New Resource: aws_vpc_ipv4_cidr_block_association #3723
Conversation
|
The |
radeksimko
added
service/ec2
radeksimko
changed the title
|
Any idea if this may get merged anytime soon? There seems to be a lot of interest based on comments in #1568, and I know my teams could use this functionality. |
|
I will work on resolving the conflicts tomorrow (hopefully). |
|
Rebased and resolved the merge conflict. |
|
Just want to thank @stack72 and @ewbankkit for the effort, as well as give my +1 on this thing being merged, it would definitely be usable for us! |
|
This being explicitly |
There was a problem hiding this comment.
Thanks for your work here @ewbankkit 👍 Overall I think this resource makes the most sense for this situation. I left some little feedback below. Please let us know if you have any questions or do not have time to implement the feedback.
Existing acceptance testing is passing for me as well:
make testacc TEST=./aws TESTARGS='-run=TestAccAwsVpcSecondaryIpv4CidrBlock_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAwsVpcSecondaryIpv4CidrBlock_basic -timeout 120m
=== RUN TestAccAwsVpcSecondaryIpv4CidrBlock_basic
--- PASS: TestAccAwsVpcSecondaryIpv4CidrBlock_basic (25.84s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 25.888s
aws/provider.go
Outdated
| @@ -570,6 +570,7 @@ func Provider() terraform.ResourceProvider { | |||
| "aws_vpc_endpoint_subnet_association": resourceAwsVpcEndpointSubnetAssociation(), | |||
| "aws_vpc_endpoint_service": resourceAwsVpcEndpointService(), | |||
| "aws_vpc_endpoint_service_allowed_principal": resourceAwsVpcEndpointServiceAllowedPrincipal(), | |||
| "aws_vpc_secondary_ipv4_cidr_block": resourceAwsVpcSecondaryIpv4CidrBlock(), | |||
There was a problem hiding this comment.
Due to the API naming, I perosnally lean towards naming this aws_vpc_ipv4_cidr_block_association. I think out of context, the word secondary implies there can only be one of these added which is not the case (even though the EC2 User Guide refers to them that way. Either way it can be confusing. 😕
| for _, cidrAssociation := range vpc.CidrBlockAssociationSet { | ||
| if aws.StringValue(cidrAssociation.AssociationId) == d.Id() { | ||
| found = true | ||
| d.Set("cidr_block", cidrAssociation.CidrBlock) |
There was a problem hiding this comment.
We should call break after this to stop looping through the CidrBlockAssociationSet
| AssociationId: aws.String(d.Id()), | ||
| }) | ||
| if err != nil { | ||
| return fmt.Errorf("Error deleting VPC secondary IPv4 CIDR block: %s", err.Error()) |
There was a problem hiding this comment.
We should ignore VPC not found errors here.
if isAWSErr(err, "InvalidVpcID.NotFound", "") {
return nil
}
There was a problem hiding this comment.
Also of note, we should probably add some documentation within the aws_subnet resource that suggests using the vpc_id of this resource when creating subnets under this new block, e.g.
When working with subnets under VPC secondary CIDR blocks created with the aws_vpc_ipv4_cidr_block_association resource, it is recommended to reference its vpc_id attribute to setup proper dependency ordering.
resource "aws_subnet" "example" {
# ... other configuration ...
vpc_id = "${aws_vpc_ipv4_cidr_block_association.example.vpc_id}"
}| } | ||
|
|
||
| d.SetId(aws.StringValue(resp.CidrBlockAssociation.AssociationId)) | ||
|
|
There was a problem hiding this comment.
Do we need to handle this scenario described in the VPC User Guide?
When you add or remove a CIDR block, it can go through various states:
associating|associated|disassociating|disassociated|failing|failed. The CIDR block is ready for you to use when it's in theassociatedstate.
It seems like we should have waiter logic implemented here to prevent downstream errors when trying to use the CIDR block immediately in Terraform configurations.
There was a problem hiding this comment.
OK, I'll address.
|
I have been following #1568 for 8 months and can see it have been closed now in favor of this one. Are there any ETA on this? |
|
I should be able to get to the suggested changes over the next couple of days. |
Adds the ability to associate extra IPv4 or IPv6 CIDR Blocks with a VPC. In order to avoid getting into the same issue as security_group and security_group_rule, we added a diffSuppressFunc that stops people enabling `ipv6` for an existant AWS VPC. We added a note to the documentation to talk about this ``` % make testacc TEST=./aws TESTARGS='-run=TestAccAWSVpc_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -run=TestAccAWSVpc_ -timeout 120m === RUN TestAccAWSVpc_importBasic --- PASS: TestAccAWSVpc_importBasic (54.16s) === RUN TestAccAWSVpc_basic --- PASS: TestAccAWSVpc_basic (45.26s) === RUN TestAccAWSVpc_enableIpv6 --- PASS: TestAccAWSVpc_enableIpv6 (87.40s) === RUN TestAccAWSVpc_dedicatedTenancy --- PASS: TestAccAWSVpc_dedicatedTenancy (45.51s) === RUN TestAccAWSVpc_tags --- PASS: TestAccAWSVpc_tags (84.80s) === RUN TestAccAWSVpc_update --- PASS: TestAccAWSVpc_update (97.12s) === RUN TestAccAWSVpc_bothDnsOptionsSet --- PASS: TestAccAWSVpc_bothDnsOptionsSet (19.82s) === RUN TestAccAWSVpc_DisabledDnsSupport --- PASS: TestAccAWSVpc_DisabledDnsSupport (44.93s) === RUN TestAccAWSVpc_classiclinkOptionSet --- PASS: TestAccAWSVpc_classiclinkOptionSet (46.18s) === RUN TestAccAWSVpc_classiclinkDnsSupportOptionSet --- PASS: TestAccAWSVpc_classiclinkDnsSupportOptionSet (47.51s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 572.738s ``` ``` % make testacc TEST=./aws TESTARGS='-run=TestAccAWSVpcAssociat' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -run=TestAccAWSVpcAssociat -timeout 120m === RUN TestAccAWSVpcAssociateIpv4CidrBlock --- PASS: TestAccAWSVpcAssociateIpv4CidrBlock (51.48s) === RUN TestAccAWSVpcAssociateIpv6CidrBlock --- PASS: TestAccAWSVpcAssociateIpv6CidrBlock (50.16s) === RUN TestAccAWSVpcAssociateIpv4AndIpv6CidrBlock --- PASS: TestAccAWSVpcAssociateIpv4AndIpv6CidrBlock (2.13s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 103.802s ```
|
@bflad All review comments addressed. Rebased to remove conflict. $ make testacc TEST=./aws TESTARGS='-run=TestAccAwsVpcIpv4CidrBlockAssociation_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAwsVpcIpv4CidrBlockAssociation_ -timeout 120m
=== RUN TestAccAwsVpcIpv4CidrBlockAssociation_basic
--- PASS: TestAccAwsVpcIpv4CidrBlockAssociation_basic (56.97s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 71.440s |
|
|
||
| // vpcDescribe returns EC2 API information about the specified VPC. | ||
| // If the VPC doesn't exist, return nil. | ||
| func vpcDescribe(conn *ec2.EC2, vpcId string) (*ec2.Vpc, error) { |
There was a problem hiding this comment.
Added vpcDescribe here to be reused in future refactorings.
bflad
changed the title
There was a problem hiding this comment.
Looks great @ewbankkit! Thanks so much to you and @stack72 for your work! 🚀
1 test passed (all tests)
=== RUN TestAccAwsVpcIpv4CidrBlockAssociation_basic
--- PASS: TestAccAwsVpcIpv4CidrBlockAssociation_basic (29.45s)
|
This has been released in version 1.26.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #1539.
Replaces #1568 with the implementation described here.
New resource
aws_vpc_secondary_ipv4_cidr_blockassociates a secondary IPv4 CIDR block with a VPC.Only the first of the rules for adding a CIDR block to a VPC is checked: The allowed block size is between a /28 netmask and /16 netmask.
Acceptance tests:
Regression tests for the
aws_vpcresource: