New resources: Traffic mirroring

[johnthedev97]

Adding support for AWS Traffic mirroring resources

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Fixes #9140

Release note for CHANGELOG:

Added the following resources to support AWS Traffic mirroring
* aws_vpc_traffic_mirror_filter
* aws_vpc_traffic_mirror_filter_rule
* aws_vpc_traffic_mirror_session
* aws_vpc_traffic_mirror_target

Output from acceptance testing:

make testacc TESTARGS="-run=TestAccAWSTrafficMirror"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -parallel 20 -run=TestAccAWSTrafficMirror -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSTrafficMirrorFilterRule_basic
=== PAUSE TestAccAWSTrafficMirrorFilterRule_basic
=== RUN   TestAccAWSTrafficMirrorFilter_basic
=== PAUSE TestAccAWSTrafficMirrorFilter_basic
=== RUN   TestAccAWSTrafficMirrorSession_basic
=== PAUSE TestAccAWSTrafficMirrorSession_basic
=== RUN   TestAccAWSTrafficMirrorTarget_nlb
=== PAUSE TestAccAWSTrafficMirrorTarget_nlb
=== RUN   TestAccAWSTrafficMirrorTarget_eni
=== PAUSE TestAccAWSTrafficMirrorTarget_eni
=== CONT  TestAccAWSTrafficMirrorFilterRule_basic
=== CONT  TestAccAWSTrafficMirrorTarget_eni
=== CONT  TestAccAWSTrafficMirrorSession_basic
=== CONT  TestAccAWSTrafficMirrorTarget_nlb
=== CONT  TestAccAWSTrafficMirrorFilter_basic
--- PASS: TestAccAWSTrafficMirrorFilter_basic (47.58s)
--- PASS: TestAccAWSTrafficMirrorFilterRule_basic (50.55s)
--- PASS: TestAccAWSTrafficMirrorTarget_eni (111.66s)
--- PASS: TestAccAWSTrafficMirrorTarget_nlb (290.85s)
--- PASS: TestAccAWSTrafficMirrorSession_basic (295.84s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	295.927s

...

[johnthedev97]

This became a little larger and longer than I thought. I have taken the [WIP] as I assume this will get reviewed only after that.

One thing I myself was not certain is regarding virtual_network_id in aws_traffic_mirror_session. The AWS API has set this field as optional, but if not passed AWS selects a random value for this. If I read this value and save in state it causes a change in every plan as the value from config comes by default as "0". So as a workaround I am reading this value into state only if it is set in config as well. If there is a better way to handle this let me know. I also had to set this field to ignore in import verify test.

Another doubt I had was regarding the state management. While writing tests I noticed that for many fields which AWS allows removal terraform doesn't remove those attributes from state, rather keep the attribute with Zero value in the state. This made me write many tests to use TestCheckResourceAttr with zero value though logically it made sense to use TestCheckNoResourceAttr. If terraform is by design storing removed attributes in state with Zero vale, I was wondering it would be a good idea to re-write TestCheckNoResourceAttr such that it passes even if the attribute is present but with Zero value.

[johnthedev97]

@bflad Sorry to ping you directly, but since you are the one who merged my previous PR, I thought of asking you what does it take to get this merged?

[pbartruff]

Folks,

Is there reason this is lingering? It doesn't seem to cause and conflicts or is there a different effort underway to address the issue?

R/
Paul

[aeschright]

Hi everyone, per our guidelines it will be much easier for us to review and test these changes if each resource is in its own PR. Long PRs tend to linger because we have so many things in the queue, so I recommend you split it and resubmit. Thanks so much for getting this started!

[pbartruff]

@aeschright Thanks!
I'm not the requester; however, I understand the need for "small bites" at a time. Sadly all of these resources would be required to mirror packets. Individually they don't provide much. Maybe @johnthedev97 will be able to break it up a bit.

[johnthedev97]

@aeschright , like @pbartruff has mentioned the resources are interdependent. traffic mirror filter rule tests will fail without traffic mirror filter. And the tests for session will fail without any of the other three resources. So I feel all these belong together, and should be reviewed together as well. Still if you think this needs to be broke into multiple PRs let me know, I will try my best to do it.

[chrislujan]

Just checking in, hoping we haven't forgot about this.

[stevesmoot]

It really doesnt seem like splitting and resubmitting will help here, even if better per guidelines.

[johnthedev97]

Thanks @bflad I will look into your comments.

[bflad]

Hi again @johnthedev97 👋 Thank you for the updates so far! Sorry for resubmitting the review items if you were still working through them, but I'm guessing GitHub marks them as outdated after files are moved 😖. I've resubmitted remaining items just so they still show up in the PR Files changed view (and not outdated). Please reach out with any questions or if you do not have time to finish any of them.

[johnthedev97]

@bflad I believe I have fixed all your comments.

[bflad]

Thank you for those updates, @johnthedev97 🚀 -- this should be the last batch. Since they're all one-liners, I'll try to auto-merge them via GitHub suggestions, but otherwise will handle these on merge and ensure acceptance testing passes. 👍

Output from acceptance testing:

--- PASS: TestAccAWSEc2TrafficMirrorFilter_basic (19.83s)
--- PASS: TestAccAWSEc2TrafficMirrorFilterRule_basic (20.80s)
--- PASS: TestAccAWSEc2TrafficMirrorTarget_eni (73.99s)
--- PASS: TestAccAWSEc2TrafficMirrorTarget_nlb (249.99s)
=== CONT  TestAccAWSEc2TrafficMirrorSession_basic

------- Stderr: -------
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x3e81ec7]

goroutine 1057 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsEc2TrafficMirrorTargetRead(0xc000215490, 0x51bbae0, 0xc000975400, 0x0, 0x0)
	/opt/teamcity-agent/work/2e10e023da0c7520/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_ec2_traffic_mirror_target.go:99 +0x3e7
github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsEc2TrafficMirrorTargetCreate(0xc000215490, 0x51bbae0, 0xc000975400, 0x2, 0xae9ae60)
	/opt/teamcity-agent/work/2e10e023da0c7520/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_ec2_traffic_mirror_target.go:71 +0x22a

[bflad]

Thank you so much for all your work on this, @johnthedev97. This will make so many people happy! 😄 LGTM with fixes for the one test, which will be handled on merge. 🚀

Output from acceptance testing:

--- PASS: TestAccAWSEc2TrafficMirrorFilter_basic (19.81s)
--- PASS: TestAccAWSEc2TrafficMirrorFilterRule_basic (20.82s)
--- PASS: TestAccAWSEc2TrafficMirrorTarget_eni (63.62s)
--- PASS: TestAccAWSEc2TrafficMirrorTarget_nlb (240.87s)
--- PASS: TestAccAWSEc2TrafficMirrorSession_basic (282.32s)

[bflad]

Now that virtual_network_id is always set in the Terraform state, the following allows this test to pass:

			//create
			{
				Config: testAccTrafficMirrorSessionConfig(lbName, session),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSEc2TrafficMirrorSessionExists(resourceName),
					resource.TestCheckResourceAttr(resourceName, "description", ""),
					resource.TestCheckResourceAttr(resourceName, "packet_length", "0"),
					resource.TestCheckResourceAttr(resourceName, "session_number", strconv.Itoa(session)),
					resource.TestMatchResourceAttr(resourceName, "virtual_network_id", regexp.MustCompile(`\d+`)),
				),
			},
			// update of description, packet length and VNI
			{
				Config: testAccTrafficMirrorSessionConfigWithOptionals(description, lbName, session, pLen, vni),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSEc2TrafficMirrorSessionExists(resourceName),
					resource.TestCheckResourceAttr(resourceName, "description", description),
					resource.TestCheckResourceAttr(resourceName, "packet_length", strconv.Itoa(pLen)),
					resource.TestCheckResourceAttr(resourceName, "session_number", strconv.Itoa(session)),
					resource.TestCheckResourceAttr(resourceName, "virtual_network_id", strconv.Itoa(vni)),
				),
			},
			// removal of description, packet length and VNI
			{
				Config: testAccTrafficMirrorSessionConfig(lbName, session),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSEc2TrafficMirrorSessionExists(resourceName),
					resource.TestCheckResourceAttr(resourceName, "description", ""),
					resource.TestCheckResourceAttr(resourceName, "packet_length", "0"),
					resource.TestCheckResourceAttr(resourceName, "session_number", strconv.Itoa(session)),
					resource.TestMatchResourceAttr(resourceName, "virtual_network_id", regexp.MustCompile(`\d+`)),
				),
			},
			// import test without VNI
			{
				ResourceName:      resourceName,
				ImportState:       true,
				ImportStateVerify: true,
			},

Will handle on merge. 👍

--- PASS: TestAccAWSEc2TrafficMirrorSession_basic (282.32s)

[johnthedev97]

Thanks @bflad for all the valuable review comments, pointers and the last set of fixes :-)

[ghost]

This has been released in version 2.51.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!