From 5245328065f6638785d1ab160d5eb0951560903d Mon Sep 17 00:00:00 2001
From: Ignacio Galarza
Date: Mon, 14 Oct 2019 12:14:25 -0500
Subject: [PATCH 1/4] Added Icmp to NSG Rule Protocol validation + test
---
 .../resource_arm_network_security_group.go | 1 +
 ...resource_arm_network_security_rule_test.go | 866 +++++++++---------
 2 files changed, 434 insertions(+), 433 deletions(-)
diff --git a/azurerm/resource_arm_network_security_group.go b/azurerm/resource_arm_network_security_group.go
index f62ae744eadf..3433bad3d90f 100644
--- a/azurerm/resource_arm_network_security_group.go
+++ b/azurerm/resource_arm_network_security_group.go
@@ -74,6 +74,7 @@ func resourceArmNetworkSecurityGroup() *schema.Resource {
 string(network.SecurityRuleProtocolAsterisk),
 string(network.SecurityRuleProtocolTCP),
 string(network.SecurityRuleProtocolUDP),
+ string(network.SecurityRuleProtocolIcmp),
 }, true),
 DiffSuppressFunc: suppress.CaseDifference,
 },
diff --git a/azurerm/resource_arm_network_security_rule_test.go b/azurerm/resource_arm_network_security_rule_test.go
index dcce030983b5..b844e3e7beea 100644
--- a/azurerm/resource_arm_network_security_rule_test.go
+++ b/azurerm/resource_arm_network_security_rule_test.go
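Review bot: The added `string(network.SecurityRuleProtocolIcmp),` entry extends only the protocol list inside `resourceArmNetworkSecurityGroup`, but the test changed in this same patch sets `protocol = "Icmp"` on the standalone `azurerm_network_security_rule` resource, whose schema file is not in this patch's diffstat. Unless that resource's validation list gets the same entry (possibly in a later patch of the series, not visible here), the changed acceptance test would presumably fail validation. The path this hunk actually changes, a rule declared inside the security group, also has no test in this patch. I would add the matching entry to the rule resource and a security-group test config that uses `protocol = "Icmp"`. The enclosing function starts and ends outside the hunk.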
@@ -1,433 +1,433 @@ -package azurerm - -import ( - "fmt" - "net/http" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/terraform" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" -) - -func TestAccAzureRMNetworkSecurityRule_basic(t *testing.T) { - resourceName := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_requiresImport(t *testing.T) { - if !features.ShouldResourcesBeImported() { - t.Skip("Skipping since resources aren't required to be imported") - return - } - - resourceName := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - location := testLocation() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, location), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - Config: testAccAzureRMNetworkSecurityRule_requiresImport(rInt, location), - ExpectError: 
testRequiresImportError("azurerm_network_security_rule"), - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_disappears(t *testing.T) { - resourceGroup := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceGroup), - testCheckAzureRMNetworkSecurityRuleDisappears(resourceGroup), - ), - ExpectNonEmptyPlan: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_addingRules(t *testing.T) { - rInt := tf.AccRandTimeInt() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_updateBasic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test1"), - ), - }, - - { - Config: testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test2"), - ), - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_augmented(t *testing.T) { - resourceName := "azurerm_network_security_rule.test1" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_augmented(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - 
testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_applicationSecurityGroups(t *testing.T) { - resourceName := "azurerm_network_security_rule.test1" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func testCheckAzureRMNetworkSecurityRuleExists(resourceName string) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] - if !ok { - return fmt.Errorf("Not found: %s", resourceName) - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] - if !hasResourceGroup { - return fmt.Errorf("Bad: no resource group found in state for network security rule: %q", sgName) - } - - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - - resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) - if err != nil { - if utils.ResponseWasNotFound(resp.Response) { - return fmt.Errorf("Bad: Network Security Rule %q (resource group: %q) (network security group: %q) does not exist", sgrName, sgName, resourceGroup) - } - return fmt.Errorf("Error retrieving Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) - } - - return 
nil - } -} - -func testCheckAzureRMNetworkSecurityRuleDisappears(resourceName string) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] - if !ok { - return fmt.Errorf("Not found: %q", resourceName) - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] - if !hasResourceGroup { - return fmt.Errorf("Bad: no resource group found in state for network security rule: %s", sgName) - } - - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - future, err := client.Delete(ctx, resourceGroup, sgName, sgrName) - if err != nil { - if !response.WasNotFound(future.Response()) { - return fmt.Errorf("Error deleting Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) - } - } - - return nil - } -} - -func testCheckAzureRMNetworkSecurityRuleDestroy(s *terraform.State) error { - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - - for _, rs := range s.RootModule().Resources { - if rs.Type != "azurerm_network_security_rule" { - continue - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup := rs.Primary.Attributes["resource_group_name"] - - resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) - - if err != nil { - return nil - } - - if resp.StatusCode != http.StatusNotFound { - return fmt.Errorf("Network Security Rule still exists:\n%#v", resp.SecurityRulePropertiesFormat) - } - } - - return nil -} - -func testAccAzureRMNetworkSecurityRule_basic(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test" { - name = "acctestRG-%d" - location = "%s" -} - 
-resource "azurerm_network_security_group" "test" { - name = "acceptanceTestSecurityGroup1" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_rule" "test" { - name = "test123" - network_security_group_name = "${azurerm_network_security_group.test.name}" - resource_group_name = "${azurerm_resource_group.test.name}" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_requiresImport(rInt int, location string) string { - template := testAccAzureRMNetworkSecurityRule_basic(rInt, location) - return fmt.Sprintf(` -%s - -resource "azurerm_network_security_rule" "import" { - name = "${azurerm_network_security_rule.test.name}" - network_security_group_name = "${azurerm_network_security_rule.test.network_security_group_name}" - resource_group_name = "${azurerm_network_security_rule.test.resource_group_name}" - priority = "${azurerm_network_security_rule.test.priority}" - direction = "${azurerm_network_security_rule.test.direction}" - access = "${azurerm_network_security_rule.test.access}" - protocol = "${azurerm_network_security_rule.test.protocol}" - source_port_range = "${azurerm_network_security_rule.test.source_port_range}" - destination_port_range = "${azurerm_network_security_rule.test.destination_port_range}" - source_address_prefix = "${azurerm_network_security_rule.test.source_address_prefix}" - destination_address_prefix = "${azurerm_network_security_rule.test.destination_address_prefix}" -} -`, template) -} - -func testAccAzureRMNetworkSecurityRule_updateBasic(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource 
"azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test2" { - name = "testing456" - priority = 101 - direction = "Inbound" - access = "Deny" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_augmented(rInt int, 
location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = ["10000-40000"] - destination_port_ranges = ["80", "443", "8080", "8190"] - source_address_prefixes = ["10.0.0.0/8", "192.168.0.0/16"] - destination_address_prefixes = ["172.16.0.0/20", "8.8.8.8"] - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_application_security_group" "first" { - name = "acctest-first%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_application_security_group" "second" { - name = "acctest-second%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_group" "test" { - name = "acctestnsg-%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - resource_group_name = "${azurerm_resource_group.test.name}" - network_security_group_name = "${azurerm_network_security_group.test.name}" - priority = 100 - direction = "Outbound" - access = "Allow" 
- protocol = "Tcp" - source_application_security_group_ids = ["${azurerm_application_security_group.first.id}"] - destination_application_security_group_ids = ["${azurerm_application_security_group.second.id}"] - source_port_ranges = ["10000-40000"] - destination_port_ranges = ["80", "443", "8080", "8190"] -} -`, rInt, location, rInt, rInt, rInt) -} +package azurerm + +import ( + "fmt" + "net/http" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" +) + +func TestAccAzureRMNetworkSecurityRule_basic(t *testing.T) { + resourceName := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_requiresImport(t *testing.T) { + if !features.ShouldResourcesBeImported() { + t.Skip("Skipping since resources aren't required to be imported") + return + } + + resourceName := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + location := testLocation() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: 
testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, location), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + Config: testAccAzureRMNetworkSecurityRule_requiresImport(rInt, location), + ExpectError: testRequiresImportError("azurerm_network_security_rule"), + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_disappears(t *testing.T) { + resourceGroup := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceGroup), + testCheckAzureRMNetworkSecurityRuleDisappears(resourceGroup), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_addingRules(t *testing.T) { + rInt := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_updateBasic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test1"), + ), + }, + + { + Config: testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test2"), + ), + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_augmented(t *testing.T) { + resourceName := "azurerm_network_security_rule.test1" + rInt := 
tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_augmented(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_applicationSecurityGroups(t *testing.T) { + resourceName := "azurerm_network_security_rule.test1" + rInt := tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testCheckAzureRMNetworkSecurityRuleExists(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Not found: %s", resourceName) + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] + if !hasResourceGroup { + return fmt.Errorf("Bad: no resource group found in state for network security rule: %q", sgName) + } + + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + + resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) + if err != nil { + 
if utils.ResponseWasNotFound(resp.Response) { + return fmt.Errorf("Bad: Network Security Rule %q (resource group: %q) (network security group: %q) does not exist", sgrName, sgName, resourceGroup) + } + return fmt.Errorf("Error retrieving Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) + } + + return nil + } +} + +func testCheckAzureRMNetworkSecurityRuleDisappears(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Not found: %q", resourceName) + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] + if !hasResourceGroup { + return fmt.Errorf("Bad: no resource group found in state for network security rule: %s", sgName) + } + + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + future, err := client.Delete(ctx, resourceGroup, sgName, sgrName) + if err != nil { + if !response.WasNotFound(future.Response()) { + return fmt.Errorf("Error deleting Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) + } + } + + return nil + } +} + +func testCheckAzureRMNetworkSecurityRuleDestroy(s *terraform.State) error { + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + + for _, rs := range s.RootModule().Resources { + if rs.Type != "azurerm_network_security_rule" { + continue + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup := rs.Primary.Attributes["resource_group_name"] + + resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) + + if err != nil { + return nil + } + + if resp.StatusCode 
!= http.StatusNotFound { + return fmt.Errorf("Network Security Rule still exists:\n%#v", resp.SecurityRulePropertiesFormat) + } + } + + return nil +} + +func testAccAzureRMNetworkSecurityRule_basic(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test" { + name = "acceptanceTestSecurityGroup1" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_network_security_rule" "test" { + name = "test123" + network_security_group_name = "${azurerm_network_security_group.test.name}" + resource_group_name = "${azurerm_resource_group.test.name}" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_requiresImport(rInt int, location string) string { + template := testAccAzureRMNetworkSecurityRule_basic(rInt, location) + return fmt.Sprintf(` +%s + +resource "azurerm_network_security_rule" "import" { + name = "${azurerm_network_security_rule.test.name}" + network_security_group_name = "${azurerm_network_security_rule.test.network_security_group_name}" + resource_group_name = "${azurerm_network_security_rule.test.resource_group_name}" + priority = "${azurerm_network_security_rule.test.priority}" + direction = "${azurerm_network_security_rule.test.direction}" + access = "${azurerm_network_security_rule.test.access}" + protocol = "${azurerm_network_security_rule.test.protocol}" + source_port_range = "${azurerm_network_security_rule.test.source_port_range}" + destination_port_range = "${azurerm_network_security_rule.test.destination_port_range}" + source_address_prefix = "${azurerm_network_security_rule.test.source_address_prefix}" + 
destination_address_prefix = "${azurerm_network_security_rule.test.destination_address_prefix}" +} +`, template) +} + +func testAccAzureRMNetworkSecurityRule_updateBasic(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test2" { + name = "testing456" + priority = 101 + direction = "Inbound" + access = "Deny" + protocol = "Icmp" + source_port_range = 
"*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_augmented(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = ["10000-40000"] + destination_port_ranges = ["80", "443", "8080", "8190"] + source_address_prefixes = ["10.0.0.0/8", "192.168.0.0/16"] + destination_address_prefixes = ["172.16.0.0/20", "8.8.8.8"] + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_application_security_group" "first" { + name = "acctest-first%d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_application_security_group" "second" { + name = "acctest-second%d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_network_security_group" "test" { + name = "acctestnsg-%d" + location = "${azurerm_resource_group.test.location}" + 
resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + resource_group_name = "${azurerm_resource_group.test.name}" + network_security_group_name = "${azurerm_network_security_group.test.name}" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_application_security_group_ids = ["${azurerm_application_security_group.first.id}"] + destination_application_security_group_ids = ["${azurerm_application_security_group.second.id}"] + source_port_ranges = ["10000-40000"] + destination_port_ranges = ["80", "443", "8080", "8190"] +} +`, rInt, location, rInt, rInt, rInt) +} From bd8b44c7b147410e47261a92e22b21dca58e4778 Mon Sep 17 00:00:00 2001 From: Ignacio Galarza Date: Mon, 14 Oct 2019 12:20:06 -0500 Subject: [PATCH 2/4] Fixed line ending mistake --- ...resource_arm_network_security_rule_test.go | 866 +++++++++--------- 1 file changed, 433 insertions(+), 433 deletions(-) diff --git a/azurerm/resource_arm_network_security_rule_test.go b/azurerm/resource_arm_network_security_rule_test.go index b844e3e7beea..2ef26178c4a2 100644 --- a/azurerm/resource_arm_network_security_rule_test.go +++ b/azurerm/resource_arm_network_security_rule_test.go 
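Review bot: The one visible functional change in this hunk, `protocol = "Icmp"` on `azurerm_network_security_rule.test2` in `testAccAzureRMNetworkSecurityRule_updateExtraRule`, is verified only by `testCheckAzureRMNetworkSecurityRuleExists`, which fetches the rule but never reads its protocol back. Adding `resource.TestCheckResourceAttr("azurerm_network_security_rule.test2", "protocol", "Icmp"),` to the second step of `TestAccAzureRMNetworkSecurityRule_addingRules` would pin the value that lands in state, so a silent fallback or case normalisation by the API would be caught. Because `test2` was edited in place, the previous Inbound/Deny `Tcp` case is no longer exercised; a separate `Icmp` rule resource would keep both. The remaining removed and added lines look textually identical, so the rewrite appears to be a line-ending change only.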
@@ -1,433 +1,433 @@ -package azurerm - -import ( - "fmt" - "net/http" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/terraform" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" -) - -func TestAccAzureRMNetworkSecurityRule_basic(t *testing.T) { - resourceName := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_requiresImport(t *testing.T) { - if !features.ShouldResourcesBeImported() { - t.Skip("Skipping since resources aren't required to be imported") - return - } - - resourceName := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - location := testLocation() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, location), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - Config: testAccAzureRMNetworkSecurityRule_requiresImport(rInt, location), - ExpectError: 
testRequiresImportError("azurerm_network_security_rule"), - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_disappears(t *testing.T) { - resourceGroup := "azurerm_network_security_rule.test" - rInt := tf.AccRandTimeInt() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceGroup), - testCheckAzureRMNetworkSecurityRuleDisappears(resourceGroup), - ), - ExpectNonEmptyPlan: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_addingRules(t *testing.T) { - rInt := tf.AccRandTimeInt() - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_updateBasic(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test1"), - ), - }, - - { - Config: testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test2"), - ), - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_augmented(t *testing.T) { - resourceName := "azurerm_network_security_rule.test1" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_augmented(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - 
testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAzureRMNetworkSecurityRule_applicationSecurityGroups(t *testing.T) { - resourceName := "azurerm_network_security_rule.test1" - rInt := tf.AccRandTimeInt() - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt, testLocation()), - Check: resource.ComposeTestCheckFunc( - testCheckAzureRMNetworkSecurityRuleExists(resourceName), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func testCheckAzureRMNetworkSecurityRuleExists(resourceName string) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] - if !ok { - return fmt.Errorf("Not found: %s", resourceName) - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] - if !hasResourceGroup { - return fmt.Errorf("Bad: no resource group found in state for network security rule: %q", sgName) - } - - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - - resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) - if err != nil { - if utils.ResponseWasNotFound(resp.Response) { - return fmt.Errorf("Bad: Network Security Rule %q (resource group: %q) (network security group: %q) does not exist", sgrName, sgName, resourceGroup) - } - return fmt.Errorf("Error retrieving Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) - } - - return 
nil - } -} - -func testCheckAzureRMNetworkSecurityRuleDisappears(resourceName string) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] - if !ok { - return fmt.Errorf("Not found: %q", resourceName) - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] - if !hasResourceGroup { - return fmt.Errorf("Bad: no resource group found in state for network security rule: %s", sgName) - } - - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - future, err := client.Delete(ctx, resourceGroup, sgName, sgrName) - if err != nil { - if !response.WasNotFound(future.Response()) { - return fmt.Errorf("Error deleting Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) - } - } - - return nil - } -} - -func testCheckAzureRMNetworkSecurityRuleDestroy(s *terraform.State) error { - client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient - ctx := testAccProvider.Meta().(*ArmClient).StopContext - - for _, rs := range s.RootModule().Resources { - if rs.Type != "azurerm_network_security_rule" { - continue - } - - sgName := rs.Primary.Attributes["network_security_group_name"] - sgrName := rs.Primary.Attributes["name"] - resourceGroup := rs.Primary.Attributes["resource_group_name"] - - resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) - - if err != nil { - return nil - } - - if resp.StatusCode != http.StatusNotFound { - return fmt.Errorf("Network Security Rule still exists:\n%#v", resp.SecurityRulePropertiesFormat) - } - } - - return nil -} - -func testAccAzureRMNetworkSecurityRule_basic(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test" { - name = "acctestRG-%d" - location = "%s" -} - 
-resource "azurerm_network_security_group" "test" { - name = "acceptanceTestSecurityGroup1" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_rule" "test" { - name = "test123" - network_security_group_name = "${azurerm_network_security_group.test.name}" - resource_group_name = "${azurerm_resource_group.test.name}" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_requiresImport(rInt int, location string) string { - template := testAccAzureRMNetworkSecurityRule_basic(rInt, location) - return fmt.Sprintf(` -%s - -resource "azurerm_network_security_rule" "import" { - name = "${azurerm_network_security_rule.test.name}" - network_security_group_name = "${azurerm_network_security_rule.test.network_security_group_name}" - resource_group_name = "${azurerm_network_security_rule.test.resource_group_name}" - priority = "${azurerm_network_security_rule.test.priority}" - direction = "${azurerm_network_security_rule.test.direction}" - access = "${azurerm_network_security_rule.test.access}" - protocol = "${azurerm_network_security_rule.test.protocol}" - source_port_range = "${azurerm_network_security_rule.test.source_port_range}" - destination_port_range = "${azurerm_network_security_rule.test.destination_port_range}" - source_address_prefix = "${azurerm_network_security_rule.test.source_address_prefix}" - destination_address_prefix = "${azurerm_network_security_rule.test.destination_address_prefix}" -} -`, template) -} - -func testAccAzureRMNetworkSecurityRule_updateBasic(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource 
"azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test2" { - name = "testing456" - priority = 101 - direction = "Inbound" - access = "Deny" - protocol = "Icmp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_augmented(rInt int, 
location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test1" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_network_security_group" "test1" { - name = "acceptanceTestSecurityGroup2" - location = "${azurerm_resource_group.test1.location}" - resource_group_name = "${azurerm_resource_group.test1.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - priority = 100 - direction = "Outbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = ["10000-40000"] - destination_port_ranges = ["80", "443", "8080", "8190"] - source_address_prefixes = ["10.0.0.0/8", "192.168.0.0/16"] - destination_address_prefixes = ["172.16.0.0/20", "8.8.8.8"] - resource_group_name = "${azurerm_resource_group.test1.name}" - network_security_group_name = "${azurerm_network_security_group.test1.name}" -} -`, rInt, location) -} - -func testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt int, location string) string { - return fmt.Sprintf(` -resource "azurerm_resource_group" "test" { - name = "acctestRG-%d" - location = "%s" -} - -resource "azurerm_application_security_group" "first" { - name = "acctest-first%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_application_security_group" "second" { - name = "acctest-second%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_group" "test" { - name = "acctestnsg-%d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" -} - -resource "azurerm_network_security_rule" "test1" { - name = "test123" - resource_group_name = "${azurerm_resource_group.test.name}" - network_security_group_name = "${azurerm_network_security_group.test.name}" - priority = 100 - direction = "Outbound" - access = "Allow" 
- protocol = "Tcp" - source_application_security_group_ids = ["${azurerm_application_security_group.first.id}"] - destination_application_security_group_ids = ["${azurerm_application_security_group.second.id}"] - source_port_ranges = ["10000-40000"] - destination_port_ranges = ["80", "443", "8080", "8190"] -} -`, rInt, location, rInt, rInt, rInt) -} +package azurerm + +import ( + "fmt" + "net/http" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" +) + +func TestAccAzureRMNetworkSecurityRule_basic(t *testing.T) { + resourceName := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_requiresImport(t *testing.T) { + if !features.ShouldResourcesBeImported() { + t.Skip("Skipping since resources aren't required to be imported") + return + } + + resourceName := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + location := testLocation() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: 
testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, location), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + Config: testAccAzureRMNetworkSecurityRule_requiresImport(rInt, location), + ExpectError: testRequiresImportError("azurerm_network_security_rule"), + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_disappears(t *testing.T) { + resourceGroup := "azurerm_network_security_rule.test" + rInt := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_basic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceGroup), + testCheckAzureRMNetworkSecurityRuleDisappears(resourceGroup), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_addingRules(t *testing.T) { + rInt := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_updateBasic(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test1"), + ), + }, + + { + Config: testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test2"), + ), + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_augmented(t *testing.T) { + resourceName := "azurerm_network_security_rule.test1" + rInt := 
tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_augmented(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMNetworkSecurityRule_applicationSecurityGroups(t *testing.T) { + resourceName := "azurerm_network_security_rule.test1" + rInt := tf.AccRandTimeInt() + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMNetworkSecurityRuleExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testCheckAzureRMNetworkSecurityRuleExists(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Not found: %s", resourceName) + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] + if !hasResourceGroup { + return fmt.Errorf("Bad: no resource group found in state for network security rule: %q", sgName) + } + + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + + resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) + if err != nil { + 
if utils.ResponseWasNotFound(resp.Response) { + return fmt.Errorf("Bad: Network Security Rule %q (resource group: %q) (network security group: %q) does not exist", sgrName, sgName, resourceGroup) + } + return fmt.Errorf("Error retrieving Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) + } + + return nil + } +} + +func testCheckAzureRMNetworkSecurityRuleDisappears(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Not found: %q", resourceName) + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"] + if !hasResourceGroup { + return fmt.Errorf("Bad: no resource group found in state for network security rule: %s", sgName) + } + + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + future, err := client.Delete(ctx, resourceGroup, sgName, sgrName) + if err != nil { + if !response.WasNotFound(future.Response()) { + return fmt.Errorf("Error deleting Network Security Rule %q (NSG %q / Resource Group %q): %+v", sgrName, sgName, resourceGroup, err) + } + } + + return nil + } +} + +func testCheckAzureRMNetworkSecurityRuleDestroy(s *terraform.State) error { + client := testAccProvider.Meta().(*ArmClient).Network.SecurityRuleClient + ctx := testAccProvider.Meta().(*ArmClient).StopContext + + for _, rs := range s.RootModule().Resources { + if rs.Type != "azurerm_network_security_rule" { + continue + } + + sgName := rs.Primary.Attributes["network_security_group_name"] + sgrName := rs.Primary.Attributes["name"] + resourceGroup := rs.Primary.Attributes["resource_group_name"] + + resp, err := client.Get(ctx, resourceGroup, sgName, sgrName) + + if err != nil { + return nil + } + + if resp.StatusCode 
!= http.StatusNotFound { + return fmt.Errorf("Network Security Rule still exists:\n%#v", resp.SecurityRulePropertiesFormat) + } + } + + return nil +} + +func testAccAzureRMNetworkSecurityRule_basic(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test" { + name = "acceptanceTestSecurityGroup1" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_network_security_rule" "test" { + name = "test123" + network_security_group_name = "${azurerm_network_security_group.test.name}" + resource_group_name = "${azurerm_resource_group.test.name}" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_requiresImport(rInt int, location string) string { + template := testAccAzureRMNetworkSecurityRule_basic(rInt, location) + return fmt.Sprintf(` +%s + +resource "azurerm_network_security_rule" "import" { + name = "${azurerm_network_security_rule.test.name}" + network_security_group_name = "${azurerm_network_security_rule.test.network_security_group_name}" + resource_group_name = "${azurerm_network_security_rule.test.resource_group_name}" + priority = "${azurerm_network_security_rule.test.priority}" + direction = "${azurerm_network_security_rule.test.direction}" + access = "${azurerm_network_security_rule.test.access}" + protocol = "${azurerm_network_security_rule.test.protocol}" + source_port_range = "${azurerm_network_security_rule.test.source_port_range}" + destination_port_range = "${azurerm_network_security_rule.test.destination_port_range}" + source_address_prefix = "${azurerm_network_security_rule.test.source_address_prefix}" + 
destination_address_prefix = "${azurerm_network_security_rule.test.destination_address_prefix}" +} +`, template) +} + +func testAccAzureRMNetworkSecurityRule_updateBasic(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_updateExtraRule(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test2" { + name = "testing456" + priority = 101 + direction = "Inbound" + access = "Deny" + protocol = "Icmp" + source_port_range = 
"*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_augmented(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test1" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_network_security_group" "test1" { + name = "acceptanceTestSecurityGroup2" + location = "${azurerm_resource_group.test1.location}" + resource_group_name = "${azurerm_resource_group.test1.name}" +} + +resource "azurerm_network_security_rule" "test1" { + name = "test123" + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = ["10000-40000"] + destination_port_ranges = ["80", "443", "8080", "8190"] + source_address_prefixes = ["10.0.0.0/8", "192.168.0.0/16"] + destination_address_prefixes = ["172.16.0.0/20", "8.8.8.8"] + resource_group_name = "${azurerm_resource_group.test1.name}" + network_security_group_name = "${azurerm_network_security_group.test1.name}" +} +`, rInt, location) +} + +func testAccAzureRMNetworkSecurityRule_applicationSecurityGroups(rInt int, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_application_security_group" "first" { + name = "acctest-first%d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_application_security_group" "second" { + name = "acctest-second%d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" +} + +resource "azurerm_network_security_group" "test" { + name = "acctestnsg-%d" + location = "${azurerm_resource_group.test.location}" + 
resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_network_security_rule" "test1" {
+ name = "test123"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ network_security_group_name = "${azurerm_network_security_group.test.name}"
+ priority = 100
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_application_security_group_ids = ["${azurerm_application_security_group.first.id}"]
+ destination_application_security_group_ids = ["${azurerm_application_security_group.second.id}"]
+ source_port_ranges = ["10000-40000"]
+ destination_port_ranges = ["80", "443", "8080", "8190"]
+}
+`, rInt, location, rInt, rInt, rInt)
+}
From bbe5828f19b356fe6e8172982db516b299ad4282 Mon Sep 17 00:00:00 2001
From: Ignacio Galarza
Date: Tue, 15 Oct 2019 12:49:56 -0500
Subject: [PATCH 3/4] Added validation for security rule
---
 azurerm/resource_arm_network_security_rule.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/azurerm/resource_arm_network_security_rule.go b/azurerm/resource_arm_network_security_rule.go
index d0669d3caf19..056eec18c4bc 100644
--- a/azurerm/resource_arm_network_security_rule.go
+++ b/azurerm/resource_arm_network_security_rule.go
@@ -61,6 +61,7 @@ func resourceArmNetworkSecurityRule() *schema.Resource {
 string(network.SecurityRuleProtocolAsterisk),
 string(network.SecurityRuleProtocolTCP),
 string(network.SecurityRuleProtocolUDP),
+ string(network.SecurityRuleProtocolIcmp),
 }, true),
 DiffSuppressFunc: suppress.CaseDifference,
 },
From 8bb8a4a5ffaa467d01217bca7a4d611e69a0c172 Mon Sep 17 00:00:00 2001
From: Ignacio Galarza
Date: Tue, 15 Oct 2019 12:50:06 -0500
Subject: [PATCH 4/4] Updated docs
---
 website/docs/r/network_security_group.html.markdown | 2 +-
 website/docs/r/network_security_rule.html.markdown | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
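Review bot: The accepted `protocol` values in this hunk of azurerm/resource_arm_network_security_rule.go are a second hand-maintained copy of the list in `resourceArmNetworkSecurityGroup`, and the two copies already drifted inside this series. Patch 1/4 added `Icmp` only to the group resource while its test sets `protocol = "Icmp"` on an `azurerm_network_security_rule`, so that config would presumably have been rejected by this validator until this commit. I would define the list once, for example `var securityRuleProtocols = []string{string(network.SecurityRuleProtocolAsterisk), string(network.SecurityRuleProtocolTCP), string(network.SecurityRuleProtocolUDP), string(network.SecurityRuleProtocolIcmp)}` (suggested name), and pass it to the validator in both schemas so a filtering rule cannot be valid in one resource and invalid in the other. The only `Icmp` case the series exercises is an inbound `Deny` rule with `*` port ranges; whether explicit port ranges should be rejected for `Icmp` is not visible here and is worth confirming. `resourceArmNetworkSecurityRule` starts and ends outside the hunk.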
diff --git a/website/docs/r/network_security_group.html.markdown b/website/docs/r/network_security_group.html.markdown index 6e5dbc1c9c6a..0cf2037e4baf 100644 --- a/website/docs/r/network_security_group.html.markdown +++ b/website/docs/r/network_security_group.html.markdown @@ -67,7 +67,7 @@ Elements of `security_rule` support: * `description` - (Optional) A description for this rule. Restricted to 140 characters. -* `protocol` - (Required) Network protocol this rule applies to. Can be `Tcp`, `Udp` or `*` to match both. +* `protocol` - (Required) Network protocol this rule applies to. Can be `Tcp`, `Udp`, `Icmp`, or `*` to match all. * `source_port_range` - (Optional) Source Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `source_port_ranges` is not specified. diff --git a/website/docs/r/network_security_rule.html.markdown b/website/docs/r/network_security_rule.html.markdown index f1c565af9226..db711ab21175 100644 --- a/website/docs/r/network_security_rule.html.markdown +++ b/website/docs/r/network_security_rule.html.markdown @@ -56,7 +56,7 @@ The following arguments are supported: * `description` - (Optional) A description for this rule. Restricted to 140 characters. -* `protocol` - (Required) Network protocol this rule applies to. Possible values include `Tcp`, `Udp` or `*` (which matches both). +* `protocol` - (Required) Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). * `source_port_range` - (Optional) Source Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `source_port_ranges` is not specified.