Add default values to aws_vpn_connection #17031

Merged
merged 64 commits into from
Jan 26, 2022
Changes from 1 commit
Commits
64 commits
715856c
Add default values to aws_vpn_connection
shoekstra Jan 8, 2021
4f2950c
Fix data source aws_vpc_peering_connections
Feb 1, 2021
85e8830
Prevent potential panics
borancar Feb 11, 2021
82867a1
Re-add fmt
borancar Feb 11, 2021
929adb3
r/route and r/route_table: deprecate 'instance_id'
anGie44 Jan 19, 2022
d1116cc
Update CHANGELOG for #22664
anGie44 Jan 19, 2022
4cb8d32
Update CHANGELOG.md
anGie44 Jan 19, 2022
06d4dd1
add acceptance test coverage
anGie44 Jan 20, 2022
014c543
Add resource aws_s3_bucket_versioning
devonbleak Jul 9, 2018
cd485f7
CR updates: align with API and update overall provider design patterns
anGie44 Jan 21, 2022
fa892a0
Update CHANGELOG for #5132
anGie44 Jan 21, 2022
4b4ba07
first draft
dirk39 Dec 14, 2021
89ef24b
ok
dirk39 Dec 14, 2021
a7e4283
test ok. manage destroy
dirk39 Dec 15, 2021
efeeafa
test ok. destroy ok
dirk39 Dec 15, 2021
4ead8c4
test ok. destroy ok
dirk39 Dec 15, 2021
7081296
updated doc
dirk39 Dec 16, 2021
9efb223
Revert "updated doc"
ewbankkit Jan 18, 2022
cf3aa75
Revert "test ok. destroy ok"
ewbankkit Jan 18, 2022
6aad5c8
Revert "test ok. destroy ok"
ewbankkit Jan 18, 2022
dfa49c7
Revert "test ok. manage destroy"
ewbankkit Jan 18, 2022
41d6293
Revert "ok"
ewbankkit Jan 18, 2022
23b4ad2
Revert "first draft"
ewbankkit Jan 18, 2022
ec7a894
r/aws_default_subnet: Full resource life cycle. First baby steps.
ewbankkit Jan 11, 2022
8a47012
r/aws_default_subnet: Full resource life cycle. Playing with some ide…
ewbankkit Jan 11, 2022
1a7e808
r/aws_default_subnet: 'map_public_ip_on_launch' has a Default of true.
ewbankkit Jan 12, 2022
bfdc5f5
Additional 'modifySubnetAttriute' functions.
ewbankkit Jan 12, 2022
a430617
r/aws_default_subnet: Complete 'modifySubnetAttributesOnCreate'.
ewbankkit Jan 12, 2022
e8c1ebb
r/aws_default_subnet: Set tags on resource Create.
ewbankkit Jan 13, 2022
032d221
r/aws_default_subnet: Corrections after some testing.
ewbankkit Jan 13, 2022
f5b3c9f
'setting' -> 'modifying' in error messages.
ewbankkit Jan 14, 2022
a488c43
r/aws_default_vpc: Don't reuse ResourceVPC's schema.
ewbankkit Jan 19, 2022
6392c5e
Tidy up subnet and VPC sweepers.
ewbankkit Jan 19, 2022
8ad66f3
r/aws_default_vpc: IPv6 changes.
ewbankkit Jan 19, 2022
4a753d1
r/aws_default_vpc: Test IPv6 changes.
ewbankkit Jan 19, 2022
f6b8080
r/aws_default_vpc and r/aws_default_subnet: Serialize tests.
ewbankkit Jan 19, 2022
8607515
Store any new IPv6 CIDR block association ID to state.
ewbankkit Jan 19, 2022
e25e316
Add 'testAccPreCheckDefaultVPCAvailable'.
ewbankkit Jan 20, 2022
4f71d54
Add 'testAccPreCheckDefaultSubnetAvailable'.
ewbankkit Jan 20, 2022
148faa8
r/aws_default_vpc and r/aws_default_subnet: Check existence in TestCa…
ewbankkit Jan 20, 2022
7c2672b
Add CHANGELOG entry.
ewbankkit Jan 20, 2022
76a4ef2
d/aws_vpcs: Return empty list when no VPCs match.
ewbankkit Jan 20, 2022
8364e13
EC2: 'testCheckResourceAttrGreaterThanValue' -> 'acctest.CheckResourc…
ewbankkit Jan 20, 2022
560608c
EKS: 'testCheckResourceAttrGreaterThanValue' -> 'acctest.CheckResourc…
ewbankkit Jan 20, 2022
40c026b
r/aws_default_subnet: Add 'testAccEC2DefaultSubnet_privateDnsNameOpti…
ewbankkit Jan 20, 2022
1c98f56
r/aws_default_vpc: Add `force_destroy` and create new tests.
ewbankkit Jan 20, 2022
681707e
r/aws_default_subnet: Additional tests.
ewbankkit Jan 20, 2022
14272a4
r/aws_default_subnet: Ensure default subnets are recreated.
ewbankkit Jan 21, 2022
02574a0
r/aws_default_subnet & r/aws_default_vpc: Don't run acceptance tests …
ewbankkit Jan 21, 2022
dfd36ba
Documentation updates.
ewbankkit Jan 21, 2022
bf37eb4
Revert "Add default values to aws_vpn_connection"
ewbankkit Jan 24, 2022
e406153
Merge branch 'release/4.x' into HEAD
ewbankkit Jan 24, 2022
a41fae0
r/aws_vpn_connection: Add documented default values for tunnel options.
ewbankkit Jan 24, 2022
7c5ba15
r/aws_vpn_connection: Don't add default values for tunnel options to …
ewbankkit Jan 24, 2022
06dc01d
r/aws_vpn_connection: Send nil when updating tunnel options to defaul…
ewbankkit Jan 24, 2022
22f2bd6
Revert "r/aws_vpn_connection: Send nil when updating tunnel options t…
ewbankkit Jan 24, 2022
b6285a3
r/aws_vpn_connection: Test resetting tunnel options to default values.
ewbankkit Jan 25, 2022
16d2ca1
r/aws_vpn_connection: Rename default VPN tunnel options values.
ewbankkit Jan 25, 2022
83fb94b
r/aws_vpn_connection: Suppress diffs for simple tunnel option attribu…
ewbankkit Jan 25, 2022
63f7a36
r/aws_vpn_connection: Additional tunnel option attribute validations.
ewbankkit Jan 25, 2022
af9526c
r/aws_vpn_connection: Attempt to use a CustomizeDiffFunc rather than …
ewbankkit Jan 25, 2022
0b0f932
Revert "r/aws_vpn_connection: Attempt to use a CustomizeDiffFunc rath…
ewbankkit Jan 25, 2022
918103e
r/aws_vpn_connection: Expect a non-empty plan after resetting to defau…
ewbankkit Jan 25, 2022
c7d5f80
Merge branch 'release/4.x' into HEAD
ewbankkit Jan 26, 2022
12 changes: 12 additions & 0 deletions aws/resource_aws_vpn_connection.go
Expand Up @@ -167,6 +167,7 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel1_dpd_timeout_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 30,
ValidateFunc: validateVpnConnectionTunnelDpdTimeoutSeconds(),
},
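Review bot: `Default: 30` on `tunnel1_dpd_timeout_seconds` turns an attribute that was previously Optional with no value into one the plan always carries, so existing state that stores nothing for it (or a Read that does not refresh it from the returned tunnel options) will show an in-place update to 30 on the first plan after upgrading. Before relying on a schema `Default` here, confirm the Read path sets this attribute from the API; if it does not, leaving the default unset and suppressing the diff is the safer option (the commit list on this PR shows the author later went that way). The default also has to pass `validateVpnConnectionTunnelDpdTimeoutSeconds()`; 30 is the AWS documented default and minimum for DPD timeout, so it does, but a schema default that fails its own ValidateFunc only surfaces at plan time, which is worth a unit test.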

Expand Down Expand Up @@ -197,6 +198,7 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel1_phase1_lifetime_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 28800,
ValidateFunc: validateVpnConnectionTunnelPhase1LifetimeSeconds(),
},

Expand All @@ -221,24 +223,28 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel1_phase2_lifetime_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 3600,
ValidateFunc: validateVpnConnectionTunnelPhase2LifetimeSeconds(),
},

"tunnel1_rekey_fuzz_percentage": {
Type: schema.TypeInt,
Optional: true,
Default: 100,
ValidateFunc: validateVpnConnectionTunnelRekeyFuzzPercentage(),
},

"tunnel1_rekey_margin_time_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 540,
ValidateFunc: validateVpnConnectionTunnelRekeyMarginTimeSeconds(),
},

"tunnel1_replay_window_size": {
Type: schema.TypeInt,
Optional: true,
Default: 1024,
ValidateFunc: validateVpnConnectionTunnelReplayWindowSize(),
},
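Review bot: `Default: 540` for `tunnel1_rekey_margin_time_seconds` and `Default: 3600` for `tunnel1_phase2_lifetime_seconds` are coupled by an AWS-side rule (the rekey margin must be less than half the phase 2 lifetime), and the per-attribute `ValidateFunc`s in this hunk cannot see each other. With both now defaulted, a user who sets only `tunnel1_phase2_lifetime_seconds` to a value below 1080 gets a clean plan and an API error at apply. Consider a CustomizeDiff or a combined check that validates the pair, or at least document the relationship beside the defaults. The `100` for `tunnel1_rekey_fuzz_percentage` and `1024` for `tunnel1_replay_window_size` match the AWS documented defaults, but each number now appears once for tunnel1 and once for tunnel2 in this file; a named constant per option would stop them drifting apart.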

Expand Down Expand Up @@ -283,6 +289,7 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel2_dpd_timeout_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 30,
ValidateFunc: validateVpnConnectionTunnelDpdTimeoutSeconds(),
},

Expand Down Expand Up @@ -313,6 +320,7 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel2_phase1_lifetime_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 28800,
ValidateFunc: validateVpnConnectionTunnelPhase1LifetimeSeconds(),
},

Expand All @@ -337,24 +345,28 @@ func resourceAwsVpnConnection() *schema.Resource {
"tunnel2_phase2_lifetime_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 3600,
ValidateFunc: validateVpnConnectionTunnelPhase2LifetimeSeconds(),
},

"tunnel2_rekey_fuzz_percentage": {
Type: schema.TypeInt,
Optional: true,
Default: 100,
ValidateFunc: validateVpnConnectionTunnelRekeyFuzzPercentage(),
},

"tunnel2_rekey_margin_time_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 540,
ValidateFunc: validateVpnConnectionTunnelRekeyMarginTimeSeconds(),
},

"tunnel2_replay_window_size": {
Type: schema.TypeInt,
Optional: true,
Default: 1024,
ValidateFunc: validateVpnConnectionTunnelReplayWindowSize(),
},
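Review bot: The `tunnel2_*` entries in this hunk repeat the `tunnel1_*` schema verbatim, `Default` values included. A small helper that builds the per-tunnel option schema once and is called for both prefixes would keep the two blocks in sync and make a future change to a default or a ValidateFunc a single edit; if the duplication is kept, pin the numeric defaults in constants shared by both blocks so `tunnel1_replay_window_size` and `tunnel2_replay_window_size` cannot end up with different values.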

245 changes: 245 additions & 0 deletions aws/resource_aws_vpn_connection_test.go
Expand Up @@ -159,6 +159,166 @@ func TestAccAWSVpnConnection_TransitGatewayID(t *testing.T) {
})
}

func TestAccAWSVpnConnection_tunnelDefaults(t *testing.T) {
badCidrRangeErr := regexp.MustCompile(`expected \w+ to not be any of \[[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/30\s?]+\]`)
rBgpAsn := acctest.RandIntRange(64512, 65534)
resourceName := "aws_vpn_connection.test"
var vpn ec2.VpnConnection

tunnel1 := TunnelOptions{
psk: "12345678",
tunnelCidr: "169.254.8.0/30",
dpdTimeoutAction: "clear",
dpdTimeoutSeconds: 30,
ikeVersions: "\"ikev1\", \"ikev2\"",
phase1DhGroupNumbers: "2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24",
phase1EncryptionAlgorithms: "\"AES128\", \"AES256\", \"AES128-GCM-16\", \"AES256-GCM-16\"",
phase1IntegrityAlgorithms: "\"SHA1\", \"SHA2-256\", \"SHA2-384\", \"SHA2-512\"",
phase1LifetimeSeconds: 28800,
phase2DhGroupNumbers: "2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24",
phase2EncryptionAlgorithms: "\"AES128\", \"AES256\", \"AES128-GCM-16\", \"AES256-GCM-16\"",
phase2IntegrityAlgorithms: "\"SHA1\", \"SHA2-256\", \"SHA2-384\", \"SHA2-512\"",
phase2LifetimeSeconds: 3600,
rekeyFuzzPercentage: 100,
rekeyMarginTimeSeconds: 540,
replayWindowSize: 1024,
startupAction: "add",
}

tunnel2 := TunnelOptions{
psk: "abcdefgh",
tunnelCidr: "169.254.9.0/30",
dpdTimeoutAction: "clear",
dpdTimeoutSeconds: 30,
ikeVersions: "\"ikev1\", \"ikev2\"",
phase1DhGroupNumbers: "2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24",
phase1EncryptionAlgorithms: "\"AES128\", \"AES256\", \"AES128-GCM-16\", \"AES256-GCM-16\"",
phase1IntegrityAlgorithms: "\"SHA1\", \"SHA2-256\", \"SHA2-384\", \"SHA2-512\"",
phase1LifetimeSeconds: 28800,
phase2DhGroupNumbers: "2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24",
phase2EncryptionAlgorithms: "\"AES128\", \"AES256\", \"AES128-GCM-16\", \"AES256-GCM-16\"",
phase2IntegrityAlgorithms: "\"SHA1\", \"SHA2-256\", \"SHA2-384\", \"SHA2-512\"",
phase2LifetimeSeconds: 3600,
rekeyFuzzPercentage: 100,
rekeyMarginTimeSeconds: 540,
replayWindowSize: 1024,
startupAction: "add",
}

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
IDRefreshName: resourceName,
Providers: testAccProviders,
CheckDestroy: testAccAwsVpnConnectionDestroy,
Steps: []resource.TestStep{
// Checking CIDR blocks
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "not-a-cidr"),
ExpectError: regexp.MustCompile(`invalid CIDR address: not-a-cidr`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.254.0/31"),
ExpectError: regexp.MustCompile(`expected "\w+" to contain a network Value with between 30 and 30 significant bits`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "172.16.0.0/30"),
ExpectError: regexp.MustCompile(`must be within 169.254.0.0/16`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.0.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.1.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.2.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.3.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.4.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.5.0/30"),
ExpectError: badCidrRangeErr,
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "12345678", "169.254.169.252/30"),
ExpectError: badCidrRangeErr,
},

// Checking PreShared Key
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "1234567", "169.254.254.0/30"),
ExpectError: regexp.MustCompile(`expected length of \w+ to be in the range \(8 - 64\)`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, acctest.RandStringFromCharSet(65, acctest.CharSetAlpha), "169.254.254.0/30"),
ExpectError: regexp.MustCompile(`expected length of \w+ to be in the range \(8 - 64\)`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "01234567", "169.254.254.0/30"),
ExpectError: regexp.MustCompile(`cannot start with zero character`),
},
{
Config: testAccAwsVpnConnectionConfigSingleTunnelOptions(rBgpAsn, "1234567!", "169.254.254.0/30"),
ExpectError: regexp.MustCompile(`can only contain alphanumeric, period and underscore characters`),
},

// Should pre-check:
// - local_ipv4_network_cidr
// - local_ipv6_network_cidr
// - remote_ipv4_network_cidr
// - remote_ipv6_network_cidr
// - tunnel_inside_ip_version
// - tunnel1_dpd_timeout_action
// - tunnel1_dpd_timeout_seconds
// - tunnel1_phase1_lifetime_seconds
// - tunnel1_phase2_lifetime_seconds
// - tunnel1_rekey_fuzz_percentage
// - tunnel1_rekey_margin_time_seconds
// - tunnel1_replay_window_size
// - tunnel1_startup_action
// - tunnel1_inside_cidr
// - tunnel1_inside_ipv6_cidr

//Try actual building
{
Config: testAccAwsVpnConnectionConfigTunnelDefaults(rBgpAsn, "192.168.1.1/32", "192.168.1.2/32", tunnel1, tunnel2),
Check: resource.ComposeTestCheckFunc(
testAccAwsVpnConnectionExists(resourceName, &vpn),
resource.TestCheckResourceAttr(resourceName, "static_routes_only", "false"),

resource.TestCheckResourceAttr(resourceName, "tunnel1_dpd_timeout_seconds", "30"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_inside_cidr", "169.254.8.0/30"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_preshared_key", "12345678"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_phase1_lifetime_seconds", "28800"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_phase2_lifetime_seconds", "3600"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_rekey_fuzz_percentage", "100"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_rekey_margin_time_seconds", "540"),
resource.TestCheckResourceAttr(resourceName, "tunnel1_replay_window_size", "1024"),

resource.TestCheckResourceAttr(resourceName, "tunnel2_dpd_timeout_seconds", "30"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_inside_cidr", "169.254.9.0/30"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_preshared_key", "abcdefgh"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_phase1_lifetime_seconds", "28800"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_phase2_lifetime_seconds", "3600"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_rekey_fuzz_percentage", "100"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_rekey_margin_time_seconds", "540"),
resource.TestCheckResourceAttr(resourceName, "tunnel2_replay_window_size", "1024"),
),
},
// TODO: Once #396, #3359, #5809 are fixed, an import test step should be added here
},
})
}

func TestAccAWSVpnConnection_tunnelOptions(t *testing.T) {
badCidrRangeErr := regexp.MustCompile(`expected \w+ to not be any of \[[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/30\s?]+\]`)
rBgpAsn := acctest.RandIntRange(64512, 65534)
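Review bot: The `dpdTimeoutSeconds`, `phase1LifetimeSeconds`, `phase2LifetimeSeconds`, `rekeyFuzzPercentage`, `rekeyMarginTimeSeconds` and `replayWindowSize` fields set on `tunnel1` and `tunnel2` are never consumed by `testAccAwsVpnConnectionConfigTunnelDefaults`, while the `Check` block compares against string literals ("30", "28800", "3600", "100", "540", "1024"). Either drop those fields or derive the expectations from them (for example `strconv.Itoa(tunnel1.dpdTimeoutSeconds)`) so the test has one source of truth for each default. The CIDR and preshared-key `ExpectError` steps at the top duplicate the opening of `TestAccAWSVpnConnection_tunnelOptions` (the same `badCidrRangeErr` is declared again there); running them twice lengthens the acceptance run without adding coverage, so keep them in one test. The `// Should pre-check:` list is a TODO with no corresponding step and should either become checks or be removed before merge.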
Expand Down Expand Up @@ -730,6 +890,91 @@ resource "aws_vpn_connection" "test" {
`, rBgpAsn)
}

func testAccAwsVpnConnectionConfigTunnelDefaults(
rBgpAsn int,
localIpv4NetworkCidr string,
remoteIpv4NetworkCidr string,
tunnel1 TunnelOptions,
tunnel2 TunnelOptions,
) string {
return fmt.Sprintf(`
resource "aws_vpn_gateway" "vpn_gateway" {
tags = {
Name = "vpn_gateway"
}
}

resource "aws_customer_gateway" "customer_gateway" {
bgp_asn = %d
ip_address = "178.0.0.1"
type = "ipsec.1"

tags = {
Name = "main-customer-gateway"
}
}

resource "aws_vpn_connection" "test" {
vpn_gateway_id = aws_vpn_gateway.vpn_gateway.id
customer_gateway_id = aws_customer_gateway.customer_gateway.id
type = "ipsec.1"
static_routes_only = false

local_ipv4_network_cidr = %[2]q
remote_ipv4_network_cidr = %[3]q

tunnel1_inside_cidr = %[4]q
tunnel1_preshared_key = %[5]q
tunnel1_dpd_timeout_action = %[6]q
tunnel1_ike_versions = [%[7]s]
tunnel1_phase1_dh_group_numbers = [%[8]s]
tunnel1_phase1_encryption_algorithms = [%[9]s]
tunnel1_phase1_integrity_algorithms = [%[10]s]
tunnel1_phase2_dh_group_numbers = [%[11]s]
tunnel1_phase2_encryption_algorithms = [%[12]s]
tunnel1_phase2_integrity_algorithms = [%[13]s]
tunnel1_startup_action = %[14]q

tunnel2_inside_cidr = %[15]q
tunnel2_preshared_key = %[16]q
tunnel2_dpd_timeout_action = %[17]q
tunnel2_ike_versions = [%[18]s]
tunnel2_phase1_dh_group_numbers = [%[19]s]
tunnel2_phase1_encryption_algorithms = [%[20]s]
tunnel2_phase1_integrity_algorithms = [%[21]s]
tunnel2_phase2_dh_group_numbers = [%[22]s]
tunnel2_phase2_encryption_algorithms = [%[23]s]
tunnel2_phase2_integrity_algorithms = [%[24]s]
tunnel2_startup_action = %[25]q
}
`,
rBgpAsn,
localIpv4NetworkCidr,
remoteIpv4NetworkCidr,
tunnel1.tunnelCidr,
tunnel1.psk,
tunnel1.dpdTimeoutAction,
tunnel1.ikeVersions,
tunnel1.phase1DhGroupNumbers,
tunnel1.phase1EncryptionAlgorithms,
tunnel1.phase1IntegrityAlgorithms,
tunnel1.phase2DhGroupNumbers,
tunnel1.phase2EncryptionAlgorithms,
tunnel1.phase2IntegrityAlgorithms,
tunnel1.startupAction,
tunnel2.tunnelCidr,
tunnel2.psk,
tunnel2.dpdTimeoutAction,
tunnel2.ikeVersions,
tunnel2.phase1DhGroupNumbers,
tunnel2.phase1EncryptionAlgorithms,
tunnel2.phase1IntegrityAlgorithms,
tunnel2.phase2DhGroupNumbers,
tunnel2.phase2EncryptionAlgorithms,
tunnel2.phase2IntegrityAlgorithms,
tunnel2.startupAction)
}

func testAccAwsVpnConnectionConfigTunnelOptions(
rBgpAsn int,
localIpv4NetworkCidr string,
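Review bot: `testAccAwsVpnConnectionConfigTunnelDefaults` splices `ikeVersions`, the DH group lists and the algorithm lists into `[...]` with `%s`, so callers must hand in pre-quoted, comma-separated HCL fragments such as `"\"ikev1\", \"ikev2\""`; taking `[]string` on `TunnelOptions` and quoting and joining inside this function would remove a class of malformed-config failures and make the struct reusable. The format string also mixes an unindexed `%d` with explicit `%[2]q` to `%[25]q`; that works because the first verb consumes argument 1, but `%[1]d` makes the intent explicit. Lastly, the function deliberately leaves out the numeric tunnel options so the resource defaults are exercised; a comment saying so would help, since the `TunnelOptions` it accepts carries those fields and a reader will expect them to be applied.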