From df11150a6a81f1d470481061a435e7739df324cc Mon Sep 17 00:00:00 2001 From: Paul Stack Date: Tue, 6 Jun 2017 00:53:04 +0300 Subject: [PATCH] provider/aws: Revoke default ipv6 egress rule for aws_security_group (#15075) Fixes: #14522 To follow similar work in IPv4, we are now going to revoke the default IPv6 egress rule from an empty AWS security group ``` % make testacc TEST=./builtin/providers/aws/ TESTARGS='-run=TestAccAWSSecurityGroup_ipv4andipv6Egress' ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2017/06/05 14:01:52 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws/ -v -run=TestAccAWSSecurityGroup_ipv4andipv6Egress -timeout 120m === RUN TestAccAWSSecurityGroup_ipv4andipv6Egress --- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (63.39s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 63.423s ``` --- .../aws/resource_aws_security_group.go | 28 ++++++++++ .../aws/resource_aws_security_group_test.go | 54 +++++++++++++++++++ 2 files changed, 82 insertions(+)
diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 4f67e69c5..0322c9e03 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -295,6 +295,34 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 d.Id(), err)
 }
+ log.Printf("[DEBUG] Revoking default IPv6 egress rule for Security Group for %s", d.Id())
+ req = &ec2.RevokeSecurityGroupEgressInput{
+ GroupId: createResp.GroupId,
+ IpPermissions: []*ec2.IpPermission{
+ {
+ FromPort: aws.Int64(int64(0)),
+ ToPort: aws.Int64(int64(0)),
+ Ipv6Ranges: []*ec2.Ipv6Range{
+ {
+ CidrIpv6: aws.String("::/0"),
+ },
+ },
+ IpProtocol: aws.String("-1"),
+ },
+ },
+ }
+
+ _, err = conn.RevokeSecurityGroupEgress(req)
+ if err != nil {
+ //If we have a NotFound, then we are trying to remove the default IPv6 egress of a non-IPv6
+ //enabled SG
+ if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() != "InvalidPermission.NotFound" {
+ return fmt.Errorf(
+ "Error revoking default IPv6 egress rule for Security Group (%s): %s",
+ d.Id(), err)
+ }
+ }
+ }
 return resourceAwsSecurityGroupUpdate(d, meta)
diff --git a/builtin/providers/aws/resource_aws_security_group_test.go b/builtin/providers/aws/resource_aws_security_group_test.go
index f5a4f8d16..dfa55d7c0 100644
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
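Review bot: The revoke failure is silently dropped whenever `err` is not an `awserr.Error`, because the guard `ok && ec2err.Code() != "InvalidPermission.NotFound"` is false for a failed type assertion, so a transport or request-build error leaves the default `::/0` allow-all IPv6 egress rule in place while the resource is still created as if it had no egress rules. Only the NotFound code should be tolerated, so invert the assertion check: `if ec2err, ok := err.(awserr.Error); !ok || ec2err.Code() != "InvalidPermission.NotFound" {`. The two comment lines above it would also read better as one sentence that names the consequence, e.g. `// InvalidPermission.NotFound is expected for a non-IPv6-enabled SG; any other error must surface, otherwise the default allow-all IPv6 egress rule silently survives.` The enclosing resourceAwsSecurityGroupCreate body, including the IPv4 revoke this mirrors and the `if` that this block's last `}` closes, starts outside the hunk.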
@@ -1010,6 +1010,26 @@ func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) {
 })
 }
+func TestAccAWSSecurityGroup_ipv4andipv6Egress(t *testing.T) {
+ var group ec2.SecurityGroup
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSSecurityGroupConfigIpv4andIpv6Egress,
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group),
+ resource.TestCheckResourceAttr(
+ "aws_security_group.egress", "egress.#", "2"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 if *group.GroupName != "terraform_acceptance_test_example" {
@@ -2080,6 +2100,40 @@ resource "aws_security_group_rule" "allow_ipv6_cidr_block" {
 }
 `
+const testAccAWSSecurityGroupConfigIpv4andIpv6Egress = `
+resource "aws_vpc" "foo" {
+ cidr_block = "10.1.0.0/16"
+ assign_generated_ipv6_cidr_block = true
+ tags {
+ Name = "tf_sg_ipv4_and_ipv6_acc_test"
+ }
+}
+
+resource "aws_security_group" "egress" {
+ name = "terraform_acceptance_test_example"
+ description = "Used in the terraform acceptance tests"
+ vpc_id = "${aws_vpc.foo.id}"
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "6"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/0"]
+ }
+}
+`
+
 const testAccAWSSecurityGroupConfigPrefixListEgress = `
 resource "aws_vpc" "tf_sg_prefix_list_egress_test" {
 cidr_block = "10.0.0.0/16"
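Review bot: The new acceptance test only exercises a group that re-declares both allow-all egress rules, so it does not cover the case the commit description targets, an empty security group in an IPv6-enabled VPC, where a surviving default `::/0` rule would be the regression to catch. A second step or test reusing the `aws_vpc.foo` config with a group that has only the `ingress` block and asserting `"egress.#", "0"` would pin the IPv6 revoke directly rather than relying on the subsequent authorize failing on a duplicate. The helper testAccCheckAWSSecurityGroupSGandCidrAttributes and the other config constants continue outside the hunk.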