Merge pull request #26274 from ddericco/f-aws_directconnect_connectio…

…n-macsec f-aws_directconnect_connection_macsec
hashicorp · Dec 19, 2022 · 8e36aaf · 8e36aaf
2 parents f7f3bb4 + 1a820f4
commit 8e36aaf
Show file tree

Hide file tree

Showing 10 changed files with 755 additions and 11 deletions.
diff --git a/.changelog/26274.txt b/.changelog/26274.txt
@@ -0,0 +1,11 @@
+```release-note:new-resource
+aws_dx_macsec_key_association
+```
+
+```release-note:enhancement
+resource/aws_dx_connection: Add `encryption_mode` and `request_macsec` arguments and `macsec_capable` and `port_encryption_status` attributes in support of [MACsec](https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html)
+```
+
+```release-note:enhancement
+resource/aws_dx_connection: Add `skip_destroy` argument
+```
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -1304,6 +1304,7 @@ func New(_ context.Context) (*schema.Provider, error) {
 			"aws_dx_hosted_transit_virtual_interface":          directconnect.ResourceHostedTransitVirtualInterface(),
 			"aws_dx_hosted_transit_virtual_interface_accepter": directconnect.ResourceHostedTransitVirtualInterfaceAccepter(),
 			"aws_dx_lag":                       directconnect.ResourceLag(),
+			"aws_dx_macsec_key_association":    directconnect.ResourceMacSecKeyAssociation(),
 			"aws_dx_private_virtual_interface": directconnect.ResourcePrivateVirtualInterface(),
 			"aws_dx_public_virtual_interface":  directconnect.ResourcePublicVirtualInterface(),
 			"aws_dx_transit_virtual_interface": directconnect.ResourceTransitVirtualInterface(),

diff --git a/internal/service/directconnect/connection.go b/internal/service/directconnect/connection.go
@@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/directconnect"
 	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
@@ -40,6 +41,13 @@ func ResourceConnection() *schema.Resource {
 				ForceNew:     true,
 				ValidateFunc: validConnectionBandWidth(),
 			},
+			// The MAC Security (MACsec) connection encryption mode.
+			"encryption_mode": {
+				Type:         schema.TypeString,
+				Computed:     true,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice([]string{"no_encrypt", "should_encrypt", "must_encrypt"}, false),
+			},
 			"has_logical_redundancy": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -53,6 +61,18 @@ func ResourceConnection() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			// Indicates whether the connection supports MAC Security (MACsec).
+			"macsec_capable": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			// Enable or disable MAC Security (MACsec) on this connection.
+			"request_macsec": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+				ForceNew: true,
+			},
 			"name": {
 				Type:     schema.TypeString,
 				Required: true,
@@ -62,12 +82,22 @@ func ResourceConnection() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			// The MAC Security (MACsec) port link status of the connection.
+			"port_encryption_status": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"provider_name": {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
 				ForceNew: true,
 			},
+			"skip_destroy": {
+				Type:     schema.TypeBool,
+				Default:  false,
+				Optional: true,
+			},
 			"tags":     tftags.TagsSchema(),
 			"tags_all": tftags.TagsSchemaComputed(),
 			"vlan_id": {
@@ -90,6 +120,7 @@ func resourceConnectionCreate(d *schema.ResourceData, meta interface{}) error {
 		Bandwidth:      aws.String(d.Get("bandwidth").(string)),
 		ConnectionName: aws.String(name),
 		Location:       aws.String(d.Get("location").(string)),
+		RequestMACSec:  aws.Bool(d.Get("request_macsec").(bool)),
 	}
 
 	if v, ok := d.GetOk("provider_name"); ok {
@@ -139,14 +170,23 @@ func resourceConnectionRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("arn", arn)
 	d.Set("aws_device", connection.AwsDeviceV2)
 	d.Set("bandwidth", connection.Bandwidth)
+	d.Set("encryption_mode", connection.EncryptionMode)
 	d.Set("has_logical_redundancy", connection.HasLogicalRedundancy)
 	d.Set("jumbo_frame_capable", connection.JumboFrameCapable)
 	d.Set("location", connection.Location)
+	d.Set("macsec_capable", connection.MacSecCapable)
 	d.Set("name", connection.ConnectionName)
 	d.Set("owner_account_id", connection.OwnerAccount)
+	d.Set("port_encryption_status", connection.PortEncryptionStatus)
 	d.Set("provider_name", connection.ProviderName)
 	d.Set("vlan_id", connection.Vlan)
 
+	// d.Set("request_macsec", d.Get("request_macsec").(bool))
+
+	if !d.IsNewResource() && !d.Get("request_macsec").(bool) {
+		d.Set("request_macsec", aws.Bool(false))
+	}
+
 	tags, err := ListTags(conn, arn)
 
 	if err != nil {
@@ -170,9 +210,26 @@ func resourceConnectionRead(d *schema.ResourceData, meta interface{}) error {
 func resourceConnectionUpdate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*conns.AWSClient).DirectConnectConn
 
-	arn := d.Get("arn").(string)
+	// Update encryption mode
+	if d.HasChange("encryption_mode") {
+		input := &directconnect.UpdateConnectionInput{
+			ConnectionId:   aws.String(d.Id()),
+			EncryptionMode: aws.String(d.Get("encryption_mode").(string)),
+		}
+		log.Printf("[DEBUG] Modifying Direct Connect connection attributes: %s", input)
+		_, err := conn.UpdateConnection(input)
+		if err != nil {
+			return fmt.Errorf("error modifying Direct Connect connection (%s) attributes: %s", d.Id(), err)
+		}
+
+		if _, err := waitConnectionConfirmed(conn, d.Id()); err != nil {
+			return fmt.Errorf("error waiting for Direct Connect connection (%s) to become available: %w", d.Id(), err)
+		}
+	}
+
 	if d.HasChange("tags_all") {
 		o, n := d.GetChange("tags_all")
+		arn := d.Get("arn").(string)
 
 		if err := UpdateTags(conn, arn, o, n); err != nil {
 			return fmt.Errorf("error updating Direct Connect Connection (%s) tags: %w", arn, err)
@@ -183,6 +240,11 @@ func resourceConnectionUpdate(d *schema.ResourceData, meta interface{}) error {
 }
 
 func resourceConnectionDelete(d *schema.ResourceData, meta interface{}) error {
+	if v, ok := d.GetOk("skip_destroy"); ok && v.(bool) {
+		log.Printf("[DEBUG] Retaining Direct Connect Connection: %s", d.Id())
+		return nil
+	}
+
 	conn := meta.(*conns.AWSClient).DirectConnectConn
 
 	return deleteConnection(conn, d.Id(), waitConnectionDeleted)