terraform/builtin/providers/aws/network_acl_entry_test.go


package aws
import (
"reflect"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ec2"
)
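// Test_expandNetworkACLEntry checks that expandNetworkAclEntries turns
// schema-style rule maps into ec2.NetworkAclEntry values when called with
// the "egress" direction.
//
// The fixture expects the protocol name "tcp" to come back as "6", the
// value "-1" to be passed through unchanged, and every entry to carry
// Egress=true.
func Test_expandNetworkACLEntry(t *testing.T) {
	input := []interface{}{
		map[string]interface{}{
			"protocol":   "tcp",
			"from_port":  22,
			"to_port":    22,
			"cidr_block": "0.0.0.0/0",
			"action":     "deny",
			"rule_no":    1,
		},
		map[string]interface{}{
			"protocol":   "tcp",
			"from_port":  443,
			"to_port":    443,
			"cidr_block": "0.0.0.0/0",
			"action":     "deny",
			"rule_no":    2,
		},
		// Protocol "-1" selects all protocols. The EC2 API documents that
		// the port range is ignored for "-1", so a rule like this applies
		// to every port even though 443 is given; this test only checks
		// that the values are carried through.
		// NOTE(review): rule_no 2 is reused here and the expected output
		// keeps both entries, so expansion does not reject duplicate rule
		// numbers - confirm where duplicates are caught.
		map[string]interface{}{
			"protocol":   "-1",
			"from_port":  443,
			"to_port":    443,
			"cidr_block": "0.0.0.0/0",
			"action":     "deny",
			"rule_no":    2,
		},
	}

	// The original discarded the second return value, so a failed
	// expansion surfaced only as a confusing DeepEqual mismatch.
	expanded, err := expandNetworkAclEntries(input, "egress")
	if err != nil {
		t.Fatalf("unexpected error expanding entries: %s", err)
	}

	expected := []*ec2.NetworkAclEntry{
		{
			Protocol: aws.String("6"),
			PortRange: &ec2.PortRange{
				From: aws.Int64(22),
				To:   aws.Int64(22),
			},
			RuleAction: aws.String("deny"),
			RuleNumber: aws.Int64(1),
			CidrBlock:  aws.String("0.0.0.0/0"),
			Egress:     aws.Bool(true),
		},
		{
			Protocol: aws.String("6"),
			PortRange: &ec2.PortRange{
				From: aws.Int64(443),
				To:   aws.Int64(443),
			},
			RuleAction: aws.String("deny"),
			RuleNumber: aws.Int64(2),
			CidrBlock:  aws.String("0.0.0.0/0"),
			Egress:     aws.Bool(true),
		},
		{
			Protocol: aws.String("-1"),
			PortRange: &ec2.PortRange{
				From: aws.Int64(443),
				To:   aws.Int64(443),
			},
			RuleAction: aws.String("deny"),
			RuleNumber: aws.Int64(2),
			CidrBlock:  aws.String("0.0.0.0/0"),
			Egress:     aws.Bool(true),
		},
	}

	if !reflect.DeepEqual(expanded, expected) {
		t.Fatalf(
			"Got:\n\n%#v\n\nExpected:\n\n%#v\n",
			expanded,
			expected)
	}
}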
// Test_flattenNetworkACLEntry checks that flattenNetworkAclEntries converts
// ec2.NetworkAclEntry values back into schema-style maps.
//
// The fixture expects the protocol string to be kept as given ("tcp") and
// the port and rule numbers to come back as int64.
func Test_flattenNetworkACLEntry(t *testing.T) {
	entries := []*ec2.NetworkAclEntry{
		{
			Protocol:   aws.String("tcp"),
			PortRange:  &ec2.PortRange{From: aws.Int64(22), To: aws.Int64(22)},
			RuleAction: aws.String("deny"),
			RuleNumber: aws.Int64(1),
			CidrBlock:  aws.String("0.0.0.0/0"),
		},
		{
			Protocol:   aws.String("tcp"),
			PortRange:  &ec2.PortRange{From: aws.Int64(443), To: aws.Int64(443)},
			RuleAction: aws.String("deny"),
			RuleNumber: aws.Int64(2),
			CidrBlock:  aws.String("0.0.0.0/0"),
		},
	}

	want := []map[string]interface{}{
		{
			"protocol":   "tcp",
			"from_port":  int64(22),
			"to_port":    int64(22),
			"cidr_block": "0.0.0.0/0",
			"action":     "deny",
			"rule_no":    int64(1),
		},
		{
			"protocol":   "tcp",
			"from_port":  int64(443),
			"to_port":    int64(443),
			"cidr_block": "0.0.0.0/0",
			"action":     "deny",
			"rule_no":    int64(2),
		},
	}

	got := flattenNetworkAclEntries(entries)
	if reflect.DeepEqual(got, want) {
		return
	}
	t.Fatalf("Got:\n\n%#v\n\nExpected:\n\n%#v\n", got, want)
}
// Test_validatePorts runs validatePorts over a small table of to/from
// values and an expectedPortPair, comparing the boolean result with the
// wanted one.
//
// NOTE(review): the (to, from) argument order is kept exactly as the call
// was written; confirm it against validatePorts' signature.
func Test_validatePorts(t *testing.T) {
	type portCase struct {
		to       int64
		from     int64
		expected expectedPortPair
		wanted   bool
	}

	cases := []portCase{
		{to: 0, from: 0, expected: expectedPortPair{0, 0}, wanted: true},
		{to: 0, from: 1, expected: expectedPortPair{0, 0}, wanted: false},
	}

	for _, tc := range cases {
		result := validatePorts(tc.to, tc.from, tc.expected)
		if result == tc.wanted {
			continue
		}
		t.Fatalf("Got: %t; Expected: %t\n", result, tc.wanted)
	}
}
// Test_validateCIDRBlock feeds validateCIDRBlock a table of CIDR strings
// and checks, for each one, whether an error is returned.
func Test_validateCIDRBlock(t *testing.T) {
	type cidrCase struct {
		cidr      string
		shouldErr bool
	}

	cases := []cidrCase{
		// Network address with a matching /24 prefix: accepted.
		{cidr: "10.2.2.0/24", shouldErr: false},
		// Prefix length far outside the IPv4 range.
		{cidr: "10.2.2.0/1234", shouldErr: true},
		// Address part is not a full dotted quad.
		{cidr: "10/24", shouldErr: true},
		// Presumably rejected because the address has bits set outside
		// the /24 mask, i.e. it is not the network address - confirm
		// against validateCIDRBlock.
		{cidr: "10.2.2.2/24", shouldErr: true},
	}

	for _, tc := range cases {
		err := validateCIDRBlock(tc.cidr)
		switch {
		case tc.shouldErr && err == nil:
			t.Fatalf("Input '%s' should error but didn't!", tc.cidr)
		case !tc.shouldErr && err != nil:
			t.Fatalf("Got unexpected error for '%s' input: %s", tc.cidr, err)
		}
	}
}