mirror of
https://github.com/opentofu/opentofu.git
synced 2025-02-20 11:48:24 -06:00
1994b1111d
``` % make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroup_' ✹ ✭ ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/03/13 19:07:33 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroup_ -timeout 120m === RUN TestAccAWSSecurityGroup_importBasic --- PASS: TestAccAWSSecurityGroup_importBasic (48.67s) === RUN TestAccAWSSecurityGroup_importIpv6 --- PASS: TestAccAWSSecurityGroup_importIpv6 (51.71s) === RUN TestAccAWSSecurityGroup_importSelf --- PASS: TestAccAWSSecurityGroup_importSelf (58.46s) === RUN TestAccAWSSecurityGroup_importSourceSecurityGroup --- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (65.99s) === RUN TestAccAWSSecurityGroup_basic --- PASS: TestAccAWSSecurityGroup_basic (62.18s) === RUN TestAccAWSSecurityGroup_ipv6 --- PASS: TestAccAWSSecurityGroup_ipv6 (47.38s) === RUN TestAccAWSSecurityGroup_tagsCreatedFirst --- PASS: TestAccAWSSecurityGroup_tagsCreatedFirst (30.48s) === RUN TestAccAWSSecurityGroup_namePrefix --- PASS: TestAccAWSSecurityGroup_namePrefix (16.90s) === RUN TestAccAWSSecurityGroup_self --- PASS: TestAccAWSSecurityGroup_self (45.36s) === RUN TestAccAWSSecurityGroup_vpc --- PASS: TestAccAWSSecurityGroup_vpc (45.76s) === RUN TestAccAWSSecurityGroup_vpcNegOneIngress --- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (44.50s) === RUN TestAccAWSSecurityGroup_vpcProtoNumIngress --- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (45.01s) === RUN TestAccAWSSecurityGroup_MultiIngress --- PASS: TestAccAWSSecurityGroup_MultiIngress (50.67s) === RUN TestAccAWSSecurityGroup_Change --- PASS: TestAccAWSSecurityGroup_Change (76.34s) === RUN TestAccAWSSecurityGroup_generatedName --- PASS: TestAccAWSSecurityGroup_generatedName (46.29s) === RUN TestAccAWSSecurityGroup_DefaultEgress_VPC --- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (48.10s) === RUN TestAccAWSSecurityGroup_DefaultEgress_Classic --- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (16.71s) === RUN TestAccAWSSecurityGroup_drift --- PASS: TestAccAWSSecurityGroup_drift (22.73s) === RUN TestAccAWSSecurityGroup_drift_complex --- PASS: TestAccAWSSecurityGroup_drift_complex (54.14s) === RUN TestAccAWSSecurityGroup_tags --- PASS: TestAccAWSSecurityGroup_tags (74.12s) === RUN TestAccAWSSecurityGroup_CIDRandGroups --- PASS: TestAccAWSSecurityGroup_CIDRandGroups (55.83s) === RUN TestAccAWSSecurityGroup_ingressWithCidrAndSGs --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (54.40s) === RUN TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (26.93s) === RUN TestAccAWSSecurityGroup_egressWithPrefixList --- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (61.39s) === RUN TestAccAWSSecurityGroup_failWithDiffMismatch --- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (55.93s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 1136.500s ```
140 lines
4.1 KiB
Go
140 lines
4.1 KiB
Go
package aws
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/aws/aws-sdk-go/service/ec2"
|
|
"github.com/hashicorp/errwrap"
|
|
"github.com/hashicorp/terraform/helper/schema"
|
|
)
|
|
|
|
// Security group import fans out to multiple resources due to the
|
|
// security group rules. Instead of creating one resource with nested
|
|
// rules, we use the best practices approach of one resource per rule.
|
|
func resourceAwsSecurityGroupImportState(
|
|
d *schema.ResourceData,
|
|
meta interface{}) ([]*schema.ResourceData, error) {
|
|
conn := meta.(*AWSClient).ec2conn
|
|
|
|
// First query the security group
|
|
sgRaw, _, err := SGStateRefreshFunc(conn, d.Id())()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if sgRaw == nil {
|
|
return nil, fmt.Errorf("security group not found")
|
|
}
|
|
sg := sgRaw.(*ec2.SecurityGroup)
|
|
|
|
// Start building our results
|
|
results := make([]*schema.ResourceData, 1,
|
|
1+len(sg.IpPermissions)+len(sg.IpPermissionsEgress))
|
|
results[0] = d
|
|
|
|
// Construct the rules
|
|
permMap := map[string][]*ec2.IpPermission{
|
|
"ingress": sg.IpPermissions,
|
|
"egress": sg.IpPermissionsEgress,
|
|
}
|
|
for ruleType, perms := range permMap {
|
|
for _, perm := range perms {
|
|
ds, err := resourceAwsSecurityGroupImportStatePerm(sg, ruleType, perm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
results = append(results, ds...)
|
|
}
|
|
}
|
|
|
|
return results, nil
|
|
}
|
|
|
|
func resourceAwsSecurityGroupImportStatePerm(sg *ec2.SecurityGroup, ruleType string, perm *ec2.IpPermission) ([]*schema.ResourceData, error) {
|
|
var result []*schema.ResourceData
|
|
|
|
if len(perm.UserIdGroupPairs) == 0 {
|
|
r, err := resourceAwsSecurityGroupImportStatePermPair(sg, ruleType, perm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
result = append(result, r)
|
|
} else {
|
|
// If the rule contained more than one source security group, this
|
|
// will iterate over them and create one rule for each
|
|
// source security group.
|
|
for _, pair := range perm.UserIdGroupPairs {
|
|
p := &ec2.IpPermission{
|
|
FromPort: perm.FromPort,
|
|
IpProtocol: perm.IpProtocol,
|
|
PrefixListIds: perm.PrefixListIds,
|
|
ToPort: perm.ToPort,
|
|
|
|
UserIdGroupPairs: []*ec2.UserIdGroupPair{pair},
|
|
}
|
|
|
|
if perm.Ipv6Ranges != nil {
|
|
p.Ipv6Ranges = perm.Ipv6Ranges
|
|
}
|
|
|
|
if perm.IpRanges != nil {
|
|
p.IpRanges = perm.IpRanges
|
|
}
|
|
|
|
r, err := resourceAwsSecurityGroupImportStatePermPair(sg, ruleType, p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
result = append(result, r)
|
|
}
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
func resourceAwsSecurityGroupImportStatePermPair(sg *ec2.SecurityGroup, ruleType string, perm *ec2.IpPermission) (*schema.ResourceData, error) {
|
|
// Construct the rule. We do this by populating the absolute
|
|
// minimum necessary for Refresh on the rule to work. This
|
|
// happens to be a lot of fields since they're almost all needed
|
|
// for de-dupping.
|
|
sgId := sg.GroupId
|
|
id := ipPermissionIDHash(*sgId, ruleType, perm)
|
|
ruleResource := resourceAwsSecurityGroupRule()
|
|
d := ruleResource.Data(nil)
|
|
d.SetId(id)
|
|
d.SetType("aws_security_group_rule")
|
|
d.Set("security_group_id", sgId)
|
|
d.Set("type", ruleType)
|
|
|
|
// 'self' is false by default. Below, we range over the group ids and set true
|
|
// if the parent sg id is found
|
|
d.Set("self", false)
|
|
|
|
if len(perm.UserIdGroupPairs) > 0 {
|
|
s := perm.UserIdGroupPairs[0]
|
|
|
|
// Check for Pair that is the same as the Security Group, to denote self.
|
|
// Otherwise, mark the group id in source_security_group_id
|
|
isVPC := sg.VpcId != nil && *sg.VpcId != ""
|
|
if isVPC {
|
|
if *s.GroupId == *sg.GroupId {
|
|
d.Set("self", true)
|
|
// prune the self reference from the UserIdGroupPairs, so we don't
|
|
// have duplicate sg ids (both self and in source_security_group_id)
|
|
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
|
|
}
|
|
} else {
|
|
if *s.GroupName == *sg.GroupName {
|
|
d.Set("self", true)
|
|
// prune the self reference from the UserIdGroupPairs, so we don't
|
|
// have duplicate sg ids (both self and in source_security_group_id)
|
|
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := setFromIPPerm(d, sg, perm); err != nil {
|
|
return nil, errwrap.Wrapf("Error importing AWS Security Group: {{err}}", err)
|
|
}
|
|
|
|
return d, nil
|
|
}
|