {
+    protocol = "icmp"
+    from_port = -1
+    to_port = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_subnet" "foo" {
+  cidr_block = "10.1.1.0/24"
+  vpc_id = "${aws_vpc.foo.id}"
+}
+
+resource "aws_instance" "foo_instance" {
+  ami = "ami-21f78e11"
+  instance_type = "t1.micro"
+  security_groups = ["${aws_security_group.tf_test_foo.id}"]
+  subnet_id = "${aws_subnet.foo.id}"
+  associate_public_ip_address = true
+	depends_on = ["aws_internet_gateway.gw"]
+}
+
+resource "aws_eip" "foo_eip" {
+  instance = "${aws_instance.foo_instance.id}"
+  vpc = true
+	depends_on = ["aws_internet_gateway.gw"]
+}
+`
--- a/website/source/docs/providers/aws/r/internet_gateway.html.markdown
+++ b/website/source/docs/providers/aws/r/internet_gateway.html.markdown
@ -29,6 +29,18 @@ The following arguments are supported:
 * `vpc_id` - (Required) The VPC ID to create in.
 * `tags` - (Optional) A mapping of tags to assign to the resource.

+-> **Note:** It's recommended to denote that the AWS Instance or Elastic IP depends on the Internet Gateway. For example:  
+
+
+    resource "aws_internet_gateway" "gw" {
+      vpc_id = "${aws_vpc.main.id}"
+    }
+
+    resource "aws_instance" "foo" {  
+      depends_on = ["aws_internet_gateway.gw"]  
+    }
+
+
 ## Attributes Reference

 The following attributes are exported: