Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New resource: aws_verifiedaccess_group #33297

Merged
merged 24 commits into from
Oct 9, 2023

Conversation

sQu4rks
Copy link
Contributor

@sQu4rks sQu4rks commented Sep 4, 2023

Description

Adds support for the Verified Access Group resource.

This PR is a draft since, for proper acceptance testing, the verified access instance and verified access trust provider resources are required. Currently acceptance testing is done by deploying a trust provider and verified access instance in the console and then setting the id in the tests.

Relations

Relates #29689
Depends on #33195
Depends on #29742

References

Link to API reference

Output from Acceptance Testing

% make testacc TESTS="TestAccVerifiedAccessAccessGroup_*" PKG=ec2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 20 -run='TestAccVerifiedAccessAccessGroup_*'  -timeout 180m
=== RUN   TestAccVerifiedAccessAccessGroup_basic
=== PAUSE TestAccVerifiedAccessAccessGroup_basic
=== RUN   TestAccVerifiedAccessAccessGroup_policy
=== PAUSE TestAccVerifiedAccessAccessGroup_policy
=== RUN   TestAccVerifiedAccessAccessGroup_tags
=== PAUSE TestAccVerifiedAccessAccessGroup_tags
=== CONT  TestAccVerifiedAccessAccessGroup_basic
=== CONT  TestAccVerifiedAccessAccessGroup_tags
=== CONT  TestAccVerifiedAccessAccessGroup_policy
--- PASS: TestAccVerifiedAccessAccessGroup_tags (33.43s)
--- PASS: TestAccVerifiedAccessAccessGroup_basic (33.57s)
--- PASS: TestAccVerifiedAccessAccessGroup_policy (33.73s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ec2        37.414s
...

@github-actions
Copy link

github-actions bot commented Sep 4, 2023

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added size/XL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. generators Relates to code generators. labels Sep 4, 2023
@terraform-aws-provider terraform-aws-provider bot added needs-triage Waiting for first response or review from a maintainer. partner Contribution from a partner. labels Sep 4, 2023
@justinretzolk justinretzolk added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 6, 2023
@ewbankkit ewbankkit changed the title F verified access group resource [WIP] aws_verifiedaccess_group Sep 11, 2023
@github-actions github-actions bot added the service/verifiedaccess Issues and PRs that pertain to the verifiedaccess service. label Sep 11, 2023
@ewbankkit
Copy link
Contributor

Requires #33459.

@ewbankkit
Copy link
Contributor

% make testacc TESTARGS='-run=TestAccVerifiedAccessGroup_basic' PKG=ec2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 20  -run=TestAccVerifiedAccessGroup_basic -timeout 180m
=== RUN   TestAccVerifiedAccessGroup_basic
=== PAUSE TestAccVerifiedAccessGroup_basic
=== CONT  TestAccVerifiedAccessGroup_basic
    verifiedaccess_group_test.go:25: Step 1/2 error: Error running apply: exit status 1
        
        Error: creating Verified Access Group: operation error EC2: CreateVerifiedAccessGroup, https response error StatusCode: 400, RequestID: 2312b462-547e-4588-9f1b-f00d9ffe30a7, api error InvalidParameterValue: Must attach a TrustProvider to Instance vai-0f22af219faae53fa before you can create a Group
        
          with aws_verifiedaccess_group.test,
          on terraform_plugin_test.tf line 8, in resource "aws_verifiedaccess_group" "test":
           8: resource "aws_verifiedaccess_group" "test" {
        
--- FAIL: TestAccVerifiedAccessGroup_basic (12.26s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	17.603s
FAIL
make: *** [testacc] Error 1

@sQu4rks
Copy link
Contributor Author

sQu4rks commented Oct 3, 2023

Also requires #33734 since the verified access group can't be created without a trust provider being attached to the instance.

Relevant error message:

Error: creating Verified Access Group: 
operation error EC2: CreateVerifiedAccessGroup,
https response error StatusCode: 400,
RequestID: <REDACTED>,
api error InvalidParameterValue: Must attach a TrustProvider to Instance vai-<REDACTED> before you can create a Group

With the aws_verifiedaccess_trust_provider_attachment resource from #33734 the following config should work for the tests:

resource "aws_verifiedaccess_trust_provider" "test" {
  oidc_options {
	authorization_endpoint = "https://authorization.example.com"
	client_id              = "r4nd0mst1n9"
	client_secret          = "r4nd0ms3cr3t"
	issuer                 = "https://isser.example.com"
	scope                  = "r4nd0msc0p3"
	token_endpoint         = "https://token.example.com"
	user_info_endpoint     = "https://user.example.com"
  }
  policy_reference_name    = "test"
  trust_provider_type      = "user"
  user_trust_provider_type = "oidc"
}

resource "aws_verifiedaccess_instance" "test" {
	tags = {
	  Name = %[1]q
	}
}

resource "aws_verifiedaccess_trust_provider_attachment" "test" {
	instance_id       = aws_verifiedaccess_instance.test.id
	trust_provider_id = aws_verifiedaccess_trust_provider.test.id
}

resource "aws_verifiedaccess_group" "test" {
  verifiedaccess_instance_id = aws_verifiedaccess_instance.test.id
}

@ewbankkit ewbankkit changed the title [WIP] aws_verifiedaccess_group New resource: aws_verifiedaccess_group Oct 6, 2023
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccVerifiedAccessGroup_' PKG=ec2 ACCTEST_PARALLELISM=2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccVerifiedAccessGroup_ -timeout 360m
=== RUN   TestAccVerifiedAccessGroup_basic
=== PAUSE TestAccVerifiedAccessGroup_basic
=== RUN   TestAccVerifiedAccessGroup_disappears
=== PAUSE TestAccVerifiedAccessGroup_disappears
=== RUN   TestAccVerifiedAccessGroup_tags
=== PAUSE TestAccVerifiedAccessGroup_tags
=== RUN   TestAccVerifiedAccessGroup_policy
=== PAUSE TestAccVerifiedAccessGroup_policy
=== CONT  TestAccVerifiedAccessGroup_basic
=== CONT  TestAccVerifiedAccessGroup_tags
--- PASS: TestAccVerifiedAccessGroup_basic (31.18s)
=== CONT  TestAccVerifiedAccessGroup_disappears
--- PASS: TestAccVerifiedAccessGroup_disappears (25.03s)
=== CONT  TestAccVerifiedAccessGroup_policy
--- PASS: TestAccVerifiedAccessGroup_tags (68.59s)
--- PASS: TestAccVerifiedAccessGroup_policy (28.41s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	90.212s

@ewbankkit ewbankkit merged commit a95cc85 into hashicorp:main Oct 9, 2023
41 checks passed
@github-actions github-actions bot added this to the v5.21.0 milestone Oct 9, 2023
@github-actions
Copy link

This functionality has been released in v5.21.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@evilr00t
Copy link

When a group is created and we want to add policy I have below error message:

  # aws_verifiedaccess_group.monitoring will be updated in-place
  ~ resource "aws_verifiedaccess_group" "monitoring" {
        id                         = "vagr-XYZ"
      + policy_document            = <<-EOT
            permit(principal,action,resource)
                  when {
                  context.test.groups has "XYZ" || context.test.user.email.address like "*@FOOBAR"
                };
        EOT
        tags                       = {
            "Environment" = "monitoring"
            "Name"        = "monitoring-ava-group"
            "system"      = "core"
        }
        # (7 unchanged attributes hidden)
    }

...

│ Error: updating Verified Access Group (vagr-043f49684c52f3afb) policy: operation error EC2: ModifyVerifiedAccessGroupPolicy, https response error StatusCode: 400, RequestID: ed72eee9-3fcc-4c2b-8a7b-d492d16d7a4e, api error InvalidParameterValue: Policy Document cannot be provided when Policy Enabled is false or missing

When I create group with policy already included, there is no problem. There is no variable to enable/disable policy so I'd assume it's a bug atm?

@sQu4rks
Copy link
Contributor Author

sQu4rks commented Oct 19, 2023

Having a look @evilr00t - I can reproduce the behavior.

@sQu4rks
Copy link
Contributor Author

sQu4rks commented Oct 20, 2023

@evilr00t Can you open up a bug report so that I can reference that in the PR for the fix?

@evilr00t
Copy link

@sQu4rks sure thing: #34052 here it is. Sorry for a delay.

Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. generators Relates to code generators. new-resource Introduces a new resource. partner Contribution from a partner. service/verifiedaccess Issues and PRs that pertain to the verifiedaccess service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants