hashicorp · ewbankkit · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024
@@ -0,0 +1,15 @@
+```release-note:bug
+resource/aws_network_acl_rule: Prevent creation of duplicate Terraform resources
+```
+
+```release-note:bug
+resource/aws_network_acl_rule: Fix `InvalidNetworkAclID.NotFound` errors on resource Delete
+```
+
+```release-note:bug
+resource/aws_route: Prevent creation of duplicate Terraform resources
+```
+
+```release-note:bug
+resource/aws_route_table: Fix `couldn't find resource` errors on resource Delete
+```
@@ -115,9 +115,11 @@ const (
  errCodeInvalidVPNGatewayAttachmentNotFound = "InvalidVpnGatewayAttachment.NotFound"
  errCodeInvalidVPNGatewayIDNotFound = "InvalidVpnGatewayID.NotFound"
  errCodeNatGatewayNotFound = "NatGatewayNotFound"
+ errCodeNetworkACLEntryAlreadyExists = "NetworkAclEntryAlreadyExists"
  errCodeOperationNotPermitted = "OperationNotPermitted"
  errCodePrefixListVersionMismatch = "PrefixListVersionMismatch"
  errCodeResourceNotReady = "ResourceNotReady"
+ errCodeRouteAlreadyExists = "RouteAlreadyExists"
  errCodeSnapshotCreationPerVolumeRateExceeded = "SnapshotCreationPerVolumeRateExceeded"
  errCodeUnsupportedOperation = "UnsupportedOperation"
  errCodeVolumeInUse = "VolumeInUse"
@@ -188,3 +190,11 @@ func UnsuccessfulItemsError(apiObjects []*ec2.UnsuccessfulItem) error {
 
  return errors.Join(errs...)
 }
+
+func networkACLEntryAlreadyExistsError(naclID string, egress bool, ruleNumber int) error {
+ return awserr.New(errCodeNetworkACLEntryAlreadyExists, fmt.Sprintf("EC2 Network ACL (%s) Rule (egress: %t)(%d) already exists", naclID, egress, ruleNumber), nil)
+}
+
+func routeAlreadyExistsError(routeTableID, destination string) error {
+ return awserr.New(errCodeRouteAlreadyExists, fmt.Sprintf("Route in Route Table (%s) with destination (%s) already exists", routeTableID, destination), nil)
+}
@@ -6,9 +6,13 @@ package ec2
 // Exports for use in tests only.
 var (
  ResourceDefaultNetworkACL = resourceDefaultNetworkACL
+ ResourceDefaultRouteTable = resourceDefaultRouteTable
  ResourceEBSFastSnapshotRestore = newResourceEBSFastSnapshotRestore
  ResourceInstanceConnectEndpoint = newResourceInstanceConnectEndpoint
  ResourceNetworkACL = resourceNetworkACL
+ ResourceNetworkACLRule = resourceNetworkACLRule
+ ResourceRoute = resourceRoute
+ ResourceRouteTable = resourceRouteTable
  ResourceSecurityGroupEgressRule = newResourceSecurityGroupEgressRule
  ResourceSecurityGroupIngressRule = newResourceSecurityGroupIngressRule
  ResourceTag = resourceTag

@@ -22,7 +22,7 @@ import (
 
 // @SDKResource("aws_default_route_table", name="Route Table")
 // @Tags(identifierAttribute="id")
-func ResourceDefaultRouteTable() *schema.Resource {
+func resourceDefaultRouteTable() *schema.Resource {
  return &schema.Resource{
  CreateWithoutTimeout: resourceDefaultRouteTableCreate,
  ReadWithoutTimeout: resourceDefaultRouteTableRead,

@@ -402,7 +402,7 @@ func TestAccVPCDefaultRouteTable_conditionalCIDRBlock(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
+ CheckDestroy: testAccCheckRouteTableDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCDefaultRouteTableConfig_conditionalIPv4v6(rName, destinationCidr, destinationIpv6Cidr, false),

@@ -23,8 +23,8 @@ import (
  "github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 )
 
-// @SDKResource("aws_network_acl_rule")
-func ResourceNetworkACLRule() *schema.Resource {
+// @SDKResource("aws_network_acl_rule", name="Network ACL Rule")
+func resourceNetworkACLRule() *schema.Resource {
  return &schema.Resource{
  CreateWithoutTimeout: resourceNetworkACLRuleCreate,
  ReadWithoutTimeout: resourceNetworkACLRuleRead,
@@ -126,14 +126,23 @@ func resourceNetworkACLRuleCreate(ctx context.Context, d *schema.ResourceData, m
 
  protocol := d.Get("protocol").(string)
  protocolNumber, err := networkACLProtocolNumber(protocol)
-
  if err != nil {
  return sdkdiag.AppendErrorf(diags, "creating EC2 Network ACL Rule: %s", err)
  }
 
- egress := d.Get("egress").(bool)
- naclID := d.Get("network_acl_id").(string)
- ruleNumber := d.Get("rule_number").(int)
+ naclID, egress, ruleNumber := d.Get("network_acl_id").(string), d.Get("egress").(bool), d.Get("rule_number").(int)
+
+ // CreateNetworkAclEntry succeeds if there is an existing rule with identical attributes.
+ _, err = FindNetworkACLEntryByThreePartKey(ctx, conn, naclID, egress, ruleNumber)
+
+ switch {
+ case err == nil:
+ return sdkdiag.AppendFromErr(diags, networkACLEntryAlreadyExistsError(naclID, egress, ruleNumber))
+ case tfresource.NotFound(err):
+ break
+ default:
+ return sdkdiag.AppendErrorf(diags, "reading EC2 Network ACL Rule: %s", err)
+ }
 
  input := &ec2.CreateNetworkAclEntryInput{
  Egress: aws.Bool(egress),
@@ -242,7 +251,7 @@ func resourceNetworkACLRuleDelete(ctx context.Context, d *schema.ResourceData, m
  RuleNumber: aws.Int64(int64(d.Get("rule_number").(int))),
  })
 
- if tfawserr.ErrCodeEquals(err, errCodeInvalidNetworkACLEntryNotFound) {
+ if tfawserr.ErrCodeEquals(err, errCodeInvalidNetworkACLIDNotFound, errCodeInvalidNetworkACLEntryNotFound) {
  return diags
  }
 

@@ -338,6 +338,24 @@ func TestAccVPCNetworkACLRule_tcpProtocol(t *testing.T) {
  })
 }
 
+func TestAccVPCNetworkACLRule_duplicate(t *testing.T) {
+ ctx := acctest.Context(t)
+ rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(ctx, t) },
+ ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckNetworkACLRuleDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccVPCNetworkACLRuleConfig_duplicate(rName),
+ ExpectError: regexache.MustCompile(`NetworkAclEntryAlreadyExists: EC2 Network ACL .* already exists`),
+ },
+ },
+ })
+}
+
 func testAccCheckNetworkACLRuleDestroy(ctx context.Context) resource.TestCheckFunc {
  return func(s *terraform.State) error {
  conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Conn(ctx)
@@ -739,6 +757,48 @@ resource "aws_network_acl" "test" {
 }`, rName)
 }
 
+func testAccVPCNetworkACLRuleConfig_duplicate(rName string) string {
+ return fmt.Sprintf(`
+resource "aws_vpc" "test" {
+ cidr_block = "10.3.0.0/16"
+
+ tags = {
+ Name = %[1]q
+ }
+}
+
+resource "aws_network_acl" "test" {
+ vpc_id = aws_vpc.test.id
+
+ tags = {
+ Name = %[1]q
+ }
+}
+
+resource "aws_network_acl_rule" "test1" {
+ network_acl_id = aws_network_acl.test.id
+ rule_number = 200
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ to_port = 22
+}
+
+resource "aws_network_acl_rule" "test2" {
+ network_acl_id = aws_network_acl_rule.test1.network_acl_id
+ rule_number = 200
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ to_port = 22
+}
+`, rName)
+}
+
 func testAccNetworkACLRuleImportStateIdFunc(resourceName, resourceProtocol string) resource.ImportStateIdFunc {
  return func(s *terraform.State) (string, error) {
  rs, ok := s.RootModule().Resources[resourceName]

@@ -46,8 +46,8 @@ var routeValidTargets = []string{
  "vpc_peering_connection_id",
 }
 
-// @SDKResource("aws_route")
-func ResourceRoute() *schema.Resource {
+// @SDKResource("aws_route", name="Route")
+func resourceRoute() *schema.Resource {
  return &schema.Resource{
  CreateWithoutTimeout: resourceRouteCreate,
  ReadWithoutTimeout: resourceRouteRead,
@@ -184,13 +184,11 @@ func resourceRouteCreate(ctx context.Context, d *schema.ResourceData, meta inter
  conn := meta.(*conns.AWSClient).EC2Conn(ctx)
 
  destinationAttributeKey, destination, err := routeDestinationAttribute(d)
-
  if err != nil {
  return sdkdiag.AppendFromErr(diags, err)
  }
 
  targetAttributeKey, target, err := routeTargetAttribute(d)
-
  if err != nil {
  return sdkdiag.AppendFromErr(diags, err)
  }
@@ -241,6 +239,17 @@ func resourceRouteCreate(ctx context.Context, d *schema.ResourceData, meta inter
  return sdkdiag.AppendErrorf(diags, "creating Route: unexpected route target attribute: %q", targetAttributeKey)
  }
 
+ _, err = routeFinder(ctx, conn, routeTableID, destination)
+
+ switch {
+ case err == nil:
+ return sdkdiag.AppendFromErr(diags, routeAlreadyExistsError(routeTableID, destination))
+ case tfresource.NotFound(err):
+ break
+ default:
+ return sdkdiag.AppendErrorf(diags, "reading Route: %s", err)
+ }
+
  _, err = tfresource.RetryWhenAWSErrCodeEquals(ctx, d.Timeout(schema.TimeoutCreate),
  func() (interface{}, error) {
  return conn.CreateRouteWithContext(ctx, input)

@@ -68,7 +68,6 @@ func TestAccVPCRouteDataSource_transitGatewayID(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_ipv4TransitGateway(rName),
@@ -92,7 +91,6 @@ func TestAccVPCRouteDataSource_ipv6DestinationCIDR(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_ipv6EgressOnlyInternetGateway(rName),
@@ -115,7 +113,6 @@ func TestAccVPCRouteDataSource_localGatewayID(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckOutpostsOutposts(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_ipv4LocalGateway(rName),
@@ -139,7 +136,6 @@ func TestAccVPCRouteDataSource_carrierGatewayID(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheckWavelengthZoneAvailable(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_ipv4CarrierGateway(rName),
@@ -163,7 +159,6 @@ func TestAccVPCRouteDataSource_destinationPrefixListID(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheckManagedPrefixList(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_prefixListNATGateway(rName),
@@ -189,7 +184,6 @@ func TestAccVPCRouteDataSource_gatewayVPCEndpoint(t *testing.T) {
  PreCheck: func() { acctest.PreCheck(ctx, t) },
  ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
  ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- CheckDestroy: testAccCheckRouteDestroy(ctx),
  Steps: []resource.TestStep{
  {
  Config: testAccVPCRouteDataSourceConfig_gatewayEndpointNo(rName),

@@ -49,12 +49,13 @@ var routeTableValidTargets = []string{
 
 // @SDKResource("aws_route_table", name="Route Table")
 // @Tags(identifierAttribute="id")
-func ResourceRouteTable() *schema.Resource {
+func resourceRouteTable() *schema.Resource {
  return &schema.Resource{
  CreateWithoutTimeout: resourceRouteTableCreate,
  ReadWithoutTimeout: resourceRouteTableRead,
  UpdateWithoutTimeout: resourceRouteTableUpdate,
  DeleteWithoutTimeout: resourceRouteTableDelete,
+
  Importer: &schema.ResourceImporter{
  StateContext: schema.ImportStatePassthroughContext,
  },
@@ -353,6 +354,10 @@ func resourceRouteTableDelete(ctx context.Context, d *schema.ResourceData, meta
 
  routeTable, err := FindRouteTableByID(ctx, conn, d.Id())
 
+ if tfresource.NotFound(err) {
+ return diags
+ }
+
  if err != nil {
  return sdkdiag.AppendErrorf(diags, "reading Route Table (%s): %s", d.Id(), err)
  }