Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Nitro Enclaves in aws_instance and aws_launch_template #16361

Merged
merged 8 commits into from
Dec 15, 2020
Merged

Support Nitro Enclaves in aws_instance and aws_launch_template #16361

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
fb95a2a
Add enclave options for aws_instance
hansnielsen Nov 21, 2020
1ce695b
Add acceptance tests for aws_instance
hansnielsen Nov 21, 2020
c1024cf
Add enclave options for aws_launch_template
hansnielsen Nov 21, 2020
4005ea7
Add aws_launch_template acceptance tests
hansnielsen Nov 21, 2020
33ec1e9
Add docs
hansnielsen Nov 21, 2020
5bed2a6
Review feedback: Test and doc fixes
hansnielsen Dec 13, 2020
3dc3967
Review feedback: Mark aws_instance schema as computed
hansnielsen Dec 13, 2020
cc2beb6
Review feedback: Remove unnecessary Optionals
hansnielsen Dec 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions aws/data_source_aws_instance.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -316,6 +316,21 @@ func dataSourceAwsInstance() *schema.Resource {
Type: schema.TypeBool,
Computed: true,
},
"enclave_options": {
Type: schema.TypeList,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this schema attribute cannot be used to filter the lookup as an argument, Optional should be removed. 👍

Suggested change
Optional: true,

Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly:

Suggested change
Optional: true,

Computed: true,
},
},
},
},
},
}
}
Expand Down Expand Up @@ -535,5 +550,9 @@ func instanceDescriptionAttributes(d *schema.ResourceData, instance *ec2.Instanc
return fmt.Errorf("error setting metadata_options: %s", err)
}

if err := d.Set("enclave_options", flattenEc2EnclaveOptions(instance.EnclaveOptions)); err != nil {
return fmt.Errorf("error setting enclave_options: %s", err)
}

return nil
}
46 changes: 46 additions & 0 deletions aws/data_source_aws_instance_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -489,6 +489,26 @@ func TestAccAWSInstanceDataSource_metadataOptions(t *testing.T) {
})
}

func TestAccAWSInstanceDataSource_enclaveOptions(t *testing.T) {
resourceName := "aws_instance.test"
datasourceName := "data.aws_instance.test"
rName := acctest.RandomWithPrefix("tf-acc-test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccInstanceDataSourceConfig_enclaveOptions(rName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(datasourceName, "enclave_options.#", resourceName, "enclave_options.#"),
resource.TestCheckResourceAttrPair(datasourceName, "enclave_options.0.enabled", resourceName, "enclave_options.0.enabled"),
),
},
},
})
}

// Lookup based on InstanceID
var testAccInstanceDataSourceConfig = testAccLatestAmazonLinuxHvmEbsAmiConfig() + `
resource "aws_instance" "test" {
Expand Down Expand Up @@ -920,3 +940,29 @@ data "aws_instance" "test" {
}
`, rName))
}

func testAccInstanceDataSourceConfig_enclaveOptions(rName string) string {
return composeConfig(
testAccLatestAmazonLinuxHvmEbsAmiConfig(),
testAccAwsInstanceVpcConfig(rName, false),
testAccAvailableEc2InstanceTypeForRegion("c5a.xlarge", "c5.xlarge"),
fmt.Sprintf(`
resource "aws_instance" "test" {
ami = data.aws_ami.amzn-ami-minimal-hvm-ebs.id
instance_type = data.aws_ec2_instance_type_offering.available.instance_type
subnet_id = aws_subnet.test.id

tags = {
Name = %[1]q
}

enclave_options {
enabled = true
}
}

data "aws_instance" "test" {
instance_id = aws_instance.test.id
}
`, rName))
}
16 changes: 16 additions & 0 deletions aws/data_source_aws_launch_template.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -222,6 +222,18 @@ func dataSourceAwsLaunchTemplate() *schema.Resource {
},
},
},
"enclave_options": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Computed: true,
},
},
},
},
"monitoring": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -498,6 +510,10 @@ func dataSourceAwsLaunchTemplateRead(d *schema.ResourceData, meta interface{}) e
return fmt.Errorf("error setting metadata_options: %w", err)
}

if err := d.Set("enclave_options", getEnclaveOptions(ltData.EnclaveOptions)); err != nil {
return fmt.Errorf("error setting enclave_options: %w", err)
}

if err := d.Set("monitoring", getMonitoring(ltData.Monitoring)); err != nil {
return fmt.Errorf("error setting monitoring: %w", err)
}
Expand Down
37 changes: 37 additions & 0 deletions aws/data_source_aws_launch_template_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,27 @@ func TestAccAWSLaunchTemplateDataSource_metadataOptions(t *testing.T) {
})
}

func TestAccAWSLaunchTemplateDataSource_enclaveOptions(t *testing.T) {
rName := acctest.RandomWithPrefix("tf-acc-test")
dataSourceName := "data.aws_launch_template.test"
resourceName := "aws_launch_template.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSLaunchTemplateDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSLaunchTemplateDataSourceConfig_enclaveOptions(rName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(dataSourceName, "enclave_options.#", resourceName, "enclave_options.#"),
resource.TestCheckResourceAttrPair(dataSourceName, "enclave_options.0.enabled", resourceName, "enclave_options.0.enabled"),
),
},
},
})
}

func TestAccAWSLaunchTemplateDataSource_associatePublicIPAddress(t *testing.T) {
rName := acctest.RandomWithPrefix("tf-acc-test")
dataSourceName := "data.aws_launch_template.test"
Expand Down Expand Up @@ -274,6 +295,22 @@ data "aws_launch_template" "test" {
`, rName)
}

func testAccAWSLaunchTemplateDataSourceConfig_enclaveOptions(rName string) string {
return fmt.Sprintf(`
resource "aws_launch_template" "test" {
name = %[1]q

enclave_options {
enabled = true
}
}

data "aws_launch_template" "test" {
name = aws_launch_template.test.name
}
`, rName)
}

func testAccAWSLaunchTemplateDataSourceConfig_associatePublicIpAddress(rName, associatePublicIPAddress string) string {
return fmt.Sprintf(`
resource "aws_launch_template" "test" {
Expand Down
49 changes: 49 additions & 0 deletions aws/resource_aws_instance.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -576,6 +576,22 @@ func resourceAwsInstance() *schema.Resource {
},
},
},

"enclave_options": {
Type: schema.TypeList,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be safe and prevent unexpected differences for operators should the EC2 API return this information with existing configurations not having it, let's add Computed here:

Suggested change
Optional: true,
Optional: true,
Computed: true,

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also switched the enabled field to Computed: true. This means that aws_instance resources that originally had enclaves enabled won't force a new resource if the enclave_options block is removed, which seems like a reasonable behavior.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The top level Computed: true on configuration blocks prevents differences from showing up in nested attributes if the configuration is not provided even if it does not match the default. Since there is one nested attribute though, it is probably okay since most operators would likely configure both the block and the attribute.

MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Default: false,
Optional: true,
ForceNew: true,
},
},
},
},
},
}
}
Expand Down Expand Up @@ -625,6 +641,7 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
CpuOptions: instanceOpts.CpuOptions,
HibernationOptions: instanceOpts.HibernationOptions,
MetadataOptions: instanceOpts.MetadataOptions,
EnclaveOptions: instanceOpts.EnclaveOptions,
TagSpecifications: tagSpecifications,
}

Expand Down Expand Up @@ -780,6 +797,10 @@ func resourceAwsInstanceRead(d *schema.ResourceData, meta interface{}) error {
return fmt.Errorf("error setting metadata_options: %s", err)
}

if err := d.Set("enclave_options", flattenEc2EnclaveOptions(instance.EnclaveOptions)); err != nil {
return fmt.Errorf("error setting enclave_options: %s", err)
}

d.Set("ami", instance.ImageId)
d.Set("instance_type", instance.InstanceType)
d.Set("key_name", instance.KeyName)
Expand Down Expand Up @@ -2150,6 +2171,7 @@ type awsInstanceOpts struct {
CpuOptions *ec2.CpuOptionsRequest
HibernationOptions *ec2.HibernationOptionsRequest
MetadataOptions *ec2.InstanceMetadataOptionsRequest
EnclaveOptions *ec2.EnclaveOptionsRequest
}

func buildAwsInstanceOpts(d *schema.ResourceData, meta interface{}) (*awsInstanceOpts, error) {
Expand All @@ -2162,6 +2184,7 @@ func buildAwsInstanceOpts(d *schema.ResourceData, meta interface{}) (*awsInstanc
ImageID: aws.String(d.Get("ami").(string)),
InstanceType: aws.String(instanceType),
MetadataOptions: expandEc2InstanceMetadataOptions(d.Get("metadata_options").([]interface{})),
EnclaveOptions: expandEc2EnclaveOptions(d.Get("enclave_options").([]interface{})),
}

// Set default cpu_credits as Unlimited for T3 instance type
Expand Down Expand Up @@ -2465,6 +2488,20 @@ func expandEc2InstanceMetadataOptions(l []interface{}) *ec2.InstanceMetadataOpti
return opts
}

func expandEc2EnclaveOptions(l []interface{}) *ec2.EnclaveOptionsRequest {
if len(l) == 0 || l[0] == nil {
return nil
}

m := l[0].(map[string]interface{})

opts := &ec2.EnclaveOptionsRequest{
Enabled: aws.Bool(m["enabled"].(bool)),
}

return opts
}

//Expands an array of secondary Private IPs into a ec2 Private IP Address Spec
func expandSecondaryPrivateIPAddresses(ips []interface{}) []*ec2.PrivateIpAddressSpecification {
specs := make([]*ec2.PrivateIpAddressSpecification, 0, len(ips))
Expand Down Expand Up @@ -2492,6 +2529,18 @@ func flattenEc2InstanceMetadataOptions(opts *ec2.InstanceMetadataOptionsResponse
return []interface{}{m}
}

func flattenEc2EnclaveOptions(opts *ec2.EnclaveOptions) []interface{} {
if opts == nil {
return nil
}

m := map[string]interface{}{
"enabled": aws.BoolValue(opts.Enabled),
}

return []interface{}{m}
}

// resourceAwsInstanceFindByID returns the EC2 instance by ID
// * If the instance is found, returns the instance and nil
// * If no instance is found, returns nil and nil
Expand Down
62 changes: 62 additions & 0 deletions aws/resource_aws_instance_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3110,6 +3110,41 @@ func TestAccAWSInstance_metadataOptions(t *testing.T) {
})
}

func TestAccAWSInstance_enclaveOptions(t *testing.T) {
var instance1, instance2 ec2.Instance
resourceName := "aws_instance.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckInstanceDestroy,
Steps: []resource.TestStep{
{
Config: testAccInstanceConfigEnclaveOptions(true),
Check: resource.ComposeTestCheckFunc(
testAccCheckInstanceExists(resourceName, &instance1),
resource.TestCheckResourceAttr(resourceName, "enclave_options.#", "1"),
resource.TestCheckResourceAttr(resourceName, "enclave_options.0.enabled", "true"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccInstanceConfigEnclaveOptions(false),
Check: resource.ComposeTestCheckFunc(
testAccCheckInstanceExists(resourceName, &instance2),
testAccCheckInstanceRecreated(&instance1, &instance2),
resource.TestCheckResourceAttr(resourceName, "enclave_options.#", "1"),
resource.TestCheckResourceAttr(resourceName, "enclave_options.0.enabled", "false"),
),
},
},
})
}

func testAccCheckInstanceNotRecreated(t *testing.T,
before, after *ec2.Instance) resource.TestCheckFunc {
return func(s *terraform.State) error {
Expand Down Expand Up @@ -5102,6 +5137,33 @@ resource "aws_instance" "test" {
`, rName))
}

func testAccInstanceConfigEnclaveOptions(enabled bool) string {
name := "tf-acc-instance-enclaves"
return composeConfig(
testAccLatestAmazonLinuxHvmEbsAmiConfig(),
testAccAwsInstanceVpcConfig(name, false),
testAccAvailableEc2InstanceTypeForRegion("c5a.xlarge", "c5.xlarge"),
fmt.Sprintf(`
resource "aws_instance" "test" {
ami = data.aws_ami.amzn-ami-minimal-hvm-ebs.id
instance_type = data.aws_ec2_instance_type_offering.available.instance_type
subnet_id = aws_subnet.test.id

enclave_options {
enabled = %[2]t
}

tags = {
Name = %[1]q
}
}

data "aws_instance" "test" {
instance_id = aws_instance.test.id
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resource testing should omit data source 👍

Suggested change
data "aws_instance" "test" {
instance_id = aws_instance.test.id
}

`, name, enabled))
}

func testAccAwsEc2InstanceConfigDynamicEBSBlockDevices() string {
return composeConfig(testAccLatestAmazonLinuxPvEbsAmiConfig(), `
resource "aws_instance" "test" {
Expand Down
Loading