diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 4598a4426..e702c1aa0 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -105,13 +105,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
 "cidr_blocks": {
 Type: schema.TypeList,
 Optional: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "ipv6_cidr_blocks": {
 Type: schema.TypeList,
 Optional: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "security_groups": {
@@ -156,13 +162,19 @@ func resourceAwsSecurityGroup() *schema.Resource {
 "cidr_blocks": {
 Type: schema.TypeList,
 Optional: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "ipv6_cidr_blocks": {
 Type: schema.TypeList,
 Optional: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "prefix_list_ids": {
diff --git a/builtin/providers/aws/resource_aws_security_group_rule.go b/builtin/providers/aws/resource_aws_security_group_rule.go
index 6c2f087fb..1372bc83d 100644
--- a/builtin/providers/aws/resource_aws_security_group_rule.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule.go
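Review bot: The same validateCIDRNetworkAddress is attached to both cidr_blocks and ipv6_cidr_blocks, so an IPv4 prefix placed in ipv6_cidr_blocks (or an IPv6 prefix in cidr_blocks) still passes schema validation and is only rejected later by the EC2 API; the validator body is not in this diff, but the error text the new tests expect (`invalid CIDR address: 1.2.3.4/33`) is net.ParseCIDR's format, which accepts either family. If that is intended, a comment on the ipv6 element would make it explicit: `// validateCIDRNetworkAddress accepts either address family; the v4/v6 split is enforced by the API, not here`. Otherwise a thin wrapper for the ipv6 lists that calls validateCIDRNetworkAddress and then rejects a parsed address whose To4() is non-nil would report the mismatch at plan time instead of apply time. The same applies to the egress block at @@ -156 and to both lists in resource_aws_security_group_rule.go @@ -58; resourceAwsSecurityGroup's body continues outside the hunk.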
@@ -58,14 +58,20 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
 Type: schema.TypeList,
 Optional: true,
 ForceNew: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "ipv6_cidr_blocks": {
 Type: schema.TypeList,
 Optional: true,
 ForceNew: true,
- Elem: &schema.Schema{Type: schema.TypeString},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateFunc: validateCIDRNetworkAddress,
+ },
 },
 "prefix_list_ids": {
diff --git a/builtin/providers/aws/resource_aws_security_group_rule_test.go b/builtin/providers/aws/resource_aws_security_group_rule_test.go
index d7da96054..299276304 100644
--- a/builtin/providers/aws/resource_aws_security_group_rule_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule_test.go
@@ -354,6 +354,25 @@ func TestAccAWSSecurityGroupRule_ExpectInvalidTypeError(t *testing.T) {
 })
 }
+func TestAccAWSSecurityGroupRule_ExpectInvalidCIDR(t *testing.T) {
+ rInt := acctest.RandInt()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt),
+ ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+ },
+ {
+ Config: testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt),
+ ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+ },
+ },
+ })
+}
+
 // testing partial match implementation
 func TestAccAWSSecurityGroupRule_PartialMatching_basic(t *testing.T) {
 var group ec2.SecurityGroup
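Review bot: The ExpectError patterns in TestAccAWSSecurityGroupRule_ExpectInvalidCIDR use unescaped dots, so `1.2.3.4/33` also matches unrelated text such as `1a2b3c4/33`; anchoring the literal keeps the assertion precise: `ExpectError: regexp.MustCompile(regexp.QuoteMeta("invalid CIDR address: 1.2.3.4/33")),` (likewise for the `::/244` step, and for all four steps in resource_aws_security_group_test.go @@ -719). Both new tests only exercise an out-of-range prefix length; if validateCIDRNetworkAddress also rejects host bits, as its name suggests but this diff does not show, a `10.0.0.1/24` step would pin that, and a family-mismatch step (an IPv4 prefix in ipv6_cidr_blocks) would document whether that is caught at plan time or left to the API. Since the failure is pure schema validation, a plain unit test calling the validator directly would cover the same behaviour without the PreCheck credential requirement these acceptance tests carry.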
@@ -1166,3 +1185,35 @@ func testAccAWSSecurityGroupRuleExpectInvalidType(rInt int) string {
 source_security_group_id = "${aws_security_group.web.id}"
 }`, rInt)
 }
+
+func testAccAWSSecurityGroupRuleInvalidIPv4CIDR(rInt int) string {
+ return fmt.Sprintf(`
+resource "aws_security_group" "foo" {
+ name = "testing-failure-%d"
+}
+
+resource "aws_security_group_rule" "ing" {
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4/33"]
+ security_group_id = "${aws_security_group.foo.id}"
+}`, rInt)
+}
+
+func testAccAWSSecurityGroupRuleInvalidIPv6CIDR(rInt int) string {
+ return fmt.Sprintf(`
+resource "aws_security_group" "foo" {
+ name = "testing-failure-%d"
+}
+
+resource "aws_security_group_rule" "ing" {
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/244"]
+ security_group_id = "${aws_security_group.foo.id}"
+}`, rInt)
+}
diff --git a/builtin/providers/aws/resource_aws_security_group_test.go b/builtin/providers/aws/resource_aws_security_group_test.go
index 37cf2503a..f1fe67ca9 100644
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
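Review bot: In testAccAWSSecurityGroupRuleInvalidIPv6CIDR the rule is labelled `"ing"` but declared with `type = "egress"`, while the IPv4 variant directly above uses `type = "ingress"` under the same label; the mismatch is harmless here because validation fails before anything is created, but it reads as a copy-paste slip. Either keep the two helpers parallel with `type = "ingress"` or rename the resource label to match, and a one-line comment on each helper saying it is expected to fail schema validation (so the missing `description` and the shared `"foo"` name are intentional) would save the next reader the question.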
@@ -719,6 +719,32 @@ func TestAccAWSSecurityGroup_drift_complex(t *testing.T) {
 })
 }
+func TestAccAWSSecurityGroup_invalidCIDRBlock(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSSecurityGroupInvalidIngressCidr,
+ ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+ },
+ {
+ Config: testAccAWSSecurityGroupInvalidEgressCidr,
+ ExpectError: regexp.MustCompile("invalid CIDR address: 1.2.3.4/33"),
+ },
+ {
+ Config: testAccAWSSecurityGroupInvalidIPv6IngressCidr,
+ ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+ },
+ {
+ Config: testAccAWSSecurityGroupInvalidIPv6EgressCidr,
+ ExpectError: regexp.MustCompile("invalid CIDR address: ::/244"),
+ },
+ },
+ })
+}
+
 func testAccCheckAWSSecurityGroupDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*AWSClient).ec2conn
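Review bot: TestAccAWSSecurityGroup_invalidCIDRBlock drives four fixed configs that all declare the group as `name = "testing-foo"`, whereas the sibling rule test in resource_aws_security_group_rule_test.go randomises the name with acctest.RandInt(); this is fine as long as every step fails schema validation, but if the validator is ever relaxed (for example to accept a family mismatch) the step would reach apply and collide with any parallel run using the same name. Passing the four configs through a small fmt.Sprintf helper with a random suffix, as the rule test does, would keep the two tests consistent and remove that dependency. A short comment above the Steps slice stating that each step is expected to fail before apply and that CheckDestroy is therefore a no-op would also help; the regex escaping raised on the rule test applies to these four patterns as well.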
@@ -1649,6 +1675,54 @@ resource "aws_security_group" "web" {
 }`, acctest.RandInt(), acctest.RandInt())
 }
+const testAccAWSSecurityGroupInvalidIngressCidr = `
+resource "aws_security_group" "foo" {
+ name = "testing-foo"
+ description = "foo-testing"
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4/33"]
+ }
+}`
+
+const testAccAWSSecurityGroupInvalidEgressCidr = `
+resource "aws_security_group" "foo" {
+ name = "testing-foo"
+ description = "foo-testing"
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4/33"]
+ }
+}`
+
+const testAccAWSSecurityGroupInvalidIPv6IngressCidr = `
+resource "aws_security_group" "foo" {
+ name = "testing-foo"
+ description = "foo-testing"
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/244"]
+ }
+}`
+
+const testAccAWSSecurityGroupInvalidIPv6EgressCidr = `
+resource "aws_security_group" "foo" {
+ name = "testing-foo"
+ description = "foo-testing"
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/244"]
+ }
+}`
+
 const testAccAWSSecurityGroupCombindCIDRandGroups = `
 resource "aws_vpc" "foo" {
 cidr_block = "10.1.0.0/16"