r/aws_networkmanager_core_network_policy_attachment

[GlennChia]

Description

Creates a new resource that attaches a policy to an existing Core Network. When doing this, it sets the latest policy as the LIVE policy. Refer to the Core network policies documentation for more information.

Clarifications and design choices

1. Since this resource modifies the policy_document, which is currently defined as an argument for the aws_networkmanager_core_network resource, it will lead to diffs after refresh. This is solved by changing it to optional and computed.

2. optional and computed were also chosen because policy_document can also be updated since am optional create_base_policy was introduced to create a base Core Network policy document at create-time. This base policy will be set to the LIVE state. It is important that the Core Network has a LIVE policy because this is required if VPC attachments were to be attached to the Core Network at create-time. Hence, in the next plan or apply, the policy_document needs to be computed to read the policy created from the create_base_policy argument. This new argument is not returned by the read APIs and is added to ImportStateVerifyIgnore.

3. The base policy requires a region. Hence, a base_policy_region argument was introduced for practitioners to pass in their own region. This is useful in scenarios where an organization may not permit resources to be deployed in certain regions and practitioners want to have the flexibility to deploy resources into an allow-listed region. This argument is optional and defaults to the region defined in the providers block. This new argument is not returned by the read APIs and is added to ImportStateVerifyIgnore.

4. The core_network resource also has 2 computed attributes segments and edges that are computed after the policy has been applied. With the new aws_networkmanager_core_network_policy_attachment resource, the computed arguments are not computed immediately after the apply since customized_diff logic will not be triggered because the policy document is not managed by the aws_networkmanager_core_network resource. This can potentially be solved by implementing a data source for core network just for reading the latest attributes.
   

   terraform-provider-aws/internal/service/networkmanager/core_network.go

   Lines 340 to 349 in 88e1985

   	func resourceCoreNetworkCustomizeDiff(_ context.Context, d *schema.ResourceDiff, meta interface{}) error {
   	if d.HasChange("policy_document") {
   	if o, n := d.GetChange("policy_document"); !verify.JSONStringsEqual(o.(string), n.(string)) {
   	d.SetNewComputed("edges")
   	d.SetNewComputed("segments")
   	}
   	}
   	return nil
   	}

Relations

Closes #28867

References

• ExecuteCoreNetworkChangeSet
• PutCoreNetworkPolicy

Output from Acceptance Testing

$ make testacc TESTARGS='-run=TestAccNetworkManagerCoreNetwork' PKG=networkmanager
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/networkmanager/... -v -count 1 -parallel 20  -run=TestAccNetworkManagerCoreNetwork -timeout 180m
=== RUN   TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== RUN   TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
=== RUN   TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== RUN   TestAccNetworkManagerCoreNetwork_basic
=== PAUSE TestAccNetworkManagerCoreNetwork_basic
=== RUN   TestAccNetworkManagerCoreNetwork_disappears
=== PAUSE TestAccNetworkManagerCoreNetwork_disappears
=== RUN   TestAccNetworkManagerCoreNetwork_tags
=== PAUSE TestAccNetworkManagerCoreNetwork_tags
=== RUN   TestAccNetworkManagerCoreNetwork_description
=== PAUSE TestAccNetworkManagerCoreNetwork_description
=== RUN   TestAccNetworkManagerCoreNetwork_policyDocument
=== PAUSE TestAccNetworkManagerCoreNetwork_policyDocument
=== RUN   TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
=== PAUSE TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
=== RUN   TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
=== PAUSE TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
=== RUN   TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
=== PAUSE TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
=== CONT  TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== CONT  TestAccNetworkManagerCoreNetwork_description
=== CONT  TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
=== CONT  TestAccNetworkManagerCoreNetwork_disappears
=== CONT  TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
=== CONT  TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
=== CONT  TestAccNetworkManagerCoreNetwork_basic
=== CONT  TestAccNetworkManagerCoreNetwork_policyDocument
=== CONT  TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
=== CONT  TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== CONT  TestAccNetworkManagerCoreNetwork_tags
--- PASS: TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic (16.71s)
--- PASS: TestAccNetworkManagerCoreNetwork_basic (56.99s)
--- PASS: TestAccNetworkManagerCoreNetwork_disappears (74.55s)
--- PASS: TestAccNetworkManagerCoreNetwork_description (86.32s)
--- PASS: TestAccNetworkManagerCoreNetwork_tags (101.51s)
--- PASS: TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion (415.17s)
--- PASS: TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion (446.75s)
--- PASS: TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument (536.58s)
--- PASS: TestAccNetworkManagerCoreNetwork_policyDocument (694.38s)
--- PASS: TestAccNetworkManagerCoreNetworkPolicyAttachment_basic (748.33s)
--- PASS: TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment (1080.44s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/networkmanager     1080.548s
...

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[GlennChia]

Working on adding more tests for various scenarios like having a vpc_attachment

[jar-b]

LGTM 🎉

$ make testacc TESTARGS='-run=TestAccNetworkManagerCoreNetwork' PKG=networkmanager ACCTEST_PARALLELISM=6
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/networkmanager/... -v -count 1 -parallel 6  -run=TestAccNetworkManagerCoreNetwork -timeout 180m
=== RUN   TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== RUN   TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
=== RUN   TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== PAUSE TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== RUN   TestAccNetworkManagerCoreNetwork_basic
=== PAUSE TestAccNetworkManagerCoreNetwork_basic
=== RUN   TestAccNetworkManagerCoreNetwork_disappears
=== PAUSE TestAccNetworkManagerCoreNetwork_disappears
=== RUN   TestAccNetworkManagerCoreNetwork_tags
=== PAUSE TestAccNetworkManagerCoreNetwork_tags
=== RUN   TestAccNetworkManagerCoreNetwork_description
=== PAUSE TestAccNetworkManagerCoreNetwork_description
=== RUN   TestAccNetworkManagerCoreNetwork_policyDocument
=== PAUSE TestAccNetworkManagerCoreNetwork_policyDocument
=== RUN   TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
=== PAUSE TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
=== RUN   TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
=== PAUSE TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
=== RUN   TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
=== PAUSE TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
=== CONT  TestAccNetworkManagerCoreNetworkPolicyAttachment_basic
=== CONT  TestAccNetworkManagerCoreNetwork_description
=== CONT  TestAccNetworkManagerCoreNetwork_basic
=== CONT  TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic
=== CONT  TestAccNetworkManagerCoreNetwork_tags
=== CONT  TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment
--- PASS: TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_basic (9.21s)
=== CONT  TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion
--- PASS: TestAccNetworkManagerCoreNetwork_description (54.62s)
=== CONT  TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument
--- PASS: TestAccNetworkManagerCoreNetwork_basic (64.34s)
=== CONT  TestAccNetworkManagerCoreNetwork_disappears
--- PASS: TestAccNetworkManagerCoreNetwork_tags (64.74s)
=== CONT  TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion
--- PASS: TestAccNetworkManagerCoreNetwork_disappears (23.30s)
=== CONT  TestAccNetworkManagerCoreNetwork_policyDocument
--- PASS: TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithRegion (406.38s)
--- PASS: TestAccNetworkManagerCoreNetwork_createBasePolicyDocumentWithoutRegion (480.38s)
--- PASS: TestAccNetworkManagerCoreNetwork_withoutPolicyDocumentUpdateToCreateBasePolicyDocument (504.74s)
--- PASS: TestAccNetworkManagerCoreNetworkPolicyAttachment_basic (726.05s)
--- PASS: TestAccNetworkManagerCoreNetwork_policyDocument (711.66s)
--- PASS: TestAccNetworkManagerCoreNetworkPolicyAttachment_vpcAttachment (1081.52s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/networkmanager     1084.660s

[jar-b]

Thanks for your contribution, @GlennChia!

[github-actions]

This functionality has been released in v4.54.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.