Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

service/ec2: Handle read-after-write eventual consistency issues in Network ACL resources #18388

Merged
merged 2 commits into from
Mar 26, 2021

Conversation

bflad
Copy link
Contributor

@bflad bflad commented Mar 24, 2021

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Reference: #16796
Reference: https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/contributing/retries-and-waiters.md#resource-lifecycle-retries

Output from acceptance testing in AWS Commercial:

--- PASS: TestAccAWSNetworkAcl_basic (55.36s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (49.96s)
--- PASS: TestAccAWSNetworkAcl_disappears (32.88s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (86.30s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (43.19s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (44.05s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (83.59s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (40.67s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (64.78s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (52.74s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (43.49s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (50.78s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (72.14s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (74.65s)
--- PASS: TestAccAWSNetworkAcl_Subnets (87.92s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (81.74s)
--- PASS: TestAccAWSNetworkAcl_tags (74.60s)

--- PASS: TestAccAWSNetworkAclRule_allProtocol (69.48s)
--- PASS: TestAccAWSNetworkAclRule_basic (54.04s)
--- PASS: TestAccAWSNetworkAclRule_disappears (30.99s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (41.45s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (40.04s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (45.12s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (47.00s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (72.25s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (61.69s)

Output from acceptance testing in AWS GovCloud (US):

--- PASS: TestAccAWSNetworkAcl_basic (58.57s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (94.47s)
--- PASS: TestAccAWSNetworkAcl_disappears (60.54s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (99.32s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (74.30s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (63.01s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (129.73s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (64.84s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (95.18s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (61.43s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (86.34s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (87.57s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (129.92s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (144.88s)
--- PASS: TestAccAWSNetworkAcl_Subnets (144.73s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (120.00s)
--- PASS: TestAccAWSNetworkAcl_tags (122.44s)

--- PASS: TestAccAWSNetworkAclRule_allProtocol (72.14s)
--- PASS: TestAccAWSNetworkAclRule_basic (95.37s)
--- PASS: TestAccAWSNetworkAclRule_disappears (61.95s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (56.73s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (65.84s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (89.03s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (81.90s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (123.78s)
--- PASS: TestAccAWSNetworkAclRule_missingParam (27.16s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (88.83s)

@bflad bflad added the bug Addresses a defect in current functionality. label Mar 24, 2021
@bflad bflad requested a review from a team as a code owner March 24, 2021 20:24
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. service/ec2 Issues and PRs that pertain to the ec2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Mar 24, 2021
bflad added a commit that referenced this pull request Mar 24, 2021
Copy link
Contributor

@gdavison gdavison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment on where to handle not found cases, otherwise LGTM 🚀

--- PASS: TestResourceAWSNetworkAclRule_validateICMPArgumentValue (0.00s)
--- PASS: TestAccAWSNetworkAclRule_missingParam (37.74s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (53.46s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (65.02s)
--- PASS: TestAccAWSNetworkAclRule_disappears (67.38s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (67.83s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (68.75s)
--- PASS: TestAccAWSNetworkAcl_basic (80.84s)
--- PASS: TestAccAWSNetworkAcl_disappears (81.05s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (90.33s)
--- PASS: TestAccAWSNetworkAclRule_basic (96.30s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (96.25s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (97.74s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (99.16s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (106.16s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (106.36s)
--- PASS: TestAccAWSNetworkAclRule_allProtocol (107.24s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (50.59s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (126.98s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (57.60s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (47.63s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (64.70s)
--- PASS: TestAccAWSNetworkAcl_tags (134.22s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (136.77s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (100.80s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (139.71s)
--- PASS: TestAccAWSNetworkAcl_Subnets (86.90s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (78.23s)

Comment on lines +275 to +300
if d.IsNewResource() && tfawserr.ErrCodeEquals(err, "InvalidNetworkAclID.NotFound") {
return resource.RetryableError(err)
}

if err != nil {
return resource.NonRetryableError(err)
}

if d.IsNewResource() && networkAcl == nil {
return resource.RetryableError(&resource.NotFoundError{
LastError: fmt.Errorf("EC2 Network ACL (%s) not found", d.Id()),
})
}

return nil
})

if tfresource.TimedOut(err) {
networkAcl, err = finder.NetworkAclByID(conn, d.Id())
}

if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, "InvalidNetworkAclID.NotFound") {
log.Printf("[WARN] EC2 Network ACL (%s) not found, removing from state", d.Id())
d.SetId("")
return nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If finder.NetworkAclByID() returns a resource.NotFoundError when the Network ACL is not found, we'd have to do a lot less checking for different not found cases at this level.

bflad added 2 commits March 25, 2021 20:09
…etwork ACL resources

Reference: #16796
Reference: https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/contributing/retries-and-waiters.md#resource-lifecycle-retries

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAWSNetworkAcl_basic (55.36s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (49.96s)
--- PASS: TestAccAWSNetworkAcl_disappears (32.88s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (86.30s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (43.19s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (44.05s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (83.59s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (40.67s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (64.78s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (52.74s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (43.49s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (50.78s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (72.14s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (74.65s)
--- PASS: TestAccAWSNetworkAcl_Subnets (87.92s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (81.74s)
--- PASS: TestAccAWSNetworkAcl_tags (74.60s)

--- PASS: TestAccAWSNetworkAclRule_allProtocol (69.48s)
--- PASS: TestAccAWSNetworkAclRule_basic (54.04s)
--- PASS: TestAccAWSNetworkAclRule_disappears (30.99s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (41.45s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (40.04s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (45.12s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (47.00s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (72.25s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (61.69s)
```

Output from acceptance testing in AWS GovCloud (US):

```
--- PASS: TestAccAWSNetworkAcl_basic (58.57s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (94.47s)
--- PASS: TestAccAWSNetworkAcl_disappears (60.54s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (99.32s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (74.30s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (63.01s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (129.73s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (64.84s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (95.18s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (61.43s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (86.34s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (87.57s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (129.92s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (144.88s)
--- PASS: TestAccAWSNetworkAcl_Subnets (144.73s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (120.00s)
--- PASS: TestAccAWSNetworkAcl_tags (122.44s)

--- PASS: TestAccAWSNetworkAclRule_allProtocol (72.14s)
--- PASS: TestAccAWSNetworkAclRule_basic (95.37s)
--- PASS: TestAccAWSNetworkAclRule_disappears (61.95s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (56.73s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (65.84s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (89.03s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (81.90s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (123.78s)
--- PASS: TestAccAWSNetworkAclRule_missingParam (27.16s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (88.83s)
```
@bflad bflad force-pushed the b-aws_network_acl_rule-d.IsNewResource branch from 72888ab to 9a9b7be Compare March 26, 2021 00:10
@bflad
Copy link
Contributor Author

bflad commented Mar 26, 2021

Rebased to resolve finder.go merge conflict and reverified:

--- PASS: TestAccAWSNetworkAclRule_missingParam (17.66s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (35.15s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (43.44s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (43.96s)
--- PASS: TestAccAWSNetworkAclRule_disappears (44.32s)
--- PASS: TestAccAWSNetworkAclRule_disappears_IngressEgressSameNumber (48.40s)
--- PASS: TestAccAWSNetworkAcl_disappears (51.43s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (33.84s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (51.70s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (51.72s)
--- PASS: TestAccAWSNetworkAclRule_basic (52.74s)
--- PASS: TestAccAWSNetworkAcl_basic (57.82s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (60.20s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (62.51s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (62.57s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (64.16s)
--- PASS: TestAccAWSNetworkAcl_tags (77.06s)
--- PASS: TestAccAWSNetworkAcl_Subnets (87.04s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (44.19s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (53.63s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (44.47s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (88.87s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (90.75s)
--- PASS: TestAccAWSNetworkAclRule_allProtocol (46.34s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (68.61s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (72.50s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (67.39s)

@bflad bflad merged commit 43a4da2 into main Mar 26, 2021
@bflad bflad deleted the b-aws_network_acl_rule-d.IsNewResource branch March 26, 2021 00:20
@github-actions github-actions bot added this to the v3.34.0 milestone Mar 26, 2021
github-actions bot pushed a commit that referenced this pull request Mar 26, 2021
@ghost
Copy link

ghost commented Mar 26, 2021

This has been released in version 3.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Apr 25, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 25, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants