-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Authorization Rules for Client VPN #13950
Conversation
…network associations and authorization rules as parameters
# Conflicts: # aws/resource_aws_ec2_client_vpn_endpoint.go # aws/resource_aws_ec2_client_vpn_endpoint_test.go # website/docs/r/ec2_client_vpn_endpoint.html.markdown
…emoves `network_association` field from `aws_ec2_client_vpn_endpoint` resource
Acceptance tests are failing due to provider not waiting for deletion of Client VPN endpoint #13910 |
# Conflicts: # aws/resource_aws_ec2_client_vpn_network_association_test.go
f0e7904
to
d85342a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @gdavison 👋 Left some initial feedback below since its introducing a few complexities that currently are not present anywhere else in the codebase and we already discussed the semaphore business, but please reach out with any questions. 👍
result, err := conn.DescribeClientVpnEndpoints(&ec2.DescribeClientVpnEndpointsInput{ | ||
ClientVpnEndpointIds: aws.StringSlice([]string{endpointID}), | ||
}) | ||
if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnEndpointIdNotFound) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we'll need to globally decide whether errors like these should be handled in these service packages or downstream in the resource implementations so they can decide what to do with them. For example, this swallows available request ID information from the SDK unless debug logging is enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, we need to handle at least some of the errors here, or else the calling WaitForState()
will error out instead of returning cleanly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the real difference is that if/when this code is generated, it then needs an additional layer of knowledge of errors rather than just how to handle the API structures. Not a big deal in the short term, but something to consider for longer term.
@@ -39,3 +40,41 @@ func LocalGatewayRouteTableVpcAssociationState(conn *ec2.EC2, localGatewayRouteT | |||
return association, aws.StringValue(association.State), nil | |||
} | |||
} | |||
|
|||
const ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the plan be to always separate const
declarations in these files based on some criteria?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was following the model of a separate const
block for each resource type as well as keeping them together with the corresponding Status
function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Definitely not something for this PR, but wonder if we should change these to per "resource" files then like status_ClientVpnEndpoint.go
-- something to noodle over in #12840!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's go! 🚀
Output from acceptance testing:
--- PASS: TestAccAwsEc2ClientVpn (4.23s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_withDNSServers (17.91s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_withLogGroup (19.48s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_tags (26.70s)
--- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_basic (33.05s)
--- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_disappears (613.82s)
--- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_basic (623.53s)
--- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_Subnets (48.77s)
--- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_disappears (33.33s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_basic (11.02s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_disappears (9.88s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_splitTunnel (17.77s)
--- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_groups (62.18s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_mutualAuthAndMsAD (1813.60s)
--- PASS: TestAccAwsEc2ClientVpn/Endpoint_msAD (1883.59s)
@@ -39,3 +40,41 @@ func LocalGatewayRouteTableVpcAssociationState(conn *ec2.EC2, localGatewayRouteT | |||
return association, aws.StringValue(association.State), nil | |||
} | |||
} | |||
|
|||
const ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Definitely not something for this PR, but wonder if we should change these to per "resource" files then like status_ClientVpnEndpoint.go
-- something to noodle over in #12840!
result, err := conn.DescribeClientVpnEndpoints(&ec2.DescribeClientVpnEndpointsInput{ | ||
ClientVpnEndpointIds: aws.StringSlice([]string{endpointID}), | ||
}) | ||
if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnEndpointIdNotFound) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the real difference is that if/when this code is generated, it then needs an additional layer of knowledge of errors rather than just how to handle the API structures. Not a big deal in the short term, but something to consider for longer term.
Removes outdated comment Co-authored-by: Brian Flad <[email protected]>
Removes unneeded checks Co-authored-by: Brian Flad <[email protected]>
This has been released in version 2.70.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
This continues the work done in #7564 to add Authorization Rules for Client VPN. The Authorization Rules are implemented as a standalone resource.
Routes will be addressed by #10508.
Community Note
Closes #7494
Closes #13959
Closes #13910
Release note for CHANGELOG:
Output from acceptance testing: