hashicorp · Ninir · Oct 10, 2017 · Oct 5, 2017
diff --git a/aws/resource_aws_security_group.go b/aws/resource_aws_security_group.go
@@ -132,6 +132,12 @@ func resourceAwsSecurityGroup() *schema.Resource {
 							Optional: true,
 							Default:  false,
 						},
+
+						"description": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validateSecurityGroupRuleDescription,
+						},
 					},
 				},
 				Set: resourceAwsSecurityGroupRuleHash,
@@ -195,6 +201,12 @@ func resourceAwsSecurityGroup() *schema.Resource {
 							Optional: true,
 							Default:  false,
 						},
+
+						"description": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validateSecurityGroupRuleDescription,
+						},
 					},
 				},
 				Set: resourceAwsSecurityGroupRuleHash,
@@ -500,6 +512,9 @@ func resourceAwsSecurityGroupRuleHash(v interface{}) int {
 			buf.WriteString(fmt.Sprintf("%s-", v))
 		}
 	}
+	if m["description"].(string) != "" {
+		buf.WriteString(fmt.Sprintf("%s-", m["description"].(string)))
+	}
 
 	return hashcode.String(buf.String())
 }
@@ -526,6 +541,8 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 		m["to_port"] = toPort
 		m["protocol"] = *perm.IpProtocol
 
+		var description string
+
 		if len(perm.IpRanges) > 0 {
 			raw, ok := m["cidr_blocks"]
 			if !ok {
@@ -535,6 +552,11 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 
 			for _, ip := range perm.IpRanges {
 				list = append(list, *ip.CidrIp)
+
+				desc := aws.StringValue(ip.Description)
+				if desc != "" {
+					description = desc
+				}
 			}
 
 			m["cidr_blocks"] = list
@@ -549,6 +571,11 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 
 			for _, ip := range perm.Ipv6Ranges {
 				list = append(list, *ip.CidrIpv6)
+
+				desc := aws.StringValue(ip.Description)
+				if desc != "" {
+					description = desc
+				}
 			}
 
 			m["ipv6_cidr_blocks"] = list
@@ -563,6 +590,11 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 
 			for _, pl := range perm.PrefixListIds {
 				list = append(list, *pl.PrefixListId)
+
+				desc := aws.StringValue(pl.Description)
+				if desc != "" {
+					description = desc
+				}
 			}
 
 			m["prefix_list_ids"] = list
@@ -573,6 +605,11 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 			if *g.GroupId == groupId {
 				groups[i], groups = groups[len(groups)-1], groups[:len(groups)-1]
 				m["self"] = true
+
+				desc := aws.StringValue(g.Description)
+				if desc != "" {
+					description = desc
+				}
 			}
 		}
 
@@ -589,10 +626,17 @@ func resourceAwsSecurityGroupIPPermGather(groupId string, permissions []*ec2.IpP
 				} else {
 					list.Add(*g.GroupId)
 				}
+
+				desc := aws.StringValue(g.Description)
+				if desc != "" {
+					description = desc
+				}
 			}
 
 			m["security_groups"] = list
 		}
+
+		m["description"] = description
 	}
 	rules := make([]map[string]interface{}, 0, len(ruleMap))
 	for _, m := range ruleMap {
@@ -1009,6 +1053,11 @@ func matchRules(rType string, local []interface{}, remote []map[string]interface
 										delete(r, "security_groups")
 									}
 
+									// copy over any remote rule description
+									if _, ok := r["description"]; ok {
+										l["description"] = r["description"]
+									}
+
 									saves = append(saves, l)
 								}
 							}

diff --git a/aws/resource_aws_security_group_rule.go b/aws/resource_aws_security_group_rule.go
@@ -21,6 +21,7 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsSecurityGroupRuleCreate,
 		Read:   resourceAwsSecurityGroupRuleRead,
+		Update: resourceAwsSecurityGroupRuleUpdate,
 		Delete: resourceAwsSecurityGroupRuleDelete,
 
 		SchemaVersion: 2,
@@ -102,6 +103,12 @@ func resourceAwsSecurityGroupRule() *schema.Resource {
 				ForceNew:      true,
 				ConflictsWith: []string{"cidr_blocks"},
 			},
+
+			"description": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validateSecurityGroupRuleDescription,
+			},
 		},
 	}
 }
@@ -275,9 +282,22 @@ func resourceAwsSecurityGroupRuleRead(d *schema.ResourceData, meta interface{})
 	if err := setFromIPPerm(d, sg, p); err != nil {
 		return errwrap.Wrapf("Error setting IP Permission for Security Group Rule: {{err}}", err)
 	}
+	setDescriptionFromIPPerm(d, rule)
 	return nil
 }
 
+func resourceAwsSecurityGroupRuleUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ec2conn
+
+	if d.HasChange("description") {
+		if err := resourceSecurityGroupRuleDescriptionUpdate(conn, d); err != nil {
+			return err
+		}
+	}
+
+	return resourceAwsSecurityGroupRuleRead(d, meta)
+}
+
 func resourceAwsSecurityGroupRuleDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).ec2conn
 	sg_id := d.Get("security_group_id").(string)
@@ -554,6 +574,8 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 		}
 	}
 
+	description := d.Get("description").(string)
+
 	if len(groups) > 0 {
 		perm.UserIdGroupPairs = make([]*ec2.UserIdGroupPair, len(groups))
 		// build string list of group name/ids
@@ -578,6 +600,10 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 				perm.UserIdGroupPairs[i].GroupName = aws.String(id)
 				perm.UserIdGroupPairs[i].UserId = nil
 			}
+
+			if description != "" {
+				perm.UserIdGroupPairs[i].Description = aws.String(description)
+			}
 		}
 	}
 
@@ -590,6 +616,10 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 				return nil, fmt.Errorf("empty element found in cidr_blocks - consider using the compact function")
 			}
 			perm.IpRanges[i] = &ec2.IpRange{CidrIp: aws.String(cidrIP)}
+
+			if description != "" {
+				perm.IpRanges[i].Description = aws.String(description)
+			}
 		}
 	}
 
@@ -602,6 +632,10 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 				return nil, fmt.Errorf("empty element found in ipv6_cidr_blocks - consider using the compact function")
 			}
 			perm.Ipv6Ranges[i] = &ec2.Ipv6Range{CidrIpv6: aws.String(cidrIP)}
+
+			if description != "" {
+				perm.Ipv6Ranges[i].Description = aws.String(description)
+			}
 		}
 	}
 
@@ -614,6 +648,10 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 				return nil, fmt.Errorf("empty element found in prefix_list_ids - consider using the compact function")
 			}
 			perm.PrefixListIds[i] = &ec2.PrefixListId{PrefixListId: aws.String(prefixListID)}
+
+			if description != "" {
+				perm.PrefixListIds[i].Description = aws.String(description)
+			}
 		}
 	}
 
@@ -631,7 +669,6 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
 	for _, c := range rule.IpRanges {
 		cb = append(cb, *c.CidrIp)
 	}
-
 	d.Set("cidr_blocks", cb)
 
 	var ipv6 []string
@@ -659,6 +696,40 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
 	return nil
 }
 
+func setDescriptionFromIPPerm(d *schema.ResourceData, rule *ec2.IpPermission) {
+	var description string
+
+	for _, c := range rule.IpRanges {
+		desc := aws.StringValue(c.Description)
+		if desc != "" {
+			description = desc
+		}
+	}
+
+	for _, ip := range rule.Ipv6Ranges {
+		desc := aws.StringValue(ip.Description)
+		if desc != "" {
+			description = desc
+		}
+	}
+
+	for _, p := range rule.PrefixListIds {
+		desc := aws.StringValue(p.Description)
+		if desc != "" {
+			description = desc
+		}
+	}
+
+	if len(rule.UserIdGroupPairs) > 0 {
+		desc := aws.StringValue(rule.UserIdGroupPairs[0].Description)
+		if desc != "" {
+			description = desc
+		}
+	}
+
+	d.Set("description", description)
+}
+
 // Validates that either 'cidr_blocks', 'ipv6_cidr_blocks', 'self', or 'source_security_group_id' is set
 func validateAwsSecurityGroupRule(d *schema.ResourceData) error {
 	_, blocksOk := d.GetOk("cidr_blocks")
@@ -672,3 +743,51 @@ func validateAwsSecurityGroupRule(d *schema.ResourceData) error {
 	}
 	return nil
 }
+
+func resourceSecurityGroupRuleDescriptionUpdate(conn *ec2.EC2, d *schema.ResourceData) error {
+	sg_id := d.Get("security_group_id").(string)
+
+	awsMutexKV.Lock(sg_id)
+	defer awsMutexKV.Unlock(sg_id)
+
+	sg, err := findResourceSecurityGroup(conn, sg_id)
+	if err != nil {
+		return err
+	}
+
+	perm, err := expandIPPerm(d, sg)
+	if err != nil {
+		return err
+	}
+	ruleType := d.Get("type").(string)
+	switch ruleType {
+	case "ingress":
+		req := &ec2.UpdateSecurityGroupRuleDescriptionsIngressInput{
+			GroupId:       sg.GroupId,
+			IpPermissions: []*ec2.IpPermission{perm},
+		}
+
+		_, err = conn.UpdateSecurityGroupRuleDescriptionsIngress(req)
+
+		if err != nil {
+			return fmt.Errorf(
+				"Error updating security group %s rule description: %s",
+				sg_id, err)
+		}
+	case "egress":
+		req := &ec2.UpdateSecurityGroupRuleDescriptionsEgressInput{
+			GroupId:       sg.GroupId,
+			IpPermissions: []*ec2.IpPermission{perm},
+		}
+
+		_, err = conn.UpdateSecurityGroupRuleDescriptionsEgress(req)
+
+		if err != nil {
+			return fmt.Errorf(
+				"Error updating security group %s rule description: %s",
+				sg_id, err)
+		}
+	}
+
+	return nil
+}