Add Authorization Rules for Client VPN

aws/ec2_filters.go

@@ -2,13 +2,13 @@ package aws
 
 import (
 	"fmt"
-	"sort"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
+	tfec2 "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2"
 )
 
 // buildEC2AttributeFilterList takes a flat map of scalar attributes (most
@@ -33,29 +33,7 @@ import (
 // the EC2 API, to aid in the implementation of Terraform data sources that
 // retrieve data about EC2 objects.
 func buildEC2AttributeFilterList(attrs map[string]string) []*ec2.Filter {
-	var filters []*ec2.Filter
-
-	// sort the filters by name to make the output deterministic
-	var names []string
-	for filterName := range attrs {
-		names = append(names, filterName)
-	}
-
-	sort.Strings(names)
-
-	for _, filterName := range names {
-		value := attrs[filterName]
-		if value == "" {
-			continue
-		}
-
-		filters = append(filters, &ec2.Filter{
-			Name:   aws.String(filterName),
-			Values: []*string{aws.String(value)},
-		})
-	}
-
-	return filters
+	return tfec2.BuildAttributeFilterList(attrs)
 }
 
 // buildEC2TagFilterList takes a []*ec2.Tag and produces a []*ec2.Filter that

aws/internal/experimental/sync/sync.go

@@ -0,0 +1,48 @@
+package sync
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"testing"
+)
+
+// Semaphore can be used to limit concurrent executions. This can be used to work with resources with low quotas
+type Semaphore chan struct{}
+
+// InitializeSemaphore initializes a semaphore with a default capacity or overrides it using an environment variable
+// NOTE: this is currently an experimental feature and is likely to change. DO NOT USE.
+func InitializeSemaphore(envvar string, defaultLimit int) Semaphore {
+	limit := defaultLimit
+	x := os.Getenv(envvar)
+	if x != "" {
+		var err error
+		limit, err = strconv.Atoi(x)
+		if err != nil {
+			panic(fmt.Errorf("could not parse %q: expected integer, got %q", envvar, x))
+		}
+	}
+	return make(Semaphore, limit)
+}
+
+// Wait waits for a semaphore before continuing
+// NOTE: this is currently an experimental feature and is likely to change. DO NOT USE.
+func (s Semaphore) Wait() {
+	s <- struct{}{}
+}
+
+// Notify releases a semaphore
+// NOTE: this is currently an experimental feature and is likely to change. DO NOT USE.
+func (s Semaphore) Notify() {
+	<-s
+}
+
+// TestAccPreCheckSyncronized waits for a semaphore and skips the test if there is no capacity
+// NOTE: this is currently an experimental feature and is likely to change. DO NOT USE.
+func TestAccPreCheckSyncronize(t *testing.T, semaphore Semaphore, resource string) {
+	if cap(semaphore) == 0 {
+		t.Skipf("concurrency for %s testing set to 0", resource)
+	}
+
+	semaphore.Wait()
+}

aws/internal/service/ec2/errors.go

@@ -0,0 +1,24 @@
+package ec2
+
+import (
+	"errors"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+)
+
+// Copied from aws-sdk-go-base
+// Can be removed when aws-sdk-go-base v0.6+ is merged
+// TODO:
+func ErrCodeEquals(err error, code string) bool {
+	var awsErr awserr.Error
+	if errors.As(err, &awsErr) {
+		return awsErr.Code() == code
+	}
+	return false
+}
+
+const ErrCodeClientVpnEndpointIdNotFound = "InvalidClientVpnEndpointId.NotFound"
+
+const ErrCodeClientVpnAuthorizationRuleNotFound = "InvalidClientVpnEndpointAuthorizationRuleNotFound"
+
+const ErrCodeClientVpnAssociationIdNotFound = "InvalidClientVpnAssociationId.NotFound"

aws/internal/service/ec2/filter.go

@@ -0,0 +1,55 @@
+package ec2
+
+import (
+	"sort"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
+)
+
+// BuildAttributeFilterList takes a flat map of scalar attributes (most
+// likely values extracted from a *schema.ResourceData on an EC2-querying
+// data source) and produces a []*ec2.Filter representing an exact match
+// for each of the given non-empty attributes.
+//
+// The keys of the given attributes map are the attribute names expected
+// by the EC2 API, which are usually either in camelcase or with dash-separated
+// words. We conventionally map these to underscore-separated identifiers
+// with the same words when presenting these as data source query attributes
+// in Terraform.
+//
+// It's the callers responsibility to transform any non-string values into
+// the appropriate string serialization required by the AWS API when
+// encoding the given filter. Any attributes given with empty string values
+// are ignored, assuming that the user wishes to leave that attribute
+// unconstrained while filtering.
+//
+// The purpose of this function is to create values to pass in
+// for the "Filters" attribute on most of the "Describe..." API functions in
+// the EC2 API, to aid in the implementation of Terraform data sources that
+// retrieve data about EC2 objects.
+func BuildAttributeFilterList(attrs map[string]string) []*ec2.Filter {
+	var filters []*ec2.Filter
+
+	// sort the filters by name to make the output deterministic
+	var names []string
+	for filterName := range attrs {
+		names = append(names, filterName)
+	}
+
+	sort.Strings(names)
+
+	for _, filterName := range names {
+		value := attrs[filterName]
+		if value == "" {
+			continue
+		}
+
+		filters = append(filters, &ec2.Filter{
+			Name:   aws.String(filterName),
+			Values: []*string{aws.String(value)},
+		})
+	}
+
+	return filters
+}

aws/internal/service/ec2/finder/finder.go

@@ -0,0 +1,33 @@
+package finder
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	tfec2 "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2"
+)
+
+func ClientVpnAuthorizationRule(conn *ec2.EC2, endpointID, targetNetworkCidr, accessGroupID string) (*ec2.DescribeClientVpnAuthorizationRulesOutput, error) {
+	filters := map[string]string{
+		"destination-cidr": targetNetworkCidr,
+	}
+	if accessGroupID != "" {
+		filters["group-id"] = accessGroupID
+	}
+
+	input := &ec2.DescribeClientVpnAuthorizationRulesInput{
+		ClientVpnEndpointId: aws.String(endpointID),
+		Filters:             tfec2.BuildAttributeFilterList(filters),
+	}
+
+	return conn.DescribeClientVpnAuthorizationRules(input)
+
+}
+
+func ClientVpnAuthorizationRuleByID(conn *ec2.EC2, authorizationRuleID string) (*ec2.DescribeClientVpnAuthorizationRulesOutput, error) {
+	endpointID, targetNetworkCidr, accessGroupID, err := tfec2.ClientVpnAuthorizationRuleParseID(authorizationRuleID)
+	if err != nil {
+		return nil, err
+	}
+
+	return ClientVpnAuthorizationRule(conn, endpointID, targetNetworkCidr, accessGroupID)
+}

aws/internal/service/ec2/id.go

@@ -0,0 +1,32 @@
+package ec2
+
+import (
+	"fmt"
+	"strings"
+)
+
+const clientVpnAuthorizationRuleIDSeparator = ","
+
+func ClientVpnAuthorizationRuleCreateID(endpointID, targetNetworkCidr, accessGroupID string) string {
+	parts := []string{endpointID, targetNetworkCidr}
+	if accessGroupID != "" {
+		parts = append(parts, accessGroupID)
+	}
+	id := strings.Join(parts, clientVpnAuthorizationRuleIDSeparator)
+	return id
+}
+
+func ClientVpnAuthorizationRuleParseID(id string) (string, string, string, error) {
+	parts := strings.Split(id, clientVpnAuthorizationRuleIDSeparator)
+	if len(parts) == 2 && parts[0] != "" && parts[1] != "" {
+		return parts[0], parts[1], "", nil
+	}
+	if len(parts) == 3 && parts[0] != "" && parts[1] != "" && parts[2] != "" {
+		return parts[0], parts[1], parts[2], nil
+	}
+
+	return "", "", "",
+		fmt.Errorf("unexpected format for ID (%q), expected endpoint-id"+clientVpnAuthorizationRuleIDSeparator+
+			"target-network-cidr or endpoint-id"+clientVpnAuthorizationRuleIDSeparator+"target-network-cidr"+
+			clientVpnAuthorizationRuleIDSeparator+"group-id", id)
+}

aws/internal/service/ec2/waiter/status.go

@@ -1,9 +1,13 @@
 package waiter
 
 import (
+	"fmt"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	tfec2 "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2/finder"
 )
 
 // LocalGatewayRouteTableVpcAssociationState fetches the LocalGatewayRouteTableVpcAssociation and its State
@@ -39,3 +43,74 @@ func LocalGatewayRouteTableVpcAssociationState(conn *ec2.EC2, localGatewayRouteT
 		return association, aws.StringValue(association.State), nil
 	}
 }
+
+const (
+	ClientVpnEndpointStatusNotFound = "NotFound"
+
+	ClientVpnEndpointStatusUnknown = "Unknown"
+)
+
+// ClientVpnEndpointStatus fetches the Client VPN endpoint and its Status
+func ClientVpnEndpointStatus(conn *ec2.EC2, endpointID string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		result, err := conn.DescribeClientVpnEndpoints(&ec2.DescribeClientVpnEndpointsInput{
+			ClientVpnEndpointIds: aws.StringSlice([]string{endpointID}),
+		})
+		if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnEndpointIdNotFound) {
+			return nil, ClientVpnEndpointStatusNotFound, nil
+		}
+		if err != nil {
+			return nil, ClientVpnEndpointStatusUnknown, err
+		}
+
+		if result == nil || len(result.ClientVpnEndpoints) == 0 || result.ClientVpnEndpoints[0] == nil {
+			return nil, ClientVpnEndpointStatusNotFound, nil
+		}
+
+		endpoint := result.ClientVpnEndpoints[0]
+		if endpoint.Status == nil || endpoint.Status.Code == nil {
+			return endpoint, ClientVpnEndpointStatusUnknown, nil
+		}
+
+		return endpoint, aws.StringValue(endpoint.Status.Code), nil
+	}
+}
+
+const (
+	ClientVpnAuthorizationRuleStatusNotFound = "NotFound"
+
+	ClientVpnAuthorizationRuleStatusUnknown = "Unknown"
+)
+
+// ClientVpnAuthorizationRuleStatus fetches the Client VPN authorization rule and its Status
+func ClientVpnAuthorizationRuleStatus(conn *ec2.EC2, authorizationRuleID string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		endpointID, targetNetworkCidr, accessGroupID, err := tfec2.ClientVpnAuthorizationRuleParseID(authorizationRuleID)
+		if err != nil {
+			return nil, ClientVpnAuthorizationRuleStatusUnknown, err
+		}
+
+		result, err := finder.ClientVpnAuthorizationRule(conn, endpointID, targetNetworkCidr, accessGroupID)
+		if tfec2.ErrCodeEquals(err, tfec2.ErrCodeClientVpnAuthorizationRuleNotFound) {
+			return nil, ClientVpnAuthorizationRuleStatusNotFound, nil
+		}
+		if err != nil {
+			return nil, ClientVpnAuthorizationRuleStatusUnknown, err
+		}
+
+		if result == nil || len(result.AuthorizationRules) == 0 || result.AuthorizationRules[0] == nil {
+			return nil, ClientVpnAuthorizationRuleStatusNotFound, nil
+		}
+
+		if len(result.AuthorizationRules) > 1 {
+			return nil, ClientVpnAuthorizationRuleStatusUnknown, fmt.Errorf("internal error: found %d results for Client VPN authorization rule (%s) status, need 1", len(result.AuthorizationRules), authorizationRuleID)
+		}
+
+		rule := result.AuthorizationRules[0]
+		if rule.Status == nil || rule.Status.Code == nil {
+			return rule, ClientVpnAuthorizationRuleStatusUnknown, nil
+		}
+
+		return rule, aws.StringValue(rule.Status.Code), nil
+	}
+}

aws/internal/service/ec2/waiter/waiter.go

@@ -50,3 +50,64 @@ func LocalGatewayRouteTableVpcAssociationDisassociated(conn *ec2.EC2, localGatew
 
 	return nil, err
 }
+
+const (
+	ClientVpnEndpointDeletedTimout = 5 * time.Minute
+)
+
+func ClientVpnEndpointDeleted(conn *ec2.EC2, id string) (*ec2.ClientVpnEndpoint, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{ec2.ClientVpnEndpointStatusCodeDeleting},
+		Target:  []string{},
+		Refresh: ClientVpnEndpointStatus(conn, id),
+		Timeout: ClientVpnEndpointDeletedTimout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if output, ok := outputRaw.(*ec2.ClientVpnEndpoint); ok {
+		return output, err
+	}
+
+	return nil, err
+}
+
+const (
+	ClientVpnAuthorizationRuleActiveTimeout = 1 * time.Minute
+
+	ClientVpnAuthorizationRuleRevokedTimeout = 1 * time.Minute
+)
+
+func ClientVpnAuthorizationRuleAuthorized(conn *ec2.EC2, authorizationRuleID string) (*ec2.AuthorizationRule, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{ec2.ClientVpnAuthorizationRuleStatusCodeAuthorizing},
+		Target:  []string{ec2.ClientVpnAuthorizationRuleStatusCodeActive},
+		Refresh: ClientVpnAuthorizationRuleStatus(conn, authorizationRuleID),
+		Timeout: ClientVpnAuthorizationRuleActiveTimeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if output, ok := outputRaw.(*ec2.AuthorizationRule); ok {
+		return output, err
+	}
+
+	return nil, err
+}
+
+func ClientVpnAuthorizationRuleRevoked(conn *ec2.EC2, authorizationRuleID string) (*ec2.AuthorizationRule, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{ec2.ClientVpnAuthorizationRuleStatusCodeRevoking},
+		Target:  []string{},
+		Refresh: ClientVpnAuthorizationRuleStatus(conn, authorizationRuleID),
+		Timeout: ClientVpnAuthorizationRuleRevokedTimeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if output, ok := outputRaw.(*ec2.AuthorizationRule); ok {
+		return output, err
+	}
+
+	return nil, err
+}