Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Second half of support for Gateway Association Proposals #8455

Closed
wants to merge 4 commits into from

Conversation

ewbankkit
Copy link
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Fixes #8100.
Follows on from:

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/directconnect Issues and PRs that pertain to the directconnect service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Apr 26, 2019
@ewbankkit
Copy link
Contributor Author

Changing tack and modifying aws_dx_gateway_association instead - #8100 (comment).

@ewbankkit
Copy link
Contributor Author

Third time lucky.
Adding resource aws_dx_cross_account_gateway_association - #8100 (comment).

@ewbankkit
Copy link
Contributor Author

Current state of acceptance tests:

$ AWS_ALTERNATE_ACCESS_KEY_ID=AAAAAAAAAAAAAAAAAAAA AWS_ALTERNATE_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsDxCrossAccountGatewayAssociation_basic'==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAwsDxCrossAccountGatewayAssociation_basic -timeout 120m
=== RUN   TestAccAwsDxCrossAccountGatewayAssociation_basic
=== PAUSE TestAccAwsDxCrossAccountGatewayAssociation_basic
=== CONT  TestAccAwsDxCrossAccountGatewayAssociation_basic
--- FAIL: TestAccAwsDxCrossAccountGatewayAssociation_basic (36.60s)
    testing.go:568: Step 0 error: errors during apply:
        
        Error: error accepting Direct Connect gateway association proposal: DirectConnectClientException: Could not find a Direct Connect Gateway Association Proposal for the provided combination of Direct Connect Gateway ID, Virtual Gateway Owner Account, and Proposal ID
        	status code: 400, request id: ffb47e9e-6872-11e9-911f-4d247d966a1c
        
          on /tmp/tf-test395757204/main.tf line 47:
          (source code not available)
        
        
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	36.614s
GNUmakefile:20: recipe for target 'testacc' failed
make: *** [testacc] Error 1

@ewbankkit
Copy link
Contributor Author

Acceptance tests:

aws_dx_cross_account_gateway_association

$ AWS_ALTERNATE_ACCESS_KEY_ID=AAAAAAAAAAAAAAAAAAAA AWS_ALTERNATE_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsDxCrossAccountGatewayAssociation_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAwsDxCrossAccountGatewayAssociation_basic -timeout 120m
=== RUN   TestAccAwsDxCrossAccountGatewayAssociation_basic
=== PAUSE TestAccAwsDxCrossAccountGatewayAssociation_basic
=== CONT  TestAccAwsDxCrossAccountGatewayAssociation_basic
--- PASS: TestAccAwsDxCrossAccountGatewayAssociation_basic (1269.86s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	1269.894s
$ AWS_ALTERNATE_ACCESS_KEY_ID=AAAAAAAAAAAAAAAAAAAA AWS_ALTERNATE_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes -timeout 120m
=== RUN   TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes
=== PAUSE TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes
=== CONT  TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes
--- PASS: TestAccAwsDxCrossAccountGatewayAssociation_allowedPrefixes (1647.82s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	1647.874s

aws_dx_gateway_association_proposal

$ AWS_ALTERNATE_ACCESS_KEY_ID=AAAAAAAAAAAAAAAAAAAA AWS_ALTERNATE_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsDxGatewayAssociationProposal_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAwsDxGatewayAssociationProposal_ -timeout 120m
=== RUN   TestAccAwsDxGatewayAssociationProposal_basic
=== PAUSE TestAccAwsDxGatewayAssociationProposal_basic
=== RUN   TestAccAwsDxGatewayAssociationProposal_disappears
=== PAUSE TestAccAwsDxGatewayAssociationProposal_disappears
=== RUN   TestAccAwsDxGatewayAssociationProposal_allowedPrefixes
=== PAUSE TestAccAwsDxGatewayAssociationProposal_allowedPrefixes
=== CONT  TestAccAwsDxGatewayAssociationProposal_basic
=== CONT  TestAccAwsDxGatewayAssociationProposal_allowedPrefixes
=== CONT  TestAccAwsDxGatewayAssociationProposal_disappears
--- PASS: TestAccAwsDxGatewayAssociationProposal_disappears (70.28s)
--- PASS: TestAccAwsDxGatewayAssociationProposal_basic (75.87s)
--- PASS: TestAccAwsDxGatewayAssociationProposal_allowedPrefixes (94.45s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	94.510s

Removing WIP.
Ready for review

@ewbankkit ewbankkit changed the title [WIP] Second half of support for Gateway Association Proposals Second half of support for Gateway Association Proposals Apr 29, 2019
@@ -18,12 +19,29 @@ func resourceAwsDxGatewayAssociationProposal() *schema.Resource {
State: schema.ImportStatePassthrough,
},

CustomizeDiff: customdiff.Sequence(
Copy link
Contributor Author

@ewbankkit ewbankkit Apr 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepting the proposal with overridden prefixes changes the returned RequestedAllowedPrefixesToDirectConnectGateway value.
We only want to force a new resource if this value changes and the current proposal state is requested.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be helpful to add as a comment within the code base.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do (once the changes are made in #8528).

resource.TestCheckResourceAttr(resourceName, "allowed_prefixes.#", "1"),
resource.TestCheckResourceAttr(resourceName, "allowed_prefixes.1642241106", "10.255.255.8/29"),
),
ExpectNonEmptyPlan: true,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -153,45 +171,3 @@ func describeDirectConnectGatewayAssociationProposal(conn *directconnect.DirectC

return nil, nil
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the equivalent functionality in structure.go.

@ewbankkit ewbankkit force-pushed the issue-8100.accepter branch from 835f931 to 43ee094 Compare April 29, 2019 16:38
@ewbankkit
Copy link
Contributor Author

Rebased to fix conflicts.

@ewbankkit ewbankkit changed the title Second half of support for Gateway Association Proposals [WIP] Second half of support for Gateway Association Proposals May 5, 2019
@ewbankkit
Copy link
Contributor Author

@ewbankkit ewbankkit force-pushed the issue-8100.accepter branch from 43ee094 to 2ea6419 Compare May 6, 2019 19:01
@nywilken nywilken added this to the v2.10.0 milestone May 6, 2019
@nywilken
Copy link
Contributor

nywilken commented May 6, 2019

Hi @ewbankkit sorry for the delay on this review. I see that you’ve flipped this back into a WIP PR but I want to leave a quick suggestion and ask a question about the approach.

@@ -153,45 +171,3 @@ func describeDirectConnectGatewayAssociationProposal(conn *directconnect.DirectC

return nil, nil
}

func expandDirectConnectGatewayAssociationProposalAllowedPrefixes(allowedPrefixes []interface{}) []*directconnect.RouteFilterPrefix {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's actually preferred to keep these functions defined within the resource and not in structure.go. While I understand the rationale, shared functions within structure.go has actually become an antipattern for the provider and it is a convention that we are moving away from. The CONTRIBUTING guide will be updated to reflect this as well.

Moving forward the preference is to have code duplicated across similar resources with a smaller defined scope, then having one or two functions (in a high-touch file) shared across multiple resources.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I'll keep these routines once the changes are made in #8528.

"github.com/hashicorp/terraform/helper/schema"
)

func resourceAwsDxCrossAccountGatewayAssociation() *schema.Resource {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ewbankkit in the original issue #8100 you mentioned updating the existing dx_gateway_association resource with the new attributesvpn_gateway_owner_account_id and proposal_id

But then you mention implementing a new resource as the path forward. I don't see a clear explanation why you found this approach to be the better option. Did you run into issues adding the additional schema attributes?

I'm concerned that having two resources that do the same thing with a slight twist may be confusing to the operator so I am wondering if your first approach is a viable option.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nywilken Two main reasons I am thinking of a separate resource (and I'm totally open to changing):

  • When I thought about the changes required to aws_dx_gateway_association, the creation functionality would basically have to be split in two, one for the current case with dx_gateway_id and vpn_gateway_id and one for proposal_id and vpn_gateway_owner_account_id and most of the current Required attributes would have to be made Optional and runtime checking done to make sure that the right combinations of attributes were set
  • In the AWS API the association is actually visible from "both ends", proposer and accepter although this resource applies only to the accepter end

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But given the work in #8528 to support transit gateways I will take another look (for example vpn_gateway_id has had to go from Required to Optional as we now have another attribute associated_gateway_id that can accept both VGW and Transit Gateway IDs).

@ewbankkit
Copy link
Contributor Author

@nywilken / @bflad Given the changes I am making to aws_dx_gateway_association to add the transit gateway support, the additional changes to support the cross-account/proposal acceptance scenario are now relatively small and I am now convinced that the least confusing solution is to go back to #8100 (comment) and make the changes to the aws_dx_gateway_association resource.
Given that are you OK for me to incorporate the relevant changes from this PR into #8528 and close this one?

BTW, the current status on #8528 is that I just have to run the acceptance tests but kept getting failures on the terraform destroy part with error like

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsDxGatewayAssociation_deprecated'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAwsDxGatewayAssociation_deprecated -timeout 120m
=== RUN   TestAccAwsDxGatewayAssociation_deprecated
=== PAUSE TestAccAwsDxGatewayAssociation_deprecated
=== CONT  TestAccAwsDxGatewayAssociation_deprecated
--- FAIL: TestAccAwsDxGatewayAssociation_deprecated (1212.63s)
    testing.go:629: Error destroying resource! WARNING: Dangling resources
        may exist. The full state and error is shown below.
        
        Error: errors during apply: IncorrectState: The VPN gateway is in use.
        	status code: 400, request id: 1419626e-9204-4349-b2eb-0a913508f4a5
        
        State: aws_vpn_gateway.test:
          ID = vgw-0000000000000000
          provider = provider.aws
          amazon_side_asn = 64512
          tags.% = 1
          tags.Name = terraform-testacc-dxgwassoc-3462434342993075499
          vpc_id = vpc-0000000000000000
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	1212.695s
make: *** [testacc] Error 1

but I have just found the problem that causes this (and probably also the issues mentioned in #8222 (review)), this code https://github.com/terraform-providers/terraform-provider-aws/blob/3471582595cb9cd20d20abe2ca7f7463499edf6a/aws/resource_aws_vpn_gateway.go#L333-L340
which doesn't take into account the detaching state 😄.

@ewbankkit
Copy link
Contributor Author

Closing this PR in favor of consolidating the changes into #8528.

@ewbankkit ewbankkit closed this May 9, 2019
@ghost
Copy link

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/directconnect Issues and PRs that pertain to the directconnect service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Direct Connect gateway multi-account support
2 participants