r/security_group_rule: parse description correctly (#1959)

* r/security_group_rule: parse description correctly * r/security_group_rule: test multi description * fix: use prefix_list_ids only within egress * fix: detect rule by Ipv6Ranges as well
hashicorp · Nov 17, 2017 · 06602d7 · 06602d7
1 parent d315184
commit 06602d7
Show file tree

Hide file tree

Showing 2 changed files with 291 additions and 20 deletions.
diff --git a/aws/resource_aws_security_group_rule.go b/aws/resource_aws_security_group_rule.go
@@ -281,7 +281,9 @@ func resourceAwsSecurityGroupRuleRead(d *schema.ResourceData, meta interface{})
 	if err := setFromIPPerm(d, sg, p); err != nil {
 		return errwrap.Wrapf("Error setting IP Permission for Security Group Rule: {{err}}", err)
 	}
-	setDescriptionFromIPPerm(d, rule)
+
+	d.Set("description", descriptionFromIPPerm(d, rule))
+
 	return nil
 }
 
@@ -695,38 +697,86 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
 	return nil
 }
 
-func setDescriptionFromIPPerm(d *schema.ResourceData, rule *ec2.IpPermission) {
-	var description string
+func descriptionFromIPPerm(d *schema.ResourceData, rule *ec2.IpPermission) string {
+	// probe IpRanges
+	cidrIps := make(map[string]bool)
+	if raw, ok := d.GetOk("cidr_blocks"); ok {
+		for _, v := range raw.([]interface{}) {
+			cidrIps[v.(string)] = true
+		}
+	}
+
+	if len(cidrIps) > 0 {
+		for _, c := range rule.IpRanges {
+			if _, ok := cidrIps[*c.CidrIp]; !ok {
+				continue
+			}
 
-	for _, c := range rule.IpRanges {
-		desc := aws.StringValue(c.Description)
-		if desc != "" {
-			description = desc
+			if desc := aws.StringValue(c.Description); desc != "" {
+				return desc
+			}
 		}
 	}
 
-	for _, ip := range rule.Ipv6Ranges {
-		desc := aws.StringValue(ip.Description)
-		if desc != "" {
-			description = desc
+	// probe Ipv6Ranges
+	cidrIpv6s := make(map[string]bool)
+	if raw, ok := d.GetOk("ipv6_cidr_blocks"); ok {
+		for _, v := range raw.([]interface{}) {
+			cidrIpv6s[v.(string)] = true
 		}
 	}
 
-	for _, p := range rule.PrefixListIds {
-		desc := aws.StringValue(p.Description)
-		if desc != "" {
-			description = desc
+	if len(cidrIpv6s) > 0 {
+		for _, ip := range rule.Ipv6Ranges {
+			if _, ok := cidrIpv6s[*ip.CidrIpv6]; !ok {
+				continue
+			}
+
+			if desc := aws.StringValue(ip.Description); desc != "" {
+				return desc
+			}
 		}
 	}
 
-	if len(rule.UserIdGroupPairs) > 0 {
-		desc := aws.StringValue(rule.UserIdGroupPairs[0].Description)
-		if desc != "" {
-			description = desc
+	// probe PrefixListIds
+	listIds := make(map[string]bool)
+	if raw, ok := d.GetOk("prefix_list_ids"); ok {
+		for _, v := range raw.([]interface{}) {
+			listIds[v.(string)] = true
+		}
+	}
+
+	if len(listIds) > 0 {
+		for _, p := range rule.PrefixListIds {
+			if _, ok := listIds[*p.PrefixListId]; !ok {
+				continue
+			}
+
+			if desc := aws.StringValue(p.Description); desc != "" {
+				return desc
+			}
+		}
+	}
+
+	// probe UserIdGroupPairs
+	groupIds := make(map[string]bool)
+	if raw, ok := d.GetOk("source_security_group_id"); ok {
+		groupIds[raw.(string)] = true
+	}
+
+	if len(groupIds) > 0 {
+		for _, gp := range rule.UserIdGroupPairs {
+			if _, ok := groupIds[*gp.GroupId]; !ok {
+				continue
+			}
+
+			if desc := aws.StringValue(gp.Description); desc != "" {
+				return desc
+			}
 		}
 	}
 
-	d.Set("description", description)
+	return ""
 }
 
 // Validates that either 'cidr_blocks', 'ipv6_cidr_blocks', 'self', or 'source_security_group_id' is set

diff --git a/aws/resource_aws_security_group_rule_test.go b/aws/resource_aws_security_group_rule_test.go
@@ -676,6 +676,139 @@ func TestAccAWSSecurityGroupRule_EgressDescription_updates(t *testing.T) {
 	})
 }
 
+func TestAccAWSSecurityGroupRule_MultiDescription(t *testing.T) {
+	var group ec2.SecurityGroup
+	var nat ec2.SecurityGroup
+	rInt := acctest.RandInt()
+
+	rule1 := ec2.IpPermission{
+		FromPort:   aws.Int64(22),
+		ToPort:     aws.Int64(22),
+		IpProtocol: aws.String("tcp"),
+		IpRanges: []*ec2.IpRange{
+			{CidrIp: aws.String("0.0.0.0/0"), Description: aws.String("CIDR Description")},
+		},
+	}
+
+	rule2 := ec2.IpPermission{
+		FromPort:   aws.Int64(22),
+		ToPort:     aws.Int64(22),
+		IpProtocol: aws.String("tcp"),
+		Ipv6Ranges: []*ec2.Ipv6Range{
+			{CidrIpv6: aws.String("::/0"), Description: aws.String("IPv6 CIDR Description")},
+		},
+	}
+
+	var rule3 ec2.IpPermission
+
+	// This function creates the expected IPPermission with the group id from an
+	// external security group, needed because Security Group IDs are generated on
+	// AWS side and can't be known ahead of time.
+	setupSG := func(*terraform.State) error {
+		if nat.GroupId == nil {
+			return fmt.Errorf("Error: nat group has nil GroupID")
+		}
+
+		rule3 = ec2.IpPermission{
+			FromPort:   aws.Int64(22),
+			ToPort:     aws.Int64(22),
+			IpProtocol: aws.String("tcp"),
+			UserIdGroupPairs: []*ec2.UserIdGroupPair{
+				{GroupId: nat.GroupId, Description: aws.String("NAT SG Description")},
+			},
+		}
+
+		return nil
+	}
+
+	var endpoint ec2.VpcEndpoint
+	var rule4 ec2.IpPermission
+
+	// This function creates the expected IPPermission with the prefix list ID from
+	// the VPC Endpoint created in the test
+	setupPL := func(*terraform.State) error {
+		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		prefixListInput := &ec2.DescribePrefixListsInput{
+			Filters: []*ec2.Filter{
+				{Name: aws.String("prefix-list-name"), Values: []*string{endpoint.ServiceName}},
+			},
+		}
+
+		log.Printf("[DEBUG] Reading VPC Endpoint prefix list: %s", prefixListInput)
+		prefixListsOutput, err := conn.DescribePrefixLists(prefixListInput)
+
+		if err != nil {
+			_, ok := err.(awserr.Error)
+			if !ok {
+				return fmt.Errorf("Error reading VPC Endpoint prefix list: %s", err.Error())
+			}
+		}
+
+		if len(prefixListsOutput.PrefixLists) != 1 {
+			return fmt.Errorf("There are multiple prefix lists associated with the service name '%s'. Unexpected", prefixListsOutput)
+		}
+
+		rule4 = ec2.IpPermission{
+			FromPort:   aws.Int64(22),
+			ToPort:     aws.Int64(22),
+			IpProtocol: aws.String("tcp"),
+			PrefixListIds: []*ec2.PrefixListId{
+				{PrefixListId: prefixListsOutput.PrefixLists[0].PrefixListId, Description: aws.String("Prefix List Description")},
+			},
+		}
+
+		return nil
+	}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSecurityGroupRuleMultiDescription(rInt, "ingress"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSecurityGroupRuleExists("aws_security_group.worker", &group),
+					testAccCheckAWSSecurityGroupRuleExists("aws_security_group.nat", &nat),
+					testAccCheckVpcEndpointExists("aws_vpc_endpoint.s3-us-west-2", &endpoint),
+
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_rule_1", &group, &rule1, "ingress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.ingress_rule_1", "description", "CIDR Description"),
+
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_rule_2", &group, &rule2, "ingress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.ingress_rule_2", "description", "IPv6 CIDR Description"),
+
+					setupSG,
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.ingress_rule_3", &group, &rule3, "ingress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.ingress_rule_3", "description", "NAT SG Description"),
+				),
+			},
+			{
+				Config: testAccAWSSecurityGroupRuleMultiDescription(rInt, "egress"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSecurityGroupRuleExists("aws_security_group.worker", &group),
+					testAccCheckAWSSecurityGroupRuleExists("aws_security_group.nat", &nat),
+					testAccCheckVpcEndpointExists("aws_vpc_endpoint.s3-us-west-2", &endpoint),
+
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_rule_1", &group, &rule1, "egress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.egress_rule_1", "description", "CIDR Description"),
+
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_rule_2", &group, &rule2, "egress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.egress_rule_2", "description", "IPv6 CIDR Description"),
+
+					setupSG,
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_rule_3", &group, &rule3, "egress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.egress_rule_3", "description", "NAT SG Description"),
+
+					setupPL,
+					testAccCheckAWSSecurityGroupRuleAttributes("aws_security_group_rule.egress_rule_4", &group, &rule4, "egress"),
+					resource.TestCheckResourceAttr("aws_security_group_rule.egress_rule_4", "description", "Prefix List Description"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckAWSSecurityGroupRuleDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).ec2conn
 
@@ -797,6 +930,19 @@ func testAccCheckAWSSecurityGroupRuleAttributes(n string, group *ec2.SecurityGro
 				continue
 			}
 
+			remaining = len(p.Ipv6Ranges)
+			for _, ip := range p.Ipv6Ranges {
+				for _, rip := range r.Ipv6Ranges {
+					if *ip.CidrIpv6 == *rip.CidrIpv6 {
+						remaining--
+					}
+				}
+			}
+
+			if remaining > 0 {
+				continue
+			}
+
 			remaining = len(p.UserIdGroupPairs)
 			for _, ip := range p.UserIdGroupPairs {
 				for _, rip := range r.UserIdGroupPairs {
@@ -1015,6 +1161,81 @@ resource "aws_security_group_rule" "ingress_2" {
 }
 `
 
+func testAccAWSSecurityGroupRuleMultiDescription(rInt int, rType string) string {
+	var b bytes.Buffer
+	b.WriteString(fmt.Sprintf(`
+	resource "aws_vpc" "tf_sgrule_description_test" {
+		cidr_block = "10.0.0.0/16"
+		tags { Name = "tf-sg-rule-description" }
+	}
+
+	resource "aws_vpc_endpoint" "s3-us-west-2" {
+		vpc_id = "${aws_vpc.tf_sgrule_description_test.id}"
+		service_name = "com.amazonaws.us-west-2.s3"
+  	}
+
+	resource "aws_security_group" "worker" {
+		name = "terraform_test_%[1]d"
+		vpc_id = "${aws_vpc.tf_sgrule_description_test.id}"
+		description = "Used in the terraform acceptance tests"
+		tags { Name = "tf-sg-rule-description" }
+	}
+
+	resource "aws_security_group" "nat" {
+		name = "terraform_test_%[1]d_nat"
+		vpc_id = "${aws_vpc.tf_sgrule_description_test.id}"
+		description = "Used in the terraform acceptance tests"
+		tags { Name = "tf-sg-rule-description" }
+	}
+
+	resource "aws_security_group_rule" "%[2]s_rule_1" {
+		security_group_id = "${aws_security_group.worker.id}"
+		description = "CIDR Description"
+		type = "%[2]s"
+		protocol = "tcp"
+		from_port = 22
+		to_port = 22
+		cidr_blocks = ["0.0.0.0/0"]
+	}
+
+	resource "aws_security_group_rule" "%[2]s_rule_2" {
+		security_group_id = "${aws_security_group.worker.id}"
+		description = "IPv6 CIDR Description"
+		type = "%[2]s"
+		protocol = "tcp"
+		from_port = 22
+		to_port = 22
+		ipv6_cidr_blocks = ["::/0"]
+	}
+
+	resource "aws_security_group_rule" "%[2]s_rule_3" {
+		security_group_id = "${aws_security_group.worker.id}"
+		description = "NAT SG Description"
+		type = "%[2]s"
+		protocol = "tcp"
+		from_port = 22
+		to_port = 22
+		source_security_group_id = "${aws_security_group.nat.id}"
+	}
+	`, rInt, rType))
+
+	if rType == "egress" {
+		b.WriteString(fmt.Sprintf(`
+	resource "aws_security_group_rule" "egress_rule_4" {
+		security_group_id = "${aws_security_group.worker.id}"
+		description = "Prefix List Description"
+		type = "egress"
+		protocol = "tcp"
+		from_port = 22
+		to_port = 22
+		prefix_list_ids = ["${aws_vpc_endpoint.s3-us-west-2.prefix_list_id}"]
+	}
+		`))
+	}
+
+	return b.String()
+}
+
 // check for GH-1985 regression
 const testAccAWSSecurityGroupRuleConfigSelfReference = `
 provider "aws" {