Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate that security group names aren't prefixed with sg- #15011

Closed
wants to merge 1 commit into from
Closed

Validate that security group names aren't prefixed with sg- #15011

wants to merge 1 commit into from

Conversation

tomelliff
Copy link
Contributor

The API docs have this to say:

Constraints: Up to 255 characters in length. Cannot start with sg-.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Didn't see an issue for it but it was mentioned in https://stackoverflow.com/q/63724161/2291321 and thought it could with the extra validation adding.

Release note for CHANGELOG:

resource/aws_security_group: Provide additional plan-time validation for `name`

Output from acceptance testing:

make testacc TESTARGS='-parallel=5 -run=TestAccAWSSecurityGroup_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -parallel=5 -run=TestAccAWSSecurityGroup_ -timeout 120m
=== RUN   TestAccAWSSecurityGroup_allowAll
=== PAUSE TestAccAWSSecurityGroup_allowAll
=== RUN   TestAccAWSSecurityGroup_sourceSecurityGroup
=== PAUSE TestAccAWSSecurityGroup_sourceSecurityGroup
=== RUN   TestAccAWSSecurityGroup_IPRangeAndSecurityGroupWithSameRules
=== PAUSE TestAccAWSSecurityGroup_IPRangeAndSecurityGroupWithSameRules
=== RUN   TestAccAWSSecurityGroup_IPRangesWithSameRules
=== PAUSE TestAccAWSSecurityGroup_IPRangesWithSameRules
=== RUN   TestAccAWSSecurityGroup_basic
=== PAUSE TestAccAWSSecurityGroup_basic
=== RUN   TestAccAWSSecurityGroup_egressConfigMode
=== PAUSE TestAccAWSSecurityGroup_egressConfigMode
=== RUN   TestAccAWSSecurityGroup_ingressConfigMode
=== PAUSE TestAccAWSSecurityGroup_ingressConfigMode
=== RUN   TestAccAWSSecurityGroup_ruleGathering
=== PAUSE TestAccAWSSecurityGroup_ruleGathering
=== RUN   TestAccAWSSecurityGroup_forceRevokeRulesTrue
=== PAUSE TestAccAWSSecurityGroup_forceRevokeRulesTrue
=== RUN   TestAccAWSSecurityGroup_forceRevokeRulesFalse
=== PAUSE TestAccAWSSecurityGroup_forceRevokeRulesFalse
=== RUN   TestAccAWSSecurityGroup_ipv6
=== PAUSE TestAccAWSSecurityGroup_ipv6
=== RUN   TestAccAWSSecurityGroup_namePrefix
=== PAUSE TestAccAWSSecurityGroup_namePrefix
=== RUN   TestAccAWSSecurityGroup_self
=== PAUSE TestAccAWSSecurityGroup_self
=== RUN   TestAccAWSSecurityGroup_vpc
=== PAUSE TestAccAWSSecurityGroup_vpc
=== RUN   TestAccAWSSecurityGroup_vpcNegOneIngress
=== PAUSE TestAccAWSSecurityGroup_vpcNegOneIngress
=== RUN   TestAccAWSSecurityGroup_vpcProtoNumIngress
=== PAUSE TestAccAWSSecurityGroup_vpcProtoNumIngress
=== RUN   TestAccAWSSecurityGroup_multiIngress
=== PAUSE TestAccAWSSecurityGroup_multiIngress
=== RUN   TestAccAWSSecurityGroup_change
=== PAUSE TestAccAWSSecurityGroup_change
=== RUN   TestAccAWSSecurityGroup_ruleDescription
=== PAUSE TestAccAWSSecurityGroup_ruleDescription
=== RUN   TestAccAWSSecurityGroup_generatedName
=== PAUSE TestAccAWSSecurityGroup_generatedName
=== RUN   TestAccAWSSecurityGroup_defaultEgressVPC
=== PAUSE TestAccAWSSecurityGroup_defaultEgressVPC
=== RUN   TestAccAWSSecurityGroup_defaultEgressClassic
=== PAUSE TestAccAWSSecurityGroup_defaultEgressClassic
=== RUN   TestAccAWSSecurityGroup_drift
=== PAUSE TestAccAWSSecurityGroup_drift
=== RUN   TestAccAWSSecurityGroup_driftComplex
=== PAUSE TestAccAWSSecurityGroup_driftComplex
=== RUN   TestAccAWSSecurityGroup_invalidCIDRBlock
=== PAUSE TestAccAWSSecurityGroup_invalidCIDRBlock
=== RUN   TestAccAWSSecurityGroup_tags
=== PAUSE TestAccAWSSecurityGroup_tags
=== RUN   TestAccAWSSecurityGroup_CIDRandGroups
=== PAUSE TestAccAWSSecurityGroup_CIDRandGroups
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGsVPC
=== PAUSE TestAccAWSSecurityGroup_ingressWithCidrAndSGsVPC
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGsClassic
=== PAUSE TestAccAWSSecurityGroup_ingressWithCidrAndSGsClassic
=== RUN   TestAccAWSSecurityGroup_egressWithPrefixList
=== PAUSE TestAccAWSSecurityGroup_egressWithPrefixList
=== RUN   TestAccAWSSecurityGroup_ingressWithPrefixList
=== PAUSE TestAccAWSSecurityGroup_ingressWithPrefixList
=== RUN   TestAccAWSSecurityGroup_ipv4andipv6Egress
=== PAUSE TestAccAWSSecurityGroup_ipv4andipv6Egress
=== RUN   TestAccAWSSecurityGroup_failWithDiffMismatch
=== PAUSE TestAccAWSSecurityGroup_failWithDiffMismatch
=== RUN   TestAccAWSSecurityGroup_ruleLimitExceededAppend
=== PAUSE TestAccAWSSecurityGroup_ruleLimitExceededAppend
=== RUN   TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend
=== PAUSE TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend
=== RUN   TestAccAWSSecurityGroup_ruleLimitExceededPrepend
=== PAUSE TestAccAWSSecurityGroup_ruleLimitExceededPrepend
=== RUN   TestAccAWSSecurityGroup_ruleLimitExceededAllNew
=== PAUSE TestAccAWSSecurityGroup_ruleLimitExceededAllNew
=== RUN   TestAccAWSSecurityGroup_rulesDropOnError
=== PAUSE TestAccAWSSecurityGroup_rulesDropOnError
=== CONT  TestAccAWSSecurityGroup_allowAll
=== CONT  TestAccAWSSecurityGroup_defaultEgressVPC
=== CONT  TestAccAWSSecurityGroup_vpcProtoNumIngress
=== CONT  TestAccAWSSecurityGroup_ipv6
=== CONT  TestAccAWSSecurityGroup_vpcNegOneIngress
2020/09/03 15:33:21 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020/09/03 15:33:21 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
--- PASS: TestAccAWSSecurityGroup_allowAll (53.68s)
=== CONT  TestAccAWSSecurityGroup_vpc
--- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (55.40s)
=== CONT  TestAccAWSSecurityGroup_self
--- PASS: TestAccAWSSecurityGroup_defaultEgressVPC (56.06s)
=== CONT  TestAccAWSSecurityGroup_namePrefix
--- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (56.40s)
=== CONT  TestAccAWSSecurityGroup_ruleDescription
--- PASS: TestAccAWSSecurityGroup_ipv6 (56.73s)
=== CONT  TestAccAWSSecurityGroup_ingressWithPrefixList
--- PASS: TestAccAWSSecurityGroup_namePrefix (46.04s)
=== CONT  TestAccAWSSecurityGroup_generatedName
--- PASS: TestAccAWSSecurityGroup_vpc (55.92s)
=== CONT  TestAccAWSSecurityGroup_egressWithPrefixList
2020/09/03 15:34:34 [DEBUG] Waiting for state to become: [success]
--- PASS: TestAccAWSSecurityGroup_self (57.06s)
=== CONT  TestAccAWSSecurityGroup_tags
--- PASS: TestAccAWSSecurityGroup_ingressWithPrefixList (71.28s)
=== CONT  TestAccAWSSecurityGroup_ingressWithCidrAndSGsClassic
    provider_test.go:492: This test can only run in EC2 Classic, platforms available in us-west-2: ["VPC"]
--- SKIP: TestAccAWSSecurityGroup_ingressWithCidrAndSGsClassic (1.62s)
=== CONT  TestAccAWSSecurityGroup_ingressWithCidrAndSGsVPC
--- PASS: TestAccAWSSecurityGroup_generatedName (44.86s)
=== CONT  TestAccAWSSecurityGroup_CIDRandGroups
--- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (69.48s)
=== CONT  TestAccAWSSecurityGroup_invalidCIDRBlock
--- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (3.38s)
=== CONT  TestAccAWSSecurityGroup_egressConfigMode
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGsVPC (54.38s)
=== CONT  TestAccAWSSecurityGroup_forceRevokeRulesFalse
--- PASS: TestAccAWSSecurityGroup_CIDRandGroups (53.60s)
=== CONT  TestAccAWSSecurityGroup_forceRevokeRulesTrue
--- PASS: TestAccAWSSecurityGroup_ruleDescription (156.30s)
=== CONT  TestAccAWSSecurityGroup_ruleGathering
--- PASS: TestAccAWSSecurityGroup_tags (110.07s)
=== CONT  TestAccAWSSecurityGroup_driftComplex
--- PASS: TestAccAWSSecurityGroup_driftComplex (54.98s)
=== CONT  TestAccAWSSecurityGroup_drift
--- PASS: TestAccAWSSecurityGroup_ruleGathering (72.14s)
=== CONT  TestAccAWSSecurityGroup_defaultEgressClassic
=== CONT  TestAccAWSSecurityGroup_drift
    resource_aws_security_group_test.go:1550: Step 1/2 error: terraform failed: exit status 1
        
        stderr:
        
        Error: Error creating Security Group: VPCIdNotSpecified: No default VPC for this user
        	status code: 400, request id: 16e4970a-e223-45c3-8df7-26e5c6247c23
        
        
--- FAIL: TestAccAWSSecurityGroup_drift (7.44s)
=== CONT  TestAccAWSSecurityGroup_ingressConfigMode
=== CONT  TestAccAWSSecurityGroup_defaultEgressClassic
    provider_test.go:492: This test can only run in EC2 Classic, platforms available in us-west-2: ["VPC"]
--- SKIP: TestAccAWSSecurityGroup_defaultEgressClassic (1.60s)
=== CONT  TestAccAWSSecurityGroup_basic
--- PASS: TestAccAWSSecurityGroup_egressConfigMode (110.16s)
=== CONT  TestAccAWSSecurityGroup_IPRangesWithSameRules
--- PASS: TestAccAWSSecurityGroup_basic (54.60s)
=== CONT  TestAccAWSSecurityGroup_IPRangeAndSecurityGroupWithSameRules
--- PASS: TestAccAWSSecurityGroup_IPRangesWithSameRules (53.32s)
=== CONT  TestAccAWSSecurityGroup_sourceSecurityGroup
--- PASS: TestAccAWSSecurityGroup_ingressConfigMode (109.10s)
=== CONT  TestAccAWSSecurityGroup_change
--- PASS: TestAccAWSSecurityGroup_sourceSecurityGroup (49.72s)
=== CONT  TestAccAWSSecurityGroup_multiIngress
--- PASS: TestAccAWSSecurityGroup_IPRangeAndSecurityGroupWithSameRules (58.95s)
=== CONT  TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend
--- PASS: TestAccAWSSecurityGroup_multiIngress (65.56s)
=== CONT  TestAccAWSSecurityGroup_rulesDropOnError
=== CONT  TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend
    resource_aws_security_group_test.go:2484: Step 2/3, expected an error but got none
--- FAIL: TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend (75.62s)
=== CONT  TestAccAWSSecurityGroup_failWithDiffMismatch
--- PASS: TestAccAWSSecurityGroup_change (107.16s)
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededAppend
--- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (50.29s)
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededPrepend
--- PASS: TestAccAWSSecurityGroup_rulesDropOnError (94.51s)
=== CONT  TestAccAWSSecurityGroup_ipv4andipv6Egress
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededAppend
    resource_aws_security_group_test.go:2443: Step 2/3, expected an error but got none
--- FAIL: TestAccAWSSecurityGroup_ruleLimitExceededAppend (80.60s)
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededAllNew
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededPrepend
    resource_aws_security_group_test.go:2549: Step 2/3, expected an error but got none
--- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (46.29s)
--- FAIL: TestAccAWSSecurityGroup_ruleLimitExceededPrepend (78.31s)
=== CONT  TestAccAWSSecurityGroup_ruleLimitExceededAllNew
    resource_aws_security_group_test.go:2590: Step 2/3, expected an error but got none
--- FAIL: TestAccAWSSecurityGroup_ruleLimitExceededAllNew (78.85s)
--- PASS: TestAccAWSSecurityGroup_forceRevokeRulesFalse (723.13s)
--- PASS: TestAccAWSSecurityGroup_forceRevokeRulesTrue (793.31s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	993.885s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1

Acceptance test errors look linked to #14209 (limit is now 60 by default) and not having a default VPC in the account and region it was ran in. Wouldn't except acceptance test errors from a validation change anyway unless this validation change was a new, breaking thing.

@tomelliff tomelliff requested a review from a team September 3, 2020 14:52
@ghost ghost added size/XS Managed by automation to categorize the size of a PR. service/ec2 Issues and PRs that pertain to the ec2 service. needs-triage Waiting for first response or review from a maintainer. labels Sep 3, 2020
@tomelliff
Validate that security group names aren't prefixed with sg-
c9544f5 
The [API docs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html) have this to say:
> Constraints: Up to 255 characters in length. Cannot start with sg-.
@tomelliff tomelliff force-pushed the validate-security-group-name-isnt-prefixed-with-sg- branch from 43d6456 to c9544f5 Compare September 3, 2020 15:08
Base automatically changed from master to main January 23, 2021 00:58
@breathingdust breathingdust requested a review from a team as a code owner January 23, 2021 00:58
@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 16, 2021
@zhelding
Copy link
Contributor

Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding.

Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single aws directory to a large number of separate directories in internal/service, each corresponding to a particular AWS service. This separation of code has also allowed for us to simplify the names of underlying functions -- while still avoiding namespace collisions.

We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author.

For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000.

For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.

@ewbankkit
Copy link
Contributor

@tomelliff Thanks for the contribution 🎉 👏.
This enhancement has been rolled into #24340.

@ewbankkit ewbankkit closed this Jul 21, 2022
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. size/XS Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tomelliff @zhelding @ewbankkit @breathingdust