Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!: Support enabling NAU metrics in "aws_vpc" resource #838

Merged

Conversation

tcharewicz
Copy link
Contributor

@tcharewicz tcharewicz commented Oct 11, 2022

Description

List of backwards incompatible changes

Additional changes

Modified

  • map_public_ip_on_launch now defaults to false
  • enable_dns_hostnames now defaults to true
  • enable_dns_support now defaults to true
  • manage_default_security_group now defaults to true
  • manage_default_route_table now defaults to true
  • manage_default_network_acl now defaults to true
  • The default name for the default security group, route table, and network ACL has changed to fallback to append -default to the VPC name if a specific name is not provided
  • The default fallback value for outputs has changed from an empty string to null

Motivation and Context

Breaking Changes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

Copy link

@jczerniak jczerniak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks fine

@lorengordon
Copy link
Contributor

Looks like 4.35.0 was just released, so this should be good to go now?

@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is now a breaking change

@antonbabenko antonbabenko changed the title feat: Support enabling NAU metrics in "aws_vpc" resource feat!: Support enabling NAU metrics in "aws_vpc" resource Oct 21, 2022
@tcharewicz
Copy link
Contributor Author

What can I do to get this PR reviewed?

@github-actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Nov 27, 2022
@tcharewicz
Copy link
Contributor Author

@antonbabenko What can I do to get this PR reviewed?

@github-actions github-actions bot removed the stale label Nov 28, 2022
@hopkinsnji
Copy link

Any eta on this?

@jonathan-mothership
Copy link

@antonbabenko 🙏

@lorengordon
Copy link
Contributor

Could this be updated to also support this attribute on the aws_default_vpc resource, probably through a separate variable, default_vpc_enable_network_address_usage_metrics? For reasoning, see hashicorp/terraform-provider-aws#27841...

@yotixify
Copy link

Is there any update on when this could be merged?

@bryantbiggs
Copy link
Member

apologies that this hasn't been addressed earlier. I was holding out for https://github.com/clowdhaus/terraform-aws-vpc-v4 but I have not had the time recently to dedicate to finishing and plotting the path from v3 to v4. However, I think its time we unblock some of these newer features for VPC and I will revisit the larger, architectural changes after

Let me check over a few of the past issues/PRs and see what else we might want to incorporate in this breaking change. The goal will be a "light" breaking change where state moves are not required - mostly just a breaking change because the min required versions of Terraform and AWS provider have been raised and some default values changed. Once I have gone through that I'll pass it over to Anton for a final review and we should be able to get this shipped out. Thank you all for your patience!

@bryantbiggs bryantbiggs marked this pull request as draft February 10, 2023 01:20
@bryantbiggs bryantbiggs marked this pull request as ready for review February 11, 2023 21:35
@Constantin07
Copy link

Hi @antonbabenko, conscious you are busy but please could you review this PR ?

Copy link
Member

@antonbabenko antonbabenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

examples/complete works well, including the upgrade phase.

examples/secondary-cidr-blocks/main.tf Outdated Show resolved Hide resolved
examples/secondary-cidr-blocks/main.tf Outdated Show resolved Hide resolved
examples/secondary-cidr-blocks/main.tf Outdated Show resolved Hide resolved
examples/simple/main.tf Outdated Show resolved Hide resolved
main.tf Outdated Show resolved Hide resolved
UPGRADE-4.0.md Show resolved Hide resolved
main.tf Outdated Show resolved Hide resolved
outputs.tf Outdated Show resolved Hide resolved
outputs.tf Outdated Show resolved Hide resolved
UPGRADE-4.0.md Show resolved Hide resolved
@bryantbiggs
Copy link
Member

@antonbabenko if you get some time would you mind taking another look at this PR - thank you 🙏🏽

@antonbabenko
Copy link
Member

@bryantbiggs I plan to review this one and the one in the ECS module during the live stream tomorrow (Friday, 7th of April).

Thank you very much for the work on all of these!

Copy link
Member

@antonbabenko antonbabenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please merge whenever you can or want.

@bryantbiggs bryantbiggs merged commit 44e6eaa into terraform-aws-modules:master Apr 7, 2023
antonbabenko pushed a commit that referenced this pull request Apr 7, 2023
## [4.0.0](v3.19.0...v4.0.0) (2023-04-07)

### ⚠ BREAKING CHANGES

* Support enabling NAU metrics in "aws_vpc" resource (#838)

### Features

* Support enabling NAU metrics in "aws_vpc" resource ([#838](#838)) ([44e6eaa](44e6eaa))
@antonbabenko
Copy link
Member

This PR is included in version 4.0.0 🎉

@adamretter
Copy link

adamretter commented May 4, 2023

I am not sure if this is the correct place, but I just want to add a note that we have been severely bitten by the change of the default value of:

manage_default_security_group now defaults to true

Previously we were using version 3.16.1 of terraform-aws-modules/vpc/aws (where the default for manage_default_security_group was false).

We bumped the version number to 4.0.1 and ran terraform init -upgrade. All went well.

We later ran terraform apply and I don't recall seeing any concerning messages in the plan about changes to the default Security Group. However, after that we found out that we could no longer send traffic between the subnets in our VPC.

With version 3.16.1, when the VPC is created by Terraform, the default Security Group for the VPC (named -) has one Inbound rule:

Name Security group rule ID IP version Type Protocol Port range Source Description
sgr-09f96200588e82c90 - All traffic All All sg-0a72e8cefc737b2e8 / default

and one Outbound rule:

Name Security group rule ID IP version Type Protocol Port range Destination Description
sgr-05e09415ca9a9246e IPv4 All traffic All All 0.0.0.0/0 -

After upgrading to version 4.0.1 the default Security Group for the VPC (now named my_vpc-default) has exactly zero Inbound and Outbound rules.

Flipping the manage_default_security_group from true to false and back again makes no difference, the default Security Group for the VPC remains with zero inbound and outbound rules.


Whilst I don't mind the default value of manage_default_security_group changing per-se, I did not however expect Terraform to delete the default Inbound and Outbound rules (that it previously created via the VPC module) for the default Security Group of the default VPC - thus breaking our operations until I was able to diagnose the problem.


I was able to reinstate the default Security Groups that Terraform had previously created for us in VPC Module 3.16.1 by adding the following to our VPC Module Config:

  manage_default_security_group = true

  default_security_group_ingress = [
    {
      description = "Allow all"
      protocol = -1
      self = true
    }
  ]

  default_security_group_egress = [
    {
      description = "Allow all"
      protocol = -1
      from_port = 0
      to_port = 0
      cidr_blocks = "0.0.0.0/0"
    }
  ]

p.s. the documentation shows that I should write cidr_blocks = ["0.0.0.0/0"]. However this raises a type error at runtime:

The given value is not suitable for module.vpc.var.default_security_group_egress declared at .terraform/modules/vpc/variables.tf:1345,1-41: element 0: element "cidr_blocks": string required

adamretter referenced this pull request in nationalarchives/ctd-omega-infrastructure May 4, 2023
@github-actions
Copy link

github-actions bot commented Jun 4, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 4, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
10 participants