r/networkfirewall: new resources #16277
5f88c19 to 70cc538
Small documentation tweaks -- running the acceptance testing now!
Output from acceptance testing in AWS Commercial (failures are okay for followup):
--- PASS: TestAccAwsNetworkFirewallFirewall_basic (682.96s)
--- PASS: TestAccAwsNetworkFirewallFirewall_deleteProtection (828.41s)
--- PASS: TestAccAwsNetworkFirewallFirewall_description (818.33s)
--- PASS: TestAccAwsNetworkFirewallFirewall_disappears (674.46s)
--- PASS: TestAccAwsNetworkFirewallFirewall_subnetMappings_updateSubnet (707.14s)
--- PASS: TestAccAwsNetworkFirewallFirewall_tags (656.22s)
--- FAIL: TestAccAwsNetworkFirewallFirewallPolicy_updateStatefulRuleGroupReference (651.38s)
--- FAIL: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessRuleGroupReference (653.68s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_basic (132.62s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_disappears (135.82s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatefulRuleGroupReferences (154.42s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessCustomActions (271.64s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessRuleGroupReferences (157.69s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReference (140.22s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReferenceAndCustomAction (273.10s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statelessCustomAction (136.21s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statelessRuleGroupReference (151.81s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_tags (166.62s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessCustomAction (525.95s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_disappears (650.91s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_cloudwatchLogDestination_logGroup (713.43s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_s3LogDestination_logType (713.64s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_updateLogDestinationType (741.83s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_updateToSingleFlowTypeLogDestinationConfig (663.42s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rules (134.09s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rulesSourceList (140.74s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statefulRule (133.49s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statelessRule (133.96s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_disappears (146.39s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_rulesSourceAndRuleVariables (157.24s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_statelessRuleWithCustomAction (128.79s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_tags (168.07s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateRulesSourceList (148.84s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatefulRule (277.54s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatelessRule (152.95s)
Output from acceptance testing in AWS GovCloud (US):
Service unavailable (as followup: tests need PreCheck added to skip)
Output from sweeper in AWS Commercial:
2020/11/18 11:42:56 [DEBUG] Running Sweepers for region (us-west-2):
2020/11/18 11:42:56 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-west-2)
2020/11/18 11:42:57 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-west-2)
2020/11/18 11:42:57 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-west-2)
2020/11/18 11:42:58 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-west-2)
2020/11/18 11:42:58 Sweeper Tests ran successfully:
- aws_networkfirewall_firewall_policy
- aws_networkfirewall_rule_group
- aws_networkfirewall_logging_configuration
- aws_networkfirewall_firewall
2020/11/18 11:42:58 [DEBUG] Running Sweepers for region (us-east-1):
2020/11/18 11:42:58 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-east-1)
2020/11/18 11:43:00 [INFO] Deleting NetworkFirewall Rule Group: arn:aws:network-firewall:us-east-1:--OMITTED--:stateful-rulegroup/tf-test-123
2020/11/18 11:43:00 [DEBUG] Deleting NetworkFirewall Rule Group arn:aws:network-firewall:us-east-1:--OMITTED--:stateful-rulegroup/tf-test-123
2020/11/18 11:43:07 Sweeper Tests ran successfully:
- aws_networkfirewall_rule_group
- aws_networkfirewall_logging_configuration
- aws_networkfirewall_firewall
- aws_networkfirewall_firewall_policy
ok github.com/terraform-providers/terraform-provider-aws/aws 14.077s
Output from sweeper in AWS GovCloud (US):
2020/11/18 11:45:24 [DEBUG] Running Sweepers for region (us-gov-west-1):
2020/11/18 11:45:24 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-gov-west-1)
2020/11/18 11:45:27 [WARN] Skipping NetworkFirewall Logging Configuration sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:27 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-gov-west-1)
2020/11/18 11:45:28 [WARN] Skipping NetworkFirewall Firewall sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:28 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-gov-west-1)
2020/11/18 11:45:30 [WARN] Skipping NetworkFirewall Firewall Policy sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:30 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-gov-west-1)
2020/11/18 11:45:31 [WARN] Skipping NetworkFirewall Rule Group sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:31 Sweeper Tests ran successfully:
- aws_networkfirewall_logging_configuration
- aws_networkfirewall_firewall
- aws_networkfirewall_firewall_policy
- aws_networkfirewall_rule_group
ok github.com/terraform-providers/terraform-provider-aws/aws 9.618s
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Firewall (%s): %w", arn, err)) | ||
} | ||
|
||
if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { | ||
return diag.FromErr(fmt.Errorf("error setting tags: %w", err)) | ||
} |
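Review bot: The `d.Set("tags", ...)` failure path returns "error setting tags: %w" with no resource type or ARN, while the list-tags error a few lines above it includes both ("NetworkFirewall Firewall (%s)", arn). When several Network Firewall resources are applied in one run, that makes the failing resource hard to identify from the message alone. Consider carrying the same context here, for example "error setting tags for NetworkFirewall Firewall (%s): %w" with arn.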
Followup note: We'll want to see if the production API includes tag information via firewall.Tags now to remove the extra API call 👍
Created: #16300
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Firewall Policy (%s): %w", arn, err)) | ||
} | ||
|
||
if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { | ||
return diag.FromErr(fmt.Errorf("error setting tags: %w", err)) | ||
} |
Followup note: Check if resp.Tags is filled in with production API to save the extra API call
Created: #16300
vpcResourceName := "aws_vpc.test" | ||
|
||
resource.ParallelTest(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, |
Followup note: We'll need to create a PreCheck (or use testAccPartitionHasServicePreCheck(networkfirewall.EndpointsID, t)) in all the new Network Firewall testing so GovCloud skips these 👍
Created: #16301
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Rule Group (%s): %w", arn, err)) | ||
} | ||
|
||
if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { | ||
return diag.FromErr(fmt.Errorf("error setting tags: %w", err)) | ||
} |
Followup note: check if resp.Tags is now populated in production API to save the extra API call
Created: #16300
resource.TestCheckResourceAttr(resourceName, "description", ""), | ||
), | ||
}, | ||
{ |
Followup note: we should move this ImportState checking step below where description is set to ensure it imports (it likely does so 👍 for now)
Created: #16301
resource.TestCheckResourceAttr(resourceName, "delete_protection", "false"), | ||
), | ||
}, | ||
{ |
Followup note: we should move this ImportState checking step below where delete_protection is set to ensure it imports (it likely does so 👍 for now)
Created: #16301
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), | ||
), | ||
}, | ||
{ |
Followup note: we should move this ImportState checking step below where tags are set to ensure it imports (it likely does so 👍 for now)
Created: #16301
) | ||
|
||
func init() { | ||
resource.AddTestSweepers("aws_networkfirewall_firewall", &resource.Sweeper{ |
Followup note: we'll want to ensure aws_subnet sweeper depends on this one since the resource will create in-use ENIs 👍
Created: #16301
Co-authored-by: Brian Flad <bflad417@gmail.com>
This has been released in version 3.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Community Note
Relates #16270
Release note for CHANGELOG:
Output from acceptance testing:
Firewall (us-east-1):
FirewallPolicy (us-west-2):
RuleGroup (us-west-2):
LoggingConfiguration (us-west-2):