Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Authorization Rules for Client VPN #13950

Merged
merged 50 commits into from
Jul 8, 2020

Conversation

gdavison
Copy link
Contributor

@gdavison gdavison commented Jun 25, 2020

This continues the work done in #7564 to add Authorization Rules for Client VPN. The Authorization Rules are implemented as a standalone resource.

Routes will be addressed by #10508.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #7494
Closes #13959
Closes #13910

Release note for CHANGELOG:

**New Resource:** `aws_ec2_client_vpn_authorization_rule`

Output from acceptance testing:

$ TEST=./aws make testacc TESTARGS='-run=TestAccAwsEc2ClientVpn'

--- PASS: TestAccAwsEc2ClientVpn (4.19s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_disappears (10.99s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_Subnets (47.84s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_groups (62.22s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_basic (33.63s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_disappears (32.72s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_tags (25.65s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_basic (12.06s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_splitTunnel (18.12s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_withLogGroup (17.66s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_withDNSServers (16.74s)
    --- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_disappears (589.53s)
    --- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_basic (705.36s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_msAD (1833.75s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_mutualAuthAndMsAD (1845.04s)

slapula and others added 23 commits February 12, 2019 07:39
…network associations and authorization rules as parameters
# Conflicts:
#	aws/resource_aws_ec2_client_vpn_endpoint.go
#	aws/resource_aws_ec2_client_vpn_endpoint_test.go
#	website/docs/r/ec2_client_vpn_endpoint.html.markdown
…emoves `network_association` field from `aws_ec2_client_vpn_endpoint` resource
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. provider Pertains to the provider itself, rather than any interaction with AWS. service/ec2 Issues and PRs that pertain to the ec2 service. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Jun 25, 2020
@ghost ghost added size/XXL Managed by automation to categorize the size of a PR. and removed size/XL Managed by automation to categorize the size of a PR. labels Jun 26, 2020
@gdavison
Copy link
Contributor Author

Acceptance tests are failing due to provider not waiting for deletion of Client VPN endpoint #13910

@gdavison gdavison force-pushed the resource-aws-ec2-client-vpn-consolidation branch from f0e7904 to d85342a Compare July 1, 2020 00:16
@gdavison gdavison marked this pull request as ready for review July 1, 2020 06:15
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gdavison 👋 Left some initial feedback below since its introducing a few complexities that currently are not present anywhere else in the codebase and we already discussed the semaphore business, but please reach out with any questions. 👍

aws/internal/service/ec2/errors.go Show resolved Hide resolved
aws/internal/service/ec2/id.go Outdated Show resolved Hide resolved
aws/internal/service/ec2/id.go Outdated Show resolved Hide resolved
result, err := conn.DescribeClientVpnEndpoints(&ec2.DescribeClientVpnEndpointsInput{
ClientVpnEndpointIds: aws.StringSlice([]string{endpointID}),
})
if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnEndpointIdNotFound) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we'll need to globally decide whether errors like these should be handled in these service packages or downstream in the resource implementations so they can decide what to do with them. For example, this swallows available request ID information from the SDK unless debug logging is enabled.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case, we need to handle at least some of the errors here, or else the calling WaitForState() will error out instead of returning cleanly

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the real difference is that if/when this code is generated, it then needs an additional layer of knowledge of errors rather than just how to handle the API structures. Not a big deal in the short term, but something to consider for longer term.

@@ -39,3 +40,41 @@ func LocalGatewayRouteTableVpcAssociationState(conn *ec2.EC2, localGatewayRouteT
return association, aws.StringValue(association.State), nil
}
}

const (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the plan be to always separate const declarations in these files based on some criteria?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was following the model of a separate const block for each resource type as well as keeping them together with the corresponding Status function

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely not something for this PR, but wonder if we should change these to per "resource" files then like status_ClientVpnEndpoint.go -- something to noodle over in #12840!

aws/resource_aws_ec2_client_vpn_authorization_rule_test.go Outdated Show resolved Hide resolved
website/docs/r/ec2_client_vpn_endpoint.html.markdown Outdated Show resolved Hide resolved
aws/internal/tfawsresource/sync.go Outdated Show resolved Hide resolved
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's go! 🚀

Output from acceptance testing:

--- PASS: TestAccAwsEc2ClientVpn (4.23s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_withDNSServers (17.91s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_withLogGroup (19.48s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_tags (26.70s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_basic (33.05s)
    --- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_disappears (613.82s)
    --- PASS: TestAccAwsEc2ClientVpn/NetworkAssociation_basic (623.53s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_Subnets (48.77s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_disappears (33.33s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_basic (11.02s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_disappears (9.88s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_splitTunnel (17.77s)
    --- PASS: TestAccAwsEc2ClientVpn/AuthorizationRule_groups (62.18s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_mutualAuthAndMsAD (1813.60s)
    --- PASS: TestAccAwsEc2ClientVpn/Endpoint_msAD (1883.59s)

aws/internal/service/ec2/filter.go Show resolved Hide resolved
aws/internal/service/ec2/waiter/status.go Outdated Show resolved Hide resolved
@@ -39,3 +40,41 @@ func LocalGatewayRouteTableVpcAssociationState(conn *ec2.EC2, localGatewayRouteT
return association, aws.StringValue(association.State), nil
}
}

const (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely not something for this PR, but wonder if we should change these to per "resource" files then like status_ClientVpnEndpoint.go -- something to noodle over in #12840!

aws/internal/service/ec2/finder/finder.go Show resolved Hide resolved
aws/resource_aws_ec2_client_vpn_authorization_rule.go Outdated Show resolved Hide resolved
result, err := conn.DescribeClientVpnEndpoints(&ec2.DescribeClientVpnEndpointsInput{
ClientVpnEndpointIds: aws.StringSlice([]string{endpointID}),
})
if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnEndpointIdNotFound) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the real difference is that if/when this code is generated, it then needs an additional layer of knowledge of errors rather than just how to handle the API structures. Not a big deal in the short term, but something to consider for longer term.

gdavison and others added 2 commits July 8, 2020 09:29
Removes outdated comment

Co-authored-by: Brian Flad <[email protected]>
Removes unneeded checks

Co-authored-by: Brian Flad <[email protected]>
@gdavison gdavison merged commit f2a92cf into master Jul 8, 2020
@gdavison gdavison deleted the resource-aws-ec2-client-vpn-consolidation branch July 8, 2020 21:44
@gdavison gdavison added this to the v2.70.0 milestone Jul 8, 2020
gdavison added a commit that referenced this pull request Jul 8, 2020
@ghost
Copy link

ghost commented Jul 10, 2020

This has been released in version 2.70.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Aug 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/ec2 Issues and PRs that pertain to the ec2 service. size/XXL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
3 participants