diff --git a/builtin/providers/aws/network_acl_entry.go b/builtin/providers/aws/network_acl_entry.go
index 5a09746d6..84937af6a 100644
--- a/builtin/providers/aws/network_acl_entry.go
+++ b/builtin/providers/aws/network_acl_entry.go
@@ -82,8 +82,6 @@ func protocolIntegers() map[string]int {
 var protocolIntegers = make(map[string]int)
 protocolIntegers = map[string]int{
 // defined at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
- "ah": 51,
- "esp": 50,
 "udp": 17,
 "tcp": 6,
 "icmp": 1,
diff --git a/builtin/providers/aws/resource_aws_security_group_test.go b/builtin/providers/aws/resource_aws_security_group_test.go
index 34dece107..44a580d39 100644
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
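Review bot: Dropping `"ah"` and `"esp"` from the protocolIntegers map is a user-visible behaviour change for any existing network ACL entry or security group rule written as `protocol = "ah"` or `protocol = "esp"`; whatever consumes this map (the body of protocolIntegers starts before the hunk and continues after it) will no longer find those keys, and the outcome depends on how the caller treats a missing entry — presumably an error or a zero-value protocol number, which cannot be confirmed from here and would be a silent change to the rule actually created if it is the latter. If the intent is that users write the IANA number instead (the new acceptance test exercises `"50"`), the doc hunks should state that the names are no longer accepted and a migration note belongs in the changelog. A comment at the literal such as `// only names with special handling are listed; any other protocol is given by its IANA number` would record the rationale for the next maintainer. Separately, the context line `var protocolIntegers = make(map[string]int)` is dead (the literal immediately replaces it) and shadows the function name, though that predates this commit.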
@@ -471,6 +471,47 @@ func TestAccAWSSecurityGroup_vpcNegOneIngress(t *testing.T) {
 },
 })
 }
+func TestAccAWSSecurityGroup_vpcProtoNumIngress(t *testing.T) {
+ var group ec2.SecurityGroup
+
+ testCheck := func(*terraform.State) error {
+ if *group.VpcId == "" {
+ return fmt.Errorf("should have vpc ID")
+ }
+
+ return nil
+ }
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ IDRefreshName: "aws_security_group.web",
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccAWSSecurityGroupConfigVpcProtoNumIngress,
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSecurityGroupExists("aws_security_group.web", &group),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "name", "terraform_acceptance_test_example"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "description", "Used in the terraform acceptance tests"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "ingress.2449525218.protocol", "50"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "ingress.2449525218.from_port", "0"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "ingress.2449525218.to_port", "0"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "ingress.2449525218.cidr_blocks.#", "1"),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.web", "ingress.2449525218.cidr_blocks.0", "10.0.0.0/8"),
+ testCheck,
+ ),
+ },
+ },
+ })
+}
 func TestAccAWSSecurityGroup_MultiIngress(t *testing.T) {
 var group ec2.SecurityGroup
 
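Review bot: `testCheck` dereferences `*group.VpcId` without a nil guard; VpcId is a pointer in the SDK type, so a security group returned without it would panic the test binary instead of reporting a failure — `if group.VpcId == nil || *group.VpcId == "" {` keeps the same assertion and fails cleanly. The expected attribute keys hard-code the set hash `ingress.2449525218`, which is derived from the current hashing of the ingress block, so any change to that hash function breaks this test with an unhelpful message; that is the convention of the sibling tests, but a comment such as `// 2449525218 is the set hash of the single ingress block in the fixture` would make the failure mode obvious. The test only covers ingress with a numeric protocol; egress and aws_security_group_rule, whose documentation this commit also changes to advertise protocol numbers, are not exercised.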
@@ -1240,6 +1281,26 @@ resource "aws_security_group" "web" {
 }
 }
 `
+
+const testAccAWSSecurityGroupConfigVpcProtoNumIngress = `
+resource "aws_vpc" "foo" {
+ cidr_block = "10.1.0.0/16"
+}
+
+resource "aws_security_group" "web" {
+ name = "terraform_acceptance_test_example"
+ description = "Used in the terraform acceptance tests"
+ vpc_id = "${aws_vpc.foo.id}"
+
+ ingress {
+ protocol = "50"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["10.0.0.0/8"]
+ }
+}
+`
+
 const testAccAWSSecurityGroupConfigMultiIngress = `
 resource "aws_vpc" "foo" {
 cidr_block = "10.1.0.0/16"
diff --git a/website/source/docs/providers/aws/r/security_group.html.markdown b/website/source/docs/providers/aws/r/security_group.html.markdown
index aa8fe2f2b..df853bd85 100644
--- a/website/source/docs/providers/aws/r/security_group.html.markdown
+++ b/website/source/docs/providers/aws/r/security_group.html.markdown
@@ -87,7 +87,7 @@ The `ingress` block supports:
 * `cidr_blocks` - (Optional) List of CIDR blocks.
 * `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp")
 * `protocol` - (Required) The protocol. If you select a protocol of
-"-1", you must specify a "from_port" and "to_port" equal to 0.
+"-1", you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or all use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
 * `security_groups` - (Optional) List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
 * `self` - (Optional) If true, the security group itself will be added as
@@ -100,7 +100,7 @@ The `egress` block supports:
 * `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints)
 * `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp")
 * `protocol` - (Required) The protocol. If you select a protocol of
-"-1", you must specify a "from_port" and "to_port" equal to 0.
+"-1", you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or all use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
 * `security_groups` - (Optional) List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
 * `self` - (Optional) If true, the security group itself will be added as
@@ -156,7 +156,7 @@ The following attributes are exported:
 ## Import
-Security Groups can be imported using the `security group id`, e.g.
+Security Groups can be imported using the `security group id`, e.g.
 ```
 $ terraform import aws_security_group.elb_sg sg-903004f8
diff --git a/website/source/docs/providers/aws/r/security_group_rule.html.markdown b/website/source/docs/providers/aws/r/security_group_rule.html.markdown
index f10aedd1a..0e4a2f37b 100644
--- a/website/source/docs/providers/aws/r/security_group_rule.html.markdown
+++ b/website/source/docs/providers/aws/r/security_group_rule.html.markdown
@@ -45,7 +45,7 @@ or `egress` (outbound).
 * `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints). Only valid with `egress`.
 * `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
-* `protocol` - (Required) The protocol.
+* `protocol` - (Required) The protocol. If not icmp, tcp, udp, or all use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
 * `security_group_id` - (Required) The security group to apply this rule to.
 * `source_security_group_id` - (Optional) The security group id to allow access to/from, depending on the `type`. Cannot be specified with `cidr_blocks`.