Site to Site VPN logging #26637

Merged
merged 22 commits into from
Sep 7, 2022
Merged
cf2ffeb
WIP on VPN connection tunnel logs
bschaatsbergen Aug 21, 2022
b9a0726
Merge branch 'main' into f/site-to-site-vpn-logs
bschaatsbergen Sep 3, 2022
5c1e815
Merge branch 'main' into f/site-to-site-vpn-logs
bschaatsbergen Sep 3, 2022
46029fe
Set to `cloudwatch_log_options`
bschaatsbergen Sep 3, 2022
f078ebb
Compute the log options
bschaatsbergen Sep 3, 2022
28a66e4
WIP on a cloudWatchLogOptions test
bschaatsbergen Sep 3, 2022
af47f3a
fmt test config
bschaatsbergen Sep 4, 2022
75ad013
Add some guard clauses
bschaatsbergen Sep 4, 2022
dd4606b
fix expands, had some trouble passing down the interface
bschaatsbergen Sep 4, 2022
971224c
Remove irrelevant resource attribute checks
bschaatsbergen Sep 4, 2022
9db018c
remove schema set clauses
bschaatsbergen Sep 4, 2022
9b10c2e
Add log options to docs
bschaatsbergen Sep 4, 2022
a23ace3
tabs to spaces
bschaatsbergen Sep 4, 2022
d63f809
fmt cloudwatch log group
bschaatsbergen Sep 5, 2022
750c331
Offload possible log output formats to a values func
bschaatsbergen Sep 5, 2022
62ef470
Set log options to schema type list
bschaatsbergen Sep 5, 2022
3f51152
Add CHANGELOG entry.
ewbankkit Sep 6, 2022
2211802
r/aws_vpn_connection: Correct 'tunnel1_log_options' and 'tunnel2_log_…
ewbankkit Sep 6, 2022
2cc425e
r/aws_vpn_connection: Log options are Computed.
ewbankkit Sep 6, 2022
61ea349
'cloudwatch_log_options' is Optional.
ewbankkit Sep 6, 2022
733d8ed
Fix semgrep 'ci.caps2-in-const-name'.
ewbankkit Sep 6, 2022
b4c24ec
r/aws_vpn_connection: No log ARN or format if not enabled.
ewbankkit Sep 7, 2022
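--- /dev/null
+++ b/.changelog/26637.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_vpn_connection: Add `tunnel1_log_options` and `tunnel2_log_options` arguments
+```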
12 changes: 12 additions & 0 deletions internal/service/ec2/consts.go
Expand Up @@ -111,6 +111,18 @@ func vpnTunnelOptionsIKEVersion_Values() []string {
}
}

const (
vpnTunnelCloudWatchLogOutputFormatJSON = "json"
vpnTunnelCloudWatchLogOutputFormatText = "text"
)

func vpnTunnelCloudWatchLogOutputFormat_Values() []string {
return []string{
vpnTunnelCloudWatchLogOutputFormatJSON,
vpnTunnelCloudWatchLogOutputFormatText,
}
}

const (
vpnTunnelOptionsPhase1EncryptionAlgorithmAES128 = "AES128"
vpnTunnelOptionsPhase1EncryptionAlgorithmAES256 = "AES256"
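Review bot: The new constants and `vpnTunnelCloudWatchLogOutputFormat_Values` carry no comment saying what they are for; the only clue is their use as a `StringInSlice` validator in the resource file. I'd add `// Output formats accepted for site-to-site VPN tunnel CloudWatch logs.` above the const block and `// vpnTunnelCloudWatchLogOutputFormat_Values returns the accepted values for the log_output_format argument of a tunnel's cloudwatch_log_options block.` above the function, matching the other `_Values()` helpers in this file. The surrounding declarations continue outside the hunk.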
175 changes: 172 additions & 3 deletions internal/service/ec2/vpnsite_connection.go
Expand Up @@ -204,6 +204,39 @@ func ResourceVPNConnection() *schema.Resource {
ValidateFunc: validVPNConnectionTunnelInsideIPv6CIDR(),
RequiredWith: []string{"transit_gateway_id"},
},
"tunnel1_log_options": {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"cloudwatch_log_options": {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"log_enabled": {
Type: schema.TypeBool,
Optional: true,
},
"log_group_arn": {
Type: schema.TypeString,
Optional: true,
},
"log_output_format": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice(vpnTunnelCloudWatchLogOutputFormat_Values(), false),
},
},
},
},
},
},
},
"tunnel1_phase1_dh_group_numbers": {
Type: schema.TypeSet,
Optional: true,
Expand Down Expand Up @@ -384,6 +417,39 @@ func ResourceVPNConnection() *schema.Resource {
ValidateFunc: validVPNConnectionTunnelInsideIPv6CIDR(),
RequiredWith: []string{"transit_gateway_id"},
},
"tunnel2_log_options": {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"cloudwatch_log_options": {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"log_enabled": {
Type: schema.TypeBool,
Optional: true,
},
"log_group_arn": {
Type: schema.TypeString,
Optional: true,
},
"log_output_format": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice(vpnTunnelCloudWatchLogOutputFormat_Values(), false),
},
},
},
},
},
},
},
"tunnel2_phase1_dh_group_numbers": {
Type: schema.TypeSet,
Optional: true,
Expand Down Expand Up @@ -716,7 +782,9 @@ func resourceVPNConnectionRead(d *schema.ResourceData, meta interface{}) error {

for i, prefix := range []string{"tunnel1_", "tunnel2_"} {
if len(v.TunnelOptions) > i {
flattenTunnelOption(d, prefix, v.TunnelOptions[i])
if err := flattenTunnelOption(d, prefix, v.TunnelOptions[i]); err != nil {
return err
}
}
}
} else {
Expand Down Expand Up @@ -960,6 +1028,10 @@ func expandVPNTunnelOptionsSpecification(d *schema.ResourceData, prefix string)
}
}

if v, ok := d.GetOk(prefix + "log_options"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
apiObject.LogOptions = expandVPNTunnelLogOptionsSpecification(v.([]interface{})[0].(map[string]interface{}))
}

if v, ok := d.GetOk(prefix + "phase1_dh_group_numbers"); ok {
for _, v := range v.(*schema.Set).List() {
apiObject.Phase1DHGroupNumbers = append(apiObject.Phase1DHGroupNumbers, &ec2.Phase1DHGroupNumbersRequestListValue{Value: aws.Int64(int64(v.(int)))})
Expand Down Expand Up @@ -1035,6 +1107,45 @@ func expandVPNTunnelOptionsSpecification(d *schema.ResourceData, prefix string)
return apiObject
}

func expandVPNTunnelLogOptionsSpecification(tfMap map[string]interface{}) *ec2.VpnTunnelLogOptionsSpecification {
if tfMap == nil {
return nil
}

apiObject := &ec2.VpnTunnelLogOptionsSpecification{}

if v, ok := tfMap["cloudwatch_log_options"].([]interface{}); ok && len(v) > 0 && v[0] != nil {
apiObject.CloudWatchLogOptions = expandCloudWatchLogOptionsSpecification(v[0].(map[string]interface{}))
}

return apiObject
}

func expandCloudWatchLogOptionsSpecification(tfMap map[string]interface{}) *ec2.CloudWatchLogOptionsSpecification {
if tfMap == nil {
return nil
}

apiObject := &ec2.CloudWatchLogOptionsSpecification{}

if v, ok := tfMap["log_enabled"].(bool); ok {
apiObject.LogEnabled = aws.Bool(v)
}

// No ARN or format if not enabled.
if aws.BoolValue(apiObject.LogEnabled) {
if v, ok := tfMap["log_group_arn"].(string); ok && v != "" {
apiObject.LogGroupArn = aws.String(v)
}

if v, ok := tfMap["log_output_format"].(string); ok && v != "" {
apiObject.LogOutputFormat = aws.String(v)
}
}

return apiObject
}

func expandModifyVPNTunnelOptionsSpecification(d *schema.ResourceData, prefix string) *ec2.ModifyVpnTunnelOptionsSpecification {
apiObject := &ec2.ModifyVpnTunnelOptionsSpecification{}
hasChange := false
Expand Down Expand Up @@ -1073,6 +1184,14 @@ func expandModifyVPNTunnelOptionsSpecification(d *schema.ResourceData, prefix st
hasChange = true
}

if key := prefix + "log_options"; d.HasChange(key) {
if v, ok := d.GetOk(key); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
apiObject.LogOptions = expandVPNTunnelLogOptionsSpecification(v.([]interface{})[0].(map[string]interface{}))
}

hasChange = true
}

if key := prefix + "phase1_dh_group_numbers"; d.HasChange(key) {
if v, ok := d.GetOk(key); ok && v.(*schema.Set).Len() > 0 {
for _, v := range d.Get(key).(*schema.Set).List() {
Expand Down Expand Up @@ -1230,9 +1349,9 @@ func expandModifyVPNTunnelOptionsSpecification(d *schema.ResourceData, prefix st
return apiObject
}

func flattenTunnelOption(d *schema.ResourceData, prefix string, apiObject *ec2.TunnelOption) {
func flattenTunnelOption(d *schema.ResourceData, prefix string, apiObject *ec2.TunnelOption) error {
if apiObject == nil {
return
return nil
}

var s []*string
Expand All @@ -1247,6 +1366,14 @@ func flattenTunnelOption(d *schema.ResourceData, prefix string, apiObject *ec2.T
d.Set(prefix+"ike_versions", aws.StringValueSlice(s))
s = nil

if apiObject.LogOptions != nil {
if err := d.Set(prefix+"log_options", []interface{}{flattenVPNTunnelLogOptions(apiObject.LogOptions)}); err != nil {
return fmt.Errorf("setting %s: %w", prefix+"log_options", err)
}
} else {
d.Set(prefix+"log_options", nil)
}

for _, v := range apiObject.Phase1DHGroupNumbers {
i = append(i, v.Value)
}
Expand Down Expand Up @@ -1291,6 +1418,8 @@ func flattenTunnelOption(d *schema.ResourceData, prefix string, apiObject *ec2.T
d.Set(prefix+"startup_action", apiObject.StartupAction)
d.Set(prefix+"inside_cidr", apiObject.TunnelInsideCidr)
d.Set(prefix+"inside_ipv6_cidr", apiObject.TunnelInsideIpv6Cidr)

return nil
}

func flattenVPNStaticRoute(apiObject *ec2.VpnStaticRoute) map[string]interface{} {
Expand Down Expand Up @@ -1333,6 +1462,46 @@ func flattenVPNStaticRoutes(apiObjects []*ec2.VpnStaticRoute) []interface{} {
return tfList
}

func flattenVPNTunnelLogOptions(apiObject *ec2.VpnTunnelLogOptions) map[string]interface{} {
if apiObject == nil {
return nil
}

tfMap := map[string]interface{}{}

if v := apiObject.CloudWatchLogOptions; v != nil {
tfMap["cloudwatch_log_options"] = []interface{}{flattenCloudWatchLogOptions(v)}
}

return tfMap
}

func flattenCloudWatchLogOptions(apiObject *ec2.CloudWatchLogOptions) map[string]interface{} {
if apiObject == nil {
return nil
}

tfMap := map[string]interface{}{}

if v := apiObject.LogEnabled; v != nil {
enabled := aws.BoolValue(v)
tfMap["log_enabled"] = enabled

// No ARN or format if not enabled.
if enabled {
if v := apiObject.LogGroupArn; v != nil {
tfMap["log_group_arn"] = aws.StringValue(v)
}

if v := apiObject.LogOutputFormat; v != nil {
tfMap["log_output_format"] = aws.StringValue(v)
}
}
}

return tfMap
}

func flattenVGWTelemetry(apiObject *ec2.VgwTelemetry) map[string]interface{} {
if apiObject == nil {
return nil
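Review bot: In `expandCloudWatchLogOptionsSpecification`, `log_group_arn` and `log_output_format` are dropped whenever `log_enabled` is not true, and the schema accepts any string for the ARN, so a block that sets only `log_group_arn` (the SDK presumably fills `log_enabled` with false) plans cleanly and, as far as I can tell, yields a tunnel with logging off and the ARN silently discarded. I'd validate the ARN at plan time with the provider's ARN validator if it is in scope in this file (`ValidateFunc: verify.ValidARN,` on both `log_group_arn` attributes) and state in the argument docs that `log_group_arn` and `log_output_format` are ignored unless `log_enabled = true`. Because `tunnel1_log_options`/`tunnel2_log_options` are `Optional` and `Computed`, removing the block from configuration should produce no diff, so the only way to turn tunnel logging off is an explicit `log_enabled = false`; that deserves a sentence in the resource docs as well. The enclosing `ResourceVPNConnection` schema and `expandVPNTunnelOptionsSpecification` start and end outside the hunks shown.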