Move block for deleing default rule into the create method; only invoke once
This commit is contained in:
Clint Shryock
parent
ee65684abe
commit
8ded3c2d1b
|
|
@ -150,7 +150,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
|||
|
||||
if v := d.Get("vpc_id"); v != nil {
|
||||
if len(d.Get("egress").(*schema.Set).List()) == 0 {
|
||||
return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.")
|
||||
return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://terraform.io/docs/providers/aws/r/security_group.html for more information.")
|
||||
}
|
||||
|
||||
securityGroupOpts.VPCID = aws.String(v.(string))
|
||||
|
|
@ -195,6 +195,35 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
|||
d.Id(), err)
|
||||
}
|
||||
|
||||
// AWS defaults all Security Groups to have an ALLOW ALL egress rule. Here we
|
||||
// revoke that rule, so users don't unknowningly have/use it.
|
||||
if v := d.Get("vpc_id"); v != nil {
|
||||
log.Printf("[DEBUG] Revoking default egress rule for Security Group for %s", d.Id())
|
||||
|
||||
req := &ec2.RevokeSecurityGroupEgressInput{
|
||||
GroupID: createResp.GroupID,
|
||||
IPPermissions: []*ec2.IPPermission{
|
||||
&ec2.IPPermission{
|
||||
FromPort: aws.Long(int64(0)),
|
||||
ToPort: aws.Long(int64(0)),
|
||||
IPRanges: []*ec2.IPRange{
|
||||
&ec2.IPRange{
|
||||
CIDRIP: aws.String("0.0.0.0/0"),
|
||||
},
|
||||
},
|
||||
IPProtocol: aws.String("-1"),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if _, err = conn.RevokeSecurityGroupEgress(req); err != nil {
|
||||
return fmt.Errorf(
|
||||
"Error revoking default egress rule for Security Group (%s): %s",
|
||||
d.Id(), err)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return resourceAwsSecurityGroupUpdate(d, meta)
|
||||
}
|
||||
|
||||
|
|
@ -408,29 +437,12 @@ func resourceAwsSecurityGroupUpdateRules(
|
|||
}
|
||||
|
||||
os := o.(*schema.Set)
|
||||
ns := n.(*schema.Set)
|
||||
ns := n.(*schema.Set)
|
||||
|
||||
remove := expandIPPerms(group, os.Difference(ns).List())
|
||||
remove := expandIPPerms(group, os.Difference(ns).List())
|
||||
add := expandIPPerms(group, ns.Difference(os).List())
|
||||
|
||||
if len(remove) == 0 && len(os.List()) == 0 && ruleset == "egress" {
|
||||
// For new Security groups, a default Egress rule is created. Here we add
|
||||
// the equivelent IPPermission struct for removal, so that only the
|
||||
// supplied egress rules exist in the security group.
|
||||
remove = append(remove, &ec2.IPPermission{
|
||||
FromPort: aws.Long(int64(0)),
|
||||
ToPort: aws.Long(int64(0)),
|
||||
IPRanges: []*ec2.IPRange{
|
||||
&ec2.IPRange{
|
||||
CIDRIP: aws.String("0.0.0.0/0"),
|
||||
},
|
||||
},
|
||||
IPProtocol: aws.String("-1"),
|
||||
})
|
||||
}
|
||||
|
||||
add := expandIPPerms(group, ns.Difference(os).List())
|
||||
|
||||
// TODO: We need to handle partial state better in the in-between
|
||||
// TODO: We need to handle partial state better in the in-between
|
||||
// in this update.
|
||||
|
||||
// TODO: It'd be nicer to authorize before removing, but then we have
|
||||
|
|
|
|||
Loading…
Reference in New Issue