Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

r/aws_api_gateway_domain_name: Support mutual TLS authentication #15258

Merged
merged 4 commits into from
Jan 13, 2021
Merged

r/aws_api_gateway_domain_name: Support mutual TLS authentication #15258

merged 4 commits into from
Jan 13, 2021

Conversation

ewbankkit
Copy link
Contributor

@ewbankkit ewbankkit commented Sep 21, 2020
edited
Loading

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #15220.

Release note for CHANGELOG:

resource/aws_api_gateway_domain_name: Add `mutual_tls_authentication` attribute to support mutual TLS authentication

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
    resource_aws_api_gateway_domain_name_test.go:305: Step 1/4 error: terraform failed: exit status 1
        
        stderr:
        
        Error: Error creating API Gateway Domain Name: BadRequestException: The certificate provided must be issued by ACM and not imported. (Service: APIGateway; Status Code: 400; Error Code: BadRequestException; Request ID: TYsupAJTvHcEJbQ=; Proxy: null)
        
        
--- FAIL: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (17.49s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	17.528s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1

@ewbankkit ewbankkit requested a review from a team September 21, 2020 21:45
@ghost ghost added size/M Managed by automation to categorize the size of a PR. service/apigateway Issues and PRs that pertain to the apigateway service. documentation Introduces or discusses updates to documentation. labels Sep 21, 2020
@ewbankkit ewbankkit force-pushed the f-aws_api_gateway-mutual-tls-authentication branch from 86bb3ff to 4593244 Compare September 24, 2020 19:42
@ghost ghost added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/L Managed by automation to categorize the size of a PR. and removed size/M Managed by automation to categorize the size of a PR. labels Sep 24, 2020
@ewbankkit ewbankkit force-pushed the f-aws_api_gateway-mutual-tls-authentication branch from 4593244 to 2faf8e7 Compare September 24, 2020 19:46
@ghost ghost added the provider Pertains to the provider itself, rather than any interaction with AWS. label Oct 10, 2020
@ewbankkit
Copy link
Contributor Author

Mutual TLS requires that the API Gateway domain name be configured with an Amazon Issued ACM certificate.
To run the acceptance test specify the domain name of such a certificate:

$ AWS_API_GATEWAY_CERTIFICATE_DOMAIN_NAME=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (87.75s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	87.797s

@ewbankkit ewbankkit changed the title [WIP] r/aws_api_gateway_domain_name: Support mutual TLS authentication r/aws_api_gateway_domain_name: Support mutual TLS authentication Oct 10, 2020
@ewbankkit
Copy link
Contributor Author

Investigate creating public ACM certificates in acceptance tests: #16139, #16140.

@ewbankkit ewbankkit requested a review from a team as a code owner November 11, 2020 23:03
@ewbankkit ewbankkit force-pushed the f-aws_api_gateway-mutual-tls-authentication branch from 90dc01b to 4a7197b Compare November 11, 2020 23:12
@ewbankkit
Copy link
Contributor Author

Refactored acceptance test to create a public ACM certificate (similar to #16139).

$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_CertificateArn
    resource_aws_api_gateway_domain_name_test.go:19: Environment variable AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_ARN is not set. This environment variable must be set to the ARN of an ISSUED ACM certificate in us-east-1 to enable this test.
--- SKIP: TestAccAWSAPIGatewayDomainName_CertificateArn (0.00s)
=== RUN   TestAccAWSAPIGatewayDomainName_CertificateName
    resource_aws_api_gateway_domain_name_test.go:57: Environment variable AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_BODY is not set. This environment variable must be set to any non-empty value with a publicly trusted certificate body to enable the test.
--- SKIP: TestAccAWSAPIGatewayDomainName_CertificateName (0.00s)
=== RUN   TestAccAWSAPIGatewayDomainName_RegionalCertificateArn
=== PAUSE TestAccAWSAPIGatewayDomainName_RegionalCertificateArn
=== RUN   TestAccAWSAPIGatewayDomainName_RegionalCertificateName
    resource_aws_api_gateway_domain_name_test.go:151: Environment variable AWS_API_GATEWAY_DOMAIN_NAME_REGIONAL_CERTIFICATE_NAME_ENABLED is not set. This environment variable must be set to any non-empty value in a region where uploading REGIONAL certificates is allowed to enable the test.
--- SKIP: TestAccAWSAPIGatewayDomainName_RegionalCertificateName (0.00s)
=== RUN   TestAccAWSAPIGatewayDomainName_SecurityPolicy
=== PAUSE TestAccAWSAPIGatewayDomainName_SecurityPolicy
=== RUN   TestAccAWSAPIGatewayDomainName_Tags
=== PAUSE TestAccAWSAPIGatewayDomainName_Tags
=== RUN   TestAccAWSAPIGatewayDomainName_disappears
=== PAUSE TestAccAWSAPIGatewayDomainName_disappears
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_RegionalCertificateArn
=== CONT  TestAccAWSAPIGatewayDomainName_disappears
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_Tags
=== CONT  TestAccAWSAPIGatewayDomainName_SecurityPolicy
=== CONT  TestAccAWSAPIGatewayDomainName_disappears
--- PASS: TestAccAWSAPIGatewayDomainName_disappears (24.99s)
--- PASS: TestAccAWSAPIGatewayDomainName_RegionalCertificateArn (88.53s)
--- PASS: TestAccAWSAPIGatewayDomainName_Tags (124.71s)
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (193.38s)
--- PASS: TestAccAWSAPIGatewayDomainName_SecurityPolicy (358.53s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	359.309s

@ewbankkit ewbankkit mentioned this pull request Nov 11, 2020
Merged
@ewbankkit
r/aws_api_gateway_domain_name: Add 'mutual_tls_authentication' attrib…
eb17458 
…ute.

Acceptance test output:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
    resource_aws_api_gateway_domain_name_test.go:305: Step 1/4 error: terraform failed: exit status 1

        stderr:

        Error: Error creating API Gateway Domain Name: BadRequestException: The certificate provided must be issued by ACM and not imported. (Service: APIGateway; Status Code: 400; Error Code: BadRequestException; Request ID: TYsupAJTvHcEJbQ=; Proxy: null)

--- FAIL: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (17.49s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	17.528s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1
@ewbankkit
r/aws_api_gateway_domain_name: Use Amazon Issued ACM certificate for …
cc47207 
…mutual TLS acceptance test.
@ewbankkit
r/aws_api_gateway_domain_name: Create public ACM certificate for test…
2e016b5 
…ing mutual TLS (relates: hashicorp#16139).

Acceptance test output:

$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (151.06s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	151.102s
@ewbankkit
Use 'testAccAWSAPIGatewayDomainNameConfigPublicCert' in 'testAccAWSAP…
14682e6 
…IGatewayDomainNameConfig_CertificateArn'.
@ewbankkit ewbankkit force-pushed the f-aws_api_gateway-mutual-tls-authentication branch from 4a7197b to 14682e6 Compare November 13, 2020 00:19
@ewbankkit
Copy link
Contributor Author

ewbankkit commented Nov 13, 2020
edited
Loading

  • Rebase and fix merge conflicts
  • Use testAccAWSAPIGatewayDomainNameConfigPublicCert in testAccAWSAPIGatewayDomainNameConfig_CertificateArn
$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (132.05s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	132.107s
$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayDomainName_CertificateArn'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayDomainName_CertificateArn -timeout 120m
=== RUN   TestAccAWSAPIGatewayDomainName_CertificateArn
=== PAUSE TestAccAWSAPIGatewayDomainName_CertificateArn
=== CONT  TestAccAWSAPIGatewayDomainName_CertificateArn
--- PASS: TestAccAWSAPIGatewayDomainName_CertificateArn (968.53s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	968.599s

@ewbankkit ewbankkit mentioned this pull request Nov 13, 2020
Closed
DrFaust92
DrFaust92 approved these changes Nov 14, 2020
View reviewed changes
Copy link
Collaborator

@DrFaust92 DrFaust92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

--- PASS: TestAccAWSAPIGatewayDomainName_disappears (135.09s)
--- PASS: TestAccAWSAPIGatewayDomainName_SecurityPolicy (141.36s)
--- PASS: TestAccAWSAPIGatewayDomainName_Tags (146.63s)
--- PASS: TestAccAWSAPIGatewayDomainName_RegionalCertificateArn (223.05s)

@bflad bflad self-assigned this Jan 13, 2021
@bflad bflad added the enhancement Requests to existing resources that expand the functionality or scope. label Jan 13, 2021
@bflad bflad added this to the v3.24.0 milestone Jan 13, 2021
bflad
bflad approved these changes Jan 13, 2021
View reviewed changes
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks, @ewbankkit 🚀

Output from acceptance testing:

--- PASS: TestAccAWSAPIGatewayDomainName_CertificateArn (965.23s)
--- PASS: TestAccAWSAPIGatewayDomainName_disappears (198.12s)
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication (160.02s)
--- PASS: TestAccAWSAPIGatewayDomainName_RegionalCertificateArn (364.00s)
--- PASS: TestAccAWSAPIGatewayDomainName_SecurityPolicy (58.65s)
--- PASS: TestAccAWSAPIGatewayDomainName_Tags (151.50s)

@bflad bflad merged commit 616f493 into hashicorp:master Jan 13, 2021
bflad added a commit that referenced this pull request Jan 13, 2021
@bflad
Update CHANGELOG for #15258
9b338a5
@ewbankkit ewbankkit deleted the f-aws_api_gateway-mutual-tls-authentication branch January 13, 2021 13:22
@ghost
Copy link

ghost commented Jan 15, 2021

This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Feb 12, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 12, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@DrFaust92 DrFaust92 DrFaust92 approved these changes

@bflad bflad bflad approved these changes

Assignees

@bflad bflad

Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS. service/apigateway Issues and PRs that pertain to the apigateway service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
v3.24.0
Development

Successfully merging this pull request may close these issues.
3 participants
@ewbankkit @bflad @DrFaust92