From 4a9d90aca40d6032ff5e2aa1a641bfc64ddac24d Mon Sep 17 00:00:00 2001 From: O327903 Date: Tue, 6 Feb 2024 01:44:15 +0000 Subject: [PATCH 01/16] Add support for TLS for ECS Service Connect --- internal/service/ecs/service.go | 73 +++++++++++++++++++++++- internal/service/ecs/service_test.go | 72 +++++++++++++++++++++++ website/docs/r/ecs_service.html.markdown | 15 +++++ 3 files changed, 157 insertions(+), 3 deletions(-) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 139abef7aea..dca01eda64b 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -414,6 +414,36 @@ func ResourceService() *schema.Resource { Type: schema.TypeString, Required: true, }, + "tls": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "issuer_cert_authority": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "aws_pca_authority_arn": { + Type: schema.TypeString, + Required: true, + }, + }, + }, + }, + "kms_key_id": { + Type: schema.TypeString, + Required: true, + }, + "role_arn": { + Type: schema.TypeString, + Required: true, + }, + }, + }, + }, }, }, }, 
@@ -764,9 +794,9 @@ func resourceServiceRead(ctx context.Context, d *schema.ResourceData, meta inter return sdkdiag.AppendErrorf(diags, "setting network_configuration: %s", err) } - // if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil { - // return fmt.Errorf("setting service_connect_configuration for (%s): %w", d.Id(), err) - // } + //if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil { + // return sdkdiag.AppendErrorf(diags, "setting service_connect_configuration: %s", err) + //} if err := d.Set("service_registries", flattenServiceRegistries(service.ServiceRegistries)); err != nil { return sdkdiag.AppendErrorf(diags, "setting service_registries: %s", err) 
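Review bot: The hunk only re-comments the `d.Set("service_connect_configuration", ...)` call, so the new `tls` block introduced by this patch is still never read back into state. That means a change made outside Terraform — for example removing TLS or swapping the issuing CA or the KMS key on the service — will not show up as drift on the next plan, and `terraform import` cannot recover the block either. If leaving the flatten disabled is deliberate, say so next to it: `// service_connect_configuration (incl. tls) is write-only: out-of-band changes are not detected. TODO(#...) wire up flattenServiceConnectConfiguration.`; otherwise the flatten should be wired up together with the new fields. resourceServiceRead begins and ends outside this hunk, and I cannot see whether `flattenServiceConnectConfiguration` exists in the file.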
@@ -1441,12 +1471,49 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService { config.PortName = aws.String(v) } + if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 { + config.Tls = expandTls(v) + } + out = append(out, &config) } return out } +func expandTls(tls []interface{}) *ecs.ServiceConnectTlsConfiguration { + if len(tls) == 0 { + return nil + } + + raw := tls[0].(map[string]interface{}) + tlsConfig := &ecs.ServiceConnectTlsConfiguration{} + if v, ok := raw["issuer_cert_authority"].([]interface{}); ok && len(v) > 0 { + tlsConfig.IssuerCertificateAuthority = expandIssuerCertAuthority(v) + } + if v, ok := raw["kms_key"].(string); ok && v != "" { + tlsConfig.KmsKey = aws.String(v) + } + if v, ok := raw["role_arn"].(string); ok && v != "" { + tlsConfig.RoleArn = aws.String(v) + } + return tlsConfig +} + +func expandIssuerCertAuthority(pca []interface{}) *ecs.ServiceConnectTlsCertificateAuthority { + if len(pca) == 0 { + return nil + } + + raw := pca[0].(map[string]interface{}) + config := &ecs.ServiceConnectTlsCertificateAuthority{} + + if v, ok := raw["aws_pca_authority_arn"].(string); ok && v != "" { + config.AwsPcaAuthorityArn = aws.String(v) + } + return config +} + func expandClientAliases(srv []interface{}) []*ecs.ServiceConnectClientAlias { if len(srv) == 0 { return nil diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index f5c0aa175b7..1aa364ba6e4 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go 
@@ -4237,6 +4237,32 @@ resource "aws_ecs_service" "test" { func testAccServiceConfig_serviceConnectAllAttributes(rName string) string { return fmt.Sprintf(` +resource "aws_kms_key" "test" { + description = %[1]q + deletion_window_in_days = 7 +} + +resource "aws_iam_role" "test" { + name = %[1]q + + assume_role_policy = < Date: Wed, 7 Feb 2024 09:34:12 +0000 Subject: [PATCH 02/16] Add support for TLS for ECS Service Connect --- .changelog/35684.txt | 3 ++ .ci/tools/go.mod | 4 ++- internal/service/ecs/service.go | 4 +-- internal/service/ecs/service_test.go | 37 +++++++++++++++++++++++- website/docs/r/ecs_service.html.markdown | 2 +- 5 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 .changelog/35684.txt diff --git a/.changelog/35684.txt b/.changelog/35684.txt new file mode 100644 index 00000000000..ca03fc2c0c3 --- /dev/null +++ b/.changelog/35684.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_ecs_service: Add TLS support for ECS Service Connect +``` \ No newline at end of file diff --git a/.ci/tools/go.mod b/.ci/tools/go.mod index d8158c9b759..05e21bcbb00 100644 --- a/.ci/tools/go.mod +++ b/.ci/tools/go.mod @@ -1,6 +1,8 @@ module github.com/hashicorp/terraform-provider-aws/tools -go 1.20 +go 1.21 + +toolchain go1.21.5 require ( github.com/YakDriver/tfproviderdocs v0.11.0 diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index dca01eda64b..73ca9248f3a 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -433,9 +433,9 @@ func ResourceService() *schema.Resource { }, }, }, - "kms_key_id": { + "kms_key": { Type: schema.TypeString, - Required: true, + Optional: true, }, "role_arn": { Type: schema.TypeString, diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index 1aa364ba6e4..ab687e1168f 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go 
@@ -4240,6 +4240,40 @@ func testAccServiceConfig_serviceConnectAllAttributes(rName string) string { resource "aws_kms_key" "test" { description = %[1]q deletion_window_in_days = 7 + policy = data.aws_iam_policy_document.test.json +} + + +data "aws_iam_policy_document" "test" { + policy_id = "KMSPolicy" + + statement { + sid = "Root User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = [ + "kms:*"] + resources = [ "*"] + } + + statement { + sid = "EC2 kms permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ aws_iam_role.test.arn ] + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyPair"] + resources = ["*"] + } } resource "aws_iam_role" "test" { @@ -4327,7 +4361,7 @@ resource "aws_ecs_service" "test" { issuer_cert_authority { aws_pca_authority_arn = aws_acmpca_certificate_authority.test.arn } - kms_key_id = aws_kms_key.test.arn + kms_key = aws_kms_key.test.arn role_arn = aws_iam_role.test.arn } } @@ -4372,6 +4406,7 @@ resource "aws_acmpca_certificate_authority" "test" { } data "aws_partition" "current" {} +data "aws_caller_identity" "current" {} `, rName) } diff --git a/website/docs/r/ecs_service.html.markdown b/website/docs/r/ecs_service.html.markdown index 38497e83e43..a37d75212dc 100644 --- a/website/docs/r/ecs_service.html.markdown +++ b/website/docs/r/ecs_service.html.markdown 
@@ -246,7 +246,7 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC `tls` supports the following: * `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate. -* `kms_key_id` - (Required) The KMS key used to encrypt the private key in Secrets Manager. +* `kms_key` - (Required) The KMS key used to encrypt the private key in Secrets Manager. * `role_arn` - (Required) The ARN of the IAM Role that's associated with the Service Connect TLS. ### issuer_cert_authority From 0c0ded0e922cde37deb5791f114362ba1c4fc02a Mon Sep 17 00:00:00 2001 From: O327903 Date: Wed, 7 Feb 2024 10:47:01 +0000 Subject: [PATCH 03/16] Fix go.mod --- .ci/tools/go.mod | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.ci/tools/go.mod b/.ci/tools/go.mod index 05e21bcbb00..d8158c9b759 100644 --- a/.ci/tools/go.mod +++ b/.ci/tools/go.mod @@ -1,8 +1,6 @@ module github.com/hashicorp/terraform-provider-aws/tools -go 1.21 - -toolchain go1.21.5 +go 1.20 require ( github.com/YakDriver/tfproviderdocs v0.11.0 From f8ba1b62222859f4867ee020ae9edd491b13e563 Mon Sep 17 00:00:00 2001 From: O327903 Date: Fri, 9 Feb 2024 23:28:15 +0000 Subject: [PATCH 04/16] Added timeout configuration for ECS Service Connect --- .changelog/35684.txt | 1 + internal/service/ecs/service.go | 38 ++++++++++++++++++++++++++++ internal/service/ecs/service_test.go | 9 +++++-- 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/.changelog/35684.txt b/.changelog/35684.txt index ca03fc2c0c3..2e5bd37f25c 100644 --- a/.changelog/35684.txt +++ b/.changelog/35684.txt @@ -1,3 +1,4 @@ ```release-note:enhancement resource/aws_ecs_service: Add TLS support for ECS Service Connect +resource/aws_ecs_service: Add timeout configuration for ECS Service Connect ``` \ No newline at end of file diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 73ca9248f3a..1098f4bb4bd 100644 
--- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -444,6 +444,25 @@ func ResourceService() *schema.Resource { }, }, }, + "timeout": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "idle_timeout_seconds": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 2147483647), + }, + "per_request_timeout_seconds": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 2147483647), + }, + }, + }, + }, }, }, }, @@ -1475,12 +1494,31 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService { config.Tls = expandTls(v) } + if v, ok := raw["timeout"].([]interface{}); ok && len(v) > 0 { + config.Timeout = expandTimeout(v) + } + out = append(out, &config) } return out } +func expandTimeout(timeout []interface{}) *ecs.TimeoutConfiguration { + if len(timeout) == 0 { + return nil + } + raw := timeout[0].(map[string]interface{}) + timeoutConfig := &ecs.TimeoutConfiguration{} + if v, ok := raw["idle_timeout_seconds"].(int); ok { + timeoutConfig.IdleTimeoutSeconds = aws.Int64(int64(v)) + } + if v, ok := raw["per_request_timeout_seconds"].(int); ok { + timeoutConfig.PerRequestTimeoutSeconds = aws.Int64(int64(v)) + } + return timeoutConfig +} + func expandTls(tls []interface{}) *ecs.ServiceConnectTlsConfiguration { if len(tls) == 0 { return nil diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index ab687e1168f..eab45f01a79 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go @@ -4320,9 +4320,10 @@ resource "aws_ecs_task_definition" "test" { "portMappings": [ { "hostPort": 0, - "protocol": "tcp", + "appProtocol": "http", "containerPort": 27017, - "name": "tf-test" + "name": "tf-test", + "protocol": "tcp" } ] } 
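Review bot: In `expandTimeout` the `if v, ok := raw["idle_timeout_seconds"].(int); ok` checks only succeed on the type assertion, and with SDKv2 an unset `TypeInt` attribute reads as `0`, so omitting either attribute sends `0` to the API — which, per the documentation added in this same series, disables that timeout rather than leaving the service default. A user writing `timeout { per_request_timeout_seconds = 60 }` therefore silently disables the idle timeout. Because the schema cannot distinguish "unset" from an explicit `0`, either document that omitted attributes are sent as `0`/disabled in the `timeout` docs, or guard with `ok && v != 0` and document that `0` and omission both mean the service default. Separately, `timeout[0].(map[string]interface{})` is an unchecked assertion; an all-optional block written as `timeout {}` can arrive as a nil element, so the assertion should be checked.
```go
func expandTimeout(timeout []interface{}) *ecs.TimeoutConfiguration {
	if len(timeout) == 0 {
		return nil
	}
	// An empty `timeout {}` block may surface as a nil element; don't panic on it.
	raw, ok := timeout[0].(map[string]interface{})
	if !ok {
		return nil
	}
	// … unchanged: idle_timeout_seconds / per_request_timeout_seconds handling …
```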
@@ -4364,6 +4365,10 @@ resource "aws_ecs_service" "test" { kms_key = aws_kms_key.test.arn role_arn = aws_iam_role.test.arn } + timeout { + idle_timeout_seconds = 120 + per_request_timeout_seconds = 60 + } } } } From 642ac5b2e8ad056b3d27aca66f4a7b2a40da7ed6 Mon Sep 17 00:00:00 2001 From: O327903 Date: Fri, 9 Feb 2024 23:35:22 +0000 Subject: [PATCH 05/16] Added timeout configuration for ECS Service Connect --- website/docs/r/ecs_service.html.markdown | 36 +++++++++++++++--------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/website/docs/r/ecs_service.html.markdown b/website/docs/r/ecs_service.html.markdown index a37d75212dc..041a96246fd 100644 --- a/website/docs/r/ecs_service.html.markdown +++ b/website/docs/r/ecs_service.html.markdown @@ -241,19 +241,6 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC * `namespace` - (Optional) The namespace name or ARN of the [`aws_service_discovery_http_namespace`](/docs/providers/aws/r/service_discovery_http_namespace.html) for use with Service Connect. * `service` - (Optional) The list of Service Connect service objects. See below. -### tls - -`tls` supports the following: - -* `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate. -* `kms_key` - (Required) The KMS key used to encrypt the private key in Secrets Manager. -* `role_arn` - (Required) The ARN of the IAM Role that's associated with the Service Connect TLS. - -### issuer_cert_authority - -`issuer_cert_authority` supports the following: - -* `aws_pca_authority_arn`: The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. ### log_configuration 
@@ -278,8 +265,31 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC * `discovery_name` - (Optional) The name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service. * `ingress_port_override` - (Optional) The port number for the Service Connect proxy to listen on. * `port_name` - (Required) The name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service. +* `timeout` - (Optional) Configuration timeouts for Service Connect * `tls` - (Optional) The configuration for enabling Transport Layer Security (TLS) +### timeout + +`timeout` supports the following: + +* `idle_timeout_seconds` - (Optional) The amount of time in seconds a connection will stay active while idle. A value of 0 can be set to disable idleTimeout. +* `per_request_timeout_seconds` - (Optional) The amount of time in seconds for the upstream to respond with a complete response per request. A value of 0 can be set to disable perRequestTimeout. Can only be set when appProtocol isn't TCP. + +### tls + +`tls` supports the following: + +* `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate. +* `kms_key` - (Required) The KMS key used to encrypt the private key in Secrets Manager. +* `role_arn` - (Required) The ARN of the IAM Role that's associated with the Service Connect TLS. + +### issuer_cert_authority + +`issuer_cert_authority` supports the following: + +* `aws_pca_authority_arn`: The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. + + ### client_alias `client_alias` supports the following: From aa1ab3115699d159563e028bea58d72327891acf Mon Sep 17 00:00:00 2001 
From: O327903 Date: Fri, 9 Feb 2024 23:59:55 +0000 Subject: [PATCH 06/16] Fix Lint issues --- internal/service/ecs/service.go | 4 +-- internal/service/ecs/service_test.go | 44 ++++++++++++------------ website/docs/r/ecs_service.html.markdown | 2 -- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 1098f4bb4bd..0571b382d9e 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -1491,7 +1491,7 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService { } if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 { - config.Tls = expandTls(v) + config.Tls = expandTLS(v) } if v, ok := raw["timeout"].([]interface{}); ok && len(v) > 0 { @@ -1519,7 +1519,7 @@ func expandTimeout(timeout []interface{}) *ecs.TimeoutConfiguration { return timeoutConfig } -func expandTls(tls []interface{}) *ecs.ServiceConnectTlsConfiguration { +func expandTLS(tls []interface{}) *ecs.ServiceConnectTlsConfiguration { if len(tls) == 0 { return nil } diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index eab45f01a79..0b09111bf66 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go @@ -4240,7 +4240,7 @@ func testAccServiceConfig_serviceConnectAllAttributes(rName string) string { resource "aws_kms_key" "test" { description = %[1]q deletion_window_in_days = 7 - policy = data.aws_iam_policy_document.test.json + policy = data.aws_iam_policy_document.test.json } 
@@ -4248,38 +4248,38 @@ data "aws_iam_policy_document" "test" { policy_id = "KMSPolicy" statement { - sid = "Root User Permissions" - effect = "Allow" + sid = "Root User Permissions" + effect = "Allow" principals { - type = "AWS" + type = "AWS" identifiers = [ - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] } - actions = [ - "kms:*"] - resources = [ "*"] + actions = [ + "kms:*"] + resources = ["*"] } statement { - sid = "EC2 kms permissions" - effect = "Allow" + sid = "EC2 kms permissions" + effect = "Allow" principals { type = "AWS" - identifiers = [ aws_iam_role.test.arn ] + identifiers = [aws_iam_role.test.arn] } - actions = [ + actions = [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", - "kms:GenerateDataKeyPair"] + "kms:GenerateDataKeyPair"] resources = ["*"] } } resource "aws_iam_role" "test" { - name = %[1]q + name = %[1]q - assume_role_policy = < Date: Sat, 10 Feb 2024 00:05:06 +0000 Subject: [PATCH 07/16] Fix Lint issues --- internal/service/ecs/service_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index 0b09111bf66..ac1ec6c2855 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go @@ -4406,7 +4406,7 @@ resource "aws_acmpca_certificate_authority" "test" { } } tags = { - AmazonECSManaged = "true" + AmazonECSManaged = "true" } } From 86cdcd445870429a7e6fd01898d6b37de8f1a617 Mon Sep 17 00:00:00 2001 From: O327903 Date: Sat, 10 Feb 2024 00:26:10 +0000 Subject: [PATCH 08/16] Fix Lint issues --- internal/service/ecs/service_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/ecs/service_test.go b/internal/service/ecs/service_test.go index ac1ec6c2855..760aefc006f 100644 --- a/internal/service/ecs/service_test.go +++ b/internal/service/ecs/service_test.go 
@@ -4253,7 +4253,7 @@ data "aws_iam_policy_document" "test" { principals { type = "AWS" identifiers = [ - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"] } actions = [ "kms:*"] From d5858a72693918c7d801bd59fa31231a4ed27085 Mon Sep 17 00:00:00 2001 From: O327903 Date: Sat, 10 Feb 2024 00:36:33 +0000 Subject: [PATCH 09/16] Fix Optionality on role_arn and acm_pca_authority_arn as per spec: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectTlsConfiguration.html --- internal/service/ecs/service.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 0571b382d9e..2eb8d0c18af 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -428,7 +428,7 @@ func ResourceService() *schema.Resource { Schema: map[string]*schema.Schema{ "aws_pca_authority_arn": { Type: schema.TypeString, - Required: true, + Optional: true, }, }, }, @@ -439,7 +439,7 @@ func ResourceService() *schema.Resource { }, "role_arn": { Type: schema.TypeString, - Required: true, + Optional: true, }, }, }, From 5826871bcd41900586c392982dc70a6fa1707784 Mon Sep 17 00:00:00 2001 From: O327903 Date: Sat, 10 Feb 2024 00:59:17 +0000 Subject: [PATCH 10/16] Fix Docs to reflect optionality --- website/docs/r/ecs_service.html.markdown | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/docs/r/ecs_service.html.markdown b/website/docs/r/ecs_service.html.markdown index 0d07bf6d7e2..6509401a9d1 100644 --- a/website/docs/r/ecs_service.html.markdown +++ b/website/docs/r/ecs_service.html.markdown 
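Review bot: After this change `aws_pca_authority_arn` is the only attribute inside `issuer_cert_authority` and it is now `Optional`, so an empty `issuer_cert_authority {}` block passes schema validation while the block itself stays `Required`; `expandIssuerCertAuthority` (outside this hunk) then sends a CA object with no ARN to the API. If the service rejects that, the user gets an apply-time error instead of a plan-time one; if it accepts it, the docs should say what CA is used when the ARN is absent, since that determines who can issue the service's TLS certificates. Consider keeping the ARN required at the schema level, or at least adding `RequiredWith`/`AtLeastOneOf` so the empty block is rejected early, and likewise documenting what an omitted `role_arn` means for the KMS and PCA calls the service makes on the user's behalf.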
@@ -279,14 +279,14 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC `tls` supports the following: * `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate. -* `kms_key` - (Required) The KMS key used to encrypt the private key in Secrets Manager. -* `role_arn` - (Required) The ARN of the IAM Role that's associated with the Service Connect TLS. +* `kms_key` - (Optional) The KMS key used to encrypt the private key in Secrets Manager. +* `role_arn` -(Optional) The ARN of the IAM Role that's associated with the Service Connect TLS. ### issuer_cert_authority `issuer_cert_authority` supports the following: -* `aws_pca_authority_arn`: The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. +* `aws_pca_authority_arn`: (Optional) The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. ### client_alias From 1ef627a97cb1bd1c6df03a297b0c8dfc9d0ef5be Mon Sep 17 00:00:00 2001 From: O327903 Date: Sat, 10 Feb 2024 01:00:24 +0000 Subject: [PATCH 11/16] Fix Docs to reflect optionality --- website/docs/r/ecs_service.html.markdown | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/r/ecs_service.html.markdown b/website/docs/r/ecs_service.html.markdown index 6509401a9d1..7c7a625900c 100644 --- a/website/docs/r/ecs_service.html.markdown +++ b/website/docs/r/ecs_service.html.markdown 
@@ -280,13 +280,13 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC * `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate. * `kms_key` - (Optional) The KMS key used to encrypt the private key in Secrets Manager. -* `role_arn` -(Optional) The ARN of the IAM Role that's associated with the Service Connect TLS. +* `role_arn` - (Optional) The ARN of the IAM Role that's associated with the Service Connect TLS. ### issuer_cert_authority `issuer_cert_authority` supports the following: -* `aws_pca_authority_arn`: (Optional) The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. +* `aws_pca_authority_arn` - (Optional) The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates. ### client_alias From 2636578cf9c0b95ed335592428cf9a6eeeff5521 Mon Sep 17 00:00:00 2001 From: dgr237 <33848543+dgr237@users.noreply.github.com> Date: Mon, 12 Feb 2024 15:38:07 +0000 Subject: [PATCH 12/16] Update internal/service/ecs/service.go Co-authored-by: Tyler Lynch --- internal/service/ecs/service.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 2eb8d0c18af..4ce7b375a33 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -429,6 +429,7 @@ func ResourceService() *schema.Resource { "aws_pca_authority_arn": { Type: schema.TypeString, Optional: true, + ValidateFunc: verify.ValidARN, }, }, }, From 66c8c0be5b539eb6b031221c371cefb5272078a3 Mon Sep 17 00:00:00 2001 From: dgr237 <33848543+dgr237@users.noreply.github.com> Date: Mon, 12 Feb 2024 15:38:16 +0000 Subject: [PATCH 13/16] Update internal/service/ecs/service.go Co-authored-by: Tyler Lynch --- internal/service/ecs/service.go | 1 + 1 file changed, 1 insertion(+) 
diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 4ce7b375a33..ae26ab04782 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -441,6 +441,7 @@ func ResourceService() *schema.Resource { "role_arn": { Type: schema.TypeString, Optional: true, + ValidateFunc: verify.ValidARN, }, }, }, From eafc5831a848450d06dce3bf91b155b21de80b5c Mon Sep 17 00:00:00 2001 From: O327903 Date: Mon, 12 Feb 2024 16:24:15 +0000 Subject: [PATCH 14/16] Gofmt error --- internal/service/ecs/service.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index ae26ab04782..1a1f5e8ec30 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -427,8 +427,8 @@ func ResourceService() *schema.Resource { Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "aws_pca_authority_arn": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Optional: true, ValidateFunc: verify.ValidARN, }, }, @@ -439,8 +439,8 @@ func ResourceService() *schema.Resource { Optional: true, }, "role_arn": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Optional: true, ValidateFunc: verify.ValidARN, }, }, From e76010edaef24d00ef8c2eafe269c83bd079df18 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 12 Feb 2024 13:23:00 -0500 Subject: [PATCH 15/16] Tweak CHANGELOG entry. --- .changelog/35684.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.changelog/35684.txt b/.changelog/35684.txt index 2e5bd37f25c..235b729785f 100644 --- a/.changelog/35684.txt +++ b/.changelog/35684.txt 
@@ -1,4 +1,3 @@ ```release-note:enhancement -resource/aws_ecs_service: Add TLS support for ECS Service Connect -resource/aws_ecs_service: Add timeout configuration for ECS Service Connect +resource/aws_ecs_service: Add `service_connect_configuration.service.timeout` and `service_connect_configuration.service.tls` configuration blocks ``` \ No newline at end of file From d99168ab39a5cbeb8d0a1992482c2451f5674cab Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 12 Feb 2024 13:25:28 -0500 Subject: [PATCH 16/16] r/aws_ecs_service: Alphabetize attributes. --- internal/service/ecs/service.go | 46 ++++++++++++++++----------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/internal/service/ecs/service.go b/internal/service/ecs/service.go index 1a1f5e8ec30..cac4fc069ef 100644 --- a/internal/service/ecs/service.go +++ b/internal/service/ecs/service.go @@ -414,6 +414,25 @@ func ResourceService() *schema.Resource { Type: schema.TypeString, Required: true, }, + "timeout": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "idle_timeout_seconds": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 2147483647), + }, + "per_request_timeout_seconds": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 2147483647), + }, + }, + }, + }, "tls": { Type: schema.TypeList, Optional: true, @@ -446,25 +465,6 @@ func ResourceService() *schema.Resource { }, }, }, - "timeout": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "idle_timeout_seconds": { - Type: schema.TypeInt, - Optional: true, - ValidateFunc: validation.IntBetween(0, 2147483647), - }, - "per_request_timeout_seconds": { - Type: schema.TypeInt, - Optional: true, - ValidateFunc: validation.IntBetween(0, 2147483647), - }, - }, - }, - }, }, }, }, 
@@ -1492,14 +1492,14 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService { config.PortName = aws.String(v) } - if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 { - config.Tls = expandTLS(v) - } - if v, ok := raw["timeout"].([]interface{}); ok && len(v) > 0 { config.Timeout = expandTimeout(v) } + if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 { + config.Tls = expandTLS(v) + } + out = append(out, &config) }