Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Force vpc endpoint type to gateway in govcloud partition. #3317

Merged
merged 4 commits into from
Mar 12, 2018

Conversation

jmcarp
Copy link
Contributor

@jmcarp jmcarp commented Feb 10, 2018

The aws govcloud partition only supports gateway type vpc endpoints
and doesn't return a type when listing connections. To fix, temporarily
force vpc endpoint types to gateway if partition is govcloud.

After vpc endpoint types were added in 1.9, govcloud vpc endpoints
want to destroy and recreate on every apply, since the aws api doesn't
return an endpoint type.

cc @wjwoodson

@ghost ghost added the size/S Managed by automation to categorize the size of a PR. label Feb 10, 2018
@jmcarp
Copy link
Contributor Author

jmcarp commented Feb 10, 2018

By the way, it might be useful to add an integration test that creates a resource, then verifies that the plan is empty, for all resource types. That should help catch regressions like this, where a resource is recreated every apply.

@radeksimko radeksimko added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Feb 11, 2018
if isGovCloud {
d.Set("vpc_endpoint_type", ec2.VpcEndpointTypeGateway)
} else {
vpceType := aws.StringValue(vpce.VpcEndpointType)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to call aws.StringValue on the VPC endpoint type as d.Set will handle *string parameters. I only call it above for the service name as the value is used later.

@@ -341,14 +341,18 @@ func vpcEndpointWaitUntilAvailable(d *schema.ResourceData, conn *ec2.EC2) error
return nil
}

func vpcEndpointAttributes(d *schema.ResourceData, vpce *ec2.VpcEndpoint, conn *ec2.EC2) error {
func vpcEndpointAttributes(d *schema.ResourceData, vpce *ec2.VpcEndpoint, conn *ec2.EC2, isGovCloud bool) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider changing the function signature to
func vpcEndpointAttributes(d *schema.ResourceData, meta interface{}, vpce *ec2.VpcEndpoint) error
as both conn and isGovCloud can be derived from meta?

@ghost ghost added the size/S Managed by automation to categorize the size of a PR. label Feb 12, 2018
@jmcarp
Copy link
Contributor Author

jmcarp commented Feb 16, 2018

Updated. WDYT @ewbankkit ?

@jmcarp
Copy link
Contributor Author

jmcarp commented Feb 19, 2018

Pinging @radeksimko or @bflad for review when you have time.

@jmcarp
Copy link
Contributor Author

jmcarp commented Mar 7, 2018

ping @bflad

@bflad
Copy link
Contributor

bflad commented Mar 7, 2018

Can you provide a previously failing configuration and the outputs from plan/apply?

@jmcarp
Copy link
Contributor Author

jmcarp commented Mar 7, 2018

@bflad: terraform plan/apply doesn't fail because of this issue--it recreates the endpoint on every apply. Every plan says something like module.stack.module.base.module.vpc.aws_vpc_endpoint.private-s3 (new resource required) because it wants to change the endpoint type: vpc_endpoint_type: "" => "Gateway" (forces new resource). Every apply recreates the resource, but since govcloud ignores the endpoint type parameter, we repeat the cycle on the next plan.

@jmcarp
Copy link
Contributor Author

jmcarp commented Mar 9, 2018

@bflad: does that description make sense? Let me know if more output would be helpful.

Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's simplify this PR and make it a little future proof if/when AWS updates US Gov to join Standard functionality. 👍

@@ -341,14 +341,17 @@ func vpcEndpointWaitUntilAvailable(d *schema.ResourceData, conn *ec2.EC2) error
return nil
}

func vpcEndpointAttributes(d *schema.ResourceData, vpce *ec2.VpcEndpoint, conn *ec2.EC2) error {
func vpcEndpointAttributes(d *schema.ResourceData, vpce *ec2.VpcEndpoint, meta interface{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's revert this, I'll explain below. 😄

d.Set("state", vpce.State)
d.Set("vpc_id", vpce.VpcId)

serviceName := aws.StringValue(vpce.ServiceName)
d.Set("service_name", serviceName)
vpceType := aws.StringValue(vpce.VpcEndpointType)
d.Set("vpc_endpoint_type", vpceType)
if meta.(*AWSClient).IsGovCloud() && aws.StringValue(vpce.VpcEndpointType) == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of relying on a meta.(*AWSClient).IsGovCloud() check, which one day may become obsolete, let's just perform the second check aws.StringValue(vpce.VpcEndpointType) == "" with a comment above it why the logic is in place. 👍

@ghost ghost added size/XS Managed by automation to categorize the size of a PR. and removed size/S Managed by automation to categorize the size of a PR. labels Mar 9, 2018
jmcarp added 3 commits March 9, 2018 17:30
The aws govcloud partition only supports gateway type vpc endpoints
and doesn't return a type when listing connections. To fix, temporarily
force vpc endpoint types to gateway if partition is govcloud.
Once govcloud implements multiple vpc endpoint types, we should stop
forcing the endpoint type to gateway.

h/t @wjwoodson
@jmcarp jmcarp force-pushed the govcloud-vpc-endpoint-type branch from 6d43ed9 to 5b7080e Compare March 9, 2018 22:31
@ghost ghost added the size/XS Managed by automation to categorize the size of a PR. label Mar 9, 2018
@jmcarp
Copy link
Contributor Author

jmcarp commented Mar 9, 2018

Sounds good, updated.

@jmcarp jmcarp force-pushed the govcloud-vpc-endpoint-type branch from 5b7080e to e7b035c Compare March 9, 2018 22:37
@ghost ghost added the size/XS Managed by automation to categorize the size of a PR. label Mar 9, 2018
@bflad bflad added the partition/aws-us-gov Pertains to the aws-us-gov partition. label Mar 12, 2018
@bflad bflad added this to the v1.12.0 milestone Mar 12, 2018
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

Standard partition (test failure unrelated):

Tests failed: 1, passed: 14
=== RUN   TestAccAWSVpcEndpoint_gatewayBasic
--- PASS: TestAccAWSVpcEndpoint_gatewayBasic (81.58s)
=== RUN   TestAccAWSVpcEndpointSubnetAssociation_basic
--- PASS: TestAccAWSVpcEndpointSubnetAssociation_basic (86.20s)
=== RUN   TestAccAWSVpcEndpointRouteTableAssociation_basic
--- PASS: TestAccAWSVpcEndpointRouteTableAssociation_basic (87.36s)
=== RUN   TestAccAWSVpcEndpoint_interfaceBasic
--- PASS: TestAccAWSVpcEndpoint_interfaceBasic (89.52s)
=== RUN   TestAccAWSVpcEndpoint_removed
--- PASS: TestAccAWSVpcEndpoint_removed (90.47s)
=== RUN   TestAccAWSVpcEndpoint_importBasic
--- PASS: TestAccAWSVpcEndpoint_importBasic (104.60s)
=== RUN   TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy
--- PASS: TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy (131.70s)
=== RUN   TestAccAWSVpcEndpoint_interfaceNonAWSService
--- PASS: TestAccAWSVpcEndpoint_interfaceNonAWSService (245.79s)
=== RUN   TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup
--- PASS: TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup (280.00s)
=== RUN   TestAccAWSVpcEndpointConnectionNotification_importBasic
--- PASS: TestAccAWSVpcEndpointConnectionNotification_importBasic (331.16s)
=== RUN   TestAccAWSVpcEndpointService_importBasic
--- PASS: TestAccAWSVpcEndpointService_importBasic (362.66s)
=== RUN   TestAccAWSVpcEndpointConnectionNotification_basic
--- FAIL: TestAccAWSVpcEndpointConnectionNotification_basic (428.44s)
=== RUN   TestAccAWSVpcEndpointServiceAllowedPrincipal_basic
--- PASS: TestAccAWSVpcEndpointServiceAllowedPrincipal_basic (447.05s)
=== RUN   TestAccAWSVpcEndpointService_basic
--- PASS: TestAccAWSVpcEndpointService_basic (481.79s)
=== RUN   TestAccAWSVpcEndpointService_removed
--- PASS: TestAccAWSVpcEndpointService_removed (1145.25s)

US Gov partition (manually):

terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_vpc.main: Refreshing state... (ID: vpc-410c6524)
aws_vpc_endpoint.test: Refreshing state... (ID: vpce-06fd0c6f)

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

@bflad
Copy link
Contributor

bflad commented Mar 23, 2018

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@lorengordon
Copy link
Contributor

Thanks @bflad, tested and it does indeed solve the problem I was having.

@ghost
Copy link

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. partition/aws-us-gov Pertains to the aws-us-gov partition. service/ec2 Issues and PRs that pertain to the ec2 service. size/XS Managed by automation to categorize the size of a PR.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants