From dd0850af593d3c365c1adf7325d7847626c63d67 Mon Sep 17 00:00:00 2001
From: Clint
Date: Wed, 29 Jun 2016 15:55:58 -0500
Subject: [PATCH] provider/aws: Add inplace edit/update DB Security Group Rule Ingress (#7245)
---
 .../aws/resource_aws_db_security_group.go | 72 ++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/builtin/providers/aws/resource_aws_db_security_group.go b/builtin/providers/aws/resource_aws_db_security_group.go
index 6edffb6c5..0b396f65b 100644
--- a/builtin/providers/aws/resource_aws_db_security_group.go
+++ b/builtin/providers/aws/resource_aws_db_security_group.go
@@ -46,7 +46,6 @@ func resourceAwsDbSecurityGroup() *schema.Resource {
 "ingress": &schema.Schema{
 Type: schema.TypeSet,
 Required: true,
- ForceNew: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "cidr": &schema.Schema{
@@ -209,6 +208,42 @@ func resourceAwsDbSecurityGroupUpdate(d *schema.ResourceData, meta interface{})
 d.SetPartial("tags")
 }
 }
+
+ if d.HasChange("ingress") {
+ sg, err := resourceAwsDbSecurityGroupRetrieve(d, meta)
+ if err != nil {
+ return err
+ }
+
+ oi, ni := d.GetChange("ingress")
+ if oi == nil {
+ oi = new(schema.Set)
+ }
+ if ni == nil {
+ ni = new(schema.Set)
+ }
+
+ ois := oi.(*schema.Set)
+ nis := ni.(*schema.Set)
+ removeIngress := ois.Difference(nis).List()
+ newIngress := nis.Difference(ois).List()
+
+ // DELETE old Ingress rules
+ for _, ing := range removeIngress {
+ err := resourceAwsDbSecurityGroupRevokeRule(ing, *sg.DBSecurityGroupName, conn)
+ if err != nil {
+ return err
+ }
+ }
+
+ // ADD new/updated Ingress rules
+ for _, ing := range newIngress {
+ err := resourceAwsDbSecurityGroupAuthorizeRule(ing, *sg.DBSecurityGroupName, conn)
+ if err != nil {
+ return err
+ }
+ }
+ }
 d.Partial(false)
 
 return resourceAwsDbSecurityGroupRead(d, meta)
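Review bot: The revoke loop runs before the authorize loop, so a rule whose fields changed (and therefore hashes differently) is removed and then re-added, which gives a brief fail-closed gap instead of a window in which both the old and the new rule are open; nothing in the hunk records that this ordering is intentional, so a later cleanup could invert it and widen exposure. I would add above the first loop `// Revoke before authorize: a transient loss of access is preferable to a window in which both old and new ingress rules are open.` and extend it with a sentence noting that a failure part-way through the authorize loop leaves the group in a mix of neither configuration, which the next refresh should reconcile if Read rebuilds ingress from the API (Read is outside this hunk, so that is an assumption to confirm). Separately, `err :=` inside both loops shadows the `err` from `sg, err :=`; it is harmless here because each is checked immediately, but `if err := resourceAwsDbSecurityGroupRevokeRule(ing, *sg.DBSecurityGroupName, conn); err != nil {` keeps it scoped and quiets the shadow vet check. The enclosing resourceAwsDbSecurityGroupUpdate body starts outside the hunk; the `d.SetPartial("tags")` context line shows it runs in partial mode, and the new branch never marks "ingress" as applied, which is consistent with wanting the old set kept in state on error.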
@@ -293,6 +328,41 @@ func resourceAwsDbSecurityGroupAuthorizeRule(ingress interface{}, dbSecurityGrou
 return nil
 }
 
+// Revokes the ingress rule on the db security group
+func resourceAwsDbSecurityGroupRevokeRule(ingress interface{}, dbSecurityGroupName string, conn *rds.RDS) error {
+ ing := ingress.(map[string]interface{})
+
+ opts := rds.RevokeDBSecurityGroupIngressInput{
+ DBSecurityGroupName: aws.String(dbSecurityGroupName),
+ }
+
+ if attr, ok := ing["cidr"]; ok && attr != "" {
+ opts.CIDRIP = aws.String(attr.(string))
+ }
+
+ if attr, ok := ing["security_group_name"]; ok && attr != "" {
+ opts.EC2SecurityGroupName = aws.String(attr.(string))
+ }
+
+ if attr, ok := ing["security_group_id"]; ok && attr != "" {
+ opts.EC2SecurityGroupId = aws.String(attr.(string))
+ }
+
+ if attr, ok := ing["security_group_owner_id"]; ok && attr != "" {
+ opts.EC2SecurityGroupOwnerId = aws.String(attr.(string))
+ }
+
+ log.Printf("[DEBUG] Revoking ingress rule configuration: %#v", opts)
+
+ _, err := conn.RevokeDBSecurityGroupIngress(&opts)
+
+ if err != nil {
+ return fmt.Errorf("Error revoking security group ingress: %s", err)
+ }
+
+ return nil
+}
+
 func resourceAwsDbSecurityGroupIngressHash(v interface{}) int {
 var buf bytes.Buffer
 m := v.(map[string]interface{})
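Review bot: The four `if attr, ok := ing[...]` blocks rebuild the rule identity from the set element independently of resourceAwsDbSecurityGroupAuthorizeRule (whose body lies outside the hunk and presumably performs the same mapping onto the Authorize input); if the two ever drift, for example a field read in one and not the other, Update will authorize rules it can no longer revoke, leaving access open that the configuration says is gone. I would lift the extraction into one helper used by both functions so the identity a revoke targets is, by construction, the identity that was authorized. The doc comment should also start with the function name per Go convention: `// resourceAwsDbSecurityGroupRevokeRule revokes one ingress rule from the named DB security group.`. The unchecked `attr.(string)` assertions panic rather than return an error on a non-string value; the schema presumably guarantees strings, so that is a style point only.
```go
// ingressRuleIdentity extracts the optional rule identifiers from one ingress set element;
// shared by authorize and revoke so the two mappings cannot drift apart.
func ingressRuleIdentity(ing map[string]interface{}) (cidr, sgName, sgID, sgOwner *string) {
	str := func(key string) *string {
		if attr, ok := ing[key]; ok && attr != "" {
			return aws.String(attr.(string))
		}
		return nil
	}
	return str("cidr"), str("security_group_name"), str("security_group_id"), str("security_group_owner_id")
}

// resourceAwsDbSecurityGroupRevokeRule revokes one ingress rule from the named DB security group.
func resourceAwsDbSecurityGroupRevokeRule(ingress interface{}, dbSecurityGroupName string, conn *rds.RDS) error {
	opts := rds.RevokeDBSecurityGroupIngressInput{
		DBSecurityGroupName: aws.String(dbSecurityGroupName),
	}
	opts.CIDRIP, opts.EC2SecurityGroupName, opts.EC2SecurityGroupId, opts.EC2SecurityGroupOwnerId =
		ingressRuleIdentity(ingress.(map[string]interface{}))

	// … unchanged: debug log, RevokeDBSecurityGroupIngress call, error wrapping, return nil …
}
```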