Added option to avoid DNS record overwrite #2926
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The current behavior of the aws_route53_record resource is to overwrite the record if one already exists. For example, we suppose that the notexample.com CNAME to foo.bar is added by hand via the CLI. If the new Terraform resource with the same name but with a different CNAME value is added, the record is going to be overridden. This might be a big problem: a record might be changed by mistake. So this PR proposes to add an option named allow_overwrite on the resource to protect overwrite. When the option is true the CREATE mode is used instead of UPSERT in the change batch. This means that if an added record already exists on route53, the application will fail. By default, the overwrite is permitted to avoid compatibility issue.
bflad
added
enhancement
|
@Erouan50 thanks for this contribution! I have definitely gotten bit with this behavior in the past. Do you have time to implement an acceptance test for this as well? e.g. func TestAccAWSRoute53Record_allowOverwrite(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
IDRefreshName: "aws_route53_record.default",
Providers: testAccProviders,
CheckDestroy: testAccCheckRoute53RecordDestroy,
Steps: []resource.TestStep{
{
PreConfig: func() {
// Create new Route53 record ahead of time with AWS SDK and wait until its ready
},
Config: testAccRoute53RecordConfig_allowOverride(false),
ExpectError: regexp.MustCompile("... expected AWS error here ..."),
},
{
Config: testAccRoute53RecordConfig_allowOverride(true),
Check: resource.ComposeTestCheckFunc(
testAccCheckRoute53RecordExists("aws_route53_record.default"),
),
},
},
})
}
func testAccRoute53RecordConfig_allowOverride(allowOverride bool) string {
return fmt.Sprintf(`
resource "aws_route53_zone" "main" {
name = "notexample.com"
}
resource "aws_route53_record" "default" {
allow_override = %v
zone_id = "${aws_route53_zone.main.zone_id}"
name = "www.notexample.com"
type = "A"
ttl = "30"
records = ["127.0.0.1"]
}
`, allowOverride)
} |
bflad
added
the
waiting-response
|
@bflad I just added it: |
Erouan50
force-pushed
the
allow_override
branch
from
3576a14
to
d200824
Compare
bflad
removed
the
waiting-response
…nning parallelized testing
ghost
added
size/M
bflad
approved these changes
Feb 15, 2018
There was a problem hiding this comment.
Thanks for this contribution and creating the extra acceptance test!
Tests passed: 21
=== RUN TestAccAWSRoute53Record_txtSupport
--- PASS: TestAccAWSRoute53Record_txtSupport (198.78s)
=== RUN TestAccAWSRoute53Record_multivalue_answer_basic
--- PASS: TestAccAWSRoute53Record_multivalue_answer_basic (199.46s)
=== RUN TestAccAWSRoute53Record_latency_basic
--- PASS: TestAccAWSRoute53Record_latency_basic (204.06s)
=== RUN TestAccAWSRoute53Record_generatesSuffix
--- PASS: TestAccAWSRoute53Record_generatesSuffix (212.36s)
=== RUN TestAccAWSRoute53Record_s3_alias
--- PASS: TestAccAWSRoute53Record_s3_alias (250.28s)
=== RUN TestAccAWSRoute53Record_failover
--- PASS: TestAccAWSRoute53Record_failover (251.02s)
=== RUN TestAccAWSRoute53Record_spfSupport
--- PASS: TestAccAWSRoute53Record_spfSupport (254.37s)
=== RUN TestAccAWSRoute53Record_caaSupport
--- PASS: TestAccAWSRoute53Record_caaSupport (254.52s)
=== RUN TestAccAWSRoute53Record_geolocation_basic
--- PASS: TestAccAWSRoute53Record_geolocation_basic (268.55s)
=== RUN TestAccAWSRoute53Record_basic
--- PASS: TestAccAWSRoute53Record_basic (271.87s)
=== RUN TestAccAWSRoute53Record_basic_fqdn
--- PASS: TestAccAWSRoute53Record_basic_fqdn (274.43s)
=== RUN TestAccAWSRoute53Record_weighted_basic
--- PASS: TestAccAWSRoute53Record_weighted_basic (276.17s)
=== RUN TestAccAWSRoute53Record_empty
--- PASS: TestAccAWSRoute53Record_empty (278.52s)
=== RUN TestAccAWSRoute53Record_wildcard
--- PASS: TestAccAWSRoute53Record_wildcard (299.59s)
=== RUN TestAccAWSRoute53Record_alias
--- PASS: TestAccAWSRoute53Record_alias (299.83s)
=== RUN TestAccAWSRoute53Record_AliasChange
--- PASS: TestAccAWSRoute53Record_AliasChange (302.04s)
=== RUN TestAccAWSRoute53Record_SetIdentiferChange
--- PASS: TestAccAWSRoute53Record_SetIdentiferChange (319.42s)
=== RUN TestAccAWSRoute53Record_longTXTrecord
--- PASS: TestAccAWSRoute53Record_longTXTrecord (324.94s)
=== RUN TestAccAWSRoute53Record_TypeChange
--- PASS: TestAccAWSRoute53Record_TypeChange (327.58s)
=== RUN TestAccAWSRoute53Record_weighted_alias
--- PASS: TestAccAWSRoute53Record_weighted_alias (409.37s)
=== RUN TestAccAWSRoute53Record_allowOverwrite
--- PASS: TestAccAWSRoute53Record_allowOverwrite (226.51s)
FYI, I pushed one extra commit in there because the acceptance test (while it was written fantastically!) wouldn't work in our parallelized acceptance testing environment that we run regularly. This is due to colliding notexample.com zone names for the aws_route53_zone data source. This is a problem we wouldn't have expected you to know or care about so I went ahead and fixed it to fast track merging this. I hope you don't mind. We'll eventually fix the hardcoded testing. 😢
bflad
added a commit
that referenced
this pull request
Feb 15, 2018
|
No worries! Thank you for accepting my contribution! |
|
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
bflad
added a commit
that referenced
this pull request
Feb 26, 2019
… to false References: * #3895 * #2926 Previously, the `aws_route53_record` resource did not follow standard Terraform conventions of requiring existing infrastructure to be imported into Terraform's state for management, which meant operators could unexpectedly affect that existing infrastructure. In version 1.10.0, we introduced the `allow_overwrite` argument so operators could opt into the upcoming import requirement and force the Terraform resource during resource creation to error if it attempted to create a Route53 record that previously existed. Here we make the breaking change to switch the default resource behavior to error on creation for existing records. Operators can opt out of the new behavior by enabling the flag, but it is marked as deprecated for removal in the next major version and will display the deprecation warning when used to signal that workflows should be adjusted if necessary. Output from acceptance testing: ``` --- PASS: TestAccAWSRoute53Record_Alias_Elb (319.83s) --- PASS: TestAccAWSRoute53Record_Alias_S3 (123.47s) --- PASS: TestAccAWSRoute53Record_Alias_Uppercase (184.67s) --- PASS: TestAccAWSRoute53Record_Alias_VpcEndpoint (450.17s) --- PASS: TestAccAWSRoute53Record_AliasChange (157.29s) --- PASS: TestAccAWSRoute53Record_allowOverwrite (365.48s) --- PASS: TestAccAWSRoute53Record_basic (130.53s) --- PASS: TestAccAWSRoute53Record_basic_fqdn (146.30s) --- PASS: TestAccAWSRoute53Record_caaSupport (177.87s) --- PASS: TestAccAWSRoute53Record_disappears (107.58s) --- PASS: TestAccAWSRoute53Record_disappears_MultipleRecords (247.77s) --- PASS: TestAccAWSRoute53Record_empty (115.48s) --- PASS: TestAccAWSRoute53Record_failover (204.75s) --- PASS: TestAccAWSRoute53Record_generatesSuffix (180.48s) --- PASS: TestAccAWSRoute53Record_geolocation_basic (196.58s) --- PASS: TestAccAWSRoute53Record_importBasic (174.28s) --- PASS: TestAccAWSRoute53Record_importUnderscored (114.40s) --- PASS: TestAccAWSRoute53Record_latency_basic (173.99s) --- PASS: TestAccAWSRoute53Record_longTXTrecord (114.97s) --- PASS: TestAccAWSRoute53Record_multivalue_answer_basic (197.09s) --- PASS: TestAccAWSRoute53Record_SetIdentifierChange (206.47s) --- PASS: TestAccAWSRoute53Record_spfSupport (152.57s) --- PASS: TestAccAWSRoute53Record_txtSupport (170.00s) --- PASS: TestAccAWSRoute53Record_TypeChange (220.81s) --- PASS: TestAccAWSRoute53Record_weighted_alias (278.61s) --- PASS: TestAccAWSRoute53Record_weighted_basic (112.68s) --- PASS: TestAccAWSRoute53Record_wildcard (216.04s) ```
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current behavior of the aws_route53_record resource is to overwrite the record if one already exists. For example, we suppose that the notexample.com CNAME to foo.bar is added by hand via the CLI. If the new Terraform resource with the same name but with a different CNAME value is added, the record is going to be overridden. This might be a big problem: a record might be changed by mistake.
So this PR proposes to add an option named allow_overwrite on the resource to protect overwrite. When the option is true the CREATE mode is used instead of UPSERT in the change batch. This means that if an added record already exists on route53, the application will fail. By default, the overwrite is permitted to avoid compatibility issue.