provider/aws: Revoke default ipv6 egress rule for aws_security_group (#15075)
Fixes: #14522 To follow similar work in IPv4, we are now going to revoke the default IPv6 egress rule from an empty AWS security group ``` % make testacc TEST=./builtin/providers/aws/ TESTARGS='-run=TestAccAWSSecurityGroup_ipv4andipv6Egress' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/06/05 14:01:52 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws/ -v -run=TestAccAWSSecurityGroup_ipv4andipv6Egress -timeout 120m === RUN TestAccAWSSecurityGroup_ipv4andipv6Egress --- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (63.39s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 63.423s ```
This commit is contained in:
parent
0149e6d1f5
commit
df11150a6a
|
@ -295,6 +295,34 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
|||
d.Id(), err)
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Revoking default IPv6 egress rule for Security Group for %s", d.Id())
|
||||
req = &ec2.RevokeSecurityGroupEgressInput{
|
||||
GroupId: createResp.GroupId,
|
||||
IpPermissions: []*ec2.IpPermission{
|
||||
{
|
||||
FromPort: aws.Int64(int64(0)),
|
||||
ToPort: aws.Int64(int64(0)),
|
||||
Ipv6Ranges: []*ec2.Ipv6Range{
|
||||
{
|
||||
CidrIpv6: aws.String("::/0"),
|
||||
},
|
||||
},
|
||||
IpProtocol: aws.String("-1"),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
_, err = conn.RevokeSecurityGroupEgress(req)
|
||||
if err != nil {
|
||||
//If we have a NotFound, then we are trying to remove the default IPv6 egress of a non-IPv6
|
||||
//enabled SG
|
||||
if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() != "InvalidPermission.NotFound" {
|
||||
return fmt.Errorf(
|
||||
"Error revoking default IPv6 egress rule for Security Group (%s): %s",
|
||||
d.Id(), err)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return resourceAwsSecurityGroupUpdate(d, meta)
|
||||
|
|
|
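Review bot: The error check after `conn.RevokeSecurityGroupEgress(req)` swallows any error that does not assert to `awserr.Error`, because the condition is `ok && ec2err.Code() != "InvalidPermission.NotFound"` — when `ok` is false the whole `if` is skipped and creation continues with the permissive `::/0` egress still attached to the group while Terraform believes it was removed. The intent is to tolerate only the NotFound case, so the guard should be `if ec2err, ok := err.(awserr.Error); !ok || ec2err.Code() != "InvalidPermission.NotFound" {`, which mirrors the unconditional return used by the IPv4 revoke just above the hunk. Whether non-`awserr.Error` values can actually reach this point depends on the SDK version in use, which is not visible here, so this is a defensive fix rather than a reproduced failure. Note also that `req` is reused from the IPv4 revoke declared earlier in the function; a short comment such as `// Reuse the IPv4 revoke request shape; only the permission set differs.` would make that explicit. The enclosing resourceAwsSecurityGroupCreate begins and ends outside this hunk.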
@ -1010,6 +1010,26 @@ func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestAccAWSSecurityGroup_ipv4andipv6Egress(t *testing.T) {
|
||||
var group ec2.SecurityGroup
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccAWSSecurityGroupConfigIpv4andIpv6Egress,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group),
|
||||
resource.TestCheckResourceAttr(
|
||||
"aws_security_group.egress", "egress.#", "2"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
if *group.GroupName != "terraform_acceptance_test_example" {
|
||||
|
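Review bot: TestAccAWSSecurityGroup_ipv4andipv6Egress only asserts `egress.#` equals "2" with a configuration that explicitly declares the `::/0` IPv6 egress rule, so it exercises the duplicate-rule path but not the outcome the revoke is really there to guarantee — that a security group in an IPv6-enabled VPC with no `ipv6_cidr_blocks` egress declared ends up with no default `::/0` egress rule in AWS. A second test (or additional step) using the same VPC fixture and an `aws_security_group` with only the IPv4 egress block, checking `egress.#` is "1" and, via the existing `testAccCheckAWSSecurityGroupExists` pattern, that `group.IpPermissionsEgress` contains no `Ipv6Ranges` entry, would pin that behaviour and catch a regression where the revoke silently fails. The count assertion here passes either way, since the explicitly declared rule is identical to the default one AWS attaches.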
@ -2080,6 +2100,40 @@ resource "aws_security_group_rule" "allow_ipv6_cidr_block" {
|
|||
}
|
||||
`
|
||||
|
||||
const testAccAWSSecurityGroupConfigIpv4andIpv6Egress = `
|
||||
resource "aws_vpc" "foo" {
|
||||
cidr_block = "10.1.0.0/16"
|
||||
assign_generated_ipv6_cidr_block = true
|
||||
tags {
|
||||
Name = "tf_sg_ipv4_and_ipv6_acc_test"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "egress" {
|
||||
name = "terraform_acceptance_test_example"
|
||||
description = "Used in the terraform acceptance tests"
|
||||
vpc_id = "${aws_vpc.foo.id}"
|
||||
ingress {
|
||||
from_port = 22
|
||||
to_port = 22
|
||||
protocol = "6"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
ipv6_cidr_blocks = ["::/0"]
|
||||
}
|
||||
}
|
||||
`
|
||||
|
||||
const testAccAWSSecurityGroupConfigPrefixListEgress = `
|
||||
resource "aws_vpc" "tf_sg_prefix_list_egress_test" {
|
||||
cidr_block = "10.0.0.0/16"
|
||||
|
|