adds an event bus policy resource #16874

Merged: 20 commits merged into hashicorp:main on Jun 22, 2021

Conversation

@cohen990 (Contributor) commented Dec 22, 2020

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #16838

Release note for CHANGELOG:

Adds support for resource policies on cloudwatch eventbridge

Output from acceptance testing:


==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=CloudwatchEventBusPolicy -timeout 120m
=== RUN   TestAccAWSCloudwatchEventBusPolicy_basic
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_basic
=== CONT  TestAccAWSCloudwatchEventBusPolicy_basic
--- PASS: TestAccAWSCloudwatchEventBusPolicy_basic (19.01s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	24.990s

@cohen990 cohen990 requested a review from a team as a code owner December 22, 2020 12:24
@ghost ghost added size/L Managed by automation to categorize the size of a PR. provider Pertains to the provider itself, rather than any interaction with AWS. service/cloudwatchevents tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Dec 22, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 22, 2020
@cohen990 (Contributor, Author) commented Dec 22, 2020

Hi, I was hoping to get some guidance on why the acceptance test is failing. I can't figure out where the whitespace difference may have been introduced nor can I figure out where the plan is actually being run.

From what I can tell, I'm storing everything correctly into the state.

@cohen990 (Contributor, Author) commented

Managed to get the diff suppression working!

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. and removed size/L Managed by automation to categorize the size of a PR. labels Dec 22, 2020
@cohen990 cohen990 changed the title [WIP] adds an event bus policy resource adds an event bus policy resource Dec 23, 2020
@ghost ghost added size/XXL Managed by automation to categorize the size of a PR. and removed size/XL Managed by automation to categorize the size of a PR. labels Jan 13, 2021
@github-actions bot commented

Thank you for your contribution! 🚀

Please note that typically Go dependency changes are handled in this repository by dependabot or the maintainers. This is to prevent pull request merge conflicts and further delay reviews of contributions. Remove any changes to the go.mod or go.sum files and commit them into this pull request.

Additional details:

  • Check open pull requests with the dependencies label to view other dependency updates.
  • If this pull request includes an update the AWS Go SDK (or any other dependency) version, only updates submitted via dependabot will be merged. This pull request will need to remove these changes and will need to be rebased after the existing dependency update via dependabot has been merged for this pull request to be reviewed.
  • If this pull request is for supporting a new AWS service:
    • Ensure the new AWS service changes are following the Contributing Guide section on new services, in particular that the dependency addition and initial provider support are in a separate pull request from other changes (e.g. new resources). Contributions not following this item will not be reviewed until the changes are split.
    • If this pull request is already a separate pull request from the above item, you can ignore this message.

@github-actions bot commented

Thank you for your contribution! 🚀

Please note that the CHANGELOG.md file contents are handled by the maintainers during merge. This is to prevent pull request merge conflicts, especially for contributions which may not be merged immediately. Please see the Contributing Guide for additional pull request review items.

Remove any changes to the CHANGELOG.md file and commit them in this pull request to prevent delays with reviewing and potentially merging this pull request.

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. and removed size/XXL Managed by automation to categorize the size of a PR. labels Jan 13, 2021
Base automatically changed from master to main January 23, 2021 01:00
@bflad bflad added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 4, 2021
@heitorlessa heitorlessa self-assigned this Jun 2, 2021
@heitorlessa (Collaborator) commented

Thanks a lot for the contribution @cohen990 - This is the last feature to complete EventBridge feature parity with CloudFormation. I'll look into it early next week.

At a first glance, it looks straightforward enough, so I might be able to finish triaging next week at the latest.

@heitorlessa (Collaborator) left a review comment

Looks mostly good - missing tests on update/delete, and check on policy properties for safety update.

We also updated validateFunc since this PR was created so you can simply accept the suggestion as tests are broken now.

After these happy to send to prioritization so we can complete EventBridge feature coverage on TF

Thanks a lot for the hard work on this!

aws/resource_aws_cloudwatch_event_bus_policy.go: two further review threads on this file (outdated, resolved)
```go
			Check: resource.ComposeTestCheckFunc(
				testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName),
			),
		},
```

heitorlessa (Collaborator):

Could you add an extra step to test for updates?

e.g.

Config: testAccIAMGroupPolicyConfigUpdate(rInt),

Collaborator:

testAccAWSCloudwatchEventBusPolicyConfigUpdate added.

```go
		Steps: []resource.TestStep{
			{
				Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring),
				Check: resource.ComposeTestCheckFunc(
```

heitorlessa (Collaborator):

Could you check for properties in the policy to confirm they match key details like principal and statement sid?

e.g. resource.TestCheckResourceAttr(resourceName1, "principal", principal),

```go
		return fmt.Errorf("Creating CloudWatch Events policy failed: %w", err)
	}

	d.SetId(eventBusName)
```

heitorlessa (Collaborator):

I might be wrong, but I'm on the fence about this not being a combination of eventBus + policy statement ID (unique), like in the event_permission resource.

I'd defer to core maintainers on this one

```go
	return output.Policy, nil
}

func resourceAwsCloudWatchEventBusPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
```

heitorlessa (Collaborator):

Could you create a test updating a policy?

Collaborator:

testAccAWSCloudwatchEventBusPolicyConfigUpdate added.

```go
	return resourceAwsCloudWatchEventBusPolicyRead(d, meta)
}

func resourceAwsCloudWatchEventBusPolicyDelete(d *schema.ResourceData, meta interface{}) error {
```

heitorlessa (Collaborator):

Could you create a test for deletion?

Collaborator:

TestAccAWSCloudwatchEventBusPolicy_disappears added.

```go
		return fmt.Errorf("Creating CloudWatch Events policy failed: %w", err)
	}

	d.SetId(eventBusName)
```

heitorlessa (Collaborator):

I'm on the fence about this not being a combination of bus name + statement Id - I suspect it's okay given you can have a single resource policy per bus, so I'll defer to core maintainers on that.

Contributor:

Considering the "aws_cloudwatch_event_bus_policy" resource supports multiple statements we think that making it unique for each event bus won't introduce limitations. Also this implementation appears to be consistent with the SDK/CLI, which don't model event bus permissions as independent resources.

Collaborator:

I don't disagree. I just don't understand what the rationale was behind aws_cloudwatch_event_permission to create a unique ID back then: https://github.com/hashicorp/terraform-provider-aws/blob/fafcf78238182983aa8a5238c326f9049448aa70/aws/resource_aws_cloudwatch_event_permission.go#L103-L102

Contributor:

The "aws_cloudwatch_event_permission" resource only defines one statement in the policy, and it's therefore identified by it. The resource "aws_cloudwatch_event_policy" defines the complete policy for the event bus (possibly with multiple statements) and it's intended to be unique for each event bus.

```go
				Config: testAccAWSCloudwatchEventBusPolicyConfig(rstring),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSCloudwatchEventBusPolicyExists(resourceName),
				),
```

heitorlessa (Collaborator):

Could you check for policy properties like statement_id and principal? e.g. check whether policy matches what's being created

Collaborator:

This now does a deep diff from TF state and what's available in the bus. It does the job and runs through the entire logic and state, IMHO.

https://github.com/hashicorp/terraform-provider-aws/pull/16874/files?file-filters%5B%5D=.go#diff-23812e233d355579267c55e833a81e4aa3a286298ee1477b978cbcd22ec7ad0cR141

Deferring to Hashicorp core team if they want to nitpick and check whether X key has changed.
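Two points raised in this conversation, the whitespace-only plan diff cohen990 fought in the first comment (resolved with diff suppression) and the "deep diff" of TF state against what the bus actually carries in the thread just above, both come down to comparing two JSON policy documents by meaning rather than by bytes. The block below is an added example written for this page, not code from the PR or from the provider, and it assumes nothing about the provider's own helpers. It uses constructed policy documents with placeholder account IDs, normalizes formatting, key order and the service's habit of returning one-element arrays as bare scalars, and shows that a principal widened to `*` out of band is still reported as a difference, which is the one case a resource-policy check must never suppress.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Constructed sample inputs (not taken from the PR): the policy as a user writes
// it in HCL (pretty-printed, one-element arrays) and the same policy as the API
// hands it back (compact, keys reordered, scalars instead of one-element arrays).
// Account IDs are placeholders.
const desiredPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPartnerAccountPutEvents",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["events:PutEvents"],
    "Resource": ["arn:aws:events:us-east-1:123456789012:event-bus/default"]
  }]
}`

const remotePolicy = `{"Statement":[{"Action":"events:PutEvents","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Resource":"arn:aws:events:us-east-1:123456789012:event-bus/default","Sid":"AllowPartnerAccountPutEvents"}],"Version":"2012-10-17"}`

// driftedPolicy is what the bus would carry if the principal had been widened
// outside Terraform; a normalizer must NOT mask this difference.
const driftedPolicy = `{"Statement":[{"Action":"events:PutEvents","Effect":"Allow","Principal":"*","Resource":"arn:aws:events:us-east-1:123456789012:event-bus/default","Sid":"AllowPartnerAccountPutEvents"}],"Version":"2012-10-17"}`

// normalizePolicy decodes a policy document into a generic tree, which already
// discards whitespace and key order, then collapses one-element arrays in the
// list-valued statement fields to the bare scalar (the shape the service
// returns). It deliberately leaves Principal untouched, so a widened principal
// still shows up as a difference.
func normalizePolicy(raw string) (map[string]interface{}, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, fmt.Errorf("invalid policy JSON: %w", err)
	}
	var stmts []interface{}
	switch v := doc["Statement"].(type) {
	case []interface{}:
		stmts = v
	case map[string]interface{}:
		// A single statement object is valid too; wrap it so both spellings compare equal.
		stmts = []interface{}{v}
		doc["Statement"] = stmts
	default:
		return nil, fmt.Errorf("policy has no Statement block")
	}
	for _, s := range stmts {
		stmt, ok := s.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("statement is not a JSON object")
		}
		for _, key := range []string{"Action", "NotAction", "Resource", "NotResource"} {
			if arr, isArr := stmt[key].([]interface{}); isArr && len(arr) == 1 {
				stmt[key] = arr[0]
			}
		}
	}
	return doc, nil
}

// policiesEquivalent is the shape of check a DiffSuppressFunc or a
// state-vs-cloud acceptance check needs: true only when the two documents
// describe the same grants, false for any difference that is not formatting.
func policiesEquivalent(a, b string) (bool, error) {
	na, err := normalizePolicy(a)
	if err != nil {
		return false, err
	}
	nb, err := normalizePolicy(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(na, nb), nil
}

func main() {
	same, _ := policiesEquivalent(desiredPolicy, remotePolicy)
	drift, _ := policiesEquivalent(desiredPolicy, driftedPolicy)
	fmt.Printf("formatting-only difference suppressed: %v\n", same) // true
	fmt.Printf("widened principal still reported: %v\n", !drift)    // true
}
```

Wired into a resource, `policiesEquivalent` would sit behind the `policy` attribute's DiffSuppressFunc and behind the acceptance test's state-vs-cloud comparison. The property worth guarding is the second assertion: normalization may erase formatting, never grants, otherwise a policy widened by hand would look clean on the next plan.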


```hcl
resource "aws_cloudwatch_event_bus_policy" "test" {
  policy = data.aws_iam_policy_document.access.json
```

heitorlessa (Collaborator):

Could you add this sample policy as part of the example to improve docs experience?

Collaborator:

docs added with multiple examples. LGTM
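As an added example, not taken from the PR or from the provider's documentation, here is the kind of configuration the docs thread above asks for, written from a least-privilege angle: the first statement lets one named account put events onto the bus, the second lets any principal do so only if it belongs to a given AWS Organization. The account ID, region and organization ID are constructed placeholders; `event_bus_name` is assumed to be an argument of the released resource (the PR excerpt on this page shows only `policy`).

```hcl
# Added example, not from the PR: a least-privilege resource policy for the
# default event bus. Region, account and organization IDs are placeholders.
data "aws_iam_policy_document" "event_bus_access" {
  # One named partner account may publish onto this bus, nothing else.
  statement {
    sid    = "AllowPartnerAccountPutEvents"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"] # constructed partner account
    }

    actions   = ["events:PutEvents"]
    resources = ["arn:aws:events:us-east-1:123456789012:event-bus/default"]
  }

  # Any principal may publish, but only if it belongs to our organization.
  # Without the condition block, "*" would admit every AWS account.
  statement {
    sid    = "AllowOrgPutEvents"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["events:PutEvents"]
    resources = ["arn:aws:events:us-east-1:123456789012:event-bus/default"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-exampleorgid"] # constructed organization ID
    }
  }
}

resource "aws_cloudwatch_event_bus_policy" "default" {
  event_bus_name = "default" # assumed argument; defaults to the default bus
  policy         = data.aws_iam_policy_document.event_bus_access.json
}
```

Because the resource owns the whole policy document for the bus (one resource per bus, as the ID discussion above settled), every grant lives in this one document; a statement with `identifiers = ["*"]` and no `condition` is the thing to look for when reviewing a plan for this resource.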

@heitorlessa (Collaborator) commented Jun 15, 2021 via email

@heitorlessa (Collaborator) commented Jun 17, 2021 via email

…s. Fix linting for TF configuration defined in tests. Add "attributes reference" paragraph in resource docs.

@heitorlessa (Collaborator) commented Jun 22, 2021 via email

Extend tests for the "aws_cloudwatch_event_bus_policy" resource as suggested from the Terraform maintainers.
@cohen990 (Contributor, Author) commented

@heitorlessa this should be ready for another review :)

@heitorlessa (Collaborator) left a review comment

LGTM - Hashicorp core team might want to check whether it needs an attribute check on the update test or whether the current deep value check of what's in TF state vs what's available in the Cloud suffices.

Sending to Hashicorp folks to prioritize it ;) Thanks a lot for those changes @cohen990 !


Latest test results

make testacc TESTARGS='-run=TestAccAWSCloudwatchEventBusPolicy'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCloudwatchEventBusPolicy -timeout 180m
=== RUN   TestAccAWSCloudwatchEventBusPolicy_basic
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_basic
=== RUN   TestAccAWSCloudwatchEventBusPolicy_disappears
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_disappears
=== CONT  TestAccAWSCloudwatchEventBusPolicy_basic
=== CONT  TestAccAWSCloudwatchEventBusPolicy_disappears
--- PASS: TestAccAWSCloudwatchEventBusPolicy_basic (51.69s)
--- PASS: TestAccAWSCloudwatchEventBusPolicy_disappears (146.29s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       149.018s

@heitorlessa (Collaborator) commented Jun 22, 2021

Actually, @cohen990, it seems that the changelog vanished in the last merge - Could you re-add it? If it wasn't there in the first place and I dreamed it :D, here's what the file should look like so CI is happy about it.

File: ./changelog/16874.txt

Content: triple backticks with release-note:new-resource as the source language for highlighting.

```release-note:new-resource
aws_cloudwatch_event_bus_policy
```

@ewbankkit (Contributor) left a review comment

LGTM 🚀.

Commercial
% make testacc TEST=./aws TESTARGS='-run=TestAccAWSCloudwatchEventBusPolicy_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCloudwatchEventBusPolicy_ -timeout 180m
=== RUN   TestAccAWSCloudwatchEventBusPolicy_basic
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_basic
=== RUN   TestAccAWSCloudwatchEventBusPolicy_disappears
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_disappears
=== CONT  TestAccAWSCloudwatchEventBusPolicy_basic
=== CONT  TestAccAWSCloudwatchEventBusPolicy_disappears
--- PASS: TestAccAWSCloudwatchEventBusPolicy_basic (25.64s)
--- PASS: TestAccAWSCloudwatchEventBusPolicy_disappears (133.16s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	136.188s
GovCloud
% make testacc TEST=./aws TESTARGS='-run=TestAccAWSCloudwatchEventBusPolicy_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCloudwatchEventBusPolicy_ -timeout 180m
=== RUN   TestAccAWSCloudwatchEventBusPolicy_basic
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_basic
=== RUN   TestAccAWSCloudwatchEventBusPolicy_disappears
=== PAUSE TestAccAWSCloudwatchEventBusPolicy_disappears
=== CONT  TestAccAWSCloudwatchEventBusPolicy_basic
=== CONT  TestAccAWSCloudwatchEventBusPolicy_disappears
--- PASS: TestAccAWSCloudwatchEventBusPolicy_basic (35.24s)
--- PASS: TestAccAWSCloudwatchEventBusPolicy_disappears (138.06s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	141.106s

@ewbankkit ewbankkit merged commit 13bbcc8 into hashicorp:main Jun 22, 2021
@github-actions github-actions bot added this to the v3.47.0 milestone Jun 22, 2021
ewbankkit added a commit that referenced this pull request Jun 22, 2021
ewbankkit added a commit that referenced this pull request Jun 22, 2021
@github-actions bot commented

This functionality has been released in v3.47.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions bot commented

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 25, 2021
@cohen990 cohen990 deleted the f-event_bus_resource_policy branch October 3, 2021 21:06
Labels: documentation, new-resource, provider, size/XL, tests

Linked issue (closed by this pull request): AWS EventBridge bus resource policy

7 participants