r/networkfirewall: new resources #16277

Merged
merged 11 commits into from
Nov 18, 2020

Conversation

anGie44

@anGie44 anGie44 commented Nov 18, 2020

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #16270

Release note for CHANGELOG:

provider: add networkfirewall service and tagging support
resource/networkfirewall_firewall: new resource
resource/networkfirewall_firewall_policy: new resource
resource/networkfirewall_logging_configuration: new resource
resource/networkfirewall_rule_group: new resource

Output from acceptance testing:

Firewall (us-east-1):

--- PASS: TestAccAwsNetworkFirewallFirewall_basic (655.79s)
--- PASS: TestAccAwsNetworkFirewallFirewall_disappears (722.92s)
--- PASS: TestAccAwsNetworkFirewallFirewall_subnetMappings_updateSubnet (1120.94s)
--- PASS: TestAccAwsNetworkFirewallFirewall_deleteProtection (1168.60s)
--- PASS: TestAccAwsNetworkFirewallFirewall_description (1173.95s)
--- PASS: TestAccAwsNetworkFirewallFirewall_tags (1185.27s)
--- PASS: TestAccAwsNetworkFirewallFirewall_subnetMappings_updateMultipleSubnets (1584.54s)

FirewallPolicy (us-west-2):

--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_disappears (907.28s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statelessRuleGroupReference (915.16s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_basic (918.62s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReference (949.17s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_tags (953.45s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_updateStatefulRuleGroupReference (989.54s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessRuleGroupReference (991.40s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatefulRuleGroupReferences (1041.78s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReferenceAndCustomAction (1042.63s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessCustomAction (1257.49s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessRuleGroupReferences (151.44s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessCustomActions (266.97s)

RuleGroup (us-west-2):

--- PASS: TestAccAwsNetworkFirewallRuleGroup_statelessRuleWithCustomAction (330.20s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statelessRule (331.34s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rulesSourceList (362.86s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rules (135.25s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statefulRule (363.38s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_disappears (372.77s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateRulesSourceList (398.35s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatelessRule (454.06s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatefulRule (486.64s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_tags (508.16s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_rulesSourceAndRuleVariables (135.91s)

LoggingConfiguration (us-west-2):

In progress...

@ghost ghost added size/XXL Managed by automation to categorize the size of a PR. provider Pertains to the provider itself, rather than any interaction with AWS. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Nov 18, 2020
@anGie44 anGie44 force-pushed the f-network-firewall-support branch from 5f88c19 to 70cc538 Compare November 18, 2020 15:12
@anGie44 anGie44 marked this pull request as ready for review November 18, 2020 15:13
@anGie44 anGie44 requested a review from a team as a code owner November 18, 2020 15:13
@anGie44 anGie44 marked this pull request as draft November 18, 2020 15:15
@anGie44 anGie44 marked this pull request as ready for review November 18, 2020 15:17
@bflad bflad left a comment

Small documentation tweaks -- running the acceptance testing now!

@bflad bflad added the new-resource Introduces a new resource. label Nov 18, 2020
@bflad bflad self-assigned this Nov 18, 2020
@bflad bflad added this to the v3.16.0 milestone Nov 18, 2020
@bflad bflad left a comment

Output from acceptance testing in AWS Commercial (failures are okay for followup):

--- PASS: TestAccAwsNetworkFirewallFirewall_basic (682.96s)
--- PASS: TestAccAwsNetworkFirewallFirewall_deleteProtection (828.41s)
--- PASS: TestAccAwsNetworkFirewallFirewall_description (818.33s)
--- PASS: TestAccAwsNetworkFirewallFirewall_disappears (674.46s)
--- PASS: TestAccAwsNetworkFirewallFirewall_subnetMappings_updateSubnet (707.14s)
--- PASS: TestAccAwsNetworkFirewallFirewall_tags (656.22s)

--- FAIL: TestAccAwsNetworkFirewallFirewallPolicy_updateStatefulRuleGroupReference (651.38s)
--- FAIL: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessRuleGroupReference (653.68s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_basic (132.62s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_disappears (135.82s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatefulRuleGroupReferences (154.42s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessCustomActions (271.64s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_multipleStatelessRuleGroupReferences (157.69s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReference (140.22s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statefulRuleGroupReferenceAndCustomAction (273.10s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statelessCustomAction (136.21s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_statelessRuleGroupReference (151.81s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_tags (166.62s)
--- PASS: TestAccAwsNetworkFirewallFirewallPolicy_updateStatelessCustomAction (525.95s)

--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_disappears (650.91s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_cloudwatchLogDestination_logGroup (713.43s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_s3LogDestination_logType (713.64s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_updateLogDestinationType (741.83s)
--- PASS: TestAccAwsNetworkFirewallLoggingConfiguration_updateToSingleFlowTypeLogDestinationConfig (663.42s)

--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rules (134.09s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_rulesSourceList (140.74s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statefulRule (133.49s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_basic_statelessRule (133.96s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_disappears (146.39s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_rulesSourceAndRuleVariables (157.24s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_statelessRuleWithCustomAction (128.79s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_tags (168.07s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateRulesSourceList (148.84s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatefulRule (277.54s)
--- PASS: TestAccAwsNetworkFirewallRuleGroup_updateStatelessRule (152.95s)

Output from acceptance testing in AWS GovCloud (US):

Service unavailable (as followup: tests need PreCheck added to skip)

Output from sweeper in AWS Commercial:

2020/11/18 11:42:56 [DEBUG] Running Sweepers for region (us-west-2):
2020/11/18 11:42:56 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-west-2)
2020/11/18 11:42:57 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-west-2)
2020/11/18 11:42:57 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-west-2)
2020/11/18 11:42:58 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-west-2)
2020/11/18 11:42:58 Sweeper Tests ran successfully:
    - aws_networkfirewall_firewall_policy
    - aws_networkfirewall_rule_group
    - aws_networkfirewall_logging_configuration
    - aws_networkfirewall_firewall
2020/11/18 11:42:58 [DEBUG] Running Sweepers for region (us-east-1):
2020/11/18 11:42:58 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-east-1)
2020/11/18 11:43:00 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-east-1)
2020/11/18 11:43:00 [INFO] Deleting NetworkFirewall Rule Group: arn:aws:network-firewall:us-east-1:--OMITTED--:stateful-rulegroup/tf-test-123
2020/11/18 11:43:00 [DEBUG] Deleting NetworkFirewall Rule Group arn:aws:network-firewall:us-east-1:--OMITTED--:stateful-rulegroup/tf-test-123
2020/11/18 11:43:07 Sweeper Tests ran successfully:
    - aws_networkfirewall_rule_group
    - aws_networkfirewall_logging_configuration
    - aws_networkfirewall_firewall
    - aws_networkfirewall_firewall_policy
ok      github.com/terraform-providers/terraform-provider-aws/aws   14.077s

Output from sweeper in AWS GovCloud (US):

2020/11/18 11:45:24 [DEBUG] Running Sweepers for region (us-gov-west-1):
2020/11/18 11:45:24 [DEBUG] Running Sweeper (aws_networkfirewall_logging_configuration) in region (us-gov-west-1)
2020/11/18 11:45:27 [WARN] Skipping NetworkFirewall Logging Configuration sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:27 [DEBUG] Running Sweeper (aws_networkfirewall_firewall) in region (us-gov-west-1)
2020/11/18 11:45:28 [WARN] Skipping NetworkFirewall Firewall sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:28 [DEBUG] Running Sweeper (aws_networkfirewall_firewall_policy) in region (us-gov-west-1)
2020/11/18 11:45:30 [WARN] Skipping NetworkFirewall Firewall Policy sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:30 [DEBUG] Running Sweeper (aws_networkfirewall_rule_group) in region (us-gov-west-1)
2020/11/18 11:45:31 [WARN] Skipping NetworkFirewall Rule Group sweep for us-gov-west-1: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com: no such host
2020/11/18 11:45:31 Sweeper Tests ran successfully:
    - aws_networkfirewall_logging_configuration
    - aws_networkfirewall_firewall
    - aws_networkfirewall_firewall_policy
    - aws_networkfirewall_rule_group
ok      github.com/terraform-providers/terraform-provider-aws/aws   9.618s

Comment on lines +174 to +181
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn)
if err != nil {
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Firewall (%s): %w", arn, err))
}

if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
return diag.FromErr(fmt.Errorf("error setting tags: %w", err))
}

Followup note: We'll want to see if the production API includes tag information via firewall.Tags now to remove the extra API call 👍

Created: #16300

Comment on lines +173 to +180
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn)
if err != nil {
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Firewall Policy (%s): %w", arn, err))
}

if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
return diag.FromErr(fmt.Errorf("error setting tags: %w", err))
}

Followup note: Check if resp.Tags is filled in with production API to save the extra API call

Created: #16300

vpcResourceName := "aws_vpc.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },

Followup note: We'll need to create a PreCheck (or use testAccPartitionHasServicePreCheck(networkfirewall.EndpointsID, t)) in all the new Network Firewall testing so GovCloud skips these 👍

Created: #16301

Comment on lines +482 to +489
tags, err := keyvaluetags.NetworkfirewallListTags(conn, arn)
if err != nil {
return diag.FromErr(fmt.Errorf("error listing tags for NetworkFirewall Rule Group (%s): %w", arn, err))
}

if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
return diag.FromErr(fmt.Errorf("error setting tags: %w", err))
}

Followup note: check if resp.Tags is now populated in production API to save the extra API call

Created: #16300

resource.TestCheckResourceAttr(resourceName, "description", ""),
),
},
{

Followup note: we should move this ImportState checking step below where description is set to ensure it imports (it likely does so 👍 for now)

Created: #16301

resource.TestCheckResourceAttr(resourceName, "delete_protection", "false"),
),
},
{

Followup note: we should move this ImportState checking step below where delete_protection is set to ensure it imports (it likely does so 👍 for now)

Created: #16301

resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
),
},
{

Followup note: we should move this ImportState checking step below where tags are set to ensure it imports (it likely does so 👍 for now)

Created: #16301

)

func init() {
resource.AddTestSweepers("aws_networkfirewall_firewall", &resource.Sweeper{

Followup note: we'll want to ensure aws_subnet sweeper depends on this one since the resource will create in-use ENIs 👍

Created: #16301

Co-authored-by: Brian Flad <bflad417@gmail.com>
@anGie44 anGie44 merged commit 74793b2 into master Nov 18, 2020
@anGie44 anGie44 deleted the f-network-firewall-support branch November 18, 2020 19:08
anGie44 added a commit that referenced this pull request Nov 18, 2020
@ghost

ghost commented Nov 18, 2020

This has been released in version 3.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@bflad bflad added the service/networkfirewall Issues and PRs that pertain to the networkfirewall service. label Nov 18, 2020
@ghost

ghost commented Dec 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 19, 2020