func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermission, error) {
var perm ec2.IpPermission
perm.FromPort = aws.Int64(int64(d.Get("from_port").(int)))
perm.ToPort = aws.Int64(int64(d.Get("to_port").(int)))
protocol := protocolForValue(d.Get("protocol").(string))
perm.IpProtocol = aws.String(protocol)
// build a group map that behaves like a set
groups := make(map[string]bool)
if raw, ok := d.GetOk("source_security_group_id"); ok {
groups[raw.(string)] = true
}
if v, ok := d.GetOk("self"); ok && v.(bool) {
if sg.VpcId != nil && *sg.VpcId != "" {
groups[*sg.GroupId] = true
} else {
groups[*sg.GroupName] = true
}
}
if len(groups) > 0 {
perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups))
// build string list of group name/ids
var gl []string
for k, _ := range groups {
gl = append(gl, k)
}
for i, name := range gl {
ownerId, id := "", name
if items := strings.Split(id, "/"); len(items) > 1 {
ownerId, id = items[0], items[1]
}
perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{
GroupId: aws.String(id),
UserId: aws.String(ownerId),
}
if sg.VpcId == nil || *sg.VpcId == "" {
perm.UserIdGroupPairs[i].GroupId = nil
perm.UserIdGroupPairs[i].GroupName = aws.String(id)
perm.UserIdGroupPairs[i].UserId = nil
}
}
}
if raw, ok := d.GetOk("cidr_blocks"); ok {
list := raw.([]interface{})
perm.IpRanges = make([]*ec2.IpRange, len(list))
for i, v := range list {
cidrIP, ok := v.(string)
if !ok {
return nil, fmt.Errorf("empty element found in cidr_blocks - consider using the compact function")
}
perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(cidrIP)}
}
}
if raw, ok := d.GetOk("prefix_list_ids"); ok {
list := raw.([]interface{})
perm.PrefixListIds = make([]*ec2.PrefixListId, len(list))
for i, v := range list {
prefixListID, ok := v.(string)
if !ok {
return nil, fmt.Errorf("empty element found in prefix_list_ids - consider using the compact function")
}
perm.PrefixListIds[i] = &ec2.PrefixListId{PrefixListId: aws.String(prefixListID)}
}
}
return &perm, nil
}
func resourceAwsSecurityGroupImportStatePermPair(sg *ec2.SecurityGroup, ruleType string, perm *ec2.IpPermission) (*schema.ResourceData, error) {
// Construct the rule. We do this by populating the absolute
// minimum necessary for Refresh on the rule to work. This
// happens to be a lot of fields since they're almost all needed
// for de-dupping.
sgId := sg.GroupId
id := ipPermissionIDHash(*sgId, ruleType, perm)
ruleResource := resourceAwsSecurityGroupRule()
d := ruleResource.Data(nil)
d.SetId(id)
d.SetType("aws_security_group_rule")
d.Set("security_group_id", sgId)
d.Set("type", ruleType)
// 'self' is false by default. Below, we range over the group ids and set true
// if the parent sg id is found
d.Set("self", false)
if len(perm.UserIdGroupPairs) > 0 {
s := perm.UserIdGroupPairs[0]
// Check for Pair that is the same as the Security Group, to denote self.
// Otherwise, mark the group id in source_security_group_id
isVPC := sg.VpcId != nil && *sg.VpcId != ""
if isVPC {
if *s.GroupId == *sg.GroupId {
d.Set("self", true)
// prune the self reference from the UserIdGroupPairs, so we don't
// have duplicate sg ids (both self and in source_security_group_id)
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
}
} else {
if *s.GroupName == *sg.GroupName {
d.Set("self", true)
// prune the self reference from the UserIdGroupPairs, so we don't
// have duplicate sg ids (both self and in source_security_group_id)
perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
}
}
}
if err := setFromIPPerm(d, sg, perm); err != nil {
return nil, errwrap.Wrapf("Error importing AWS Security Group: {{err}}", err)
}
return d, nil
}
func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) *ec2.IpPermission {
var perm ec2.IpPermission
perm.FromPort = aws.Int64(int64(d.Get("from_port").(int)))
perm.ToPort = aws.Int64(int64(d.Get("to_port").(int)))
perm.IpProtocol = aws.String(d.Get("protocol").(string))
// build a group map that behaves like a set
groups := make(map[string]bool)
if raw, ok := d.GetOk("source_security_group_id"); ok {
groups[raw.(string)] = true
}
if v, ok := d.GetOk("self"); ok && v.(bool) {
if sg.VpcId != nil && *sg.VpcId != "" {
groups[*sg.GroupId] = true
} else {
groups[*sg.GroupName] = true
}
}
if len(groups) > 0 {
perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups))
// build string list of group name/ids
var gl []string
for k, _ := range groups {
gl = append(gl, k)
}
for i, name := range gl {
ownerId, id := "", name
if items := strings.Split(id, "/"); len(items) > 1 {
ownerId, id = items[0], items[1]
}
perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{
GroupId: aws.String(id),
UserId: aws.String(ownerId),
}
if sg.VpcId == nil || *sg.VpcId == "" {
perm.UserIdGroupPairs[i].GroupId = nil
perm.UserIdGroupPairs[i].GroupName = aws.String(id)
perm.UserIdGroupPairs[i].UserId = nil
}
}
}
if raw, ok := d.GetOk("cidr_blocks"); ok {
list := raw.([]interface{})
perm.IpRanges = make([]*ec2.IpRange, len(list))
for i, v := range list {
perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(v.(string))}
}
}
return &perm
}
func migrateExpandIPPerm(attrs map[string]string) (*ec2.IpPermission, error) {
var perm ec2.IpPermission
tp, err := strconv.Atoi(attrs["to_port"])
if err != nil {
return nil, fmt.Errorf("Error converting to_port in Security Group migration")
}
fp, err := strconv.Atoi(attrs["from_port"])
if err != nil {
return nil, fmt.Errorf("Error converting from_port in Security Group migration")
}
perm.ToPort = aws.Int64(int64(tp))
perm.FromPort = aws.Int64(int64(fp))
perm.IpProtocol = aws.String(attrs["protocol"])
groups := make(map[string]bool)
if attrs["self"] == "true" {
groups[attrs["security_group_id"]] = true
}
if attrs["source_security_group_id"] != "" {
groups[attrs["source_security_group_id"]] = true
}
if len(groups) > 0 {
perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups))
// build string list of group name/ids
var gl []string
for k, _ := range groups {
gl = append(gl, k)
}
for i, name := range gl {
perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{
GroupId: aws.String(name),
}
}
}
var cb []string
for k, v := range attrs {
if k != "cidr_blocks.#" && strings.HasPrefix(k, "cidr_blocks") {
cb = append(cb, v)
}
}
if len(cb) > 0 {
perm.IpRanges = make([]*ec2.IpRange, len(cb))
for i, v := range cb {
perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(v)}
}
}
return &perm, nil
}
// Takes the result of flatmap.Expand for an array of ingress/egress security
// group rules and returns EC2 API compatible objects. This function will error
// if it finds invalid permissions input, namely a protocol of "-1" with either
// to_port or from_port set to a non-zero value.
func expandIPPerms(
group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.IpPermission, error) {
vpc := group.VpcId != nil
perms := make([]*ec2.IpPermission, len(configured))
for i, mRaw := range configured {
var perm ec2.IpPermission
m := mRaw.(map[string]interface{})
perm.FromPort = aws.Int64(int64(m["from_port"].(int)))
perm.ToPort = aws.Int64(int64(m["to_port"].(int)))
perm.IpProtocol = aws.String(m["protocol"].(string))
// When protocol is "-1", AWS won't store any ports for the
// rule, but also won't error if the user specifies ports other
// than '0'. Force the user to make a deliberate '0' port
// choice when specifying a "-1" protocol, and tell them about
// AWS's behavior in the error message.
if *perm.IpProtocol == "-1" && (*perm.FromPort != 0 || *perm.ToPort != 0) {
return nil, fmt.Errorf(
"from_port (%d) and to_port (%d) must both be 0 to use the the 'ALL' \"-1\" protocol!",
*perm.FromPort, *perm.ToPort)
}
var groups []string
if raw, ok := m["security_groups"]; ok {
list := raw.(*schema.Set).List()
for _, v := range list {
groups = append(groups, v.(string))
}
}
if v, ok := m["self"]; ok && v.(bool) {
if vpc {
groups = append(groups, *group.GroupId)
} else {
groups = append(groups, *group.GroupName)
}
}
if len(groups) > 0 {
perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups))
for i, name := range groups {
ownerId, id := "", name
if items := strings.Split(id, "/"); len(items) > 1 {
ownerId, id = items[0], items[1]
}
perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{
GroupId: aws.String(id),
}
if ownerId != "" {
perm.UserIdGroupPairs[i].UserId = aws.String(ownerId)
}
if !vpc {
perm.UserIdGroupPairs[i].GroupId = nil
perm.UserIdGroupPairs[i].GroupName = aws.String(id)
}
}
}
if raw, ok := m["cidr_blocks"]; ok {
list := raw.([]interface{})
for _, v := range list {
perm.IpRanges = append(perm.IpRanges, &ec2.IpRange{CidrIp: aws.String(v.(string))})
}
}
perms[i] = &perm
}
return perms, nil
}
