aws: Force users to use from_port, to_port = 0 on network ACLs with -1 protocol
AWS doesn't store ports for -1 protocol rules, so the value read back from the API always hashes differently from the configured one. Force the user to make a deliberate port choice when enabling -1 protocol rules: all from_port and to_port values on these rules must be 0.
This commit is contained in:
parent
d14049c8ad
commit
b888b31e08
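@@ -66,3 +66,19 @@ func protocolIntegers() map[string]int {
 }
 return protocolIntegers
 }
+
+// expectedPortPair stores a pair of ports we expect to see together.
+type expectedPortPair struct {
+to_port int64
+from_port int64
+}
+
+// validatePorts ensures the ports and protocol match expected
+// values.
+func validatePorts(to int64, from int64, expected expectedPortPair) bool {
+if to != expected.to_port || from != expected.from_port {
+return false
+}
+
+return true
+}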
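Review bot: The doc comment on `validatePorts` says it checks "the ports and protocol", but the function compares only the two port values — no protocol is passed in — so the comment overstates the contract; I'd change it to `// validatePorts reports whether to and from equal the expected port pair.`. Since the body is a single comparison, `return to == expected.to_port && from == expected.from_port` reads more directly than the if/return-false/return-true shape. The struct fields `to_port`/`from_port` are snake_case, which golint flags; `toPort`/`fromPort` is the Go convention, and the callers in this commit are the only users so the rename is cheap now. The `protocolIntegers` body the hunk opens on closes inside the hunk, so nothing outside it is affected.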
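@@ -135,3 +135,20 @@ func Test_flattenNetworkACLEntry(t *testing.T) {
 }
 
 }
+
+func Test_validatePorts(t *testing.T) {
+for _, ts := range []struct {
+to int64
+from int64
+expected *expectedPortPair
+wanted bool
+}{
+{0, 0, &expectedPortPair{0, 0}, true},
+{0, 1, &expectedPortPair{0, 0}, false},
+} {
+got := validatePorts(ts.to, ts.from, *ts.expected)
+if got != ts.wanted {
+t.Fatalf("Got: %t; Expected: %t\n", got, ts.wanted)
+}
+}
+}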
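Review bot: The table in `Test_validatePorts` exercises only a `from` mismatch (`{0, 1, ...}`); a wrong `to` with a correct `from`, and both wrong, are never tested, so a regression that compared only `from` would still pass. Adding `{1, 0, &expectedPortPair{0, 0}, false}` and `{1, 1, &expectedPortPair{0, 0}, false}` closes that gap. The `expected` field is declared as a pointer and immediately dereferenced at the call site, so a plain `expectedPortPair` value would drop the `&`/`*` noise, and `t.Errorf` instead of `t.Fatalf` lets the remaining cases still report in the same run. The enclosing `Test_flattenNetworkACLEntry` closes inside the hunk, so the new test is self-contained.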
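@@ -266,6 +266,24 @@ func updateNetworkAclEntries(d *schema.ResourceData, entryType string, conn *ec2
 return err
 }
 for _, add := range toBeCreated {
+// Protocol -1 rules don't store ports in AWS. Thus, they'll always
+// hash differently when being read out of the API. Force the user
+// to set from_port and to_port to 0 for these rules, to keep the
+// hashing consistent.
+if *add.Protocol == "-1" {
+to := *add.PortRange.To
+from := *add.PortRange.From
+expected := &expectedPortPair{
+to_port: 0,
+from_port: 0,
+}
+if ok := validatePorts(to, from, *expected); !ok {
+return fmt.Errorf(
+"to_port (%d) and from_port (%d) must both be 0 to use the the 'all' \"-1\" protocol!",
+to, from)
+}
+}
+
 // Add new Acl entry
 _, err := conn.CreateNetworkACLEntry(&ec2.CreateNetworkACLEntryInput{
 NetworkACLID: aws.String(d.Id()),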
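Review bot: The new port validation sits inside the creation loop, after code that — judging from the `return err` context lines just above — has already talked to the API (presumably the deletion pass of `updateNetworkAclEntries`); if so, a misconfigured `-1` rule aborts the update only after existing entries have been removed, leaving the live ACL partially applied with the rejected rule never created. Validating every entry in `toBeCreated` before any API call, or better at plan time through a schema `ValidateFunc` on the rule block, keeps a configuration error from changing the deployed ACL at all. The `*add.PortRange.To` / `*add.PortRange.From` dereferences also assume `PortRange` is always populated for `-1` rules; if the expander can leave it nil, the result is a panic instead of the intended error, so a `if add.PortRange == nil` guard that returns the same error would be safer. Separately, the user-facing message has a doubled word; it should read `must both be 0 to use the 'all' \"-1\" protocol`. `updateNetworkAclEntries` starts before the hunk, so the ordering of the earlier pass is inferred from context rather than visible here.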