From da7041f4bedd1ce2bcc61433321f5a4f38b40fd8 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Sun, 16 Apr 2017 18:39:42 -0400
Subject: [PATCH] Remove aws_network_acl_rule if not found. (#13608)
---
 .../aws/resource_aws_network_acl_rule.go | 17 +++++-
 .../aws/resource_aws_network_acl_rule_test.go | 56 ++++++++++++++++++-
 2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/builtin/providers/aws/resource_aws_network_acl_rule.go b/builtin/providers/aws/resource_aws_network_acl_rule.go
index 5cce925c5..d3aa099fc 100644
--- a/builtin/providers/aws/resource_aws_network_acl_rule.go
+++ b/builtin/providers/aws/resource_aws_network_acl_rule.go
@@ -163,10 +163,14 @@ func resourceAwsNetworkAclRuleCreate(d *schema.ResourceData, meta interface{}) e
 	// API (see issue GH-4721). Retry the `findNetworkAclRule` function until it is
 	// visible (which in most cases is likely immediately).
 	err = resource.Retry(3*time.Minute, func() *resource.RetryError {
-		_, findErr := findNetworkAclRule(d, meta)
+		r, findErr := findNetworkAclRule(d, meta)
 		if findErr != nil {
 			return resource.RetryableError(findErr)
 		}
+		if r == nil {
+			err := fmt.Errorf("Network ACL rule (%s) not found", d.Id())
+			return resource.RetryableError(err)
+		}
 		return nil
 	})
@@ -182,6 +186,11 @@ func resourceAwsNetworkAclRuleRead(d *schema.ResourceData, meta interface{}) err
 	if err != nil {
 		return err
 	}
+	if resp == nil {
+		log.Printf("[DEBUG] Network ACL rule (%s) not found", d.Id())
+		d.SetId("")
+		return nil
+	}
 	d.Set("rule_number", resp.RuleNumber)
 	d.Set("cidr_block", resp.CidrBlock)
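Review bot: The `err := fmt.Errorf(...)` inside the new `if r == nil` branch shadows the outer `err` that receives the Retry result a few lines above (`err = resource.Retry(...)`); it is only returned, so behaviour is unaffected, but it trips shadow linters and reads as though the outer error were being set. Inline it instead: `return resource.RetryableError(fmt.Errorf("Network ACL rule (%s) not found", d.Id()))`. Separately, `findErr` is still wrapped as retryable unconditionally, so a permanent lookup failure (an ACL id that does not exist, a missing permission) is retried for the full three minutes before surfacing; that predates this change, but the new nil check is the natural place to keep "not visible yet" and "cannot look up" distinct. resourceAwsNetworkAclRuleCreate starts and ends outside the hunk.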
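Review bot: The new branch in resourceAwsNetworkAclRuleRead drops a rule from state because it disappeared, yet logs this at `[DEBUG]`, which an operator only sees with TF_LOG raised; a network ACL rule vanishing out of band is a firewall change somebody else made and deserves to be visible in normal output. Prefer `log.Printf("[WARN] Network ACL rule (%s) not found, removing from state", d.Id())`, which I believe also matches how the other not-found paths in this provider are phrased (worth checking against neighbouring resources). Read begins before the hunk and continues after it; the nil check is correctly placed between the lookup error and the first `d.Set`.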
@@ -257,7 +266,11 @@ func findNetworkAclRule(d *schema.ResourceData, meta interface{}) (*ec2.NetworkA return nil, fmt.Errorf("Error Finding Network Acl Rule %d: %s", d.Get("rule_number").(int), err.Error()) } - if resp == nil || len(resp.NetworkAcls) != 1 || resp.NetworkAcls[0] == nil { + if resp == nil || len(resp.NetworkAcls) == 0 || resp.NetworkAcls[0] == nil { + // Missing NACL rule. + return nil, nil + } + if len(resp.NetworkAcls) > 1 { return nil, fmt.Errorf( "Expected to find one Network ACL, got: %#v", resp.NetworkAcls) diff --git a/builtin/providers/aws/resource_aws_network_acl_rule_test.go b/builtin/providers/aws/resource_aws_network_acl_rule_test.go index f9ab943a8..19b34cef7 100644 --- a/builtin/providers/aws/resource_aws_network_acl_rule_test.go +++ b/builtin/providers/aws/resource_aws_network_acl_rule_test.go @@ -137,6 +137,26 @@ func TestResourceAWSNetworkAclRule_validateICMPArgumentValue(t *testing.T) { } +func TestAccAWSNetworkAclRule_deleteRule(t *testing.T) { + var networkAcl ec2.NetworkAcl + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSNetworkAclRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSNetworkAclRuleBasicConfig, + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSNetworkAclRuleExists("aws_network_acl_rule.baz", &networkAcl), + testAccCheckAWSNetworkAclRuleDelete("aws_network_acl_rule.baz"), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + func testAccCheckAWSNetworkAclRuleDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { @@ -179,7 +199,7 @@ func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) r } if rs.Primary.ID == "" { - return fmt.Errorf("No Network ACL Id is set") + return fmt.Errorf("No Network ACL Rule Id is set") } req := &ec2.DescribeNetworkAclsInput{ 
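Review bot: The new `return nil, nil` branch in findNetworkAclRule is reached only when DescribeNetworkAcls answers with an empty `NetworkAcls` list; if the call passes the ACL id directly (the call itself is outside the hunk), a deleted ACL is reported by EC2 as an `InvalidNetworkAclID.NotFound` error and becomes the "Error Finding Network Acl Rule" error on the line above instead, so Read would fail rather than clear state. Consider treating that error code as not-found too, before the `fmt.Errorf` wrap, so the parent-ACL-gone case behaves like the rule-gone case the new test exercises. The comment `// Missing NACL rule.` describes the ACL being absent, not merely the rule; `// The NACL itself is gone, so the rule cannot exist either.` is more precise. Since a nil result with a nil error is now a meaningful outcome, a doc comment on the function (it begins before the hunk and continues past it) stating that this combination means the rule or its ACL no longer exists would keep callers from dereferencing the result unchecked.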
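Review bot: TestAccAWSNetworkAclRule_deleteRule carries no comment explaining what it checks, and the pairing of testAccCheckAWSNetworkAclRuleDelete with `ExpectNonEmptyPlan: true` is not self-explanatory: the single step deletes the entry behind Terraform's back and relies on the refresh noticing it is gone, dropping it from state, and therefore proposing to recreate it. A comment above the function such as `// Deletes the rule out of band and expects the next refresh to remove it from state, leaving a non-empty plan.` would record that intent. Note that the test covers only the rule-gone case, not the case where the whole ACL is removed.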
@@ -209,6 +229,40 @@ func testAccCheckAWSNetworkAclRuleExists(n string, networkAcl *ec2.NetworkAcl) r
 	}
 }
+func testAccCheckAWSNetworkAclRuleDelete(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Network ACL Rule Id is set")
+		}
+
+		egress, err := strconv.ParseBool(rs.Primary.Attributes["egress"])
+		if err != nil {
+			return err
+		}
+		ruleNo, err := strconv.ParseInt(rs.Primary.Attributes["rule_number"], 10, 64)
+		if err != nil {
+			return err
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		_, err = conn.DeleteNetworkAclEntry(&ec2.DeleteNetworkAclEntryInput{
+			NetworkAclId: aws.String(rs.Primary.Attributes["network_acl_id"]),
+			RuleNumber:   aws.Int64(ruleNo),
+			Egress:       aws.Bool(egress),
+		})
+		if err != nil {
+			return fmt.Errorf("Error deleting Network ACL Rule (%s) in testAccCheckAWSNetworkAclRuleDelete: %s", rs.Primary.ID, err)
+		}
+
+		return nil
+	}
+}
+
 const testAccAWSNetworkAclRuleBasicConfig = `
 provider "aws" {
   region = "us-east-1"
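Review bot: The two attribute parse failures in testAccCheckAWSNetworkAclRuleDelete are returned bare, so a failing run reads as a raw `strconv.ParseInt: parsing "": invalid syntax` with no hint of which resource or attribute was at fault; wrap them, e.g. `return fmt.Errorf("parsing rule_number of %s: %s", n, err)` and the same for `egress`. The helper also lacks a doc comment; `// testAccCheckAWSNetworkAclRuleDelete removes the rule directly through the EC2 API, bypassing Terraform, so a later refresh sees it as missing.` would say why a test check function deletes infrastructure. The DeleteNetworkAclEntry error message is already specific, which is the standard the parse errors should meet.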