Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add pagination to aws_route53_resolver_rule data source #20642

Merged
merged 5 commits into from
Aug 20, 2021

Conversation

sheacloud
Copy link
Contributor

@sheacloud sheacloud commented Aug 20, 2021

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

What

Updated the aws_route53_resolver_rule data source to use pagination when looking for matching rules. Currently it only calls ListResolverRules once, and if there are no returned results, it assumes there is no matching rule, even if there is a NextToken returned alongside it.

Why

Recently the route53 API behavior changed when calling ListResolverRules in an account with a large number of rules (100s+) where it sometimes returns 0 results but a pagination NextToken. After discussing this with AWS support, it was concluded that it is expected, valid behavior. The same behavior can be seen with other APIs such as dynamodb or cloudwatch logs when filtering a large number of resources.

Reproducing

The following terraform can be used to create an example environment which can then be used to reproduce the error

provider "aws" {
    region = "us-east-1"
}

resource "aws_vpc" "test" {
    cidr_block = "10.0.0.0/24"
}

resource "aws_subnet" "test1" {
    vpc_id = aws_vpc.test.id
    cidr_block = "10.0.0.0/25"
    availability_zone = "us-east-1a"
}

resource "aws_subnet" "test2" {
    vpc_id = aws_vpc.test.id
    cidr_block = "10.0.0.128/25"
    availability_zone = "us-east-1b"
}

resource "aws_security_group" "test" {
  name        = "test"
  description = "route53 resolver testing"
  vpc_id      = aws_vpc.test.id
}

resource "aws_route53_resolver_endpoint" "test" {
  name      = "test"
  direction = "OUTBOUND"

  security_group_ids = [
    aws_security_group.test.id,
  ]

  ip_address {
    subnet_id = aws_subnet.test1.id
  }

  ip_address {
    subnet_id = aws_subnet.test2.id
  }
}

resource "aws_route53_resolver_rule" "test" {
  count = 250
  domain_name          = "${count.index}-example.com"
  name                 = "test"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.test.id

  target_ip {
    ip = "123.45.67.89"
  }
}

The following template attempts to pull some of the rules as data sources, resulting in "no matching rules" errors

provider "aws" {
    region = "us-east-1"
}

data "aws_route53_resolver_rule" "test" {
    domain_name = "120-example.com"
}

data "aws_route53_resolver_rule" "test1" {
    domain_name = "121-example.com"
}

data "aws_route53_resolver_rule" "test2" {
    domain_name = "122-example.com"
}

data "aws_route53_resolver_rule" "test3" {
    domain_name = "123-example.com"
}

data "aws_route53_resolver_rule" "test4" {
    domain_name = "124-example.com"
}

You can also validate this using the AWS CLI with the 1st template deployed by running

$ aws route53resolver list-resolver-rules --filter="Name=DomainName,Values=111-example.com"

a few times, and eventually you should get a result like

{
    "NextToken": "V0001tvtOQSUoVeQKvRvZo7T56N5RBE7hqZsP7Yt59ZR8n984CYjL58T27bzWeDAUOHZ9ZYWxE/KT29A0bBp8TDR/SqqvSuK15h81Eh3VQ2BatSLuQ+mz9ednz14E3SdO8fojufpyAWBPRngEovMGVyG1aCw+ZeDGezMGCh7sSXNJhuRA0qoi2SG2xoVZy6dKMbMVYeEC/DzauOAc4KVPv1cMfpDBnflZLPZD1kOMWBqV3hUJp0/2uEe/4K+kotFQsx312rYOaQvlfX/yLFMR",
    "MaxResults": 30,
    "ResolverRules": []
}

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 2 -run=TestAccAWSRoute53ResolverRuleDataSource -timeout 180m
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_basic
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_basic
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_basic
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_basic (33.18s)
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
    data_source_aws_route53_resolver_rule_test.go:146: Step 1/1 error: Error running apply: exit status 1
        
        Error: no Route53 Resolver rules matched
        
          on terraform_plugin_test.tf line 145, in data "aws_route53_resolver_rule" "by_resolver_endpoint_id":
         145: data "aws_route53_resolver_rule" "by_resolver_endpoint_id" {
        
        
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
    data_source_aws_route53_resolver_rule_test.go:108: Step 1/1 error: Check failed: Check 9/13 error: data.aws_route53_resolver_rule.by_resolver_endpoint_id: Attribute 'share_status' expected "SHARED_BY_ME", got "NOT_SHARED"
--- FAIL: TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe (240.96s)
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
--- FAIL: TestAccAWSRoute53ResolverRuleDataSource_SharedByMe (237.65s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags (248.82s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	491.921s
FAIL
make: *** [testacc] Error 1

I'm having issues running the Shared* tests which interact with RAM in my accounts. I have RAM sharing at the org level enabled, so I'm not sure what is wrong, but I get the same errors when I run the tests against the code prior to my changes (i.e. checked out on the commit before my changes)

@sheacloud sheacloud requested a review from ewbankkit as a code owner August 20, 2021 17:30
@github-actions github-actions bot added service/route53resolver Issues and PRs that pertain to the route53resolver service. size/XS Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. labels Aug 20, 2021
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @sheacloud 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@sheacloud sheacloud changed the title [WIP] Add pagination to aws_route53_resolver_rule data source Add pagination to aws_route53_resolver_rule data source Aug 20, 2021
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Aug 20, 2021
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccAWSRoute53ResolverRuleDataSource_'           
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverRuleDataSource_ -timeout 180m
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_basic
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_basic
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== RUN   TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== PAUSE TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_basic
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedByMe
    provider_test.go:715: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
=== CONT  TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe
    provider_test.go:715: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
--- SKIP: TestAccAWSRoute53ResolverRuleDataSource_SharedByMe (0.81s)
--- SKIP: TestAccAWSRoute53ResolverRuleDataSource_SharedWithMe (0.82s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_basic (38.68s)
--- PASS: TestAccAWSRoute53ResolverRuleDataSource_ResolverEndpointIdWithTags (267.64s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       274.453s

@ewbankkit
Copy link
Contributor

@sheacloud Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 2b12ec1 into hashicorp:main Aug 20, 2021
@github-actions github-actions bot added this to the v3.56.0 milestone Aug 20, 2021
@github-actions
Copy link

This functionality has been released in v3.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
service/route53resolver Issues and PRs that pertain to the route53resolver service. size/XS Managed by automation to categorize the size of a PR.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants