func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermission, error) { var perm ec2.IpPermission perm.FromPort = aws.Int64(int64(d.Get("from_port").(int))) perm.ToPort = aws.Int64(int64(d.Get("to_port").(int))) protocol := protocolForValue(d.Get("protocol").(string)) perm.IpProtocol = aws.String(protocol) // build a group map that behaves like a set groups := make(map[string]bool) if raw, ok := d.GetOk("source_security_group_id"); ok { groups[raw.(string)] = true } if v, ok := d.GetOk("self"); ok && v.(bool) { if sg.VpcId != nil && *sg.VpcId != "" { groups[*sg.GroupId] = true } else { groups[*sg.GroupName] = true } } if len(groups) > 0 { perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups)) // build string list of group name/ids var gl []string for k, _ := range groups { gl = append(gl, k) } for i, name := range gl { ownerId, id := "", name if items := strings.Split(id, "/"); len(items) > 1 { ownerId, id = items[0], items[1] } perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{ GroupId: aws.String(id), UserId: aws.String(ownerId), } if sg.VpcId == nil || *sg.VpcId == "" { perm.UserIdGroupPairs[i].GroupId = nil perm.UserIdGroupPairs[i].GroupName = aws.String(id) perm.UserIdGroupPairs[i].UserId = nil } } } if raw, ok := d.GetOk("cidr_blocks"); ok { list := raw.([]interface{}) perm.IpRanges = make([]*ec2.IpRange, len(list)) for i, v := range list { cidrIP, ok := v.(string) if !ok { return nil, fmt.Errorf("empty element found in cidr_blocks - consider using the compact function") } perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(cidrIP)} } } if raw, ok := d.GetOk("prefix_list_ids"); ok { list := raw.([]interface{}) perm.PrefixListIds = make([]*ec2.PrefixListId, len(list)) for i, v := range list { prefixListID, ok := v.(string) if !ok { return nil, fmt.Errorf("empty element found in prefix_list_ids - consider using the compact function") } perm.PrefixListIds[i] = &ec2.PrefixListId{PrefixListId: aws.String(prefixListID)} } } return &perm, nil }
func resourceAwsSecurityGroupImportStatePermPair(sg *ec2.SecurityGroup, ruleType string, perm *ec2.IpPermission) (*schema.ResourceData, error) { // Construct the rule. We do this by populating the absolute // minimum necessary for Refresh on the rule to work. This // happens to be a lot of fields since they're almost all needed // for de-dupping. sgId := sg.GroupId id := ipPermissionIDHash(*sgId, ruleType, perm) ruleResource := resourceAwsSecurityGroupRule() d := ruleResource.Data(nil) d.SetId(id) d.SetType("aws_security_group_rule") d.Set("security_group_id", sgId) d.Set("type", ruleType) // 'self' is false by default. Below, we range over the group ids and set true // if the parent sg id is found d.Set("self", false) if len(perm.UserIdGroupPairs) > 0 { s := perm.UserIdGroupPairs[0] // Check for Pair that is the same as the Security Group, to denote self. // Otherwise, mark the group id in source_security_group_id isVPC := sg.VpcId != nil && *sg.VpcId != "" if isVPC { if *s.GroupId == *sg.GroupId { d.Set("self", true) // prune the self reference from the UserIdGroupPairs, so we don't // have duplicate sg ids (both self and in source_security_group_id) perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...) } } else { if *s.GroupName == *sg.GroupName { d.Set("self", true) // prune the self reference from the UserIdGroupPairs, so we don't // have duplicate sg ids (both self and in source_security_group_id) perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...) } } } if err := setFromIPPerm(d, sg, perm); err != nil { return nil, errwrap.Wrapf("Error importing AWS Security Group: {{err}}", err) } return d, nil }
func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) *ec2.IpPermission { var perm ec2.IpPermission perm.FromPort = aws.Int64(int64(d.Get("from_port").(int))) perm.ToPort = aws.Int64(int64(d.Get("to_port").(int))) perm.IpProtocol = aws.String(d.Get("protocol").(string)) // build a group map that behaves like a set groups := make(map[string]bool) if raw, ok := d.GetOk("source_security_group_id"); ok { groups[raw.(string)] = true } if v, ok := d.GetOk("self"); ok && v.(bool) { if sg.VpcId != nil && *sg.VpcId != "" { groups[*sg.GroupId] = true } else { groups[*sg.GroupName] = true } } if len(groups) > 0 { perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups)) // build string list of group name/ids var gl []string for k, _ := range groups { gl = append(gl, k) } for i, name := range gl { ownerId, id := "", name if items := strings.Split(id, "/"); len(items) > 1 { ownerId, id = items[0], items[1] } perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{ GroupId: aws.String(id), UserId: aws.String(ownerId), } if sg.VpcId == nil || *sg.VpcId == "" { perm.UserIdGroupPairs[i].GroupId = nil perm.UserIdGroupPairs[i].GroupName = aws.String(id) perm.UserIdGroupPairs[i].UserId = nil } } } if raw, ok := d.GetOk("cidr_blocks"); ok { list := raw.([]interface{}) perm.IpRanges = make([]*ec2.IpRange, len(list)) for i, v := range list { perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(v.(string))} } } return &perm }
func migrateExpandIPPerm(attrs map[string]string) (*ec2.IpPermission, error) { var perm ec2.IpPermission tp, err := strconv.Atoi(attrs["to_port"]) if err != nil { return nil, fmt.Errorf("Error converting to_port in Security Group migration") } fp, err := strconv.Atoi(attrs["from_port"]) if err != nil { return nil, fmt.Errorf("Error converting from_port in Security Group migration") } perm.ToPort = aws.Int64(int64(tp)) perm.FromPort = aws.Int64(int64(fp)) perm.IpProtocol = aws.String(attrs["protocol"]) groups := make(map[string]bool) if attrs["self"] == "true" { groups[attrs["security_group_id"]] = true } if attrs["source_security_group_id"] != "" { groups[attrs["source_security_group_id"]] = true } if len(groups) > 0 { perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups)) // build string list of group name/ids var gl []string for k, _ := range groups { gl = append(gl, k) } for i, name := range gl { perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{ GroupId: aws.String(name), } } } var cb []string for k, v := range attrs { if k != "cidr_blocks.#" && strings.HasPrefix(k, "cidr_blocks") { cb = append(cb, v) } } if len(cb) > 0 { perm.IpRanges = make([]*ec2.IpRange, len(cb)) for i, v := range cb { perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(v)} } } return &perm, nil }
// Takes the result of flatmap.Expand for an array of ingress/egress security // group rules and returns EC2 API compatible objects. This function will error // if it finds invalid permissions input, namely a protocol of "-1" with either // to_port or from_port set to a non-zero value. func expandIPPerms( group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.IpPermission, error) { vpc := group.VpcId != nil perms := make([]*ec2.IpPermission, len(configured)) for i, mRaw := range configured { var perm ec2.IpPermission m := mRaw.(map[string]interface{}) perm.FromPort = aws.Int64(int64(m["from_port"].(int))) perm.ToPort = aws.Int64(int64(m["to_port"].(int))) perm.IpProtocol = aws.String(m["protocol"].(string)) // When protocol is "-1", AWS won't store any ports for the // rule, but also won't error if the user specifies ports other // than '0'. Force the user to make a deliberate '0' port // choice when specifying a "-1" protocol, and tell them about // AWS's behavior in the error message. if *perm.IpProtocol == "-1" && (*perm.FromPort != 0 || *perm.ToPort != 0) { return nil, fmt.Errorf( "from_port (%d) and to_port (%d) must both be 0 to use the the 'ALL' \"-1\" protocol!", *perm.FromPort, *perm.ToPort) } var groups []string if raw, ok := m["security_groups"]; ok { list := raw.(*schema.Set).List() for _, v := range list { groups = append(groups, v.(string)) } } if v, ok := m["self"]; ok && v.(bool) { if vpc { groups = append(groups, *group.GroupId) } else { groups = append(groups, *group.GroupName) } } if len(groups) > 0 { perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups)) for i, name := range groups { ownerId, id := "", name if items := strings.Split(id, "/"); len(items) > 1 { ownerId, id = items[0], items[1] } perm.UserIdGroupPairs[i] = &ec2.UserIdGroupPair{ GroupId: aws.String(id), } if ownerId != "" { perm.UserIdGroupPairs[i].UserId = aws.String(ownerId) } if !vpc { perm.UserIdGroupPairs[i].GroupId = nil perm.UserIdGroupPairs[i].GroupName = aws.String(id) } } } if raw, ok := m["cidr_blocks"]; ok { list := raw.([]interface{}) for _, v := range list { perm.IpRanges = append(perm.IpRanges, &ec2.IpRange{CidrIp: aws.String(v.(string))}) } } perms[i] = &perm } return perms, nil }