Previously the check for if we are setting `CidrBlock` or `IPv6CidrBlock` during an `Update` of the `aws_network_acl` resource would populate the input struct with a nil string value `""`. This caused our acceptance tests to fail, and broke the resource's functionality if a user only set `CidrBlock` or `IPv6CidrBlock` for either an `ingress` or `egress` rule as the API would error out with an `Invalid CidrBlock` error.
Previously:
```
aws_network_acl.bond: Error creating egress entry: InvalidParameterValue: CIDR block is malformed
status code: 400, request id: 0620e0b7-4e30-4c14-9a7a-5d373cc9f33b
```
Currently:
```
$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSNetworkAcl'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/15 15:41:17 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSNetworkAcl -timeout 120m
=== RUN TestAccAWSNetworkAcl_importBasic
--- PASS: TestAccAWSNetworkAcl_importBasic (26.96s)
=== RUN TestAccAWSNetworkAclRule_basic
--- PASS: TestAccAWSNetworkAclRule_basic (23.08s)
=== RUN TestAccAWSNetworkAclRule_ipv6
--- PASS: TestAccAWSNetworkAclRule_ipv6 (26.24s)
=== RUN TestAccAWSNetworkAcl_EgressAndIngressRules
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (25.11s)
=== RUN TestAccAWSNetworkAcl_OnlyIngressRules_basic
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (31.82s)
=== RUN TestAccAWSNetworkAcl_OnlyIngressRules_update
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (48.59s)
=== RUN TestAccAWSNetworkAcl_OnlyEgressRules
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (25.48s)
=== RUN TestAccAWSNetworkAcl_SubnetChange
--- PASS: TestAccAWSNetworkAcl_SubnetChange (57.12s)
=== RUN TestAccAWSNetworkAcl_Subnets
--- PASS: TestAccAWSNetworkAcl_Subnets (67.55s)
=== RUN TestAccAWSNetworkAcl_ipv6Rules
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (31.52s)
=== RUN TestAccAWSNetworkAcl_espProtocol
acc--- PASS: TestAccAWSNetworkAcl_espProtocol (24.37s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 387.855s
```
* provider/aws: Default Network ACL resource
Provides a resource to manage the default AWS Network ACL. VPC Only.
* Remove subnet_id update, mark as computed value. Remove extra tag update
* refactor default rule number to be a constant
* refactor revokeRulesForType to be revokeAllNetworkACLEntries
Refactor method to delete all network ACL entries, regardless of type. The
previous implementation was under the assumption that we may only eliminate some
rule types and possibly not others, so the split was necessary.
We're now removing them all, so the logic isn't necessary
Several doc and test cleanups are here as well
* smite subnet_id, improve docs
Fix retry after removing associations by correctly checking and returning an
error. This should patch the VPC/Resource leak in our nightly acceptance tests.
Change the `RetryFunc` from a plain `error` return type to a
specialized `RetryError` which must decide whether it is
retryable or not.
Add `RetryableError` / `NonRetryableError` factory functions that
callers are meant to use to build up these errors.
This makes it eminently clear whether or not a given error is
retryable from inside the client code.
Goal here is to _not_ change any behavior, simply reflect the
existing behavior with the new, clearer, API.
* Fixup Exists and CheckDestroy assertions
* Make ingress/egress computed on network_acl, otherwise you could
never use network_acl_rule with a managed network_acl without a
perpetual diff.
This landed in aws-sdk-go yesterday, breaking the AWS provider in many places:
3c259c9586
Here, with much sedding, grepping, and manual massaging, we attempt to
catch Terraform up to the new `awserr.Error` interface world.
Users can input a limited number of protocol names (e.g. "tcp") as
inputs to network ACL rules, but the API only supports valid protocol
number:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Preserve the convenience of protocol names and simultaneously support
numbers by only writing numbers to the state file. Also use numbers
when hashing the rules, to keep everything consistent.
AWS will accept any overly-specific IP/mask combination, such as
10.1.2.2/24, but will store it by its implied network: 10.1.2.0/24.
This results in hashing errors, because the remote API will return
hashing results out of sync with the local configuration file.
Enforce a stricter API rule than AWS. Force users to use valid masks,
and run a quick calculation on their input to discover their intent.
AWS doesn't store ports for -1 protocol rules, thus the read from the
API will always come up with a different hash. Force the user to make a
deliberate port choice when enabling -1 protocol rules. All from_port
and to_port's on these rules must be 0.
AWS includes default rules with all network ACL resources which cannot
be modified by the user. Don't attempt to store them locally or change
them remotely if they are already stored -- it'll consistently result
in hashing problems.
resourceAwsNetworkAclRead swallowed these errors resulting in rules
that never properly updated. Implement an entry-to-maplist function
that'll allow us to write something that Set knows how to read.
The upstream behavior here changed, and the request needs a `nil`
instead of an empty slice to indicate that we _don't_ want to filter on
Network ACL IDs.
fixes#1634
Fixes the following vet reports:
builtin/providers/aws/resource_aws_network_acl.go:191: wrong number of args for format in Errorf call: 2 needed but 3 args
builtin/providers/aws/resource_aws_network_acl.go:264: wrong number of args for format in Errorf call: 1 needed but 2 args
builtin/providers/aws/resource_aws_network_acl.go:268: wrong number of args for format in Errorf call: 1 needed but 2 args
builtin/providers/aws/resource_aws_network_acl.go:286: arg m[to_port].(int) for printf verb %s of wrong type: int
builtin/providers/aws/resource_aws_network_acl_test.go:277: arg r.NetworkAcls for printf verb %s of wrong type: []github.com/mitchellh/goamz/ec2.NetworkAcl
builtin/providers/aws/resource_aws_subnet_test.go:21: arg v.MapPublicIpOnLaunch for printf verb %s of wrong type: bool
Kit Ewbank