r/aws_ec2_client_vpn_endpoint_network_association: Adding option to apply additional security groups to target network #7500
Conversation
…pply additional security groups to target network
ghost
added
size/L
bflad
added
the
enhancement
website/docs/r/ec2_client_vpn_network_association.html.markdown
Outdated
Show resolved
Hide resolved
bflad
added
the
waiting-response
|
@bflad Thanks again for your feedback. I believe I've addressed all of your comments. |
ghost
removed
the
waiting-response
| testAccCheckAwsEc2ClientVpnNetworkAssociationExists("aws_ec2_client_vpn_network_association.test", &assoc1), | ||
| resource.TestCheckResourceAttr("aws_ec2_client_vpn_network_association.test", "security_groups.#", "2"), | ||
| ), | ||
| }, |
There was a problem hiding this comment.
We should include another TestStep here that performs some form of update 👍
There was a problem hiding this comment.
One thing I'm noticing with the Update function is that ApplySecurityGroupsToClientVpnTargetNetwork call doesn't zero out security_groups it just replaces ones that are already there. Going from 2 security groups to zero means that the call ignores the empty request and leaves the security groups untouched. Weird, but not unmanageable.
There was a problem hiding this comment.
Sorry that was what I was trying to say in #7500 (comment)
There was a problem hiding this comment.
Ok, I think I see what you are saying. See my latest commit. I was able to get the behavior I'm looking for by making security_groups a required parameter (to account for the API adding the default VPC security group in the absence of custom groups). Not ideal but it works.
There was a problem hiding this comment.
Scratch that, Travis doesn't like the Required + Computed part.
ghost
added
size/XL
| subnet_id = "${aws_subnet.example.id}" | ||
| client_vpn_endpoint_id = "${aws_ec2_client_vpn_endpoint.example.id}" | ||
| subnet_id = "${aws_subnet.example.id}" | ||
| security_groups = [""] |
There was a problem hiding this comment.
This should be omitted in this case.
| @@ -26,12 +37,13 @@ The following arguments are supported: | |||
|
|
|||
| * `client_vpn_endpoint_id` - (Required) The ID of the Client VPN endpoint. | |||
| * `subnet_id` - (Required) The ID of the subnet to associate with the Client VPN endpoint. | |||
| * `security_groups` - (Required) A list of up to five custom security groups to apply to the target network. Not populating this parameter will result in the subnet inheriting the default VPC security group. Regardless of what you choose, you must define this parameter due to the AWS API automatically assigning the default VPC security group if no other groups are included in the call. | |||
There was a problem hiding this comment.
This should be updated back to Optional.
| * `security_groups` - (Required) A list of up to five custom security groups to apply to the target network. Not populating this parameter will result in the subnet inheriting the default VPC security group. Regardless of what you choose, you must define this parameter due to the AWS API automatically assigning the default VPC security group if no other groups are included in the call. | |
| * `security_groups` - (Optional) A list of up to five custom VPC security groups to apply to the target network. Not populating this parameter will result in the subnet inheriting the default VPC security group. To remove all custom VPC security groups, this list must be configured to contain only the default VPC security group. |
|
@bflad I did a lot of thinking about how all these parts work together around the VPN endpoint and I think it makes sense to consolidate network associations into the endpoint resource (See #7564). I have pulled in the changes made here into that PR. Take a look and let me know what you think. If that's the preferred route, then we can probably close this out. |
|
Is this PR being abandoned in favor of #7564? It would be great to get this functionality in since client vpn still requires manual configuration of ingress authorization, securitygroups, routes. |
|
@bryanlikes That is my intention, but I've been waiting on more movement with my other PR before closing out this one. |
|
+1 |
|
These commits were merged as part of #14146 and will release with version 3.3.0, later today. 👍 |
|
This has been released in version 3.3.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #7495
Changes proposed in this pull request:
vpc_idandsecurity_groupsactual parameters so we can use those values to add additional security groups to a target network.Output from acceptance testing: