From 4f67f5cc3d643e9f11ed1f0944c025fa1c88d1c3 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 08:41:10 -0400 Subject: [PATCH 01/32] r/aws_db_security_group: Remove resource. --- .changelog/#####.txt | 3 + internal/service/rds/security_group.go | 316 ------------------ internal/service/rds/service_package_gen.go | 8 - .../docs/r/db_security_group.html.markdown | 61 ---- 4 files changed, 3 insertions(+), 385 deletions(-) create mode 100644 .changelog/#####.txt delete mode 100644 internal/service/rds/security_group.go delete mode 100644 website/docs/r/db_security_group.html.markdown diff --git a/.changelog/#####.txt b/.changelog/#####.txt new file mode 100644 index 00000000000..e35c354f37f --- /dev/null +++ b/.changelog/#####.txt @@ -0,0 +1,3 @@ +```release-note:breaking-change +provider: With the retirement of EC2-Classic the`aws_db_security_group` resource has been removed +``` \ No newline at end of file diff --git a/internal/service/rds/security_group.go b/internal/service/rds/security_group.go deleted file mode 100644 index c4afc8c981c..00000000000 --- a/internal/service/rds/security_group.go +++ /dev/null @@ -1,316 +0,0 @@ -package rds - -import ( - "bytes" - "context" - "fmt" - "log" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/rds" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/terraform-provider-aws/internal/conns" - "github.com/hashicorp/terraform-provider-aws/internal/create" - "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" - tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" - "github.com/hashicorp/terraform-provider-aws/internal/verify" - "github.com/hashicorp/terraform-provider-aws/names" -) - -// @SDKResource("aws_db_security_group", name="DB Security Group") -// @Tags(identifierAttribute="arn") -func ResourceSecurityGroup() *schema.Resource { - return &schema.Resource{ - CreateWithoutTimeout: resourceSecurityGroupCreate, - ReadWithoutTimeout: resourceSecurityGroupRead, - UpdateWithoutTimeout: resourceSecurityGroupUpdate, - DeleteWithoutTimeout: resourceSecurityGroupDelete, - Importer: &schema.ResourceImporter{ - StateContext: schema.ImportStatePassthroughContext, - }, - - Schema: map[string]*schema.Schema{ - "arn": { - Type: schema.TypeString, - Computed: true, - }, - - "name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - }, - - "description": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: "Managed by Terraform", - }, - - "ingress": { - Type: schema.TypeSet, - Required: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "cidr": { - Type: schema.TypeString, - Optional: true, - }, - - "security_group_name": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - - "security_group_id": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - - "security_group_owner_id": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - }, - }, - Set: resourceSecurityGroupIngressHash, - }, - - names.AttrTags: tftags.TagsSchema(), - names.AttrTagsAll: tftags.TagsSchemaComputed(), - }, - - CustomizeDiff: verify.SetTagsDiff, - - DeprecationMessage: `With the retirement of EC2-Classic the aws_db_security_group resource has been deprecated and will be removed in a future version.`, - } -} - -func resourceSecurityGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new RDS DB Security Groups can be created`) -} - -func resourceSecurityGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - - sg, err := resourceSecurityGroupRetrieve(ctx, d, meta) - if err != nil { - return sdkdiag.AppendErrorf(diags, "reading RDS DB Security Group (%s): %s", d.Id(), err) - } - - d.Set("name", sg.DBSecurityGroupName) - d.Set("description", sg.DBSecurityGroupDescription) - - // Create an empty schema.Set to hold all ingress rules - rules := &schema.Set{ - F: resourceSecurityGroupIngressHash, - } - - for _, v := range sg.IPRanges { - rule := map[string]interface{}{"cidr": *v.CIDRIP} - rules.Add(rule) - } - - for _, g := range sg.EC2SecurityGroups { - rule := map[string]interface{}{} - if g.EC2SecurityGroupId != nil { - rule["security_group_id"] = aws.StringValue(g.EC2SecurityGroupId) - } - if g.EC2SecurityGroupName != nil { - rule["security_group_name"] = aws.StringValue(g.EC2SecurityGroupName) - } - if g.EC2SecurityGroupOwnerId != nil { - rule["security_group_owner_id"] = aws.StringValue(g.EC2SecurityGroupOwnerId) - } - rules.Add(rule) - } - - d.Set("ingress", rules) - - arn := aws.StringValue(sg.DBSecurityGroupArn) - d.Set("arn", arn) - - return diags -} - -func resourceSecurityGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).RDSConn() - - if d.HasChange("ingress") { - sg, err := resourceSecurityGroupRetrieve(ctx, d, meta) - if err != nil { - return sdkdiag.AppendErrorf(diags, "updating RDS DB Security Group (%s): %s", d.Id(), err) - } - - oi, ni := d.GetChange("ingress") - if oi == nil { - oi = new(schema.Set) - } - if ni == nil { - ni = new(schema.Set) - } - - ois := oi.(*schema.Set) - nis := ni.(*schema.Set) - removeIngress := ois.Difference(nis).List() - newIngress := nis.Difference(ois).List() - - // DELETE old Ingress rules - for _, ing := range removeIngress { - err := resourceSecurityGroupRevokeRule(ctx, ing, *sg.DBSecurityGroupName, conn) - if err != nil { - return sdkdiag.AppendErrorf(diags, "updating RDS DB Security Group (%s): revoking ingress: %s", d.Id(), err) - } - } - - // ADD new/updated Ingress rules - for _, ing := range newIngress { - err := resourceSecurityGroupAuthorizeRule(ctx, ing, *sg.DBSecurityGroupName, conn) - if err != nil { - return sdkdiag.AppendErrorf(diags, "updating RDS DB Security Group (%s): authorizing ingress: %s", d.Id(), err) - } - } - } - - return append(diags, resourceSecurityGroupRead(ctx, d, meta)...) -} - -func resourceSecurityGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).RDSConn() - - log.Printf("[DEBUG] DB Security Group destroy: %v", d.Id()) - - opts := rds.DeleteDBSecurityGroupInput{DBSecurityGroupName: aws.String(d.Id())} - - _, err := conn.DeleteDBSecurityGroupWithContext(ctx, &opts) - if err != nil { - if tfawserr.ErrCodeEquals(err, "InvalidDBSecurityGroup.NotFound") { - return diags - } - return sdkdiag.AppendErrorf(diags, "deleting RDS DB Security Group (%s): %s", d.Id(), err) - } - - return diags -} - -func resourceSecurityGroupRetrieve(ctx context.Context, d *schema.ResourceData, meta interface{}) (*rds.DBSecurityGroup, error) { - conn := meta.(*conns.AWSClient).RDSConn() - - opts := rds.DescribeDBSecurityGroupsInput{ - DBSecurityGroupName: aws.String(d.Id()), - } - - log.Printf("[DEBUG] DB Security Group describe configuration: %#v", opts) - - resp, err := conn.DescribeDBSecurityGroupsWithContext(ctx, &opts) - if err != nil { - return nil, fmt.Errorf("Error retrieving DB Security Groups: %s", err) - } - - if len(resp.DBSecurityGroups) != 1 || - aws.StringValue(resp.DBSecurityGroups[0].DBSecurityGroupName) != d.Id() { - return nil, fmt.Errorf("Unable to find DB Security Group: %#v", resp.DBSecurityGroups) - } - - return resp.DBSecurityGroups[0], nil -} - -// Authorizes the ingress rule on the db security group -func resourceSecurityGroupAuthorizeRule(ctx context.Context, ingress interface{}, dbSecurityGroupName string, conn *rds.RDS) error { - ing := ingress.(map[string]interface{}) - - opts := rds.AuthorizeDBSecurityGroupIngressInput{ - DBSecurityGroupName: aws.String(dbSecurityGroupName), - } - - if attr, ok := ing["cidr"]; ok && attr != "" { - opts.CIDRIP = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_name"]; ok && attr != "" { - opts.EC2SecurityGroupName = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_id"]; ok && attr != "" { - opts.EC2SecurityGroupId = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_owner_id"]; ok && attr != "" { - opts.EC2SecurityGroupOwnerId = aws.String(attr.(string)) - } - - log.Printf("[DEBUG] Authorize ingress rule configuration: %#v", opts) - - _, err := conn.AuthorizeDBSecurityGroupIngressWithContext(ctx, &opts) - if err != nil { - return fmt.Errorf("Error authorizing security group ingress: %s", err) - } - - return nil -} - -// Revokes the ingress rule on the db security group -func resourceSecurityGroupRevokeRule(ctx context.Context, ingress interface{}, dbSecurityGroupName string, conn *rds.RDS) error { - ing := ingress.(map[string]interface{}) - - opts := rds.RevokeDBSecurityGroupIngressInput{ - DBSecurityGroupName: aws.String(dbSecurityGroupName), - } - - if attr, ok := ing["cidr"]; ok && attr != "" { - opts.CIDRIP = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_name"]; ok && attr != "" { - opts.EC2SecurityGroupName = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_id"]; ok && attr != "" { - opts.EC2SecurityGroupId = aws.String(attr.(string)) - } - - if attr, ok := ing["security_group_owner_id"]; ok && attr != "" { - opts.EC2SecurityGroupOwnerId = aws.String(attr.(string)) - } - - log.Printf("[DEBUG] Revoking ingress rule configuration: %#v", opts) - - _, err := conn.RevokeDBSecurityGroupIngressWithContext(ctx, &opts) - if err != nil { - return fmt.Errorf("Error revoking security group ingress: %s", err) - } - - return nil -} - -func resourceSecurityGroupIngressHash(v interface{}) int { - var buf bytes.Buffer - m := v.(map[string]interface{}) - - if v, ok := m["cidr"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - if v, ok := m["security_group_name"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - if v, ok := m["security_group_id"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - if v, ok := m["security_group_owner_id"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - return create.StringHashcode(buf.String()) -} diff --git a/internal/service/rds/service_package_gen.go b/internal/service/rds/service_package_gen.go index 64f2a8c6e40..b1972b05fef 100644 --- a/internal/service/rds/service_package_gen.go +++ b/internal/service/rds/service_package_gen.go @@ -154,14 +154,6 @@ func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePacka Factory: ResourceProxyTarget, TypeName: "aws_db_proxy_target", }, - { - Factory: ResourceSecurityGroup, - TypeName: "aws_db_security_group", - Name: "DB Security Group", - Tags: &types.ServicePackageResourceTags{ - IdentifierAttribute: "arn", - }, - }, { Factory: ResourceSnapshot, TypeName: "aws_db_snapshot", diff --git a/website/docs/r/db_security_group.html.markdown b/website/docs/r/db_security_group.html.markdown deleted file mode 100644 index cc05d7f9b71..00000000000 --- a/website/docs/r/db_security_group.html.markdown +++ /dev/null @@ -1,61 +0,0 @@ ---- -subcategory: "RDS (Relational Database)" -layout: "aws" -page_title: "AWS: aws_db_security_group" -description: |- - Provides an RDS security group resource. ---- - -# Resource: aws_db_security_group - -Provides an RDS security group resource. This is only for DB instances in the -EC2-Classic Platform. For instances inside a VPC, use the -[`aws_db_instance.vpc_security_group_ids`](/docs/providers/aws/r/db_instance.html#vpc_security_group_ids) -attribute instead. - -!> **WARNING:** With the retirement of EC2-Classic the `aws_db_security_group` resource has been deprecated and will be removed in a future version. Any existing resources can be removed from [Terraform state](https://www.terraform.io/language/state) using the [`terraform state rm`](https://www.terraform.io/cli/commands/state/rm#command-state-rm) command. - -## Example Usage - -```terraform -resource "aws_db_security_group" "default" { - name = "rds_sg" - - ingress { - cidr = "10.0.0.0/24" - } -} -``` - -## Argument Reference - -The following arguments are supported: - -* `name` - (Required) The name of the DB security group. -* `description` - (Optional) The description of the DB security group. Defaults to "Managed by Terraform". -* `ingress` - (Required) A list of ingress rules. -* `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. - -Ingress blocks support the following: - -* `cidr` - The CIDR block to accept -* `security_group_name` - The name of the security group to authorize -* `security_group_id` - The ID of the security group to authorize -* `security_group_owner_id` - The owner Id of the security group provided - by `security_group_name`. - -## Attributes Reference - -In addition to all arguments above, the following attributes are exported: - -* `id` - The db security group ID. -* `arn` - The arn of the DB security group. -* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block). - -## Import - -DB Security groups can be imported using the `name`, e.g., - -``` -$ terraform import aws_db_security_group.default aws_rds_sg-1 -``` From d9dcae57c57a9c457e4ff69b4e3c54284a12b878 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 08:49:52 -0400 Subject: [PATCH 02/32] r/aws_elasticache_security_group: Remove resource. --- .changelog/#####.txt | 4 + .../service/elasticache/security_group.go | 127 ------------------ .../elasticache/service_package_gen.go | 4 - internal/service/elasticache/sweep.go | 51 ------- .../elasticache_security_group.html.markdown | 56 -------- 5 files changed, 4 insertions(+), 238 deletions(-) delete mode 100644 internal/service/elasticache/security_group.go delete mode 100644 website/docs/r/elasticache_security_group.html.markdown diff --git a/.changelog/#####.txt b/.changelog/#####.txt index e35c354f37f..0e846273221 100644 --- a/.changelog/#####.txt +++ b/.changelog/#####.txt @@ -1,3 +1,7 @@ ```release-note:breaking-change provider: With the retirement of EC2-Classic the`aws_db_security_group` resource has been removed +``` + +```release-note:breaking-change +provider: With the retirement of EC2-Classic the`aws_elasticache_security_group` resource has been removed ``` \ No newline at end of file diff --git a/internal/service/elasticache/security_group.go b/internal/service/elasticache/security_group.go deleted file mode 100644 index 22d907b7d45..00000000000 --- a/internal/service/elasticache/security_group.go +++ /dev/null @@ -1,127 +0,0 @@ -package elasticache - -import ( - "context" - "log" - "time" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/elasticache" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/terraform-provider-aws/internal/conns" - "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" - "github.com/hashicorp/terraform-provider-aws/internal/tfresource" -) - -// @SDKResource("aws_elasticache_security_group") -func ResourceSecurityGroup() *schema.Resource { - return &schema.Resource{ - CreateWithoutTimeout: resourceSecurityGroupCreate, - ReadWithoutTimeout: resourceSecurityGroupRead, - DeleteWithoutTimeout: resourceSecurityGroupDelete, - Importer: &schema.ResourceImporter{ - StateContext: schema.ImportStatePassthroughContext, - }, - - Schema: map[string]*schema.Schema{ - "description": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: "Managed by Terraform", - }, - "name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - }, - "security_group_names": { - Type: schema.TypeSet, - Required: true, - ForceNew: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Set: schema.HashString, - }, - }, - - DeprecationMessage: `With the retirement of EC2-Classic the aws_elasticache_security_group resource has been deprecated and will be removed in a future version.`, - } -} - -func resourceSecurityGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new ElastiCache Security Groups can be created`) -} - -func resourceSecurityGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ElastiCacheConn() - req := &elasticache.DescribeCacheSecurityGroupsInput{ - CacheSecurityGroupName: aws.String(d.Id()), - } - - res, err := conn.DescribeCacheSecurityGroupsWithContext(ctx, req) - if err != nil { - return sdkdiag.AppendErrorf(diags, "reading ElastiCache Cache Security Group (%s): %s", d.Id(), err) - } - if len(res.CacheSecurityGroups) == 0 { - return sdkdiag.AppendErrorf(diags, "reading ElastiCache Cache Security Group (%s): empty response", d.Id()) - } - - var group *elasticache.CacheSecurityGroup - for _, g := range res.CacheSecurityGroups { - if aws.StringValue(g.CacheSecurityGroupName) == d.Id() { - group = g - } - } - if group == nil { - return sdkdiag.AppendErrorf(diags, "reading ElastiCache Cache Security Group (%s): not found", d.Id()) - } - - d.Set("name", group.CacheSecurityGroupName) - d.Set("description", group.Description) - - sgNames := make([]string, 0, len(group.EC2SecurityGroups)) - for _, sg := range group.EC2SecurityGroups { - sgNames = append(sgNames, *sg.EC2SecurityGroupName) - } - d.Set("security_group_names", sgNames) - - return diags -} - -func resourceSecurityGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ElastiCacheConn() - - log.Printf("[DEBUG] Cache security group delete: %s", d.Id()) - - err := retry.RetryContext(ctx, 5*time.Minute, func() *retry.RetryError { - _, err := conn.DeleteCacheSecurityGroupWithContext(ctx, &elasticache.DeleteCacheSecurityGroupInput{ - CacheSecurityGroupName: aws.String(d.Id()), - }) - - if tfawserr.ErrCodeEquals(err, "InvalidCacheSecurityGroupState", "DependencyViolation") { - return retry.RetryableError(err) - } - - if err != nil { - return retry.RetryableError(err) - } - - return nil - }) - - if tfresource.TimedOut(err) { - _, err = conn.DeleteCacheSecurityGroupWithContext(ctx, &elasticache.DeleteCacheSecurityGroupInput{ - CacheSecurityGroupName: aws.String(d.Id()), - }) - } - if err != nil { - return sdkdiag.AppendErrorf(diags, "deleting ElastiCache Cache Security Group (%s): %s", d.Id(), err) - } - return diags -} diff --git a/internal/service/elasticache/service_package_gen.go b/internal/service/elasticache/service_package_gen.go index f283ad5f5c1..1ea8e199433 100644 --- a/internal/service/elasticache/service_package_gen.go +++ b/internal/service/elasticache/service_package_gen.go @@ -70,10 +70,6 @@ func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePacka IdentifierAttribute: "arn", }, }, - { - Factory: ResourceSecurityGroup, - TypeName: "aws_elasticache_security_group", - }, { Factory: ResourceSubnetGroup, TypeName: "aws_elasticache_subnet_group", diff --git a/internal/service/elasticache/sweep.go b/internal/service/elasticache/sweep.go index f04eaf17e28..289eca1a5ef 100644 --- a/internal/service/elasticache/sweep.go +++ b/internal/service/elasticache/sweep.go @@ -55,15 +55,6 @@ func init() { }, }) - resource.AddTestSweepers("aws_elasticache_security_group", &resource.Sweeper{ - Name: "aws_elasticache_security_group", - F: sweepCacheSecurityGroups, - Dependencies: []string{ - "aws_elasticache_cluster", - "aws_elasticache_replication_group", - }, - }) - resource.AddTestSweepers("aws_elasticache_subnet_group", &resource.Sweeper{ Name: "aws_elasticache_subnet_group", F: sweepSubnetGroups, @@ -270,48 +261,6 @@ func sweepReplicationGroups(region string) error { return errs.ErrorOrNil() } -func sweepCacheSecurityGroups(region string) error { - ctx := sweep.Context(region) - client, err := sweep.SharedRegionalSweepClient(region) - if err != nil { - return fmt.Errorf("error getting client: %s", err) - } - conn := client.(*conns.AWSClient).ElastiCacheConn() - - err = conn.DescribeCacheSecurityGroupsPagesWithContext(ctx, &elasticache.DescribeCacheSecurityGroupsInput{}, func(page *elasticache.DescribeCacheSecurityGroupsOutput, lastPage bool) bool { - if len(page.CacheSecurityGroups) == 0 { - log.Print("[DEBUG] No ElastiCache Cache Security Groups to sweep") - return false - } - - for _, securityGroup := range page.CacheSecurityGroups { - name := aws.StringValue(securityGroup.CacheSecurityGroupName) - - if name == "default" { - log.Printf("[INFO] Skipping ElastiCache Cache Security Group: %s", name) - continue - } - - log.Printf("[INFO] Deleting ElastiCache Cache Security Group: %s", name) - _, err := conn.DeleteCacheSecurityGroupWithContext(ctx, &elasticache.DeleteCacheSecurityGroupInput{ - CacheSecurityGroupName: aws.String(name), - }) - if err != nil { - log.Printf("[ERROR] Failed to delete ElastiCache Cache Security Group (%s): %s", name, err) - } - } - return !lastPage - }) - if err != nil { - if sweep.SkipSweepError(err) { - log.Printf("[WARN] Skipping ElastiCache Cache Security Group sweep for %s: %s", region, err) - return nil - } - return fmt.Errorf("Error retrieving ElastiCache Cache Security Groups: %s", err) - } - return nil -} - func sweepSubnetGroups(region string) error { ctx := sweep.Context(region) client, err := sweep.SharedRegionalSweepClient(region) diff --git a/website/docs/r/elasticache_security_group.html.markdown b/website/docs/r/elasticache_security_group.html.markdown deleted file mode 100644 index 1ee2f5e7d43..00000000000 --- a/website/docs/r/elasticache_security_group.html.markdown +++ /dev/null @@ -1,56 +0,0 @@ ---- -subcategory: "ElastiCache" -layout: "aws" -page_title: "AWS: aws_elasticache_security_group" -description: |- - Provides an ElastiCache Security Group to control access to one or more cache clusters. ---- - -# Resource: aws_elasticache_security_group - -Provides an ElastiCache Security Group to control access to one or more cache -clusters. - -~> **NOTE:** ElastiCache Security Groups are for use only when working with an -ElastiCache cluster **outside** of a VPC. If you are using a VPC, see the -[ElastiCache Subnet Group resource](elasticache_subnet_group.html). - -!> **WARNING:** With the retirement of EC2-Classic the `aws_elasticache_security_group` resource has been deprecated and will be removed in a future version. Any existing resources can be removed from [Terraform state](https://www.terraform.io/language/state) using the [`terraform state rm`](https://www.terraform.io/cli/commands/state/rm#command-state-rm) command. - -## Example Usage - -```terraform -resource "aws_security_group" "bar" { - name = "security-group" -} - -resource "aws_elasticache_security_group" "bar" { - name = "elasticache-security-group" - security_group_names = [aws_security_group.bar.name] -} -``` - -## Argument Reference - -The following arguments are supported: - -* `name` – (Required) Name for the cache security group. This value is stored as a lowercase string. -* `description` – (Optional) description for the cache security group. Defaults to "Managed by Terraform". -* `security_group_names` – (Required) List of EC2 security group names to be -authorized for ingress to the cache security group - -## Attributes Reference - -In addition to all arguments above, the following attributes are exported: - -* `description` -* `name` -* `security_group_names` - -## Import - -ElastiCache Security Groups can be imported by name, e.g., - -``` -$ terraform import aws_elasticache_security_group.my_ec_security_group ec-security-group-1 -``` From 18bc3955c16044ac2f587c77249f60fda906c1ed Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 08:51:57 -0400 Subject: [PATCH 03/32] r/aws_redshift_security_group: Remove resource. --- .changelog/#####.txt | 4 + internal/service/redshift/security_group.go | 291 ------------------ .../service/redshift/service_package_gen.go | 4 - .../r/redshift_security_group.html.markdown | 54 ---- 4 files changed, 4 insertions(+), 349 deletions(-) delete mode 100644 internal/service/redshift/security_group.go delete mode 100644 website/docs/r/redshift_security_group.html.markdown diff --git a/.changelog/#####.txt b/.changelog/#####.txt index 0e846273221..0c2f05c0caa 100644 --- a/.changelog/#####.txt +++ b/.changelog/#####.txt @@ -4,4 +4,8 @@ provider: With the retirement of EC2-Classic the`aws_db_security_group` resource ```release-note:breaking-change provider: With the retirement of EC2-Classic the`aws_elasticache_security_group` resource has been removed +``` + +```release-note:breaking-change +provider: With the retirement of EC2-Classic the`aws_redshift_security_group` resource has been removed ``` \ No newline at end of file diff --git a/internal/service/redshift/security_group.go b/internal/service/redshift/security_group.go deleted file mode 100644 index bc859c8e7ed..00000000000 --- a/internal/service/redshift/security_group.go +++ /dev/null @@ -1,291 +0,0 @@ -package redshift - -import ( - "bytes" - "context" - "fmt" - "log" - "regexp" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/redshift" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" - "github.com/hashicorp/terraform-provider-aws/internal/conns" - "github.com/hashicorp/terraform-provider-aws/internal/create" - "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" - "github.com/hashicorp/terraform-provider-aws/internal/tfresource" -) - -// @SDKResource("aws_redshift_security_group") -func ResourceSecurityGroup() *schema.Resource { - return &schema.Resource{ - CreateWithoutTimeout: resourceSecurityGroupCreate, - ReadWithoutTimeout: resourceSecurityGroupRead, - UpdateWithoutTimeout: resourceSecurityGroupUpdate, - DeleteWithoutTimeout: resourceSecurityGroupDelete, - Importer: &schema.ResourceImporter{ - StateContext: schema.ImportStatePassthroughContext, - }, - - Schema: map[string]*schema.Schema{ - "name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.All( - validation.StringLenBetween(1, 255), - validation.StringNotInSlice([]string{"default"}, false), - validation.StringMatch(regexp.MustCompile(`^[0-9a-z-]+$`), "must contain only lowercase alphanumeric characters and hyphens"), - ), - }, - - "description": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: "Managed by Terraform", - }, - - "ingress": { - Type: schema.TypeSet, - Required: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "cidr": { - Type: schema.TypeString, - Optional: true, - }, - - "security_group_name": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - - "security_group_owner_id": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - }, - }, - Set: resourceSecurityGroupIngressHash, - }, - }, - - DeprecationMessage: `With the retirement of EC2-Classic the aws_redshift_security_group resource has been deprecated and will be removed in a future version.`, - } -} - -func resourceSecurityGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new Redshift Security Groups can be created`) -} - -func resourceSecurityGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - sg, err := resourceSecurityGroupRetrieve(ctx, d, meta) - if err != nil { - return sdkdiag.AppendErrorf(diags, "reading Redshift Security Group (%s): %s", d.Id(), err) - } - - rules := &schema.Set{ - F: resourceSecurityGroupIngressHash, - } - - for _, v := range sg.IPRanges { - rule := map[string]interface{}{"cidr": aws.StringValue(v.CIDRIP)} - rules.Add(rule) - } - - for _, g := range sg.EC2SecurityGroups { - rule := map[string]interface{}{ - "security_group_name": aws.StringValue(g.EC2SecurityGroupName), - "security_group_owner_id": aws.StringValue(g.EC2SecurityGroupOwnerId), - } - rules.Add(rule) - } - - d.Set("ingress", rules) - d.Set("name", sg.ClusterSecurityGroupName) - d.Set("description", sg.Description) - - return diags -} - -func resourceSecurityGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).RedshiftConn() - - if d.HasChange("ingress") { - o, n := d.GetChange("ingress") - if o == nil { - o = new(schema.Set) - } - if n == nil { - n = new(schema.Set) - } - - os := o.(*schema.Set) - ns := n.(*schema.Set) - - removeIngressRules := expandSGRevokeIngress(os.Difference(ns).List()) - if len(removeIngressRules) > 0 { - for _, r := range removeIngressRules { - r.ClusterSecurityGroupName = aws.String(d.Id()) - - _, err := conn.RevokeClusterSecurityGroupIngressWithContext(ctx, &r) - if err != nil { - return sdkdiag.AppendErrorf(diags, "updating Redshift Security Group (%s): revoking ingress: %s", d.Id(), err) - } - } - } - - addIngressRules := expandSGAuthorizeIngress(ns.Difference(os).List()) - if len(addIngressRules) > 0 { - for _, r := range addIngressRules { - r.ClusterSecurityGroupName = aws.String(d.Id()) - - _, err := conn.AuthorizeClusterSecurityGroupIngressWithContext(ctx, &r) - if err != nil { - return sdkdiag.AppendErrorf(diags, "updating Redshift Security Group (%s): authorizing ingress: %s", d.Id(), err) - } - } - } - } - return append(diags, resourceSecurityGroupRead(ctx, d, meta)...) -} - -func resourceSecurityGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).RedshiftConn() - - log.Printf("[DEBUG] Redshift Security Group destroy: %v", d.Id()) - opts := redshift.DeleteClusterSecurityGroupInput{ - ClusterSecurityGroupName: aws.String(d.Id()), - } - - _, err := conn.DeleteClusterSecurityGroupWithContext(ctx, &opts) - - if tfawserr.ErrCodeEquals(err, "InvalidRedshiftSecurityGroup.NotFound") { - return diags - } - - if err != nil { - return sdkdiag.AppendErrorf(diags, "deleting Redshift Security Group (%s): %s", d.Id(), err) - } - - return diags -} - -func resourceSecurityGroupRetrieve(ctx context.Context, d *schema.ResourceData, meta interface{}) (*redshift.ClusterSecurityGroup, error) { - conn := meta.(*conns.AWSClient).RedshiftConn() - - opts := redshift.DescribeClusterSecurityGroupsInput{ - ClusterSecurityGroupName: aws.String(d.Id()), - } - - resp, err := conn.DescribeClusterSecurityGroupsWithContext(ctx, &opts) - if err != nil { - return nil, &retry.NotFoundError{ - LastError: err, - LastRequest: opts, - } - } - - if len(resp.ClusterSecurityGroups) == 0 || resp.ClusterSecurityGroups[0] == nil { - return nil, tfresource.NewEmptyResultError(opts) - } - - if l := len(resp.ClusterSecurityGroups); l > 1 { - return nil, tfresource.NewTooManyResultsError(l, opts) - } - - result := resp.ClusterSecurityGroups[0] - if aws.StringValue(result.ClusterSecurityGroupName) != d.Id() { - return nil, &retry.NotFoundError{ - LastRequest: opts, - } - } - - return result, nil -} - -func resourceSecurityGroupIngressHash(v interface{}) int { - var buf bytes.Buffer - m := v.(map[string]interface{}) - - if v, ok := m["cidr"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - if v, ok := m["security_group_name"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - if v, ok := m["security_group_owner_id"]; ok { - buf.WriteString(fmt.Sprintf("%s-", v.(string))) - } - - return create.StringHashcode(buf.String()) -} - -func expandSGAuthorizeIngress(configured []interface{}) []redshift.AuthorizeClusterSecurityGroupIngressInput { - var ingress []redshift.AuthorizeClusterSecurityGroupIngressInput - - // Loop over our configured parameters and create - // an array of aws-sdk-go compatible objects - for _, pRaw := range configured { - data := pRaw.(map[string]interface{}) - - i := redshift.AuthorizeClusterSecurityGroupIngressInput{} - - if v, ok := data["cidr"]; ok { - i.CIDRIP = aws.String(v.(string)) - } - - if v, ok := data["security_group_name"]; ok { - i.EC2SecurityGroupName = aws.String(v.(string)) - } - - if v, ok := data["security_group_owner_id"]; ok { - i.EC2SecurityGroupOwnerId = aws.String(v.(string)) - } - - ingress = append(ingress, i) - } - - return ingress -} - -func expandSGRevokeIngress(configured []interface{}) []redshift.RevokeClusterSecurityGroupIngressInput { - var ingress []redshift.RevokeClusterSecurityGroupIngressInput - - // Loop over our configured parameters and create - // an array of aws-sdk-go compatible objects - for _, pRaw := range configured { - data := pRaw.(map[string]interface{}) - - i := redshift.RevokeClusterSecurityGroupIngressInput{} - - if v, ok := data["cidr"]; ok { - i.CIDRIP = aws.String(v.(string)) - } - - if v, ok := data["security_group_name"]; ok { - i.EC2SecurityGroupName = aws.String(v.(string)) - } - - if v, ok := data["security_group_owner_id"]; ok { - i.EC2SecurityGroupOwnerId = aws.String(v.(string)) - } - - ingress = append(ingress, i) - } - - return ingress -} diff --git a/internal/service/redshift/service_package_gen.go b/internal/service/redshift/service_package_gen.go index 0f0c4482504..826d1bb73b1 100644 --- a/internal/service/redshift/service_package_gen.go +++ b/internal/service/redshift/service_package_gen.go @@ -118,10 +118,6 @@ func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePacka Factory: ResourceScheduledAction, TypeName: "aws_redshift_scheduled_action", }, - { - Factory: ResourceSecurityGroup, - TypeName: "aws_redshift_security_group", - }, { Factory: ResourceSnapshotCopyGrant, TypeName: "aws_redshift_snapshot_copy_grant", diff --git a/website/docs/r/redshift_security_group.html.markdown b/website/docs/r/redshift_security_group.html.markdown deleted file mode 100644 index e152e7fb2dd..00000000000 --- a/website/docs/r/redshift_security_group.html.markdown +++ /dev/null @@ -1,54 +0,0 @@ ---- -subcategory: "Redshift" -layout: "aws" -page_title: "AWS: aws_redshift_security_group" -description: |- - Provides a Redshift security group resource. ---- - -# Resource: aws_redshift_security_group - -Creates a new Amazon Redshift security group. You use security groups to control access to non-VPC clusters. - -!> **WARNING:** With the retirement of EC2-Classic the `aws_redshift_security_group` resource has been deprecated and will be removed in a future version. Any existing resources can be removed from [Terraform state](https://www.terraform.io/language/state) using the [`terraform state rm`](https://www.terraform.io/cli/commands/state/rm#command-state-rm) command. - -## Example Usage - -```terraform -resource "aws_redshift_security_group" "default" { - name = "redshift-sg" - - ingress { - cidr = "10.0.0.0/24" - } -} -``` - -## Argument Reference - -The following arguments are supported: - -* `name` - (Required) The name of the Redshift security group. -* `description` - (Optional) The description of the Redshift security group. Defaults to "Managed by Terraform". -* `ingress` - (Optional) A list of ingress rules. - -Ingress blocks support the following: - -* `cidr` - The CIDR block to accept -* `security_group_name` - The name of the security group to authorize -* `security_group_owner_id` - The owner Id of the security group provided - by `security_group_name`. - -## Attributes Reference - -In addition to all arguments above, the following attributes are exported: - -* `id` - The Redshift security group ID. - -## Import - -Redshift security groups can be imported using the `name`, e.g., - -``` -$ terraform import aws_redshift_security_group.testgroup1 redshift_test_group -``` From 491377d145697aafa2b99da4c3cf4dad6f534df0 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 11:54:13 -0400 Subject: [PATCH 04/32] r/aws_db_instance: Remove 'security_group_names'. --- .changelog/#####.txt | 4 ++++ internal/service/rds/instance.go | 22 ---------------------- website/docs/r/db_instance.html.markdown | 3 --- 3 files changed, 4 insertions(+), 25 deletions(-) diff --git a/.changelog/#####.txt b/.changelog/#####.txt index 0c2f05c0caa..ae195ede2a6 100644 --- a/.changelog/#####.txt +++ b/.changelog/#####.txt @@ -8,4 +8,8 @@ provider: With the retirement of EC2-Classic the`aws_elasticache_security_group` ```release-note:breaking-change provider: With the retirement of EC2-Classic the`aws_redshift_security_group` resource has been removed +``` + +```release-note:breaking-change +resource/aws_db_instance: With the retirement of EC2-Classic the`security_group_names` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/rds/instance.go b/internal/service/rds/instance.go index 6973a477a14..859b397c4bd 100644 --- a/internal/service/rds/instance.go +++ b/internal/service/rds/instance.go @@ -544,12 +544,6 @@ func ResourceInstance() *schema.Resource { }, }, }, - "security_group_names": { - Type: schema.TypeSet, - Optional: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Deprecated: `With the retirement of EC2-Classic the security_group_names attribute has been deprecated and will be removed in a future version.`, - }, "skip_final_snapshot": { Type: schema.TypeBool, Optional: true, @@ -636,10 +630,6 @@ func resourceInstanceCreate(ctx context.Context, d *schema.ResourceData, meta in var diags diag.Diagnostics conn := meta.(*conns.AWSClient).RDSConn() - if v, ok := d.GetOk("security_group_names"); ok && v.(*schema.Set).Len() > 0 { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new RDS DB Instances can be created referencing RDS DB Security Groups`) - } - // Some API calls (e.g. CreateDBInstanceReadReplica and // RestoreDBInstanceFromDBSnapshot do not support all parameters to // correctly apply all settings in one pass. For missing parameters or @@ -1526,10 +1516,6 @@ func resourceInstanceCreate(ctx context.Context, d *schema.ResourceData, meta in input.Port = aws.Int64(int64(v.(int))) } - if v := d.Get("security_group_names").(*schema.Set); v.Len() > 0 { - input.DBSecurityGroups = flex.ExpandStringSet(v) - } - if v, ok := d.GetOk("storage_throughput"); ok { input.StorageThroughput = aws.Int64(int64(v.(int))) } @@ -1708,7 +1694,6 @@ func resourceInstanceRead(ctx context.Context, d *schema.ResourceData, meta inte for _, v := range v.DBSecurityGroups { securityGroupNames = append(securityGroupNames, aws.StringValue(v.DBSecurityGroupName)) } - d.Set("security_group_names", securityGroupNames) d.Set("status", v.DBInstanceStatus) d.Set("storage_encrypted", v.StorageEncrypted) d.Set("storage_throughput", v.StorageThroughput) @@ -2141,13 +2126,6 @@ func dbInstancePopulateModify(input *rds_sdkv2.ModifyDBInstanceInput, d *schema. input.ReplicaMode = types.ReplicaMode(d.Get("replica_mode").(string)) } - if d.HasChange("security_group_names") { - if v := d.Get("security_group_names").(*schema.Set); v.Len() > 0 { - needsModify = true - input.DBSecurityGroups = flex.ExpandStringValueSet(v) - } - } - if d.HasChange("storage_throughput") { needsModify = true input.StorageThroughput = aws.Int32(int32(d.Get("storage_throughput").(int))) diff --git a/website/docs/r/db_instance.html.markdown b/website/docs/r/db_instance.html.markdown index 999ed9a2b28..37789ad7072 100644 --- a/website/docs/r/db_instance.html.markdown +++ b/website/docs/r/db_instance.html.markdown @@ -236,9 +236,6 @@ PostgreSQL and MySQL Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest for more information on using Replication. * `restore_to_point_in_time` - (Optional, Forces new resource) A configuration block for restoring a DB instance to an arbitrary point in time. Requires the `identifier` argument to be set with the name of the new DB instance to be created. See [Restore To Point In Time](#restore-to-point-in-time) below for details. * `s3_import` - (Optional) Restore from a Percona Xtrabackup in S3. See [Importing Data into an Amazon RDS MySQL DB Instance](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MySQL.Procedural.Importing.html) -* `security_group_names` - (Optional/Deprecated) List of DB Security Groups to -associate. Only used for [DB Instances on the _EC2-Classic_ -Platform](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html#USER_VPC.FindDefaultVPC). * `skip_final_snapshot` - (Optional) Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB From 04394188703d21811d2cd63cf09671696b4f49fc Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 12:00:35 -0400 Subject: [PATCH 05/32] d/aws_db_instance: Remove 'db_security_groups'. --- .changelog/#####.txt | 4 ++++ internal/service/rds/instance_data_source.go | 6 ------ website/docs/d/db_instance.html.markdown | 1 - 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.changelog/#####.txt b/.changelog/#####.txt index ae195ede2a6..b26f9daabd7 100644 --- a/.changelog/#####.txt +++ b/.changelog/#####.txt @@ -12,4 +12,8 @@ provider: With the retirement of EC2-Classic the`aws_redshift_security_group` re ```release-note:breaking-change resource/aws_db_instance: With the retirement of EC2-Classic the`security_group_names` attribute has been removed +``` + +```release-note:breaking-change +data-source/aws_db_instance: With the retirement of EC2-Classic the`db_security_groups` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/rds/instance_data_source.go b/internal/service/rds/instance_data_source.go index e54ac9e9952..e601bb5de59 100644 --- a/internal/service/rds/instance_data_source.go +++ b/internal/service/rds/instance_data_source.go @@ -74,11 +74,6 @@ func DataSourceInstance() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "db_security_groups": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - }, "db_subnet_group": { Type: schema.TypeString, Computed: true, @@ -241,7 +236,6 @@ func dataSourceInstanceRead(ctx context.Context, d *schema.ResourceData, meta in for _, v := range v.DBSecurityGroups { securityGroupNames = append(securityGroupNames, aws.StringValue(v.DBSecurityGroupName)) } - d.Set("db_security_groups", securityGroupNames) if v.DBSubnetGroup != nil { d.Set("db_subnet_group", v.DBSubnetGroup.DBSubnetGroupName) } else { diff --git a/website/docs/d/db_instance.html.markdown b/website/docs/d/db_instance.html.markdown index fea67df5541..c86f1326cab 100644 --- a/website/docs/d/db_instance.html.markdown +++ b/website/docs/d/db_instance.html.markdown @@ -38,7 +38,6 @@ In addition to all arguments above, the following attributes are exported: * `db_instance_class` - Contains the name of the compute and memory capacity class of the DB instance. * `db_name` - Contains the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created. This same name is returned for the life of the DB instance. * `db_parameter_groups` - Provides the list of DB parameter groups applied to this DB instance. -* `db_security_groups` - Provides List of DB security groups associated to this DB instance. * `db_subnet_group` - Name of the subnet group associated with the DB instance. * `db_instance_port` - Port that the DB instance listens on. * `enabled_cloudwatch_logs_exports` - List of log types to export to cloudwatch. From a2d67ef2bd1821b6b18655d2e37b4d03d73cbd39 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 12:21:55 -0400 Subject: [PATCH 06/32] r/aws_elasticache_cluster: Remove 'security_group_names'. --- .changelog/#####.txt | 4 ++++ internal/service/elasticache/cluster.go | 16 ---------------- website/docs/r/elasticache_cluster.html.markdown | 1 - 3 files changed, 4 insertions(+), 17 deletions(-) diff --git a/.changelog/#####.txt b/.changelog/#####.txt index b26f9daabd7..80d14ae0619 100644 --- a/.changelog/#####.txt +++ b/.changelog/#####.txt @@ -16,4 +16,8 @@ resource/aws_db_instance: With the retirement of EC2-Classic the`security_group_ ```release-note:breaking-change data-source/aws_db_instance: With the retirement of EC2-Classic the`db_security_groups` attribute has been removed +``` + +```release-note:breaking-change +resource/aws_elasticache_cluster: With the retirement of EC2-Classic the`security_group_names` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/elasticache/cluster.go b/internal/service/elasticache/cluster.go index 8f0ea3be310..3e7655fc198 100644 --- a/internal/service/elasticache/cluster.go +++ b/internal/service/elasticache/cluster.go @@ -273,7 +273,6 @@ func ResourceCluster() *schema.Resource { "parameter_group_name", "port", "security_group_ids", - "security_group_names", "snapshot_arns", "snapshot_name", "snapshot_retention_limit", @@ -287,14 +286,6 @@ func ResourceCluster() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "security_group_names": { - Type: schema.TypeSet, - Optional: true, - Computed: true, - ForceNew: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Deprecated: `With the retirement of EC2-Classic the security_group_names attribute has been deprecated and will be removed in a future version.`, - }, "snapshot_arns": { Type: schema.TypeList, MaxItems: 1, @@ -350,10 +341,6 @@ func resourceClusterCreate(ctx context.Context, d *schema.ResourceData, meta int var diags diag.Diagnostics conn := meta.(*conns.AWSClient).ElastiCacheConn() - if v, ok := d.GetOk("security_group_names"); ok && v.(*schema.Set).Len() > 0 { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new ElastiCache Clusters can be created referencing ElastiCache Security Groups`) - } - input := &elasticache.CreateCacheClusterInput{ Tags: GetTagsIn(ctx), } @@ -571,9 +558,6 @@ func setFromCacheCluster(d *schema.ResourceData, c *elasticache.CacheCluster) er d.Set("auto_minor_version_upgrade", strconv.FormatBool(aws.BoolValue(c.AutoMinorVersionUpgrade))) d.Set("subnet_group_name", c.CacheSubnetGroupName) - if err := d.Set("security_group_names", flattenSecurityGroupNames(c.CacheSecurityGroups)); err != nil { - return fmt.Errorf("setting security_group_names: %w", err) - } if err := d.Set("security_group_ids", flattenSecurityGroupIDs(c.SecurityGroups)); err != nil { return fmt.Errorf("setting security_group_ids: %w", err) } diff --git a/website/docs/r/elasticache_cluster.html.markdown b/website/docs/r/elasticache_cluster.html.markdown index 2b711f45bb1..b683d44c438 100644 --- a/website/docs/r/elasticache_cluster.html.markdown +++ b/website/docs/r/elasticache_cluster.html.markdown @@ -174,7 +174,6 @@ The minimum maintenance window is a 60 minute period. Example: `sun:05:00-sun:09 * `preferred_outpost_arn` - (Optional, Required if `outpost_mode` is specified) The outpost ARN in which the cache cluster will be created. * `replication_group_id` - (Optional, Required if `engine` is not specified) ID of the replication group to which this cluster should belong. If this parameter is specified, the cluster is added to the specified replication group as a read replica; otherwise, the cluster is a standalone primary that is not part of any replication group. * `security_group_ids` – (Optional, VPC only) One or more VPC security groups associated with the cache cluster -* `security_group_names` – (Optional, EC2 Classic only) List of security group names to associate with this cache cluster. Changing this value will re-create the resource. * `snapshot_arns` – (Optional, Redis only) Single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. The object name cannot contain any commas. Changing `snapshot_arns` forces a new resource. * `snapshot_name` - (Optional, Redis only) Name of a snapshot from which to restore data into the new node group. Changing `snapshot_name` forces a new resource. * `snapshot_retention_limit` - (Optional, Redis only) Number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. For example, if you set SnapshotRetentionLimit to 5, then a snapshot that was taken today will be retained for 5 days before being deleted. If the value of SnapshotRetentionLimit is set to zero (0), backups are turned off. Please note that setting a `snapshot_retention_limit` is not supported on cache.t1.micro cache nodes From 6a2def143ec689c1eed31e94789cffcd44b67e10 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 12:29:20 -0400 Subject: [PATCH 07/32] Correct CHANGELOG file name. --- .changelog/{#####.txt => 30966.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .changelog/{#####.txt => 30966.txt} (100%) diff --git a/.changelog/#####.txt b/.changelog/30966.txt similarity index 100% rename from .changelog/#####.txt rename to .changelog/30966.txt From ede2b395750d835482625277abb80cab992f7e64 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 12:38:53 -0400 Subject: [PATCH 08/32] Remove mention of 'EC2 Classic' and dead link. --- website/docs/r/elasticache_subnet_group.html.markdown | 4 ---- 1 file changed, 4 deletions(-) diff --git a/website/docs/r/elasticache_subnet_group.html.markdown b/website/docs/r/elasticache_subnet_group.html.markdown index dc244305957..a9ff48588ed 100644 --- a/website/docs/r/elasticache_subnet_group.html.markdown +++ b/website/docs/r/elasticache_subnet_group.html.markdown @@ -10,10 +10,6 @@ description: |- Provides an ElastiCache Subnet Group resource. -~> **NOTE:** ElastiCache Subnet Groups are only for use when working with an -ElastiCache cluster **inside** of a VPC. If you are on EC2 Classic, see the -[ElastiCache Security Group resource](elasticache_security_group.html). - ## Example Usage ```terraform From dde358356a9ad48b86b5938268b797d09d9cf404 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 12:43:19 -0400 Subject: [PATCH 09/32] d/aws_elasticache_cluster: Remove 'security_group_names'. --- .changelog/30966.txt | 16 ++++++++++------ .../service/elasticache/cluster_data_source.go | 6 ------ .../elasticache/cluster_data_source_test.go | 2 +- internal/service/elasticache/flex.go | 10 ---------- website/docs/d/elasticache_cluster.html.markdown | 1 - 5 files changed, 11 insertions(+), 24 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 80d14ae0619..01512ee2420 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -1,23 +1,27 @@ ```release-note:breaking-change -provider: With the retirement of EC2-Classic the`aws_db_security_group` resource has been removed +provider: With the retirement of EC2-Classic the `aws_db_security_group` resource has been removed ``` ```release-note:breaking-change -provider: With the retirement of EC2-Classic the`aws_elasticache_security_group` resource has been removed +provider: With the retirement of EC2-Classic the `aws_elasticache_security_group` resource has been removed ``` ```release-note:breaking-change -provider: With the retirement of EC2-Classic the`aws_redshift_security_group` resource has been removed +provider: With the retirement of EC2-Classic the `aws_redshift_security_group` resource has been removed ``` ```release-note:breaking-change -resource/aws_db_instance: With the retirement of EC2-Classic the`security_group_names` attribute has been removed +resource/aws_db_instance: With the retirement of EC2-Classic the `security_group_names` attribute has been removed ``` ```release-note:breaking-change -data-source/aws_db_instance: With the retirement of EC2-Classic the`db_security_groups` attribute has been removed +data-source/aws_db_instance: With the retirement of EC2-Classic the `db_security_groups` attribute has been removed ``` ```release-note:breaking-change -resource/aws_elasticache_cluster: With the retirement of EC2-Classic the`security_group_names` attribute has been removed +resource/aws_elasticache_cluster: With the retirement of EC2-Classic the `security_group_names` attribute has been removed +``` + +```release-note:breaking-change +data-source/aws_elasticache_cluster: With the retirement of EC2-Classic the `security_group_names` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/elasticache/cluster_data_source.go b/internal/service/elasticache/cluster_data_source.go index 128aab3fe52..56bdc756b87 100644 --- a/internal/service/elasticache/cluster_data_source.go +++ b/internal/service/elasticache/cluster_data_source.go @@ -151,11 +151,6 @@ func DataSourceCluster() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "security_group_names": { - Type: schema.TypeSet, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - }, "snapshot_retention_limit": { Type: schema.TypeInt, Computed: true, @@ -198,7 +193,6 @@ func dataSourceClusterRead(ctx context.Context, d *schema.ResourceData, meta int d.Set("ip_discovery", cluster.IpDiscovery) d.Set("network_type", cluster.NetworkType) d.Set("preferred_outpost_arn", cluster.PreferredOutpostArn) - d.Set("security_group_names", flattenSecurityGroupNames(cluster.CacheSecurityGroups)) d.Set("security_group_ids", flattenSecurityGroupIDs(cluster.SecurityGroups)) if cluster.CacheParameterGroup != nil { diff --git a/internal/service/elasticache/cluster_data_source_test.go b/internal/service/elasticache/cluster_data_source_test.go index 9fb26eeecaf..66933858e75 100644 --- a/internal/service/elasticache/cluster_data_source_test.go +++ b/internal/service/elasticache/cluster_data_source_test.go @@ -10,7 +10,7 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/acctest" ) -func TestAccElastiCacheClusterDataSource_Data_basic(t *testing.T) { +func TestAccElastiCacheClusterDataSource_basic(t *testing.T) { ctx := acctest.Context(t) if testing.Short() { t.Skip("skipping long-running test in short mode") diff --git a/internal/service/elasticache/flex.go b/internal/service/elasticache/flex.go index 582ca3f6991..87fa713d7f5 100644 --- a/internal/service/elasticache/flex.go +++ b/internal/service/elasticache/flex.go @@ -15,16 +15,6 @@ func flattenSecurityGroupIDs(securityGroups []*elasticache.SecurityGroupMembersh return result } -func flattenSecurityGroupNames(securityGroups []*elasticache.CacheSecurityGroupMembership) []string { - result := make([]string, 0, len(securityGroups)) - for _, sg := range securityGroups { - if sg.CacheSecurityGroupName != nil { - result = append(result, *sg.CacheSecurityGroupName) - } - } - return result -} - func flattenLogDeliveryConfigurations(logDeliveryConfiguration []*elasticache.LogDeliveryConfiguration) []map[string]interface{} { if len(logDeliveryConfiguration) == 0 { return nil diff --git a/website/docs/d/elasticache_cluster.html.markdown b/website/docs/d/elasticache_cluster.html.markdown index 9718dcfc6a3..b10e4f347b5 100644 --- a/website/docs/d/elasticache_cluster.html.markdown +++ b/website/docs/d/elasticache_cluster.html.markdown @@ -35,7 +35,6 @@ In addition to all arguments above, the following attributes are exported: * `ip_discovery` - The IP version advertised in the discovery protocol. * `network_type` - The IP versions for cache cluster connections. * `subnet_group_name` – Name of the subnet group associated to the cache cluster. -* `security_group_names` – List of security group names associated with this cache cluster. * `security_group_ids` – List VPC security groups associated with the cache cluster. * `parameter_group_name` – Name of the parameter group associated with this cache cluster. * `replication_group_id` - The replication group to which this cache cluster belongs. From dea5e9134fd7bae095250891c4ad11a54c4dc7df Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 13:38:59 -0400 Subject: [PATCH 10/32] r/aws_redshift_cluster: Remove 'cluster_security_groups'. --- .changelog/30966.txt | 4 ++++ internal/service/redshift/cluster.go | 22 ------------------- website/docs/r/redshift_cluster.html.markdown | 2 -- 3 files changed, 4 insertions(+), 24 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 01512ee2420..eb9957d7325 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -24,4 +24,8 @@ resource/aws_elasticache_cluster: With the retirement of EC2-Classic the `securi ```release-note:breaking-change data-source/aws_elasticache_cluster: With the retirement of EC2-Classic the `security_group_names` attribute has been removed +``` + +```release-note:breaking-change +resource/aws_redshift_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/redshift/cluster.go b/internal/service/redshift/cluster.go index c158355e0de..da9e65126b8 100644 --- a/internal/service/redshift/cluster.go +++ b/internal/service/redshift/cluster.go @@ -126,13 +126,6 @@ func ResourceCluster() *schema.Resource { Optional: true, Computed: true, }, - "cluster_security_groups": { - Type: schema.TypeSet, - Optional: true, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Deprecated: `With the retirement of EC2-Classic the cluster_security_groups attribute has been deprecated and will be removed in a future version.`, - }, "cluster_subnet_group_name": { Type: schema.TypeString, Optional: true, @@ -393,10 +386,6 @@ func resourceClusterCreate(ctx context.Context, d *schema.ResourceData, meta int var diags diag.Diagnostics conn := meta.(*conns.AWSClient).RedshiftConn() - if v, ok := d.GetOk("cluster_security_groups"); ok && v.(*schema.Set).Len() > 0 { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new Redshift Clusters can be created referencing Redshift Security Groups`) - } - clusterID := d.Get("cluster_identifier").(string) backupInput := &redshift.RestoreFromClusterSnapshotInput{ AllowVersionUpgrade: aws.Bool(d.Get("allow_version_upgrade").(bool)), @@ -664,13 +653,6 @@ func resourceClusterRead(ctx context.Context, d *schema.ResourceData, meta inter var apiList []*string - for _, clusterSecurityGroup := range rsc.ClusterSecurityGroups { - apiList = append(apiList, clusterSecurityGroup.ClusterSecurityGroupName) - } - d.Set("cluster_security_groups", aws.StringValueSlice(apiList)) - - apiList = nil - for _, iamRole := range rsc.IamRoles { apiList = append(apiList, iamRole.IamRoleArn) } @@ -713,10 +695,6 @@ func resourceClusterUpdate(ctx context.Context, d *schema.ResourceData, meta int input.ClusterParameterGroupName = aws.String(d.Get("cluster_parameter_group_name").(string)) } - if d.HasChange("cluster_security_groups") { - input.ClusterSecurityGroups = flex.ExpandStringSet(d.Get("cluster_security_groups").(*schema.Set)) - } - if d.HasChange("maintenance_track_name") { input.MaintenanceTrackName = aws.String(d.Get("maintenance_track_name").(string)) } diff --git a/website/docs/r/redshift_cluster.html.markdown b/website/docs/r/redshift_cluster.html.markdown index 6dcf81d6095..d0340cd9fb0 100644 --- a/website/docs/r/redshift_cluster.html.markdown +++ b/website/docs/r/redshift_cluster.html.markdown @@ -45,7 +45,6 @@ The following arguments are supported: Note that this may show up in logs, and it will be stored in the state file. Password must contain at least 8 chars and contain at least one uppercase letter, one lowercase letter, and one number. * `master_username` - (Required unless a `snapshot_identifier` is provided) Username for the master DB user. -* `cluster_security_groups` - (Optional) A list of security groups to be associated with this cluster. * `vpc_security_group_ids` - (Optional) A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster. * `cluster_subnet_group_name` - (Optional) The name of a cluster subnet group to be associated with this cluster. If this parameter is not provided the resulting cluster will be deployed outside virtual private cloud (VPC). * `availability_zone` - (Optional) The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. For example, if you have several EC2 instances running in a specific Availability Zone, then you might want the cluster to be provisioned in the same zone in order to decrease network latency. Can only be changed if `availability_zone_relocation_enabled` is `true`. @@ -113,7 +112,6 @@ In addition to all arguments above, the following attributes are exported: * `preferred_maintenance_window` - The backup window * `endpoint` - The connection endpoint * `encrypted` - Whether the data in the cluster is encrypted -* `cluster_security_groups` - The security groups associated with the cluster * `vpc_security_group_ids` - The VPC security group Ids associated with the cluster * `dns_name` - The DNS name of the cluster * `port` - The Port the cluster responds on From abae10869008f1c5c4e71a71591ba13b2f8b639d Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 13:41:02 -0400 Subject: [PATCH 11/32] d/aws_redshift_cluster: Remove 'cluster_security_groups'. --- .changelog/30966.txt | 4 ++++ internal/service/redshift/cluster_data_source.go | 12 ------------ website/docs/d/redshift_cluster.html.markdown | 1 - 3 files changed, 4 insertions(+), 13 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index eb9957d7325..c0bae8c3cfd 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -28,4 +28,8 @@ data-source/aws_elasticache_cluster: With the retirement of EC2-Classic the `sec ```release-note:breaking-change resource/aws_redshift_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed +``` + +```release-note:breaking-change +data-source/aws_redshift_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed ``` \ No newline at end of file diff --git a/internal/service/redshift/cluster_data_source.go b/internal/service/redshift/cluster_data_source.go index ac35f4868df..6049eb5f857 100644 --- a/internal/service/redshift/cluster_data_source.go +++ b/internal/service/redshift/cluster_data_source.go @@ -85,11 +85,6 @@ func DataSourceCluster() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "cluster_security_groups": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - }, "cluster_subnet_group_name": { Type: schema.TypeString, Computed: true, @@ -241,13 +236,6 @@ func dataSourceClusterRead(ctx context.Context, d *schema.ResourceData, meta int d.Set("cluster_public_key", rsc.ClusterPublicKey) d.Set("cluster_revision_number", rsc.ClusterRevisionNumber) - - var csg []string - for _, g := range rsc.ClusterSecurityGroups { - csg = append(csg, aws.StringValue(g.ClusterSecurityGroupName)) - } - d.Set("cluster_security_groups", csg) - d.Set("cluster_subnet_group_name", rsc.ClusterSubnetGroupName) if len(rsc.ClusterNodes) > 1 { diff --git a/website/docs/d/redshift_cluster.html.markdown b/website/docs/d/redshift_cluster.html.markdown index 74f85cebc8e..f1a0cf4ded3 100644 --- a/website/docs/d/redshift_cluster.html.markdown +++ b/website/docs/d/redshift_cluster.html.markdown @@ -63,7 +63,6 @@ In addition to all arguments above, the following attributes are exported: * `cluster_parameter_group_name` - The name of the parameter group to be associated with this cluster * `cluster_public_key` - Public key for the cluster * `cluster_revision_number` - The cluster revision number -* `cluster_security_groups` - The security groups associated with the cluster * `cluster_subnet_group_name` - The name of a cluster subnet group to be associated with this cluster * `cluster_type` - Cluster type * `database_name` - Name of the default database in the cluster From 9c6469aa13773cc28acc8f495da52d5ae0a5a273 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 14:04:40 -0400 Subject: [PATCH 12/32] r/aws_launch_configuration: Remove 'vpc_classic_link_id' and 'vpc_classic_link_security_groups'. --- .changelog/30966.txt | 4 ++++ .../autoscaling/launch_configuration.go | 23 ------------------- .../autoscaling/launch_configuration_test.go | 2 -- .../docs/r/launch_configuration.html.markdown | 2 -- 4 files changed, 4 insertions(+), 27 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index c0bae8c3cfd..085df562397 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -32,4 +32,8 @@ resource/aws_redshift_cluster: With the retirement of EC2-Classic the `cluster_s ```release-note:breaking-change data-source/aws_redshift_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed +``` + +```release-note:breaking-change +resource/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes hav been removed ``` \ No newline at end of file diff --git a/internal/service/autoscaling/launch_configuration.go b/internal/service/autoscaling/launch_configuration.go index d53dab6ec3d..567ffca83ec 100644 --- a/internal/service/autoscaling/launch_configuration.go +++ b/internal/service/autoscaling/launch_configuration.go @@ -309,19 +309,6 @@ func ResourceLaunchConfiguration() *schema.Resource { return }, }, - "vpc_classic_link_id": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Deprecated: `With the retirement of EC2-Classic the vpc_classic_link_id attribute has been deprecated and will be removed in a future version.`, - }, - "vpc_classic_link_security_groups": { - Type: schema.TypeSet, - Optional: true, - ForceNew: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Deprecated: `With the retirement of EC2-Classic the vpc_classic_link_security_groups attribute has been deprecated and will be removed in a future version.`, - }, }, } } @@ -331,14 +318,6 @@ func resourceLaunchConfigurationCreate(ctx context.Context, d *schema.ResourceDa autoscalingconn := meta.(*conns.AWSClient).AutoScalingConn() ec2conn := meta.(*conns.AWSClient).EC2Conn() - if _, ok := d.GetOk("vpc_classic_link_id"); ok { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new Auto Scaling Launch Configurations can be created referencing ClassicLink`) - } - - if v, ok := d.GetOk("vpc_classic_link_security_groups"); ok && v.(*schema.Set).Len() > 0 { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new Auto Scaling Launch Configurations can be created referencing ClassicLink`) - } - lcName := create.Name(d.Get("name").(string), d.Get("name_prefix").(string)) input := autoscaling.CreateLaunchConfigurationInput{ EbsOptimized: aws.Bool(d.Get("ebs_optimized").(bool)), @@ -497,8 +476,6 @@ func resourceLaunchConfigurationRead(ctx context.Context, d *schema.ResourceData d.Set("user_data", userDataHashSum(v)) } } - d.Set("vpc_classic_link_id", lc.ClassicLinkVPCId) - d.Set("vpc_classic_link_security_groups", aws.StringValueSlice(lc.ClassicLinkVPCSecurityGroups)) rootDeviceName, err := findImageRootDeviceName(ctx, ec2conn, d.Get("image_id").(string)) diff --git a/internal/service/autoscaling/launch_configuration_test.go b/internal/service/autoscaling/launch_configuration_test.go index 6f7c50d87ea..72b3083907b 100644 --- a/internal/service/autoscaling/launch_configuration_test.go +++ b/internal/service/autoscaling/launch_configuration_test.go @@ -54,8 +54,6 @@ func TestAccAutoScalingLaunchConfiguration_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "spot_price", ""), resource.TestCheckNoResourceAttr(resourceName, "user_data"), resource.TestCheckNoResourceAttr(resourceName, "user_data_base64"), - resource.TestCheckResourceAttr(resourceName, "vpc_classic_link_id", ""), - resource.TestCheckResourceAttr(resourceName, "vpc_classic_link_security_groups.#", "0"), ), }, { diff --git a/website/docs/r/launch_configuration.html.markdown b/website/docs/r/launch_configuration.html.markdown index b460764f4c9..6a5f96c9ba3 100644 --- a/website/docs/r/launch_configuration.html.markdown +++ b/website/docs/r/launch_configuration.html.markdown @@ -163,8 +163,6 @@ The following arguments are optional: * `spot_price` - (Optional; Default: On-demand price) The maximum price to use for reserving spot instances. * `user_data` - (Optional) The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see `user_data_base64` instead. * `user_data_base64` - (Optional) Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption. -* `vpc_classic_link_id` - (Optional) The ID of a ClassicLink-enabled VPC. Only applies to EC2-Classic instances. (eg. `vpc-2730681a`) -* `vpc_classic_link_security_groups` - (Optional) The IDs of one or more security groups for the specified ClassicLink-enabled VPC (eg. `sg-46ae3d11`). ## Block devices From 2f3c827125a6003f638e4972ce45a267a08acf42 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 14:06:40 -0400 Subject: [PATCH 13/32] d/aws_launch_configuration: Remove 'vpc_classic_link_id' and 'vpc_classic_link_security_groups'. --- .changelog/30966.txt | 4 ++++ .../autoscaling/launch_configuration_data_source.go | 11 ----------- .../launch_configuration_data_source_test.go | 2 -- website/docs/d/launch_configuration.html.markdown | 2 -- 4 files changed, 4 insertions(+), 15 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 085df562397..b3bac1782d8 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -36,4 +36,8 @@ data-source/aws_redshift_cluster: With the retirement of EC2-Classic the `cluste ```release-note:breaking-change resource/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes hav been removed +``` + +```release-note:breaking-change +data-source/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes hav been removed ``` \ No newline at end of file diff --git a/internal/service/autoscaling/launch_configuration_data_source.go b/internal/service/autoscaling/launch_configuration_data_source.go index 70cc492e6c9..054f66eb68e 100644 --- a/internal/service/autoscaling/launch_configuration_data_source.go +++ b/internal/service/autoscaling/launch_configuration_data_source.go @@ -181,15 +181,6 @@ func DataSourceLaunchConfiguration() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "vpc_classic_link_id": { - Type: schema.TypeString, - Computed: true, - }, - "vpc_classic_link_security_groups": { - Type: schema.TypeSet, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - }, }, } } @@ -232,8 +223,6 @@ func dataSourceLaunchConfigurationRead(ctx context.Context, d *schema.ResourceDa d.Set("security_groups", aws.StringValueSlice(lc.SecurityGroups)) d.Set("spot_price", lc.SpotPrice) d.Set("user_data", lc.UserData) - d.Set("vpc_classic_link_id", lc.ClassicLinkVPCId) - d.Set("vpc_classic_link_security_groups", aws.StringValueSlice(lc.ClassicLinkVPCSecurityGroups)) rootDeviceName, err := findImageRootDeviceName(ctx, ec2conn, d.Get("image_id").(string)) diff --git a/internal/service/autoscaling/launch_configuration_data_source_test.go b/internal/service/autoscaling/launch_configuration_data_source_test.go index 7db166a5030..205fb4f4979 100644 --- a/internal/service/autoscaling/launch_configuration_data_source_test.go +++ b/internal/service/autoscaling/launch_configuration_data_source_test.go @@ -41,8 +41,6 @@ func TestAccAutoScalingLaunchConfigurationDataSource_basic(t *testing.T) { resource.TestCheckResourceAttrPair(datasourceName, "spot_price", resourceName, "spot_price"), // Resource and data source user_data have differing representations in state. resource.TestCheckResourceAttrSet(datasourceName, "user_data"), - resource.TestCheckResourceAttrPair(datasourceName, "vpc_classic_link_id", resourceName, "vpc_classic_link_id"), - resource.TestCheckResourceAttrPair(datasourceName, "vpc_classic_link_security_groups.#", resourceName, "vpc_classic_link_security_groups.#"), ), }, }, diff --git a/website/docs/d/launch_configuration.html.markdown b/website/docs/d/launch_configuration.html.markdown index d5ebc69c2af..1570179bc7d 100644 --- a/website/docs/d/launch_configuration.html.markdown +++ b/website/docs/d/launch_configuration.html.markdown @@ -41,8 +41,6 @@ In addition to all arguments above, the following attributes are exported: * `http_put_response_hop_limit` - The desired HTTP PUT response hop limit for instance metadata requests. * `security_groups` - List of associated Security Group IDS. * `associate_public_ip_address` - Whether a Public IP address is associated with the instance. -* `vpc_classic_link_id` - ID of a ClassicLink-enabled VPC. -* `vpc_classic_link_security_groups` - The IDs of one or more Security Groups for the specified ClassicLink-enabled VPC. * `user_data` - User Data of the instance. * `enable_monitoring` - Whether Detailed Monitoring is Enabled. * `ebs_optimized` - Whether the launched EC2 instance will be EBS-optimized. From 06b157caacfe3cf18035f2c4710007d6a336aa23 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 14:52:57 -0400 Subject: [PATCH 14/32] r/aws_vpc_peering_connection: Remove 'allow_classic_link_to_remote_vpc' and 'allow_vpc_to_remote_classic_link'. --- .changelog/30966.txt | 8 ++- .../service/ec2/vpc_peering_connection.go | 61 +------------------ .../ec2/vpc_peering_connection_test.go | 50 --------------- .../r/vpc_peering_connection.html.markdown | 6 -- 4 files changed, 9 insertions(+), 116 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index b3bac1782d8..7b853d0209d 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -35,9 +35,13 @@ data-source/aws_redshift_cluster: With the retirement of EC2-Classic the `cluste ``` ```release-note:breaking-change -resource/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes hav been removed +resource/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes have been removed ``` ```release-note:breaking-change -data-source/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes hav been removed +data-source/aws_launch_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes have been removed +``` + +```release-note:breaking-change +resource/aws_vpc_peering_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_peering_connection.go b/internal/service/ec2/vpc_peering_connection.go index 71b0ae854f1..9db71be65ee 100644 --- a/internal/service/ec2/vpc_peering_connection.go +++ b/internal/service/ec2/vpc_peering_connection.go @@ -89,23 +89,11 @@ var vpcPeeringConnectionOptionsSchema = &schema.Schema{ MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "allow_classic_link_to_remote_vpc": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Deprecated: `With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc attribute has been deprecated and will be removed in a future version.`, - }, "allow_remote_vpc_dns_resolution": { Type: schema.TypeBool, Optional: true, Default: false, }, - "allow_vpc_to_remote_classic_link": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Deprecated: `With the retirement of EC2-Classic the allow_vpc_to_remote_classic_link attribute has been deprecated and will be removed in a future version.`, - }, }, }, } @@ -114,10 +102,6 @@ func resourceVPCPeeringConnectionCreate(ctx context.Context, d *schema.ResourceD var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - if peeringConnectionOptionsAllowsClassicLink(d) { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new VPC Peering Connections can be created with ClassicLink options enabled`) - } - input := &ec2.CreateVpcPeeringConnectionInput{ PeerVpcId: aws.String(d.Get("peer_vpc_id").(string)), TagSpecifications: getTagSpecificationsIn(ctx, ec2.ResourceTypeVpcPeeringConnection), @@ -296,17 +280,16 @@ func acceptVPCPeeringConnection(ctx context.Context, conn *ec2.EC2, vpcPeeringCo func modifyVPCPeeringConnectionOptions(ctx context.Context, conn *ec2.EC2, d *schema.ResourceData, vpcPeeringConnection *ec2.VpcPeeringConnection, checkActive bool) error { var accepterPeeringConnectionOptions, requesterPeeringConnectionOptions *ec2.PeeringConnectionOptionsRequest - crossRegionPeering := aws.StringValue(vpcPeeringConnection.RequesterVpcInfo.Region) != aws.StringValue(vpcPeeringConnection.AccepterVpcInfo.Region) if key := "accepter"; d.HasChange(key) { if v, ok := d.GetOk(key); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { - accepterPeeringConnectionOptions = expandPeeringConnectionOptionsRequest(v.([]interface{})[0].(map[string]interface{}), crossRegionPeering) + accepterPeeringConnectionOptions = expandPeeringConnectionOptionsRequest(v.([]interface{})[0].(map[string]interface{})) } } if key := "requester"; d.HasChange(key) { if v, ok := d.GetOk(key); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { - requesterPeeringConnectionOptions = expandPeeringConnectionOptionsRequest(v.([]interface{})[0].(map[string]interface{}), crossRegionPeering) + requesterPeeringConnectionOptions = expandPeeringConnectionOptionsRequest(v.([]interface{})[0].(map[string]interface{})) } } @@ -373,7 +356,7 @@ func vpcPeeringConnectionOptionsEqual(o1 *ec2.VpcPeeringConnectionOptionsDescrip aws.BoolValue(o1.AllowEgressFromLocalVpcToRemoteClassicLink) == aws.BoolValue(o2.AllowEgressFromLocalVpcToRemoteClassicLink) } -func expandPeeringConnectionOptionsRequest(tfMap map[string]interface{}, crossRegionPeering bool) *ec2.PeeringConnectionOptionsRequest { +func expandPeeringConnectionOptionsRequest(tfMap map[string]interface{}) *ec2.PeeringConnectionOptionsRequest { if tfMap == nil { return nil } @@ -384,16 +367,6 @@ func expandPeeringConnectionOptionsRequest(tfMap map[string]interface{}, crossRe apiObject.AllowDnsResolutionFromRemoteVpc = aws.Bool(v) } - if !crossRegionPeering { - if v, ok := tfMap["allow_classic_link_to_remote_vpc"].(bool); ok { - apiObject.AllowEgressFromLocalClassicLinkToRemoteVpc = aws.Bool(v) - } - - if v, ok := tfMap["allow_vpc_to_remote_classic_link"].(bool); ok { - apiObject.AllowEgressFromLocalVpcToRemoteClassicLink = aws.Bool(v) - } - } - return apiObject } @@ -408,33 +381,5 @@ func flattenVPCPeeringConnectionOptionsDescription(apiObject *ec2.VpcPeeringConn tfMap["allow_remote_vpc_dns_resolution"] = aws.BoolValue(v) } - if v := apiObject.AllowEgressFromLocalClassicLinkToRemoteVpc; v != nil { - tfMap["allow_classic_link_to_remote_vpc"] = aws.BoolValue(v) - } - - if v := apiObject.AllowEgressFromLocalVpcToRemoteClassicLink; v != nil { - tfMap["allow_vpc_to_remote_classic_link"] = aws.BoolValue(v) - } - return tfMap } - -func peeringConnectionOptionsAllowsClassicLink(d *schema.ResourceData) bool { - fn := func(key string) bool { - if v, ok := d.GetOk(key); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { - tfMap := v.([]interface{})[0].(map[string]interface{}) - - if v, ok := tfMap["allow_classic_link_to_remote_vpc"].(bool); ok && v { - return true - } - - if v, ok := tfMap["allow_vpc_to_remote_classic_link"].(bool); ok && v { - return true - } - } - - return false - } - - return fn("accepter") || fn("requester") -} diff --git a/internal/service/ec2/vpc_peering_connection_test.go b/internal/service/ec2/vpc_peering_connection_test.go index c7d41153088..369583cf640 100644 --- a/internal/service/ec2/vpc_peering_connection_test.go +++ b/internal/service/ec2/vpc_peering_connection_test.go @@ -166,16 +166,6 @@ func TestAccVPCPeeringConnection_options(t *testing.T) { "requester.0.allow_remote_vpc_dns_resolution", "false", ), - resource.TestCheckResourceAttr( - resourceName, - "requester.0.allow_classic_link_to_remote_vpc", - "false", - ), - resource.TestCheckResourceAttr( - resourceName, - "requester.0.allow_vpc_to_remote_classic_link", - "false", - ), // Accepter's view: resource.TestCheckResourceAttr( resourceName, @@ -187,16 +177,6 @@ func TestAccVPCPeeringConnection_options(t *testing.T) { "accepter.0.allow_remote_vpc_dns_resolution", "true", ), - resource.TestCheckResourceAttr( - resourceName, - "accepter.0.allow_classic_link_to_remote_vpc", - "false", - ), - resource.TestCheckResourceAttr( - resourceName, - "accepter.0.allow_vpc_to_remote_classic_link", - "false", - ), testAccepterChange, ), ExpectNonEmptyPlan: true, @@ -226,16 +206,6 @@ func TestAccVPCPeeringConnection_options(t *testing.T) { "requester.0.allow_remote_vpc_dns_resolution", "false", ), - resource.TestCheckResourceAttr( - resourceName, - "requester.0.allow_classic_link_to_remote_vpc", - "false", - ), - resource.TestCheckResourceAttr( - resourceName, - "requester.0.allow_vpc_to_remote_classic_link", - "false", - ), // Accepter's view: resource.TestCheckResourceAttr( resourceName, @@ -247,16 +217,6 @@ func TestAccVPCPeeringConnection_options(t *testing.T) { "accepter.0.allow_remote_vpc_dns_resolution", "true", ), - resource.TestCheckResourceAttr( - resourceName, - "accepter.0.allow_classic_link_to_remote_vpc", - "false", - ), - resource.TestCheckResourceAttr( - resourceName, - "accepter.0.allow_vpc_to_remote_classic_link", - "false", - ), ), }, }, @@ -590,11 +550,6 @@ resource "aws_vpc_peering_connection" "test" { accepter { allow_remote_vpc_dns_resolution = true } - - requester { - allow_vpc_to_remote_classic_link = false - allow_classic_link_to_remote_vpc = false - } } `, rName) } @@ -722,11 +677,6 @@ resource "aws_vpc_peering_connection" "test" { accepter { allow_remote_vpc_dns_resolution = true } - - requester { - allow_vpc_to_remote_classic_link = false - allow_classic_link_to_remote_vpc = false - } } `, rName) } diff --git a/website/docs/r/vpc_peering_connection.html.markdown b/website/docs/r/vpc_peering_connection.html.markdown index 7fe0ddb2d1d..64a0983d9a8 100644 --- a/website/docs/r/vpc_peering_connection.html.markdown +++ b/website/docs/r/vpc_peering_connection.html.markdown @@ -125,12 +125,6 @@ must have support for the DNS hostnames enabled. This can be done using the [`en * `allow_remote_vpc_dns_resolution` - (Optional) Allow a local VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the peer VPC. -* `allow_classic_link_to_remote_vpc` - (Optional) Allow a local linked EC2-Classic instance to communicate -with instances in a peer VPC. This enables an outbound communication from the local ClassicLink connection -to the remote VPC. -* `allow_vpc_to_remote_classic_link` - (Optional) Allow a local VPC to communicate with a linked EC2-Classic -instance in a peer VPC. This enables an outbound communication from the local VPC to the remote ClassicLink -connection. ## Attributes Reference From 065c0c76029f6068bf03c85ac3886dfd2669efdf Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 14:55:35 -0400 Subject: [PATCH 15/32] r/aws_vpc_peering_connection_accepter: Remove 'allow_classic_link_to_remote_vpc' and 'allow_vpc_to_remote_classic_link'. --- .changelog/30966.txt | 4 ++++ internal/service/ec2/vpc_peering_connection_accepter.go | 4 ---- website/docs/r/vpc_peering_connection_accepter.html.markdown | 4 ---- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 7b853d0209d..6a7ae5b0f02 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -44,4 +44,8 @@ data-source/aws_launch_configuration: With the retirement of EC2-Classic the `vp ```release-note:breaking-change resource/aws_vpc_peering_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed +``` + +```release-note:breaking-change +resource/aws_vpc_peering_connection_accepter: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_peering_connection_accepter.go b/internal/service/ec2/vpc_peering_connection_accepter.go index 2e93e86d97c..d3e9623fcaf 100644 --- a/internal/service/ec2/vpc_peering_connection_accepter.go +++ b/internal/service/ec2/vpc_peering_connection_accepter.go @@ -88,10 +88,6 @@ func resourceVPCPeeringAccepterCreate(ctx context.Context, d *schema.ResourceDat var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - if peeringConnectionOptionsAllowsClassicLink(d) { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no VPC Peering Connections can be accepted with ClassicLink options enabled`) - } - vpcPeeringConnectionID := d.Get("vpc_peering_connection_id").(string) vpcPeeringConnection, err := FindVPCPeeringConnectionByID(ctx, conn, vpcPeeringConnectionID) diff --git a/website/docs/r/vpc_peering_connection_accepter.html.markdown b/website/docs/r/vpc_peering_connection_accepter.html.markdown index 396fa7582a8..1b4f0671ee8 100644 --- a/website/docs/r/vpc_peering_connection_accepter.html.markdown +++ b/website/docs/r/vpc_peering_connection_accepter.html.markdown @@ -107,10 +107,6 @@ In addition to all arguments above, the following attributes are exported: * `allow_remote_vpc_dns_resolution` - Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC. -* `allow_classic_link_to_remote_vpc` - Indicates whether a local ClassicLink connection can communicate -with the peer VPC over the VPC Peering Connection. -* `allow_vpc_to_remote_classic_link` - Indicates whether a local VPC can communicate with a ClassicLink -connection in the peer VPC over the VPC Peering Connection. ## Import From 7973386d268a9ba02ab8cb5cdf3740f70dc59ba8 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:03:18 -0400 Subject: [PATCH 16/32] r/aws_vpc_peering_connection_options: Remove 'allow_classic_link_to_remote_vpc' and 'allow_vpc_to_remote_classic_link'. --- .changelog/30966.txt | 4 ++ .../ec2/vpc_peering_connection_options.go | 4 -- .../vpc_peering_connection_options_test.go | 58 ++++--------------- ...c_peering_connection_options.html.markdown | 11 ---- 4 files changed, 15 insertions(+), 62 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 6a7ae5b0f02..4f2642227b6 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -48,4 +48,8 @@ resource/aws_vpc_peering_connection: With the retirement of EC2-Classic the `all ```release-note:breaking-change resource/aws_vpc_peering_connection_accepter: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed +``` + +```release-note:breaking-change +resource/aws_vpc_peering_connection_options: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_peering_connection_options.go b/internal/service/ec2/vpc_peering_connection_options.go index 6582065d5ec..8050b045ca3 100644 --- a/internal/service/ec2/vpc_peering_connection_options.go +++ b/internal/service/ec2/vpc_peering_connection_options.go @@ -38,10 +38,6 @@ func resourceVPCPeeringConnectionOptionsCreate(ctx context.Context, d *schema.Re var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - if peeringConnectionOptionsAllowsClassicLink(d) { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new VPC Peering Connection Options can be created with ClassicLink options enabled`) - } - vpcPeeringConnectionID := d.Get("vpc_peering_connection_id").(string) vpcPeeringConnection, err := FindVPCPeeringConnectionByID(ctx, conn, vpcPeeringConnectionID) diff --git a/internal/service/ec2/vpc_peering_connection_options_test.go b/internal/service/ec2/vpc_peering_connection_options_test.go index 34c2f7e5bf5..c690767e9e2 100644 --- a/internal/service/ec2/vpc_peering_connection_options_test.go +++ b/internal/service/ec2/vpc_peering_connection_options_test.go @@ -7,7 +7,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" - "github.com/google/go-cmp/cmp" sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" @@ -35,27 +34,19 @@ func TestAccVPCPeeringConnectionOptions_basic(t *testing.T) { // Requester's view: resource.TestCheckResourceAttr(resourceName, "requester.#", "1"), resource.TestCheckResourceAttr(resourceName, "requester.0.allow_remote_vpc_dns_resolution", "false"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_vpc_to_remote_classic_link", "false"), testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "requester", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(false), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(false), }, ), // Accepter's view: resource.TestCheckResourceAttr(resourceName, "accepter.#", "1"), resource.TestCheckResourceAttr(resourceName, "accepter.0.allow_remote_vpc_dns_resolution", "true"), - resource.TestCheckResourceAttr(resourceName, "accepter.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceName, "accepter.0.allow_vpc_to_remote_classic_link", "false"), testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "accepter", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(true), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(true), }, ), ), @@ -77,9 +68,7 @@ func TestAccVPCPeeringConnectionOptions_basic(t *testing.T) { testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "requester", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(false), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(false), }, ), // Accepter's view: @@ -91,9 +80,7 @@ func TestAccVPCPeeringConnectionOptions_basic(t *testing.T) { testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "accepter", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(false), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(false), }, ), ), @@ -126,27 +113,19 @@ func TestAccVPCPeeringConnectionOptions_differentRegionSameAccount(t *testing.T) // Requester's view: resource.TestCheckResourceAttr(resourceName, "requester.#", "1"), resource.TestCheckResourceAttr(resourceName, "requester.0.allow_remote_vpc_dns_resolution", "true"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_vpc_to_remote_classic_link", "false"), testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "requester", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(true), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(true), }, ), // Accepter's view: resource.TestCheckResourceAttr(resourceNamePeer, "accepter.#", "1"), resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_remote_vpc_dns_resolution", "true"), - resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_vpc_to_remote_classic_link", "false"), testAccCheckVPCPeeringConnectionOptionsWithProvider(ctx, pcxResourceNamePeer, "accepter", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(true), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(true), }, acctest.RegionProviderFunc(acctest.AlternateRegion(), &providers), ), @@ -170,9 +149,7 @@ func TestAccVPCPeeringConnectionOptions_differentRegionSameAccount(t *testing.T) testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "requester", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(false), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(false), }, ), // Accepter's view: @@ -184,9 +161,7 @@ func TestAccVPCPeeringConnectionOptions_differentRegionSameAccount(t *testing.T) testAccCheckVPCPeeringConnectionOptionsWithProvider(ctx, pcxResourceNamePeer, "accepter", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(false), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(false), }, acctest.RegionProviderFunc(acctest.AlternateRegion(), &providers), ), @@ -218,21 +193,15 @@ func TestAccVPCPeeringConnectionOptions_sameRegionDifferentAccount(t *testing.T) // Requester's view: resource.TestCheckResourceAttr(resourceName, "requester.#", "1"), resource.TestCheckResourceAttr(resourceName, "requester.0.allow_remote_vpc_dns_resolution", "true"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceName, "requester.0.allow_vpc_to_remote_classic_link", "false"), testAccCheckVPCPeeringConnectionOptions(ctx, pcxResourceName, "requester", &ec2.VpcPeeringConnectionOptionsDescription{ - AllowDnsResolutionFromRemoteVpc: aws.Bool(true), - AllowEgressFromLocalClassicLinkToRemoteVpc: aws.Bool(false), - AllowEgressFromLocalVpcToRemoteClassicLink: aws.Bool(false), + AllowDnsResolutionFromRemoteVpc: aws.Bool(true), }, ), // Accepter's view: resource.TestCheckResourceAttr(resourceNamePeer, "accepter.#", "1"), resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_remote_vpc_dns_resolution", "true"), - resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_classic_link_to_remote_vpc", "false"), - resource.TestCheckResourceAttr(resourceNamePeer, "accepter.0.allow_vpc_to_remote_classic_link", "false"), ), }, { @@ -273,8 +242,8 @@ func testAccCheckVPCPeeringConnectionOptionsWithProvider(ctx context.Context, n, o = output.RequesterVpcInfo } - if diff := cmp.Diff(options, o.PeeringOptions); diff != "" { - return fmt.Errorf("VPC Peering Connection Options mismatch (-want +got):\n%s", diff) + if got, want := aws.BoolValue(o.PeeringOptions.AllowDnsResolutionFromRemoteVpc), aws.BoolValue(options.AllowDnsResolutionFromRemoteVpc); got != want { + return fmt.Errorf("VPC Peering Connection Options AllowDnsResolutionFromRemoteVpc =%v, want = %v", got, want) } return nil @@ -316,11 +285,6 @@ resource "aws_vpc_peering_connection_options" "test" { accepter { allow_remote_vpc_dns_resolution = %[2]t } - - requester { - allow_vpc_to_remote_classic_link = false - allow_classic_link_to_remote_vpc = false - } } `, rName, accepterDnsResolution) } diff --git a/website/docs/r/vpc_peering_connection_options.html.markdown b/website/docs/r/vpc_peering_connection_options.html.markdown index 0b3bdce583e..6aea4f38c7e 100644 --- a/website/docs/r/vpc_peering_connection_options.html.markdown +++ b/website/docs/r/vpc_peering_connection_options.html.markdown @@ -44,11 +44,6 @@ resource "aws_vpc_peering_connection_options" "foo" { accepter { allow_remote_vpc_dns_resolution = true } - - requester { - allow_vpc_to_remote_classic_link = true - allow_classic_link_to_remote_vpc = true - } } ``` @@ -159,12 +154,6 @@ must have support for the DNS hostnames enabled. This can be done using the [`en * `allow_remote_vpc_dns_resolution` - (Optional) Allow a local VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the peer VPC. -* `allow_classic_link_to_remote_vpc` - (Optional) Allow a local linked EC2-Classic instance to communicate -with instances in a peer VPC. This enables an outbound communication from the local ClassicLink connection -to the remote VPC. This option is not supported for inter-region VPC peering. -* `allow_vpc_to_remote_classic_link` - (Optional) Allow a local VPC to communicate with a linked EC2-Classic -instance in a peer VPC. This enables an outbound communication from the local VPC to the remote ClassicLink -connection. This option is not supported for inter-region VPC peering. ## Attributes Reference From 0f5d3d690dd14a4359e6e05da740844b58eb30ac Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:05:57 -0400 Subject: [PATCH 17/32] d/aws_vpc_peering_connection: Remove 'allow_classic_link_to_remote_vpc' and 'allow_vpc_to_remote_classic_link'. --- .changelog/30966.txt | 4 ++++ website/docs/d/vpc_peering_connection.html.markdown | 6 ------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 4f2642227b6..1a656e45e68 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -52,4 +52,8 @@ resource/aws_vpc_peering_connection_accepter: With the retirement of EC2-Classic ```release-note:breaking-change resource/aws_vpc_peering_connection_options: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed +``` + +```release-note:breaking-change +data-source/aws_vpc_peering_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ``` \ No newline at end of file diff --git a/website/docs/d/vpc_peering_connection.html.markdown b/website/docs/d/vpc_peering_connection.html.markdown index aef77738e0e..9e30a6e3fa6 100644 --- a/website/docs/d/vpc_peering_connection.html.markdown +++ b/website/docs/d/vpc_peering_connection.html.markdown @@ -91,12 +91,6 @@ All of the argument attributes except `filter` are also exported as result attri * `allow_remote_vpc_dns_resolution` - Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC. -* `allow_classic_link_to_remote_vpc` - Indicates whether a local ClassicLink connection can communicate -with the peer VPC over the VPC peering connection. - -* `allow_vpc_to_remote_classic_link` - Indicates whether a local VPC can communicate with a ClassicLink -connection in the peer VPC over the VPC peering connection. - #### CIDR block set Attributes Reference * `cidr_block` - CIDR block associated to the VPC of the specific VPC Peering Connection. From 80e964b1a3858829f16e0b91f86336776a68946b Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:18:23 -0400 Subject: [PATCH 18/32] r/aws_vpc_peering_connection: Check Options is not nil before calling 'vpcPeeringConnectionOptionsEqual'. --- .changelog/30966.txt | 4 ++++ internal/service/ec2/vpc_peering_connection.go | 8 +++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 1a656e45e68..a7dd00fd05e 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -56,4 +56,8 @@ resource/aws_vpc_peering_connection_options: With the retirement of EC2-Classic ```release-note:breaking-change data-source/aws_vpc_peering_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed +``` + +```release-note:bug +resource/aws_vpc_peering_connection: Fix crash in `vpcPeeringConnectionOptionsEqual` ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_peering_connection.go b/internal/service/ec2/vpc_peering_connection.go index 9db71be65ee..1b3a2117b8a 100644 --- a/internal/service/ec2/vpc_peering_connection.go +++ b/internal/service/ec2/vpc_peering_connection.go @@ -328,13 +328,13 @@ func modifyVPCPeeringConnectionOptions(ctx context.Context, conn *ec2.EC2, d *sc return retry.NonRetryableError(err) } - if v := vpcPeeringConnection.AccepterVpcInfo; v != nil && accepterPeeringConnectionOptions != nil { + if v := vpcPeeringConnection.AccepterVpcInfo; v != nil && v.PeeringOptions != nil && accepterPeeringConnectionOptions != nil { if !vpcPeeringConnectionOptionsEqual(v.PeeringOptions, accepterPeeringConnectionOptions) { return retry.RetryableError(errors.New("Accepter Options not stable")) } } - if v := vpcPeeringConnection.RequesterVpcInfo; v != nil && requesterPeeringConnectionOptions != nil { + if v := vpcPeeringConnection.RequesterVpcInfo; v != nil && v.PeeringOptions != nil && requesterPeeringConnectionOptions != nil { if !vpcPeeringConnectionOptionsEqual(v.PeeringOptions, requesterPeeringConnectionOptions) { return retry.RetryableError(errors.New("Requester Options not stable")) } @@ -351,9 +351,7 @@ func modifyVPCPeeringConnectionOptions(ctx context.Context, conn *ec2.EC2, d *sc } func vpcPeeringConnectionOptionsEqual(o1 *ec2.VpcPeeringConnectionOptionsDescription, o2 *ec2.PeeringConnectionOptionsRequest) bool { - return aws.BoolValue(o1.AllowDnsResolutionFromRemoteVpc) == aws.BoolValue(o2.AllowDnsResolutionFromRemoteVpc) && - aws.BoolValue(o1.AllowEgressFromLocalClassicLinkToRemoteVpc) == aws.BoolValue(o2.AllowEgressFromLocalClassicLinkToRemoteVpc) && - aws.BoolValue(o1.AllowEgressFromLocalVpcToRemoteClassicLink) == aws.BoolValue(o2.AllowEgressFromLocalVpcToRemoteClassicLink) + return aws.BoolValue(o1.AllowDnsResolutionFromRemoteVpc) == aws.BoolValue(o2.AllowDnsResolutionFromRemoteVpc) } func expandPeeringConnectionOptionsRequest(tfMap map[string]interface{}) *ec2.PeeringConnectionOptionsRequest { From b857b6c3959baab00566d609789a089a5e1f2247 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:36:20 -0400 Subject: [PATCH 19/32] r/aws_vpc: Remove 'enable_classiclink' and 'enable_classiclink_dns_support'. --- .changelog/30966.txt | 4 ++ internal/service/ec2/vpc_.go | 106 ------------------------------- internal/service/ec2/vpc_test.go | 2 - website/docs/r/vpc.html.markdown | 8 --- 4 files changed, 4 insertions(+), 116 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index a7dd00fd05e..342090141a3 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -60,4 +60,8 @@ data-source/aws_vpc_peering_connection: With the retirement of EC2-Classic the ` ```release-note:bug resource/aws_vpc_peering_connection: Fix crash in `vpcPeeringConnectionOptionsEqual` +``` + +```release-note:breaking-change +resource/aws_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index 2c267b6e477..e7c6ce0578d 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go @@ -90,18 +90,6 @@ func ResourceVPC() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "enable_classiclink": { - Type: schema.TypeBool, - Optional: true, - Computed: true, - Deprecated: `With the retirement of EC2-Classic the enable_classiclink attribute has been deprecated and will be removed in a future version.`, - }, - "enable_classiclink_dns_support": { - Type: schema.TypeBool, - Optional: true, - Computed: true, - Deprecated: `With the retirement of EC2-Classic the enable_classiclink_dns_support attribute has been deprecated and will be removed in a future version.`, - }, "enable_dns_hostnames": { Type: schema.TypeBool, Optional: true, @@ -186,10 +174,6 @@ func resourceVPCCreate(ctx context.Context, d *schema.ResourceData, meta interfa var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - if _, ok := d.GetOk("enable_classiclink"); ok { - return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic no new VPCs can be created with ClassicLink enabled`) - } - input := &ec2.CreateVpcInput{ AmazonProvidedIpv6CidrBlock: aws.Bool(d.Get("assign_generated_ipv6_cidr_block").(bool)), InstanceTenancy: aws.String(d.Get("instance_tenancy").(string)), @@ -255,8 +239,6 @@ func resourceVPCCreate(ctx context.Context, d *schema.ResourceData, meta interfa vpcInfo := vpcInfo{ vpc: vpc, - enableClassicLink: false, - enableClassicLinkDNSSupport: false, enableDnsHostnames: false, enableDnsSupport: true, enableNetworkAddressUsageMetrics: false, @@ -303,26 +285,6 @@ func resourceVPCRead(ctx context.Context, d *schema.ResourceData, meta interface d.Set("instance_tenancy", vpc.InstanceTenancy) d.Set("owner_id", ownerID) - if v, err := FindVPCClassicLinkEnabled(ctx, conn, d.Id()); err != nil { - if tfresource.NotFound(err) { - d.Set("enable_classiclink", nil) - } else { - return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) ClassicLinkEnabled: %s", d.Id(), err) - } - } else { - d.Set("enable_classiclink", v) - } - - if v, err := FindVPCClassicLinkDNSSupported(ctx, conn, d.Id()); err != nil { - if tfresource.NotFound(err) { - d.Set("enable_classiclink_dns_support", nil) - } else { - return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) ClassicLinkDnsSupported: %s", d.Id(), err) - } - } else { - d.Set("enable_classiclink_dns_support", v) - } - if v, err := FindVPCAttribute(ctx, conn, d.Id(), ec2.VpcAttributeNameEnableDnsHostnames); err != nil { return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) Attribute (%s): %s", d.Id(), ec2.VpcAttributeNameEnableDnsHostnames, err) } else { @@ -429,18 +391,6 @@ func resourceVPCUpdate(ctx context.Context, d *schema.ResourceData, meta interfa } } - if d.HasChange("enable_classiclink") { - if err := modifyVPCClassicLink(ctx, conn, d.Id(), d.Get("enable_classiclink").(bool)); err != nil { - return sdkdiag.AppendErrorf(diags, "updating EC2 VPC (%s): %s", d.Id(), err) - } - } - - if d.HasChange("enable_classiclink_dns_support") { - if err := modifyVPCClassicLinkDNSSupport(ctx, conn, d.Id(), d.Get("enable_classiclink_dns_support").(bool)); err != nil { - return sdkdiag.AppendErrorf(diags, "updating EC2 VPC (%s): %s", d.Id(), err) - } - } - if d.HasChange("instance_tenancy") { if err := modifyVPCTenancy(ctx, conn, d.Id(), d.Get("instance_tenancy").(string)); err != nil { return sdkdiag.AppendErrorf(diags, "updating EC2 VPC (%s): %s", d.Id(), err) @@ -623,62 +573,6 @@ func modifyVPCAttributesOnCreate(ctx context.Context, conn *ec2.EC2, d *schema.R } } - if new, old := d.Get("enable_classiclink").(bool), vpcInfo.enableClassicLink; old != new { - if err := modifyVPCClassicLink(ctx, conn, d.Id(), new); err != nil { - return err - } - } - - if new, old := d.Get("enable_classiclink_dns_support").(bool), vpcInfo.enableClassicLinkDNSSupport; old != new { - if err := modifyVPCClassicLinkDNSSupport(ctx, conn, d.Id(), new); err != nil { - return err - } - } - - return nil -} - -func modifyVPCClassicLink(ctx context.Context, conn *ec2.EC2, vpcID string, v bool) error { - if v { - input := &ec2.EnableVpcClassicLinkInput{ - VpcId: aws.String(vpcID), - } - - if _, err := conn.EnableVpcClassicLinkWithContext(ctx, input); err != nil { - return fmt.Errorf("enabling EnableDnsHostnames: %w", err) - } - } else { - input := &ec2.DisableVpcClassicLinkInput{ - VpcId: aws.String(vpcID), - } - - if _, err := conn.DisableVpcClassicLinkWithContext(ctx, input); err != nil { - return fmt.Errorf("disabling EnableDnsHostnames: %w", err) - } - } - - return nil -} - -func modifyVPCClassicLinkDNSSupport(ctx context.Context, conn *ec2.EC2, vpcID string, v bool) error { - if v { - input := &ec2.EnableVpcClassicLinkDnsSupportInput{ - VpcId: aws.String(vpcID), - } - - if _, err := conn.EnableVpcClassicLinkDnsSupportWithContext(ctx, input); err != nil { - return fmt.Errorf("enabling ClassicLinkDnsSupport: %w", err) - } - } else { - input := &ec2.DisableVpcClassicLinkDnsSupportInput{ - VpcId: aws.String(vpcID), - } - - if _, err := conn.DisableVpcClassicLinkDnsSupportWithContext(ctx, input); err != nil { - return fmt.Errorf("disabling ClassicLinkDnsSupport: %w", err) - } - } - return nil } diff --git a/internal/service/ec2/vpc_test.go b/internal/service/ec2/vpc_test.go index 938b3842dd2..9625e794889 100644 --- a/internal/service/ec2/vpc_test.go +++ b/internal/service/ec2/vpc_test.go @@ -41,8 +41,6 @@ func TestAccVPC_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), diff --git a/website/docs/r/vpc.html.markdown b/website/docs/r/vpc.html.markdown index 6f0b9b26e9e..89ef582e825 100644 --- a/website/docs/r/vpc.html.markdown +++ b/website/docs/r/vpc.html.markdown @@ -79,11 +79,6 @@ The following arguments are supported: * `enable_dns_support` - (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults to true. * `enable_network_address_usage_metrics` - (Optional) Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false. * `enable_dns_hostnames` - (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false. -* `enable_classiclink` - (Optional) A boolean flag to enable/disable ClassicLink - for the VPC. Only valid in regions and accounts that support EC2 Classic. - See the [ClassicLink documentation][1] for more information. Defaults false. -* `enable_classiclink_dns_support` - (Optional) A boolean flag to enable/disable ClassicLink DNS Support for the VPC. - Only valid in regions and accounts that support EC2 Classic. * `assign_generated_ipv6_cidr_block` - (Optional) Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Default is `false`. Conflicts with `ipv6_ipam_pool_id` * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. @@ -97,7 +92,6 @@ In addition to all arguments above, the following attributes are exported: * `enable_dns_support` - Whether or not the VPC has DNS support * `enable_network_address_usage_metrics` - Whether Network Address Usage metrics are enabled for the VPC * `enable_dns_hostnames` - Whether or not the VPC has DNS hostname support -* `enable_classiclink` - Whether or not the VPC has Classiclink enabled * `main_route_table_id` - The ID of the main route table associated with this VPC. Note that you can change a VPC's main route table by using an [`aws_main_route_table_association`](/docs/providers/aws/r/main_route_table_association.html). @@ -109,8 +103,6 @@ In addition to all arguments above, the following attributes are exported: * `owner_id` - The ID of the AWS account that owns the VPC. * `tags_all` - A map of tags assigned to the resource, including those inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block). -[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html - ## Import VPCs can be imported using the `vpc id`, e.g., From 7843210a5811ea0b742fffdbd6c0a815e2379e9e Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:40:05 -0400 Subject: [PATCH 20/32] r/aws_default_vpc: Remove 'enable_classiclink' and 'enable_classiclink_dns_support'. --- .changelog/30966.txt | 4 + internal/service/ec2/find.go | 77 -------------------- internal/service/ec2/vpc_.go | 2 - internal/service/ec2/vpc_default_vpc.go | 34 --------- internal/service/ec2/vpc_default_vpc_test.go | 12 --- 5 files changed, 4 insertions(+), 125 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 342090141a3..1468277d52e 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -64,4 +64,8 @@ resource/aws_vpc_peering_connection: Fix crash in `vpcPeeringConnectionOptionsEq ```release-note:breaking-change resource/aws_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed +``` + +```release-note:breaking-change +resource/aws_default_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed ``` \ No newline at end of file diff --git a/internal/service/ec2/find.go b/internal/service/ec2/find.go index cc4b9f5dc67..69a63e0a878 100644 --- a/internal/service/ec2/find.go +++ b/internal/service/ec2/find.go @@ -2796,83 +2796,6 @@ func FindVPCAttribute(ctx context.Context, conn *ec2.EC2, vpcID string, attribut return aws.BoolValue(v.Value), nil } -func FindVPCClassicLinkEnabled(ctx context.Context, conn *ec2.EC2, vpcID string) (bool, error) { - input := &ec2.DescribeVpcClassicLinkInput{ - VpcIds: aws.StringSlice([]string{vpcID}), - } - - output, err := conn.DescribeVpcClassicLinkWithContext(ctx, input) - - if tfawserr.ErrCodeEquals(err, errCodeInvalidVPCIDNotFound, errCodeUnsupportedOperation) { - return false, &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } - - if err != nil { - return false, err - } - - if output == nil || len(output.Vpcs) == 0 || output.Vpcs[0] == nil { - return false, tfresource.NewEmptyResultError(input) - } - - if count := len(output.Vpcs); count > 1 { - return false, tfresource.NewTooManyResultsError(count, input) - } - - vpc := output.Vpcs[0] - - // Eventual consistency check. - if aws.StringValue(vpc.VpcId) != vpcID { - return false, &retry.NotFoundError{ - LastRequest: input, - } - } - - return aws.BoolValue(vpc.ClassicLinkEnabled), nil -} - -func FindVPCClassicLinkDNSSupported(ctx context.Context, conn *ec2.EC2, vpcID string) (bool, error) { - input := &ec2.DescribeVpcClassicLinkDnsSupportInput{ - VpcIds: aws.StringSlice([]string{vpcID}), - } - - output, err := conn.DescribeVpcClassicLinkDnsSupportWithContext(ctx, input) - - if tfawserr.ErrCodeEquals(err, errCodeInvalidVPCIDNotFound, errCodeUnsupportedOperation) || - tfawserr.ErrMessageContains(err, errCodeAuthFailure, "This request has been administratively disabled") { - return false, &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } - - if err != nil { - return false, err - } - - if output == nil || len(output.Vpcs) == 0 || output.Vpcs[0] == nil { - return false, tfresource.NewEmptyResultError(input) - } - - if count := len(output.Vpcs); count > 1 { - return false, tfresource.NewTooManyResultsError(count, input) - } - - vpc := output.Vpcs[0] - - // Eventual consistency check. - if aws.StringValue(vpc.VpcId) != vpcID { - return false, &retry.NotFoundError{ - LastRequest: input, - } - } - - return aws.BoolValue(vpc.ClassicLinkDnsSupported), nil -} - func FindVPC(ctx context.Context, conn *ec2.EC2, input *ec2.DescribeVpcsInput) (*ec2.Vpc, error) { output, err := FindVPCs(ctx, conn, input) diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index e7c6ce0578d..ff1a0f04e7e 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go @@ -545,8 +545,6 @@ func defaultIPv6CIDRBlockAssociation(vpc *ec2.Vpc, associationID string) *ec2.Vp type vpcInfo struct { vpc *ec2.Vpc - enableClassicLink bool - enableClassicLinkDNSSupport bool enableDnsHostnames bool enableDnsSupport bool enableNetworkAddressUsageMetrics bool diff --git a/internal/service/ec2/vpc_default_vpc.go b/internal/service/ec2/vpc_default_vpc.go index 0ac248b2bb2..045e0edcb9c 100644 --- a/internal/service/ec2/vpc_default_vpc.go +++ b/internal/service/ec2/vpc_default_vpc.go @@ -75,18 +75,6 @@ func ResourceDefaultVPC() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "enable_classiclink": { - Type: schema.TypeBool, - Optional: true, - Computed: true, - Deprecated: `With the retirement of EC2-Classic the enable_classiclink attribute has been deprecated and will be removed in a future version.`, - }, - "enable_classiclink_dns_support": { - Type: schema.TypeBool, - Optional: true, - Computed: true, - Deprecated: `With the retirement of EC2-Classic the enable_classiclink_dns_support attribute has been deprecated and will be removed in a future version.`, - }, "enable_dns_hostnames": { Type: schema.TypeBool, Optional: true, @@ -183,26 +171,6 @@ func resourceDefaultVPCCreate(ctx context.Context, d *schema.ResourceData, meta vpcInfo.vpc = vpc - if v, err := FindVPCClassicLinkEnabled(ctx, conn, d.Id()); err != nil { - if tfresource.NotFound(err) { - vpcInfo.enableClassicLink = false - } else { - return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) ClassicLinkEnabled: %s", d.Id(), err) - } - } else { - vpcInfo.enableClassicLink = v - } - - if v, err := FindVPCClassicLinkDNSSupported(ctx, conn, d.Id()); err != nil { - if tfresource.NotFound(err) { - vpcInfo.enableClassicLinkDNSSupport = false - } else { - return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) ClassicLinkDnsSupported: %s", d.Id(), err) - } - } else { - vpcInfo.enableClassicLinkDNSSupport = v - } - if v, err := FindVPCAttribute(ctx, conn, d.Id(), ec2.VpcAttributeNameEnableDnsHostnames); err != nil { return sdkdiag.AppendErrorf(diags, "reading EC2 VPC (%s) Attribute (%s): %s", d.Id(), ec2.VpcAttributeNameEnableDnsHostnames, err) } else { @@ -241,8 +209,6 @@ func resourceDefaultVPCCreate(ctx context.Context, d *schema.ResourceData, meta } vpcInfo.vpc = vpc - vpcInfo.enableClassicLink = false - vpcInfo.enableClassicLinkDNSSupport = false vpcInfo.enableDnsHostnames = true vpcInfo.enableDnsSupport = true vpcInfo.enableNetworkAddressUsageMetrics = false diff --git a/internal/service/ec2/vpc_default_vpc_test.go b/internal/service/ec2/vpc_default_vpc_test.go index 0492f576098..b2331ed0b53 100644 --- a/internal/service/ec2/vpc_default_vpc_test.go +++ b/internal/service/ec2/vpc_default_vpc_test.go @@ -98,8 +98,6 @@ func testAccDefaultVPC_Existing_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), @@ -147,8 +145,6 @@ func testAccDefaultVPC_Existing_assignGeneratedIPv6CIDRBlock(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), @@ -224,8 +220,6 @@ func testAccDefaultVPC_NotFound_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), @@ -273,8 +267,6 @@ func testAccDefaultVPC_NotFound_assignGeneratedIPv6CIDRBlock(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), @@ -351,8 +343,6 @@ func testAccDefaultVPC_NotFound_assignGeneratedIPv6CIDRBlockAdoption(t *testing. resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), @@ -395,8 +385,6 @@ func testAccDefaultVPC_NotFound_assignGeneratedIPv6CIDRBlockAdoption(t *testing. resource.TestCheckResourceAttrSet(resourceName, "default_route_table_id"), resource.TestCheckResourceAttrSet(resourceName, "default_security_group_id"), resource.TestCheckResourceAttrSet(resourceName, "dhcp_options_id"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink", "false"), - resource.TestCheckResourceAttr(resourceName, "enable_classiclink_dns_support", "false"), resource.TestCheckResourceAttr(resourceName, "enable_dns_hostnames", "true"), resource.TestCheckResourceAttr(resourceName, "enable_dns_support", "true"), resource.TestCheckResourceAttr(resourceName, "enable_network_address_usage_metrics", "false"), From ba76461d3c9dc49fe6198745dd7b907f40916428 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 15:58:04 -0400 Subject: [PATCH 21/32] r/aws_default_vpc: Fix crash 'panic: interface conversion: interface {} is nil, not string'. --- internal/service/ec2/vpc_.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/service/ec2/vpc_.go b/internal/service/ec2/vpc_.go index ff1a0f04e7e..d346abd5e9c 100644 --- a/internal/service/ec2/vpc_.go +++ b/internal/service/ec2/vpc_.go @@ -462,9 +462,14 @@ func resourceVPCDelete(ctx context.Context, d *schema.ResourceData, meta interfa } // If the VPC's CIDR block was allocated from an IPAM pool, wait for the allocation to disappear. - ipamPoolID := d.Get("ipv4_ipam_pool_id").(string) + var ipamPoolID string + if v, ok := d.GetOk("ipv4_ipam_pool_id"); ok { + ipamPoolID = v.(string) + } if ipamPoolID == "" { - ipamPoolID = d.Get("ipv6_ipam_pool_id").(string) + if v, ok := d.GetOk("ipv6_ipam_pool_id"); ok { + ipamPoolID = v.(string) + } } if ipamPoolID != "" && ipamPoolID != amazonIPv6PoolID { const ( From 009c81481650d58efc342368d0ac6133d7e5123d Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 25 Apr 2023 17:03:04 -0400 Subject: [PATCH 22/32] Fix 'TestAccVPC_assignGeneratedIPv6CIDRBlockWithNetworkBorderGroup'. --- .../ec2/ec2_availability_zone_data_source_test.go | 10 +++++++++- internal/service/ec2/vpc_test.go | 14 +++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/internal/service/ec2/ec2_availability_zone_data_source_test.go b/internal/service/ec2/ec2_availability_zone_data_source_test.go index 63c59956bea..867126648b6 100644 --- a/internal/service/ec2/ec2_availability_zone_data_source_test.go +++ b/internal/service/ec2/ec2_availability_zone_data_source_test.go @@ -6,6 +6,7 @@ import ( "regexp" "testing" + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-provider-aws/internal/acctest" @@ -187,7 +188,7 @@ func TestAccEC2AvailabilityZoneDataSource_zoneID(t *testing.T) { }) } -func testAccPreCheckLocalZoneAvailable(ctx context.Context, t *testing.T) { +func testAccPreCheckLocalZoneAvailable(ctx context.Context, t *testing.T, groupNames ...string) { conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Conn() input := &ec2.DescribeAvailabilityZonesInput{ @@ -197,6 +198,13 @@ func testAccPreCheckLocalZoneAvailable(ctx context.Context, t *testing.T) { }), } + if len(groupNames) > 0 { + input.Filters = append(input.Filters, &ec2.Filter{ + Name: aws.String("group-name"), + Values: aws.StringSlice(groupNames), + }) + } + output, err := tfec2.FindAvailabilityZones(ctx, conn, input) if acctest.PreCheckSkipError(err) { diff --git a/internal/service/ec2/vpc_test.go b/internal/service/ec2/vpc_test.go index 9625e794889..86a1bbbed20 100644 --- a/internal/service/ec2/vpc_test.go +++ b/internal/service/ec2/vpc_test.go @@ -896,7 +896,14 @@ func TestAccVPC_assignGeneratedIPv6CIDRBlockWithNetworkBorderGroup(t *testing.T) rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheckLocalZoneAvailable(ctx, t) }, + PreCheck: func() { + acctest.PreCheck(ctx, t) + acctest.PreCheckRegion(t, endpoints.UsWest2RegionID) + // https://docs.aws.amazon.com/vpc/latest/userguide/Extend_VPCs.html#local-zone: + // "You can request the IPv6 Amazon-provided IP addresses and associate them with the network border group + // for a new or existing VPCs only for us-west-2-lax-1a and use-west-2-lax-1b. All other Local Zones don't support IPv6." + testAccPreCheckLocalZoneAvailable(ctx, t, "us-west-2-lax-1") + }, ErrorCheck: acctest.ErrorCheck(t, ec2.EndpointsID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, CheckDestroy: testAccCheckVPCDestroy(ctx), @@ -1203,6 +1210,11 @@ data "aws_availability_zones" "available" { name = "opt-in-status" values = ["opted-in"] } + + filter { + name = "group-name" + values = ["us-west-2-lax-1"] + } } data "aws_availability_zone" "test" { From e176e9be908e65c61772d456b249c7cd0775d79d Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 10:31:04 -0400 Subject: [PATCH 23/32] Fix providerlint 'AWSAR003'. --- internal/service/ec2/vpc_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/ec2/vpc_test.go b/internal/service/ec2/vpc_test.go index 86a1bbbed20..f45a6eae41d 100644 --- a/internal/service/ec2/vpc_test.go +++ b/internal/service/ec2/vpc_test.go @@ -902,7 +902,7 @@ func TestAccVPC_assignGeneratedIPv6CIDRBlockWithNetworkBorderGroup(t *testing.T) // https://docs.aws.amazon.com/vpc/latest/userguide/Extend_VPCs.html#local-zone: // "You can request the IPv6 Amazon-provided IP addresses and associate them with the network border group // for a new or existing VPCs only for us-west-2-lax-1a and use-west-2-lax-1b. All other Local Zones don't support IPv6." - testAccPreCheckLocalZoneAvailable(ctx, t, "us-west-2-lax-1") + testAccPreCheckLocalZoneAvailable(ctx, t, "us-west-2-lax-1") //lintignore:AWSAT003 }, ErrorCheck: acctest.ErrorCheck(t, ec2.EndpointsID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, @@ -1194,7 +1194,7 @@ resource "aws_vpc" "test" { `, rName, assignGeneratedIpv6CidrBlock) } -func testAccVPCConfig_assignGeneratedIPv6CIDRBlockOptionalNetworkBorderGroup(rName string, localZoneNetworkBorderGroup bool) string { +func testAccVPCConfig_assignGeneratedIPv6CIDRBlockOptionalNetworkBorderGroup(rName string, localZoneNetworkBorderGroup bool) string { // lintignore:AWSAT003 return fmt.Sprintf(` data "aws_region" "current" {} From f8bdac6cc33e9ed8b6ffd2cea313eda657ac7af3 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 10:57:41 -0400 Subject: [PATCH 24/32] r/aws_eip: Remove support for standard domain. --- .changelog/30966.txt | 4 + internal/service/ec2/ec2_eip.go | 133 +++++++++++---------------- internal/service/ec2/ec2_eip_test.go | 18 +--- internal/service/ec2/find.go | 1 + 4 files changed, 63 insertions(+), 93 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index 1468277d52e..e0ebdc703a6 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -68,4 +68,8 @@ resource/aws_vpc: With the retirement of EC2-Classic the `enable_classiclink` an ```release-note:breaking-change resource/aws_default_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed +``` + +```release-note:breaking-change +resource/aws_eip: With the retirement of EC2-Classic the `standard` domain is no longer supported ``` \ No newline at end of file diff --git a/internal/service/ec2/ec2_eip.go b/internal/service/ec2/ec2_eip.go index 55b511a85e7..8778eab8690 100644 --- a/internal/service/ec2/ec2_eip.go +++ b/internal/service/ec2/ec2_eip.go @@ -140,10 +140,6 @@ func resourceEIPCreate(ctx context.Context, d *schema.ResourceData, meta interfa TagSpecifications: getTagSpecificationsIn(ctx, ec2.ResourceTypeElasticIp), } - if v := d.Get("vpc"); v != nil && v.(bool) { - input.Domain = aws.String(ec2.DomainTypeVpc) - } - if v, ok := d.GetOk("address"); ok { input.Address = aws.String(v.(string)) } @@ -152,6 +148,10 @@ func resourceEIPCreate(ctx context.Context, d *schema.ResourceData, meta interfa input.CustomerOwnedIpv4Pool = aws.String(v.(string)) } + if v := d.Get("vpc"); v != nil && v.(bool) { + input.Domain = aws.String(ec2.DomainTypeVpc) + } + if v, ok := d.GetOk("network_border_group"); ok { input.NetworkBorderGroup = aws.String(v.(string)) } @@ -176,17 +176,14 @@ func resourceEIPCreate(ctx context.Context, d *schema.ResourceData, meta interfa return sdkdiag.AppendErrorf(diags, "waiting for EC2 EIP (%s) create: %s", d.Id(), err) } - instanceID := d.Get("instance").(string) - eniID := d.Get("network_interface").(string) - - if instanceID != "" || eniID != "" { + if instanceID, eniID := d.Get("instance").(string), d.Get("network_interface").(string); instanceID != "" || eniID != "" { _, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, d.Timeout(schema.TimeoutCreate), func() (interface{}, error) { return nil, associateEIP(ctx, conn, d.Id(), instanceID, eniID, d.Get("associate_with_private_ip").(string)) }, errCodeInvalidAllocationIDNotFound) if err != nil { - return sdkdiag.AppendErrorf(diags, "creating EC2 EIP (%s): %s", d.Id(), err) + return sdkdiag.AppendFromErr(diags, err) } } @@ -197,15 +194,12 @@ func resourceEIPRead(ctx context.Context, d *schema.ResourceData, meta interface var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - var err error - var address *ec2.Address - - if eipID(d.Id()).IsVPC() { - address, err = FindEIPByAllocationID(ctx, conn, d.Id()) - } else { - address, err = FindEIPByPublicIP(ctx, conn, d.Id()) + if !eipID(d.Id()).IsVPC() { + return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic %s domain EC2 EIPs are no longer supported`, ec2.DomainTypeStandard) } + address, err := FindEIPByAllocationID(ctx, conn, d.Id()) + if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] EC2 EIP (%s) not found, removing from state", d.Id()) d.SetId("") @@ -256,19 +250,16 @@ func resourceEIPUpdate(ctx context.Context, d *schema.ResourceData, meta interfa if d.HasChanges("associate_with_private_ip", "instance", "network_interface") { o, n := d.GetChange("instance") oldInstanceID, newInstanceID := o.(string), n.(string) - associationID := d.Get("association_id").(string) - if oldInstanceID != "" || associationID != "" { - if err := disassociateEIP(ctx, conn, d.Id(), associationID); err != nil { - return sdkdiag.AppendErrorf(diags, "updating EC2 EIP (%s): %s", d.Id(), err) + if associationID := d.Get("association_id").(string); oldInstanceID != "" || associationID != "" { + if err := disassociateEIP(ctx, conn, associationID); err != nil { + return sdkdiag.AppendFromErr(diags, err) } } - newNetworkInterfaceID := d.Get("network_interface").(string) - - if newInstanceID != "" || newNetworkInterfaceID != "" { + if newNetworkInterfaceID := d.Get("network_interface").(string); newInstanceID != "" || newNetworkInterfaceID != "" { if err := associateEIP(ctx, conn, d.Id(), newInstanceID, newNetworkInterfaceID, d.Get("associate_with_private_ip").(string)); err != nil { - return sdkdiag.AppendErrorf(diags, "updating EC2 EIP (%s): %s", d.Id(), err) + return sdkdiag.AppendFromErr(diags, err) } } } @@ -280,25 +271,26 @@ func resourceEIPDelete(ctx context.Context, d *schema.ResourceData, meta interfa var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() + if !eipID(d.Id()).IsVPC() { + return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic %s domain EC2 EIPs are no longer supported`, ec2.DomainTypeStandard) + } + // If we are attached to an instance or interface, detach first. if associationID := d.Get("association_id").(string); associationID != "" || d.Get("instance").(string) != "" { - if err := disassociateEIP(ctx, conn, d.Id(), associationID); err != nil { - return sdkdiag.AppendErrorf(diags, "deleting EC2 EIP (%s): %s", d.Id(), err) + if err := disassociateEIP(ctx, conn, associationID); err != nil { + return sdkdiag.AppendFromErr(diags, err) } } - input := &ec2.ReleaseAddressInput{} - - if eipID(d.Id()).IsVPC() { - input.AllocationId = aws.String(d.Id()) + input := &ec2.ReleaseAddressInput{ + AllocationId: aws.String(d.Id()), + } - if v, ok := d.GetOk("network_border_group"); ok { - input.NetworkBorderGroup = aws.String(v.(string)) - } - } else { - input.PublicIp = aws.String(d.Id()) + if v, ok := d.GetOk("network_border_group"); ok { + input.NetworkBorderGroup = aws.String(v.(string)) } + log.Printf("[INFO] Deleting EC2 EIP: %s", d.Id()) _, err := conn.ReleaseAddressWithContext(ctx, input) if tfawserr.ErrCodeEquals(err, errCodeInvalidAllocationIDNotFound) { @@ -319,13 +311,9 @@ func (id eipID) IsVPC() bool { return strings.HasPrefix(string(id), "eipalloc-") } -func associateEIP(ctx context.Context, conn *ec2.EC2, id, instanceID, networkInterfaceID, privateIPAddress string) error { - input := &ec2.AssociateAddressInput{} - - if eipID(id).IsVPC() { - input.AllocationId = aws.String(id) - } else { - input.PublicIp = aws.String(id) +func associateEIP(ctx context.Context, conn *ec2.EC2, allocationID, instanceID, networkInterfaceID, privateIPAddress string) error { + input := &ec2.AssociateAddressInput{ + AllocationId: aws.String(allocationID), } if instanceID != "" { @@ -343,51 +331,41 @@ func associateEIP(ctx context.Context, conn *ec2.EC2, id, instanceID, networkInt output, err := conn.AssociateAddressWithContext(ctx, input) if err != nil { - return fmt.Errorf("associating: %w", err) + return fmt.Errorf("associating EC2 EIP (%s): %w", allocationID, err) } - if associationID := aws.StringValue(output.AssociationId); associationID != "" { - _, err := tfresource.RetryWhen(ctx, propagationTimeout, - func() (interface{}, error) { - return FindEIPByAssociationID(ctx, conn, associationID) - }, - func(err error) (bool, error) { - if tfresource.NotFound(err) { - return true, err - } + _, err = tfresource.RetryWhen(ctx, propagationTimeout, + func() (interface{}, error) { + return FindEIPByAssociationID(ctx, conn, aws.StringValue(output.AssociationId)) + }, + func(err error) (bool, error) { + if tfresource.NotFound(err) { + return true, err + } - // "InvalidInstanceID: The pending instance 'i-0504e5b44ea06d599' is not in a valid state for this operation." - if tfawserr.ErrMessageContains(err, errCodeInvalidInstanceID, "pending instance") { - return true, err - } + // "InvalidInstanceID: The pending instance 'i-0504e5b44ea06d599' is not in a valid state for this operation." + if tfawserr.ErrMessageContains(err, errCodeInvalidInstanceID, "pending instance") { + return true, err + } - return false, err - }, - ) + return false, err + }, + ) - if err != nil { - return fmt.Errorf("associating: waiting for completion: %w", err) - } - } else { - if err := waitForAddressAssociationClassic(ctx, conn, id, instanceID); err != nil { - return fmt.Errorf("associating: waiting for completion: %w", err) - } + if err != nil { + return fmt.Errorf("waiting for EC2 EIP (%s) association: %w", allocationID, err) } return nil } -func disassociateEIP(ctx context.Context, conn *ec2.EC2, id, associationID string) error { - input := &ec2.DisassociateAddressInput{} - - if eipID(id).IsVPC() { - if associationID == "" { - return nil - } +func disassociateEIP(ctx context.Context, conn *ec2.EC2, associationID string) error { + if associationID == "" { + return nil + } - input.AssociationId = aws.String(associationID) - } else { - input.PublicIp = aws.String(id) + input := &ec2.DisassociateAddressInput{ + AssociationId: aws.String(associationID), } _, err := conn.DisassociateAddressWithContext(ctx, input) @@ -397,7 +375,7 @@ func disassociateEIP(ctx context.Context, conn *ec2.EC2, id, associationID strin } if err != nil { - return fmt.Errorf("disassociating: %w", err) + return fmt.Errorf("disassociating EC2 EIP (%s): %w", associationID, err) } return nil @@ -406,6 +384,7 @@ func disassociateEIP(ctx context.Context, conn *ec2.EC2, id, associationID strin // waitForAddressAssociationClassic ensures the correct Instance is associated with an Address // // This can take a few seconds to appear correctly for EC2-Classic addresses. +// TODO Delete me. func waitForAddressAssociationClassic(ctx context.Context, conn *ec2.EC2, publicIP, instanceID string) error { err := retry.RetryContext(ctx, addressAssociationClassicTimeout, func() *retry.RetryError { address, err := FindEIPByPublicIP(ctx, conn, publicIP) diff --git a/internal/service/ec2/ec2_eip_test.go b/internal/service/ec2/ec2_eip_test.go index 891326fd96f..f705c0d0d61 100644 --- a/internal/service/ec2/ec2_eip_test.go +++ b/internal/service/ec2/ec2_eip_test.go @@ -5,7 +5,6 @@ import ( "fmt" "os" "regexp" - "strings" "testing" "github.com/aws/aws-sdk-go/service/ec2" @@ -654,14 +653,7 @@ func testAccCheckEIPExists(ctx context.Context, n string, v *ec2.Address) resour conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Conn() - var err error - var output *ec2.Address - - if strings.HasPrefix(rs.Primary.ID, "eipalloc-") { - output, err = tfec2.FindEIPByAllocationID(ctx, conn, rs.Primary.ID) - } else { - output, err = tfec2.FindEIPByPublicIP(ctx, conn, rs.Primary.ID) - } + output, err := tfec2.FindEIPByAllocationID(ctx, conn, rs.Primary.ID) if err != nil { return err @@ -682,13 +674,7 @@ func testAccCheckEIPDestroy(ctx context.Context) resource.TestCheckFunc { continue } - var err error - - if strings.HasPrefix(rs.Primary.ID, "eipalloc-") { - _, err = tfec2.FindEIPByAllocationID(ctx, conn, rs.Primary.ID) - } else { - _, err = tfec2.FindEIPByPublicIP(ctx, conn, rs.Primary.ID) - } + _, err := tfec2.FindEIPByAllocationID(ctx, conn, rs.Primary.ID) if tfresource.NotFound(err) { continue diff --git a/internal/service/ec2/find.go b/internal/service/ec2/find.go index 69a63e0a878..93f836c907c 100644 --- a/internal/service/ec2/find.go +++ b/internal/service/ec2/find.go @@ -792,6 +792,7 @@ func FindEIPByAssociationID(ctx context.Context, conn *ec2.EC2, id string) (*ec2 return output, nil } +// TODO Delete me. func FindEIPByPublicIP(ctx context.Context, conn *ec2.EC2, ip string) (*ec2.Address, error) { input := &ec2.DescribeAddressesInput{ PublicIps: aws.StringSlice([]string{ip}), From fce8e751b998b072bf554a64d9417ae5765772e3 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 11:28:54 -0400 Subject: [PATCH 25/32] r/aws_eip_association: Remove support for standard domain. --- .changelog/30966.txt | 4 ++ internal/service/ec2/ec2_eip.go | 37 ---------- internal/service/ec2/ec2_eip_association.go | 69 ++++++++----------- .../service/ec2/ec2_eip_association_test.go | 18 +---- internal/service/ec2/find.go | 22 ------ 5 files changed, 33 insertions(+), 117 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index e0ebdc703a6..b2a4800cb48 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -72,4 +72,8 @@ resource/aws_default_vpc: With the retirement of EC2-Classic the `enable_classic ```release-note:breaking-change resource/aws_eip: With the retirement of EC2-Classic the `standard` domain is no longer supported +``` + +```release-note:breaking-change +resource/aws_eip_association: With the retirement of EC2-Classic the `standard` domain is no longer supported ``` \ No newline at end of file diff --git a/internal/service/ec2/ec2_eip.go b/internal/service/ec2/ec2_eip.go index 8778eab8690..0251b90e8d2 100644 --- a/internal/service/ec2/ec2_eip.go +++ b/internal/service/ec2/ec2_eip.go @@ -2,7 +2,6 @@ package ec2 import ( "context" - "errors" "fmt" "log" "net" @@ -13,7 +12,6 @@ import ( "github.com/aws/aws-sdk-go/service/ec2" "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" @@ -23,11 +21,6 @@ import ( "github.com/hashicorp/terraform-provider-aws/names" ) -const ( - // Maximum amount of time to wait for EIP association with EC2-Classic instances - addressAssociationClassicTimeout = 2 * time.Minute -) - // @SDKResource("aws_eip", name="EIP") // @Tags(identifierAttribute="id") func ResourceEIP() *schema.Resource { @@ -381,36 +374,6 @@ func disassociateEIP(ctx context.Context, conn *ec2.EC2, associationID string) e return nil } -// waitForAddressAssociationClassic ensures the correct Instance is associated with an Address -// -// This can take a few seconds to appear correctly for EC2-Classic addresses. -// TODO Delete me. -func waitForAddressAssociationClassic(ctx context.Context, conn *ec2.EC2, publicIP, instanceID string) error { - err := retry.RetryContext(ctx, addressAssociationClassicTimeout, func() *retry.RetryError { - address, err := FindEIPByPublicIP(ctx, conn, publicIP) - - if tfresource.NotFound(err) { - return retry.RetryableError(err) - } - - if err != nil { - return retry.NonRetryableError(err) - } - - if aws.StringValue(address.InstanceId) != instanceID { - return retry.RetryableError(errors.New("not associated")) - } - - return nil - }) - - if tfresource.TimedOut(err) { // nosemgrep:ci.helper-schema-TimeoutError-check-doesnt-return-output - _, err = FindEIPByPublicIP(ctx, conn, publicIP) - } - - return err -} - func ConvertIPToDashIP(ip string) string { return strings.Replace(ip, ".", "-", -1) } diff --git a/internal/service/ec2/ec2_eip_association.go b/internal/service/ec2/ec2_eip_association.go index 7d087285f4d..2cd762a0d95 100644 --- a/internal/service/ec2/ec2_eip_association.go +++ b/internal/service/ec2/ec2_eip_association.go @@ -96,46 +96,34 @@ func resourceEIPAssociationCreate(ctx context.Context, d *schema.ResourceData, m input.PublicIp = aws.String(v.(string)) } - log.Printf("[DEBUG] Creating EC2 EIP Association: %s", input) output, err := conn.AssociateAddressWithContext(ctx, input) if err != nil { return sdkdiag.AppendErrorf(diags, "creating EC2 EIP Association: %s", err) } - if output.AssociationId != nil { - d.SetId(aws.StringValue(output.AssociationId)) + d.SetId(aws.StringValue(output.AssociationId)) - _, err = tfresource.RetryWhen(ctx, propagationTimeout, - func() (interface{}, error) { - return FindEIPByAssociationID(ctx, conn, d.Id()) - }, - func(err error) (bool, error) { - if tfresource.NotFound(err) { - return true, err - } + _, err = tfresource.RetryWhen(ctx, propagationTimeout, + func() (interface{}, error) { + return FindEIPByAssociationID(ctx, conn, d.Id()) + }, + func(err error) (bool, error) { + if tfresource.NotFound(err) { + return true, err + } - // "InvalidInstanceID: The pending instance 'i-0504e5b44ea06d599' is not in a valid state for this operation." - if tfawserr.ErrMessageContains(err, errCodeInvalidInstanceID, "pending instance") { - return true, err - } + // "InvalidInstanceID: The pending instance 'i-0504e5b44ea06d599' is not in a valid state for this operation." + if tfawserr.ErrMessageContains(err, errCodeInvalidInstanceID, "pending instance") { + return true, err + } - return false, err - }, - ) - - if err != nil { - return sdkdiag.AppendErrorf(diags, "waiting for EC2 EIP Association (%s) create: %s", d.Id(), err) - } - } else { - // EC2-Classic. - publicIP := aws.StringValue(input.PublicIp) - d.SetId(publicIP) + return false, err + }, + ) - instanceID := aws.StringValue(input.InstanceId) - if err := waitForAddressAssociationClassic(ctx, conn, publicIP, instanceID); err != nil { - return sdkdiag.AppendErrorf(diags, "waiting for EC2 EIP (%s) to associate with EC2-Classic Instance (%s): %s", publicIP, instanceID, err) - } + if err != nil { + return sdkdiag.AppendErrorf(diags, "waiting for EC2 EIP Association (%s) create: %s", d.Id(), err) } return append(diags, resourceEIPAssociationRead(ctx, d, meta)...) @@ -145,15 +133,12 @@ func resourceEIPAssociationRead(ctx context.Context, d *schema.ResourceData, met var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - var err error - var address *ec2.Address - - if eipAssociationID(d.Id()).IsVPC() { - address, err = FindEIPByAssociationID(ctx, conn, d.Id()) - } else { - address, err = FindEIPByPublicIP(ctx, conn, d.Id()) + if !eipAssociationID(d.Id()).IsVPC() { + return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic %s domain EC2 EIPs are no longer supported`, ec2.DomainTypeStandard) } + address, err := FindEIPByAssociationID(ctx, conn, d.Id()) + if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] EC2 EIP Association (%s) not found, removing from state", d.Id()) d.SetId("") @@ -177,12 +162,12 @@ func resourceEIPAssociationDelete(ctx context.Context, d *schema.ResourceData, m var diags diag.Diagnostics conn := meta.(*conns.AWSClient).EC2Conn() - input := &ec2.DisassociateAddressInput{} + if !eipAssociationID(d.Id()).IsVPC() { + return sdkdiag.AppendErrorf(diags, `with the retirement of EC2-Classic %s domain EC2 EIPs are no longer supported`, ec2.DomainTypeStandard) + } - if eipAssociationID(d.Id()).IsVPC() { - input.AssociationId = aws.String(d.Id()) - } else { - input.PublicIp = aws.String(d.Id()) + input := &ec2.DisassociateAddressInput{ + AssociationId: aws.String(d.Id()), } log.Printf("[DEBUG] Deleting EC2 EIP Association: %s", d.Id()) diff --git a/internal/service/ec2/ec2_eip_association_test.go b/internal/service/ec2/ec2_eip_association_test.go index 229076eb165..6eede43c6fe 100644 --- a/internal/service/ec2/ec2_eip_association_test.go +++ b/internal/service/ec2/ec2_eip_association_test.go @@ -3,7 +3,6 @@ package ec2_test import ( "context" "fmt" - "strings" "testing" "github.com/aws/aws-sdk-go/service/ec2" @@ -164,14 +163,7 @@ func testAccCheckEIPAssociationExists(ctx context.Context, n string, v *ec2.Addr conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Conn() - var err error - var output *ec2.Address - - if strings.HasPrefix(rs.Primary.ID, "eipassoc-") { - output, err = tfec2.FindEIPByAssociationID(ctx, conn, rs.Primary.ID) - } else { - output, err = tfec2.FindEIPByPublicIP(ctx, conn, rs.Primary.ID) - } + output, err := tfec2.FindEIPByAssociationID(ctx, conn, rs.Primary.ID) if err != nil { return err @@ -192,13 +184,7 @@ func testAccCheckEIPAssociationDestroy(ctx context.Context) resource.TestCheckFu continue } - var err error - - if strings.HasPrefix(rs.Primary.ID, "eipassoc-") { - _, err = tfec2.FindEIPByAssociationID(ctx, conn, rs.Primary.ID) - } else { - _, err = tfec2.FindEIPByPublicIP(ctx, conn, rs.Primary.ID) - } + _, err := tfec2.FindEIPByAssociationID(ctx, conn, rs.Primary.ID) if tfresource.NotFound(err) { continue diff --git a/internal/service/ec2/find.go b/internal/service/ec2/find.go index 93f836c907c..10f36f418d2 100644 --- a/internal/service/ec2/find.go +++ b/internal/service/ec2/find.go @@ -792,28 +792,6 @@ func FindEIPByAssociationID(ctx context.Context, conn *ec2.EC2, id string) (*ec2 return output, nil } -// TODO Delete me. -func FindEIPByPublicIP(ctx context.Context, conn *ec2.EC2, ip string) (*ec2.Address, error) { - input := &ec2.DescribeAddressesInput{ - PublicIps: aws.StringSlice([]string{ip}), - } - - output, err := FindEIP(ctx, conn, input) - - if err != nil { - return nil, err - } - - // Eventual consistency check. - if aws.StringValue(output.PublicIp) != ip { - return nil, &retry.NotFoundError{ - LastRequest: input, - } - } - - return output, nil -} - func FindHostByID(ctx context.Context, conn *ec2.EC2, id string) (*ec2.Host, error) { input := &ec2.DescribeHostsInput{ HostIds: aws.StringSlice([]string{id}), From c27c6a0add353da1b7425e8767cb98da6ab7deda Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 12:23:50 -0400 Subject: [PATCH 26/32] r/aws_security_group: Remove support for non-VPC security groups. --- .changelog/30966.txt | 4 + internal/service/ec2/vpc_security_group.go | 152 ++++++------------ .../service/ec2/vpc_security_group_test.go | 24 --- 3 files changed, 57 insertions(+), 123 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index b2a4800cb48..e6243dbe86e 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -76,4 +76,8 @@ resource/aws_eip: With the retirement of EC2-Classic the `standard` domain is no ```release-note:breaking-change resource/aws_eip_association: With the retirement of EC2-Classic the `standard` domain is no longer supported +``` + +```release-note:breaking-change +resource/aws_security_group: With the retirement of EC2-Classic non-VPC security groups are no longer supported ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_security_group.go b/internal/service/ec2/vpc_security_group.go index 4f2bcf2202c..c41a17e2e9d 100644 --- a/internal/service/ec2/vpc_security_group.go +++ b/internal/service/ec2/vpc_security_group.go @@ -182,20 +182,20 @@ func resourceSecurityGroupCreate(ctx context.Context, d *schema.ResourceData, me conn := meta.(*conns.AWSClient).EC2Conn() name := create.Name(d.Get("name").(string), d.Get("name_prefix").(string)) - input := &ec2.CreateSecurityGroupInput{ + inputC := &ec2.CreateSecurityGroupInput{ GroupName: aws.String(name), TagSpecifications: getTagSpecificationsIn(ctx, ec2.ResourceTypeSecurityGroup), } if v := d.Get("description"); v != nil { - input.Description = aws.String(v.(string)) + inputC.Description = aws.String(v.(string)) } if v, ok := d.GetOk("vpc_id"); ok { - input.VpcId = aws.String(v.(string)) + inputC.VpcId = aws.String(v.(string)) } - output, err := conn.CreateSecurityGroupWithContext(ctx, input) + output, err := conn.CreateSecurityGroupWithContext(ctx, inputC) if err != nil { return diag.Errorf("creating Security Group (%s): %s", name, err) @@ -204,57 +204,52 @@ func resourceSecurityGroupCreate(ctx context.Context, d *schema.ResourceData, me d.SetId(aws.StringValue(output.GroupId)) // Wait for the security group to truly exist - group, err := WaitSecurityGroupCreated(ctx, conn, d.Id(), d.Timeout(schema.TimeoutCreate)) - - if err != nil { + if _, err := WaitSecurityGroupCreated(ctx, conn, d.Id(), d.Timeout(schema.TimeoutCreate)); err != nil { return diag.Errorf("waiting for Security Group (%s) create: %s", d.Id(), err) } // AWS defaults all Security Groups to have an ALLOW ALL egress rule. // Here we revoke that rule, so users don't unknowingly have/use it. - // This will only be false for Security Groups in EC2-Classic - if aws.StringValue(group.VpcId) != "" { - input := &ec2.RevokeSecurityGroupEgressInput{ - GroupId: aws.String(d.Id()), - IpPermissions: []*ec2.IpPermission{ - { - FromPort: aws.Int64(0), - ToPort: aws.Int64(0), - IpRanges: []*ec2.IpRange{ - { - CidrIp: aws.String("0.0.0.0/0"), - }, + inputR := &ec2.RevokeSecurityGroupEgressInput{ + GroupId: aws.String(d.Id()), + IpPermissions: []*ec2.IpPermission{ + { + FromPort: aws.Int64(0), + ToPort: aws.Int64(0), + IpRanges: []*ec2.IpRange{ + { + CidrIp: aws.String("0.0.0.0/0"), }, - IpProtocol: aws.String("-1"), }, + IpProtocol: aws.String("-1"), }, - } + }, + } - if _, err := conn.RevokeSecurityGroupEgressWithContext(ctx, input); err != nil { - return diag.Errorf("revoking default IPv4 egress rule for Security Group (%s): %s", d.Id(), err) - } + if _, err := conn.RevokeSecurityGroupEgressWithContext(ctx, inputR); err != nil { + return diag.Errorf("revoking default IPv4 egress rule for Security Group (%s): %s", d.Id(), err) + } - input = &ec2.RevokeSecurityGroupEgressInput{ - GroupId: aws.String(d.Id()), - IpPermissions: []*ec2.IpPermission{ - { - FromPort: aws.Int64(0), - ToPort: aws.Int64(0), - Ipv6Ranges: []*ec2.Ipv6Range{ - { - CidrIpv6: aws.String("::/0"), - }, + inputR = &ec2.RevokeSecurityGroupEgressInput{ + GroupId: aws.String(d.Id()), + IpPermissions: []*ec2.IpPermission{ + { + FromPort: aws.Int64(0), + ToPort: aws.Int64(0), + Ipv6Ranges: []*ec2.Ipv6Range{ + { + CidrIpv6: aws.String("::/0"), }, - IpProtocol: aws.String("-1"), }, + IpProtocol: aws.String("-1"), }, - } + }, + } - if _, err := conn.RevokeSecurityGroupEgressWithContext(ctx, input); err != nil { - // If we have a NotFound or InvalidParameterValue, then we are trying to remove the default IPv6 egress of a non-IPv6 enabled SG. - if !tfawserr.ErrCodeEquals(err, errCodeInvalidPermissionNotFound) && !tfawserr.ErrMessageContains(err, errCodeInvalidParameterValue, "remote-ipv6-range") { - return diag.Errorf("revoking default IPv6 egress rule for Security Group (%s): %s", d.Id(), err) - } + if _, err := conn.RevokeSecurityGroupEgressWithContext(ctx, inputR); err != nil { + // If we have a NotFound or InvalidParameterValue, then we are trying to remove the default IPv6 egress of a non-IPv6 enabled SG. + if !tfawserr.ErrCodeEquals(err, errCodeInvalidPermissionNotFound) && !tfawserr.ErrMessageContains(err, errCodeInvalidParameterValue, "remote-ipv6-range") { + return diag.Errorf("revoking default IPv6 egress rule for Security Group (%s): %s", d.Id(), err) } } @@ -330,13 +325,10 @@ func resourceSecurityGroupUpdate(ctx context.Context, d *schema.ResourceData, me return diag.Errorf("updating Security Group (%s) %s rules: %s", d.Id(), securityGroupRuleTypeIngress, err) } - // This will only be false for Security Groups in EC2-Classic - if d.Get("vpc_id") != nil { - err = updateSecurityGroupRules(ctx, conn, d, securityGroupRuleTypeEgress, group) + err = updateSecurityGroupRules(ctx, conn, d, securityGroupRuleTypeEgress, group) - if err != nil { - return diag.Errorf("updating Security Group (%s) %s rules: %s", d.Id(), securityGroupRuleTypeEgress, err) - } + if err != nil { + return diag.Errorf("updating Security Group (%s) %s rules: %s", d.Id(), securityGroupRuleTypeEgress, err) } return resourceSecurityGroupRead(ctx, d, meta) @@ -759,8 +751,6 @@ func updateSecurityGroupRules(ctx context.Context, conn *ec2.EC2, d *schema.Reso // adding is easier here, and Terraform should be fast enough to // not have service issues. - isVPC := aws.StringValue(group.VpcId) != "" - if len(del) > 0 { if ruleType == securityGroupRuleTypeEgress { input := &ec2.RevokeSecurityGroupEgressInput{ @@ -771,15 +761,10 @@ func updateSecurityGroupRules(ctx context.Context, conn *ec2.EC2, d *schema.Reso _, err = conn.RevokeSecurityGroupEgressWithContext(ctx, input) } else { input := &ec2.RevokeSecurityGroupIngressInput{ + GroupId: group.GroupId, IpPermissions: del, } - if isVPC { - input.GroupId = group.GroupId - } else { - input.GroupName = group.GroupName - } - _, err = conn.RevokeSecurityGroupIngressWithContext(ctx, input) } @@ -798,15 +783,10 @@ func updateSecurityGroupRules(ctx context.Context, conn *ec2.EC2, d *schema.Reso _, err = conn.AuthorizeSecurityGroupEgressWithContext(ctx, input) } else { input := &ec2.AuthorizeSecurityGroupIngressInput{ + GroupId: group.GroupId, IpPermissions: add, } - if isVPC { - input.GroupId = group.GroupId - } else { - input.GroupName = group.GroupName - } - _, err = conn.AuthorizeSecurityGroupIngressWithContext(ctx, input) } @@ -823,7 +803,6 @@ func updateSecurityGroupRules(ctx context.Context, conn *ec2.EC2, d *schema.Reso // if it finds invalid permissions input, namely a protocol of "-1" with either // to_port or from_port set to a non-zero value. func ExpandIPPerms(group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.IpPermission, error) { - vpc := aws.StringValue(group.VpcId) != "" perms := make([]*ec2.IpPermission, len(configured)) for i, mRaw := range configured { @@ -854,11 +833,7 @@ func ExpandIPPerms(group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.I } } if v, ok := m["self"]; ok && v.(bool) { - if vpc { - groups = append(groups, *group.GroupId) - } else { - groups = append(groups, *group.GroupName) - } + groups = append(groups, aws.StringValue(group.GroupId)) } if len(groups) > 0 { @@ -876,11 +851,6 @@ func ExpandIPPerms(group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.I if ownerId != "" { perm.UserIdGroupPairs[i].UserId = aws.String(ownerId) } - - if !vpc { - perm.UserIdGroupPairs[i].GroupId = nil - perm.UserIdGroupPairs[i].GroupName = aws.String(id) - } } } @@ -942,41 +912,25 @@ type GroupIdentifier struct { // Flattens an array of UserSecurityGroups into a []*GroupIdentifier func FlattenSecurityGroups(list []*ec2.UserIdGroupPair, ownerId *string) []*GroupIdentifier { result := make([]*GroupIdentifier, 0, len(list)) + for _, g := range list { - var userId *string + var userID string if aws.StringValue(g.UserId) != "" && (ownerId == nil || aws.StringValue(ownerId) != aws.StringValue(g.UserId)) { - userId = g.UserId + userID = aws.StringValue(g.UserId) } // userid nil here for same vpc groups - vpc := aws.StringValue(g.GroupName) == "" - var id *string - if vpc { - id = g.GroupId - } else { - id = g.GroupName + id := aws.StringValue(g.GroupId) + if userID != "" { + id = userID + "/" + id } - // id is groupid for vpcs - // id is groupname for non vpc (classic) - - if userId != nil { - id = aws.String(*userId + "/" + *id) - } - - if vpc { - result = append(result, &GroupIdentifier{ - GroupId: id, - Description: g.Description, - }) - } else { - result = append(result, &GroupIdentifier{ - GroupId: g.GroupId, - GroupName: id, - Description: g.Description, - }) - } + result = append(result, &GroupIdentifier{ + GroupId: aws.String(id), + Description: g.Description, + }) } + return result } diff --git a/internal/service/ec2/vpc_security_group_test.go b/internal/service/ec2/vpc_security_group_test.go index 1f4bca2b47b..efde81ef986 100644 --- a/internal/service/ec2/vpc_security_group_test.go +++ b/internal/service/ec2/vpc_security_group_test.go @@ -915,8 +915,6 @@ func TestFlattenSecurityGroups(t *testing.T) { }, }, }, - // include the owner id, but keep it consitent with the same account. Tests - // EC2 classic situation { ownerId: aws.String("user1234"), pairs: []*ec2.UserIdGroupPair{ @@ -931,28 +929,6 @@ func TestFlattenSecurityGroups(t *testing.T) { }, }, }, - - // include the owner id, but from a different account. This is reflects - // EC2 Classic when referring to groups by name - { - ownerId: aws.String("user1234"), - pairs: []*ec2.UserIdGroupPair{ - { - GroupId: aws.String("sg-12345"), - GroupName: aws.String("somegroup"), // GroupName is only included in Classic - UserId: aws.String("user4321"), - }, - }, - expected: []*tfec2.GroupIdentifier{ - { - GroupId: aws.String("sg-12345"), - GroupName: aws.String("user4321/somegroup"), - }, - }, - }, - - // include the owner id, but from a different account. This reflects in - // EC2 VPC when referring to groups by id { ownerId: aws.String("user1234"), pairs: []*ec2.UserIdGroupPair{ From 04f4a702553fedae5b170792a849975a7ac945ba Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 12:24:28 -0400 Subject: [PATCH 27/32] r/aws_security_group_rule: Remove support for non-VPC security groups. --- .changelog/30966.txt | 4 + .../service/ec2/vpc_security_group_rule.go | 128 ++++++------------ 2 files changed, 42 insertions(+), 90 deletions(-) diff --git a/.changelog/30966.txt b/.changelog/30966.txt index e6243dbe86e..fd9cdecf2fe 100644 --- a/.changelog/30966.txt +++ b/.changelog/30966.txt @@ -80,4 +80,8 @@ resource/aws_eip_association: With the retirement of EC2-Classic the `standard` ```release-note:breaking-change resource/aws_security_group: With the retirement of EC2-Classic non-VPC security groups are no longer supported +``` + +```release-note:breaking-change +resource/aws_security_group_rule: With the retirement of EC2-Classic non-VPC security groups are no longer supported ``` \ No newline at end of file diff --git a/internal/service/ec2/vpc_security_group_rule.go b/internal/service/ec2/vpc_security_group_rule.go index 99d8c207b1a..bdd14abe4bc 100644 --- a/internal/service/ec2/vpc_security_group_rule.go +++ b/internal/service/ec2/vpc_security_group_rule.go @@ -163,22 +163,16 @@ func resourceSecurityGroupRuleCreate(ctx context.Context, d *schema.ResourceData ipPermission := expandIPPermission(d, sg) ruleType := d.Get("type").(string) - isVPC := aws.StringValue(sg.VpcId) != "" id := SecurityGroupRuleCreateID(securityGroupID, ruleType, ipPermission) switch ruleType { case securityGroupRuleTypeIngress: input := &ec2.AuthorizeSecurityGroupIngressInput{ + GroupId: sg.GroupId, IpPermissions: []*ec2.IpPermission{ipPermission}, } var output *ec2.AuthorizeSecurityGroupIngressOutput - if isVPC { - input.GroupId = sg.GroupId - } else { - input.GroupName = sg.GroupName - } - output, err = conn.AuthorizeSecurityGroupIngressWithContext(ctx, input) if err == nil { @@ -234,7 +228,7 @@ information and instructions for recovery. Error: %s`, securityGroupID, err) rules = sg.IpPermissionsEgress } - rule, _ := findRuleMatch(ipPermission, rules, isVPC) + rule, _ := findRuleMatch(ipPermission, rules) if rule == nil { return nil, &retry.NotFoundError{} @@ -270,7 +264,6 @@ func resourceSecurityGroupRuleRead(ctx context.Context, d *schema.ResourceData, } ipPermission := expandIPPermission(d, sg) - isVPC := aws.StringValue(sg.VpcId) != "" var rules []*ec2.IpPermission @@ -280,7 +273,7 @@ func resourceSecurityGroupRuleRead(ctx context.Context, d *schema.ResourceData, rules = sg.IpPermissionsEgress } - rule, description := findRuleMatch(ipPermission, rules, isVPC) + rule, description := findRuleMatch(ipPermission, rules) if rule == nil { if !d.IsNewResource() { @@ -293,7 +286,7 @@ func resourceSecurityGroupRuleRead(ctx context.Context, d *schema.ResourceData, return diag.Errorf("reading Security Group (%s) Rule (%s): %s", securityGroupID, d.Id(), &retry.NotFoundError{}) } - flattenIpPermission(d, ipPermission, isVPC) + flattenIpPermission(d, ipPermission) d.Set("description", description) d.Set("type", ruleType) @@ -303,17 +296,15 @@ func resourceSecurityGroupRuleRead(ctx context.Context, d *schema.ResourceData, d.SetId(id) } - if isVPC { - // Attempt to find the single matching AWS Security Group Rule resource ID. - securityGroupRules, err := FindSecurityGroupRulesBySecurityGroupID(ctx, conn, securityGroupID) + // Attempt to find the single matching AWS Security Group Rule resource ID. + securityGroupRules, err := FindSecurityGroupRulesBySecurityGroupID(ctx, conn, securityGroupID) - if err != nil { - return diag.Errorf("reading Security Group (%s) Rules: %s", securityGroupID, err) - } - - d.Set("security_group_rule_id", findSecurityGroupRuleMatch(ipPermission, securityGroupRules, ruleType)) + if err != nil { + return diag.Errorf("reading Security Group (%s) Rules: %s", securityGroupID, err) } + d.Set("security_group_rule_id", findSecurityGroupRuleMatch(ipPermission, securityGroupRules, ruleType)) + return nil } @@ -334,20 +325,14 @@ func resourceSecurityGroupRuleUpdate(ctx context.Context, d *schema.ResourceData ipPermission := expandIPPermission(d, sg) ruleType := d.Get("type").(string) - isVPC := aws.StringValue(sg.VpcId) != "" switch ruleType { case securityGroupRuleTypeIngress: input := &ec2.UpdateSecurityGroupRuleDescriptionsIngressInput{ + GroupId: sg.GroupId, IpPermissions: []*ec2.IpPermission{ipPermission}, } - if isVPC { - input.GroupId = sg.GroupId - } else { - input.GroupName = sg.GroupName - } - _, err = conn.UpdateSecurityGroupRuleDescriptionsIngressWithContext(ctx, input) case securityGroupRuleTypeEgress: @@ -382,20 +367,14 @@ func resourceSecurityGroupRuleDelete(ctx context.Context, d *schema.ResourceData ipPermission := expandIPPermission(d, sg) ruleType := d.Get("type").(string) - isVPC := aws.StringValue(sg.VpcId) != "" switch ruleType { case securityGroupRuleTypeIngress: input := &ec2.RevokeSecurityGroupIngressInput{ + GroupId: sg.GroupId, IpPermissions: []*ec2.IpPermission{ipPermission}, } - if isVPC { - input.GroupId = sg.GroupId - } else { - input.GroupName = sg.GroupName - } - _, err = conn.RevokeSecurityGroupIngressWithContext(ctx, input) case securityGroupRuleTypeEgress: @@ -515,7 +494,7 @@ func resourceSecurityGroupRuleImport(_ context.Context, d *schema.ResourceData, return []*schema.ResourceData{d}, nil } -func findRuleMatch(p *ec2.IpPermission, rules []*ec2.IpPermission, isVPC bool) (*ec2.IpPermission, string) { +func findRuleMatch(p *ec2.IpPermission, rules []*ec2.IpPermission) (*ec2.IpPermission, string) { var rule *ec2.IpPermission var description string @@ -595,27 +574,14 @@ func findRuleMatch(p *ec2.IpPermission, rules []*ec2.IpPermission, isVPC bool) ( remaining = len(p.UserIdGroupPairs) for _, v1 := range p.UserIdGroupPairs { for _, v2 := range r.UserIdGroupPairs { - if isVPC { - if v1.GroupId == nil || v2.GroupId == nil { - continue - } - if aws.StringValue(v1.GroupId) == aws.StringValue(v2.GroupId) { - remaining-- - - if v := aws.StringValue(v2.Description); v != "" && description == "" { - description = v - } - } - } else { - if v1.GroupName == nil || v2.GroupName == nil { - continue - } - if aws.StringValue(v1.GroupName) == aws.StringValue(v2.GroupName) { - remaining-- + if v1.GroupId == nil || v2.GroupId == nil { + continue + } + if aws.StringValue(v1.GroupId) == aws.StringValue(v2.GroupId) { + remaining-- - if v := aws.StringValue(v2.Description); v != "" && description == "" { - description = v - } + if v := aws.StringValue(v2.Description); v != "" && description == "" { + description = v } } } @@ -808,39 +774,25 @@ func expandIPPermission(d *schema.ResourceData, sg *ec2.SecurityGroup) *ec2.IpPe } var self string - vpc := aws.StringValue(sg.VpcId) != "" if _, ok := d.GetOk("self"); ok { - if vpc { - self = aws.StringValue(sg.GroupId) - apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ - GroupId: aws.String(self), - }) - } else { - self = aws.StringValue(sg.GroupName) - apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ - GroupName: aws.String(self), - }) - } + self = aws.StringValue(sg.GroupId) + apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ + GroupId: aws.String(self), + }) } if v, ok := d.GetOk("source_security_group_id"); ok { if v := v.(string); v != self { - if vpc { - // [OwnerID/]SecurityGroupID. - if parts := strings.Split(v, "/"); len(parts) == 1 { - apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ - GroupId: aws.String(v), - }) - } else { - apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ - GroupId: aws.String(parts[1]), - UserId: aws.String(parts[0]), - }) - } + // [OwnerID/]SecurityGroupID. + if parts := strings.Split(v, "/"); len(parts) == 1 { + apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ + GroupId: aws.String(v), + }) } else { apiObject.UserIdGroupPairs = append(apiObject.UserIdGroupPairs, &ec2.UserIdGroupPair{ - GroupName: aws.String(v), + GroupId: aws.String(parts[1]), + UserId: aws.String(parts[0]), }) } } @@ -869,7 +821,7 @@ func expandIPPermission(d *schema.ResourceData, sg *ec2.SecurityGroup) *ec2.IpPe return apiObject } -func flattenIpPermission(d *schema.ResourceData, apiObject *ec2.IpPermission, isVPC bool) { // nosemgrep:ci.caps5-in-func-name +func flattenIpPermission(d *schema.ResourceData, apiObject *ec2.IpPermission) { // nosemgrep:ci.caps5-in-func-name if apiObject == nil { return } @@ -911,17 +863,13 @@ func flattenIpPermission(d *schema.ResourceData, apiObject *ec2.IpPermission, is if v := apiObject.UserIdGroupPairs; len(v) > 0 { v := v[0] - if isVPC { - if old, ok := d.GetOk("source_security_group_id"); ok { - // [OwnerID/]SecurityGroupID. - if parts := strings.Split(old.(string), "/"); len(parts) == 1 || aws.StringValue(v.UserId) == "" { - d.Set("source_security_group_id", v.GroupId) - } else { - d.Set("source_security_group_id", strings.Join([]string{aws.StringValue(v.UserId), aws.StringValue(v.GroupId)}, "/")) - } + if old, ok := d.GetOk("source_security_group_id"); ok { + // [OwnerID/]SecurityGroupID. + if parts := strings.Split(old.(string), "/"); len(parts) == 1 || aws.StringValue(v.UserId) == "" { + d.Set("source_security_group_id", v.GroupId) + } else { + d.Set("source_security_group_id", strings.Join([]string{aws.StringValue(v.UserId), aws.StringValue(v.GroupId)}, "/")) } - } else { - d.Set("source_security_group_id", v.GroupName) } } } From ea9eb1d9dad091ef0415789bd99d41169a883af4 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 12:28:38 -0400 Subject: [PATCH 28/32] Remove 'TestExpandIPPerms_nonVPC'. --- .../service/ec2/vpc_security_group_test.go | 100 ------------------ 1 file changed, 100 deletions(-) diff --git a/internal/service/ec2/vpc_security_group_test.go b/internal/service/ec2/vpc_security_group_test.go index efde81ef986..bd41547e139 100644 --- a/internal/service/ec2/vpc_security_group_test.go +++ b/internal/service/ec2/vpc_security_group_test.go @@ -793,106 +793,6 @@ func TestExpandIPPerms_AllProtocol(t *testing.T) { } } -func TestExpandIPPerms_nonVPC(t *testing.T) { - t.Parallel() - - hash := schema.HashString - - expanded := []interface{}{ - map[string]interface{}{ - "protocol": "icmp", - "from_port": 1, - "to_port": -1, - "cidr_blocks": []interface{}{"0.0.0.0/0"}, - "security_groups": schema.NewSet(hash, []interface{}{ - "sg-11111", - "foo/sg-22222", - }), - }, - map[string]interface{}{ - "protocol": "icmp", - "from_port": 1, - "to_port": -1, - "self": true, - }, - } - group := &ec2.SecurityGroup{ - GroupName: aws.String("foo"), - } - perms, err := tfec2.ExpandIPPerms(group, expanded) - if err != nil { - t.Fatalf("error expanding perms: %v", err) - } - - expected := []ec2.IpPermission{ - { - IpProtocol: aws.String("icmp"), - FromPort: aws.Int64(1), - ToPort: aws.Int64(int64(-1)), - IpRanges: []*ec2.IpRange{{CidrIp: aws.String("0.0.0.0/0")}}, - UserIdGroupPairs: []*ec2.UserIdGroupPair{ - { - GroupName: aws.String("sg-22222"), - }, - { - GroupName: aws.String("sg-11111"), - }, - }, - }, - { - IpProtocol: aws.String("icmp"), - FromPort: aws.Int64(1), - ToPort: aws.Int64(int64(-1)), - UserIdGroupPairs: []*ec2.UserIdGroupPair{ - { - GroupName: aws.String("foo"), - }, - }, - }, - } - - exp := expected[0] - perm := perms[0] - - if aws.Int64Value(exp.FromPort) != aws.Int64Value(perm.FromPort) { - t.Fatalf( - "Got:\n\n%#v\n\nExpected:\n\n%#v\n", - aws.Int64Value(perm.FromPort), - aws.Int64Value(exp.FromPort)) - } - - if aws.StringValue(exp.IpRanges[0].CidrIp) != aws.StringValue(perm.IpRanges[0].CidrIp) { - t.Fatalf( - "Got:\n\n%#v\n\nExpected:\n\n%#v\n", - aws.StringValue(perm.IpRanges[0].CidrIp), - aws.StringValue(exp.IpRanges[0].CidrIp)) - } - - if aws.StringValue(exp.UserIdGroupPairs[0].GroupName) != aws.StringValue(perm.UserIdGroupPairs[0].GroupName) { - t.Fatalf( - "Got:\n\n%#v\n\nExpected:\n\n%#v\n", - aws.StringValue(perm.UserIdGroupPairs[0].GroupName), - aws.StringValue(exp.UserIdGroupPairs[0].GroupName)) - } - - if aws.StringValue(exp.UserIdGroupPairs[1].GroupName) != aws.StringValue(perm.UserIdGroupPairs[1].GroupName) { - t.Fatalf( - "Got:\n\n%#v\n\nExpected:\n\n%#v\n", - aws.StringValue(perm.UserIdGroupPairs[1].GroupName), - aws.StringValue(exp.UserIdGroupPairs[1].GroupName)) - } - - exp = expected[1] - perm = perms[1] - - if aws.StringValue(exp.UserIdGroupPairs[0].GroupName) != aws.StringValue(perm.UserIdGroupPairs[0].GroupName) { - t.Fatalf( - "Got:\n\n%#v\n\nExpected:\n\n%#v\n", - aws.StringValue(perm.UserIdGroupPairs[0].GroupName), - aws.StringValue(exp.UserIdGroupPairs[0].GroupName)) - } -} - func TestFlattenSecurityGroups(t *testing.T) { t.Parallel() From acc0171afe76303620a7a57c87fca78f63a61000 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 14:02:12 -0400 Subject: [PATCH 29/32] r/aws_elastic_beanstalk_environment: Remove support for non-VPC security groups. --- .../service/elasticbeanstalk/environment.go | 51 +++++-------------- 1 file changed, 12 insertions(+), 39 deletions(-) diff --git a/internal/service/elasticbeanstalk/environment.go b/internal/service/elasticbeanstalk/environment.go index 3018b701aeb..5079f51a987 100644 --- a/internal/service/elasticbeanstalk/environment.go +++ b/internal/service/elasticbeanstalk/environment.go @@ -23,6 +23,7 @@ import ( // nosemgrep:ci.aws-sdk-go-multiple-service-imports "github.com/hashicorp/terraform-provider-aws/internal/create" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/sdktypes" + tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2" tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" @@ -391,14 +392,14 @@ func resourceEnvironmentRead(ctx context.Context, d *schema.ResourceData, meta i m["resource"] = aws.StringValue(optionSetting.ResourceName) } - if optionSetting.Value != nil { + if value := aws.StringValue(optionSetting.Value); value != "" { switch aws.StringValue(optionSetting.OptionName) { case "SecurityGroups": - m["value"] = dropGeneratedSecurityGroup(ctx, aws.StringValue(optionSetting.Value), meta) + m["value"] = dropGeneratedSecurityGroup(ctx, meta.(*conns.AWSClient).EC2Conn(), value) case "Subnets", "ELBSubnets": - m["value"] = sortValues(aws.StringValue(optionSetting.Value)) + m["value"] = sortValues(value) default: - m["value"] = aws.StringValue(optionSetting.Value) + m["value"] = value } } @@ -825,49 +826,21 @@ func extractOptionSettings(s *schema.Set) []*elasticbeanstalk.ConfigurationOptio return settings } -func dropGeneratedSecurityGroup(ctx context.Context, settingValue string, meta interface{}) string { - conn := meta.(*conns.AWSClient).EC2Conn() - - groups := strings.Split(settingValue, ",") - - // Check to see if groups are ec2-classic or vpc security groups - ec2Classic := true - beanstalkSGRegexp := regexp.MustCompile("sg-[0-9a-fA-F]{8}") - for _, g := range groups { - if beanstalkSGRegexp.MatchString(g) { - ec2Classic = false - break - } +func dropGeneratedSecurityGroup(ctx context.Context, conn *ec2.EC2, settingValue string) string { + input := &ec2.DescribeSecurityGroupsInput{ + GroupIds: aws.StringSlice(strings.Split(settingValue, ",")), } - var resp *ec2.DescribeSecurityGroupsOutput - var err error - - if ec2Classic { - resp, err = conn.DescribeSecurityGroupsWithContext(ctx, &ec2.DescribeSecurityGroupsInput{ - GroupNames: aws.StringSlice(groups), - }) - } else { - resp, err = conn.DescribeSecurityGroupsWithContext(ctx, &ec2.DescribeSecurityGroupsInput{ - GroupIds: aws.StringSlice(groups), - }) - } + securityGroup, err := tfec2.FindSecurityGroups(ctx, conn, input) if err != nil { - log.Printf("[DEBUG] Elastic Beanstalk error describing SecurityGroups: %v", err) return settingValue } - log.Printf("[DEBUG] Elastic Beanstalk using ec2-classic security-groups: %t", ec2Classic) var legitGroups []string - for _, group := range resp.SecurityGroups { - log.Printf("[DEBUG] Elastic Beanstalk SecurityGroup: %v", *group.GroupName) - if !strings.HasPrefix(*group.GroupName, "awseb") { - if ec2Classic { - legitGroups = append(legitGroups, *group.GroupName) - } else { - legitGroups = append(legitGroups, *group.GroupId) - } + for _, group := range securityGroup { + if !strings.HasPrefix(aws.StringValue(group.GroupName), "awseb") { + legitGroups = append(legitGroups, aws.StringValue(group.GroupId)) } } From 307a934ebd643673a4a03ce6fd94da301cfae7cf Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 14:49:11 -0400 Subject: [PATCH 30/32] Tweak documentation for 'aws_autoscaling_group.availability_zones'. --- website/docs/r/autoscaling_group.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/autoscaling_group.html.markdown b/website/docs/r/autoscaling_group.html.markdown index 7291e77a095..dd356c295b4 100644 --- a/website/docs/r/autoscaling_group.html.markdown +++ b/website/docs/r/autoscaling_group.html.markdown @@ -383,7 +383,7 @@ The following arguments are supported: * `max_size` - (Required) Maximum size of the Auto Scaling Group. * `min_size` - (Required) Minimum size of the Auto Scaling Group. (See also [Waiting for Capacity](#waiting-for-capacity) below.) -* `availability_zones` - (Optional) List of one or more availability zones for the group. Used for EC2-Classic, attaching a network interface via id from a launch template and default subnets when not specified with `vpc_zone_identifier` argument. Conflicts with `vpc_zone_identifier`. +* `availability_zones` - (Optional) A list of Availability Zones where instances in the Auto Scaling group can be created. Used for launching into the default VPC subnet in each Availability Zone when not using the `vpc_zone_identifier` attribute, or for attaching a network interface when an existing network interface ID is specified in a launch template. Conflicts with `vpc_zone_identifier`. * `capacity_rebalance` - (Optional) Whether capacity rebalance is enabled. Otherwise, capacity rebalance is disabled. * `context` - (Optional) Reserved. * `default_cooldown` - (Optional) Amount of time, in seconds, after a scaling activity completes before another scaling activity can start. From ed3910ad528fe2be5dd5f5c5941818a489a1c578 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 17:03:25 -0400 Subject: [PATCH 31/32] Fix golangci-lint 'whitespace'. --- internal/service/ec2/vpc_security_group.go | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/service/ec2/vpc_security_group.go b/internal/service/ec2/vpc_security_group.go index c41a17e2e9d..2d7d00102ec 100644 --- a/internal/service/ec2/vpc_security_group.go +++ b/internal/service/ec2/vpc_security_group.go @@ -803,7 +803,6 @@ func updateSecurityGroupRules(ctx context.Context, conn *ec2.EC2, d *schema.Reso // if it finds invalid permissions input, namely a protocol of "-1" with either // to_port or from_port set to a non-zero value. func ExpandIPPerms(group *ec2.SecurityGroup, configured []interface{}) ([]*ec2.IpPermission, error) { - perms := make([]*ec2.IpPermission, len(configured)) for i, mRaw := range configured { var perm ec2.IpPermission From 77c50a2fd2540e505c4ac7b4a7e00a7f6d6d9e59 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 26 Apr 2023 17:05:15 -0400 Subject: [PATCH 32/32] Fix golangci-lint 'staticcheck'. --- internal/service/rds/instance.go | 4 ---- internal/service/rds/instance_data_source.go | 4 ---- 2 files changed, 8 deletions(-) diff --git a/internal/service/rds/instance.go b/internal/service/rds/instance.go index 859b397c4bd..da375537a91 100644 --- a/internal/service/rds/instance.go +++ b/internal/service/rds/instance.go @@ -1690,10 +1690,6 @@ func resourceInstanceRead(ctx context.Context, d *schema.ResourceData, meta inte d.Set("replicas", aws.StringValueSlice(v.ReadReplicaDBInstanceIdentifiers)) d.Set("replicate_source_db", v.ReadReplicaSourceDBInstanceIdentifier) d.Set("resource_id", v.DbiResourceId) - var securityGroupNames []string - for _, v := range v.DBSecurityGroups { - securityGroupNames = append(securityGroupNames, aws.StringValue(v.DBSecurityGroupName)) - } d.Set("status", v.DBInstanceStatus) d.Set("storage_encrypted", v.StorageEncrypted) d.Set("storage_throughput", v.StorageThroughput) diff --git a/internal/service/rds/instance_data_source.go b/internal/service/rds/instance_data_source.go index e601bb5de59..66c07689db1 100644 --- a/internal/service/rds/instance_data_source.go +++ b/internal/service/rds/instance_data_source.go @@ -232,10 +232,6 @@ func dataSourceInstanceRead(ctx context.Context, d *schema.ResourceData, meta in parameterGroupNames = append(parameterGroupNames, aws.StringValue(v.DBParameterGroupName)) } d.Set("db_parameter_groups", parameterGroupNames) - var securityGroupNames []string - for _, v := range v.DBSecurityGroups { - securityGroupNames = append(securityGroupNames, aws.StringValue(v.DBSecurityGroupName)) - } if v.DBSubnetGroup != nil { d.Set("db_subnet_group", v.DBSubnetGroup.DBSubnetGroupName) } else {