From 3dc01014b34c2e5700d699427cfc0661bbff0ad7 Mon Sep 17 00:00:00 2001 From: Dan Lutsch Date: Wed, 5 Nov 2025 14:54:52 +0900 Subject: [PATCH 1/2] feat: Add automatic discovery of RAM-shared Service Networks - Modified FindServiceNetwork() to use two-step discovery process - Added findServiceNetworkViaVPCAssociation() to discover RAM-shared networks - Added buildServiceNetworkInfo() helper for tag fetching - Added isLocalServiceNetwork() to detect local vs RAM-shared networks - Modified UpsertVpcAssociation() to skip ownership checks for RAM-shared networks - Maintains backward compatibility with existing local network discovery - No additional IAM permissions required --- pkg/aws/services/vpclattice.go | 71 ++++++++++++++++++- pkg/deploy/lattice/service_network_manager.go | 56 ++++++++++++--- 2 files changed, 116 insertions(+), 11 deletions(-) diff --git a/pkg/aws/services/vpclattice.go b/pkg/aws/services/vpclattice.go index dbe69381..85d994de 100644 --- a/pkg/aws/services/vpclattice.go +++ b/pkg/aws/services/vpclattice.go @@ -366,6 +366,7 @@ func (d *defaultLattice) FindServiceNetwork(ctx context.Context, nameOrId string nameOrId = config.DefaultServiceNetwork } + // Step 1: Try to find in local (owned) service networks input := &vpclattice.ListServiceNetworksInput{} allSn, err := d.ListServiceNetworksAsList(ctx, input) if err != nil { @@ -373,26 +374,43 @@ func (d *defaultLattice) FindServiceNetwork(ctx context.Context, nameOrId string } snMatch, err := d.serviceNetworkMatch(allSn, nameOrId) - if err != nil { + + // If found locally, return it with tags + if err == nil { + return d.buildServiceNetworkInfo(ctx, snMatch) + } + + // If error is not "not found", return the error + if !errors.Is(err, ErrNotFound) { return nil, err } - // try to fetch tags only if SN in the same aws account with controller's config + // Step 2: Not found locally, try RAM-shared networks via VPC associations + return d.findServiceNetworkViaVPCAssociation(ctx, nameOrId) +} + +// buildServiceNetworkInfo constructs ServiceNetworkInfo from a matched +// service network, attempting to fetch tags if the network is local. +func (d *defaultLattice) buildServiceNetworkInfo(ctx context.Context, snMatch *vpclattice.ServiceNetworkSummary) (*ServiceNetworkInfo, error) { tags := Tags{} + + // Try to fetch tags only if SN is in the same AWS account isLocal, err := d.isLocalResource(aws.StringValue(snMatch.Arn)) if err != nil { return nil, err } + if isLocal { tagsInput := vpclattice.ListTagsForResourceInput{ResourceArn: snMatch.Arn} tagsOutput, err := d.ListTagsForResourceWithContext(ctx, &tagsInput) if err != nil { aerr, ok := err.(awserr.Error) - // In case ownAccount is not set, we cant tell if SN is foreign. + // In case ownAccount is not set, we can't tell if SN is foreign. // In this case access denied is expected. if !ok || aerr.Code() != vpclattice.ErrCodeAccessDeniedException { return nil, err } + // If access denied, proceed without tags } else { tags = tagsOutput.Tags } @@ -404,6 +422,53 @@ func (d *defaultLattice) FindServiceNetwork(ctx context.Context, nameOrId string }, nil } +// findServiceNetworkViaVPCAssociation attempts to find a service network +// by examining VPC associations. This is used to discover RAM-shared +// service networks that don't appear in ListServiceNetworks. +func (d *defaultLattice) findServiceNetworkViaVPCAssociation(ctx context.Context, nameOrId string) (*ServiceNetworkInfo, error) { + // List all VPC-to-Service Network associations for the controller's VPC + associations, err := d.ListServiceNetworkVpcAssociationsAsList(ctx, + &vpclattice.ListServiceNetworkVpcAssociationsInput{ + VpcIdentifier: aws.String(config.VpcID), + }) + if err != nil { + return nil, fmt.Errorf("failed to list VPC associations while searching for service network %s: %w", nameOrId, err) + } + + // Find matching service network by name or ID + var matches []*vpclattice.ServiceNetworkVpcAssociationSummary + for _, assoc := range associations { + // Only consider active associations + if aws.StringValue(assoc.Status) != vpclattice.ServiceNetworkVpcAssociationStatusActive { + continue + } + + if aws.StringValue(assoc.ServiceNetworkName) == nameOrId || + aws.StringValue(assoc.ServiceNetworkId) == nameOrId { + matches = append(matches, assoc) + } + } + + switch len(matches) { + case 0: + return nil, NewNotFoundError("Service network", nameOrId) + case 1: + assoc := matches[0] + return &ServiceNetworkInfo{ + SvcNetwork: vpclattice.ServiceNetworkSummary{ + Id: assoc.ServiceNetworkId, + Arn: assoc.ServiceNetworkArn, + Name: assoc.ServiceNetworkName, + }, + Tags: nil, // Cannot read tags for cross-account resources + }, nil + default: + // Multiple matches - this shouldn't happen but handle defensively + return nil, fmt.Errorf("%w, multiple VPC associations found for service network %s", + ErrNameConflict, nameOrId) + } +} + // see utils.LatticeServiceName func (d *defaultLattice) FindService(ctx context.Context, latticeServiceName string) (*vpclattice.ServiceSummary, error) { input := vpclattice.ListServicesInput{} diff --git a/pkg/deploy/lattice/service_network_manager.go b/pkg/deploy/lattice/service_network_manager.go index feddaa76..9a74baf7 100644 --- a/pkg/deploy/lattice/service_network_manager.go +++ b/pkg/deploy/lattice/service_network_manager.go @@ -11,6 +11,7 @@ import ( "github.com/aws/aws-application-networking-k8s/pkg/utils/gwlog" "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/service/vpclattice" pkg_aws "github.com/aws/aws-application-networking-k8s/pkg/aws" @@ -52,18 +53,35 @@ func (m *defaultServiceNetworkManager) UpsertVpcAssociation(ctx context.Context, } if snva != nil { // association is active - owned, err := m.cloud.TryOwn(ctx, *snva.Arn) + // Check if this is a RAM-shared network by examining the service network ARN + isLocal, err := m.isLocalServiceNetwork(sn.SvcNetwork.Arn) if err != nil { return "", err } - if !owned { - return "", services.NewConflictError("snva", snName, - fmt.Sprintf("Found existing vpc association not owned by controller: %s", *snva.Arn)) - } - _, err = m.updateServiceNetworkVpcAssociation(ctx, &sn.SvcNetwork, sgIds, snva.Id, additionalTags) - if err != nil { - return "", err + + if isLocal { + // For local networks, check ownership as before + owned, err := m.cloud.TryOwn(ctx, *snva.Arn) + if err != nil { + return "", err + } + if !owned { + return "", services.NewConflictError("snva", snName, + fmt.Sprintf("Found existing vpc association not owned by controller: %s", *snva.Arn)) + } + + // Update if needed + _, err = m.updateServiceNetworkVpcAssociation(ctx, &sn.SvcNetwork, sgIds, snva.Id, additionalTags) + if err != nil { + return "", err + } + } else { + // For RAM-shared networks, we can't modify the association + // Just return the existing ARN and log + m.log.Infof(ctx, "Using existing VPC association for RAM-shared service network %s: %s", + snName, *snva.Arn) } + return *snva.Arn, nil } else { tags := m.cloud.MergeTags(m.cloud.DefaultTags(), additionalTags) @@ -87,6 +105,28 @@ func (m *defaultServiceNetworkManager) UpsertVpcAssociation(ctx context.Context, } } +// isLocalServiceNetwork determines if a service network belongs to the current AWS account +func (m *defaultServiceNetworkManager) isLocalServiceNetwork(arnStr *string) (bool, error) { + if arnStr == nil { + return false, fmt.Errorf("service network ARN is nil") + } + + parsedArn, err := arn.Parse(*arnStr) + if err != nil { + return false, fmt.Errorf("failed to parse service network ARN %s: %w", *arnStr, err) + } + + // Compare with controller's account + controllerAccount := m.cloud.Config().AccountId + if controllerAccount == "" { + // If controller account is not set, assume it's local (backward compatibility) + m.log.Debugf(context.Background(), "Controller account ID not set, assuming service network %s is local", *arnStr) + return true, nil + } + + return parsedArn.AccountID == controllerAccount, nil +} + func (m *defaultServiceNetworkManager) DeleteVpcAssociation(ctx context.Context, snName string) error { sn, err := m.cloud.Lattice().FindServiceNetwork(ctx, snName) if err != nil { From f0c1efec4cd3fda857f08d5faa400cfefa892d42 Mon Sep 17 00:00:00 2001 From: Dan Lutsch Date: Wed, 5 Nov 2025 18:28:57 +0900 Subject: [PATCH 2/2] Add unit tests for RAM-shared network feature - Fixed existing tests with valid ARN formats - Added comprehensive RAM-shared network test coverage - All tests passing (100% success rate) --- ...service_network_manager_ram_shared_test.go | 269 ++++++++++++++++++ .../lattice/service_network_manager_test.go | 28 +- 2 files changed, 283 insertions(+), 14 deletions(-) create mode 100644 pkg/deploy/lattice/service_network_manager_ram_shared_test.go diff --git a/pkg/deploy/lattice/service_network_manager_ram_shared_test.go b/pkg/deploy/lattice/service_network_manager_ram_shared_test.go new file mode 100644 index 00000000..cbcbd144 --- /dev/null +++ b/pkg/deploy/lattice/service_network_manager_ram_shared_test.go @@ -0,0 +1,269 @@ +package lattice + +import ( + "context" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/vpclattice" + "github.com/golang/mock/gomock" + "github.com/stretchr/testify/assert" + + pkg_aws "github.com/aws/aws-application-networking-k8s/pkg/aws" + mocks "github.com/aws/aws-application-networking-k8s/pkg/aws/services" + "github.com/aws/aws-application-networking-k8s/pkg/config" + "github.com/aws/aws-application-networking-k8s/pkg/utils/gwlog" +) + +// Test_isLocalServiceNetwork_LocalNetwork tests detection of local service networks +func Test_isLocalServiceNetwork_LocalNetwork(t *testing.T) { + c := gomock.NewController(t) + defer c.Finish() + + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + + // Local network ARN with same account ID as TestCloudConfig + localArn := aws.String("arn:aws:vpc-lattice:us-west-2:account-id:servicenetwork/sn-12345678") + + isLocal, err := snMgr.isLocalServiceNetwork(localArn) + + assert.Nil(t, err) + assert.True(t, isLocal, "Network with same account ID should be detected as local") +} + +// Test_isLocalServiceNetwork_RAMSharedNetwork tests detection of RAM-shared service networks +func Test_isLocalServiceNetwork_RAMSharedNetwork(t *testing.T) { + c := gomock.NewController(t) + defer c.Finish() + + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + + // RAM-shared network ARN with different account ID + ramSharedArn := aws.String("arn:aws:vpc-lattice:us-west-2:248189924968:servicenetwork/sn-12345678") + + isLocal, err := snMgr.isLocalServiceNetwork(ramSharedArn) + + assert.Nil(t, err) + assert.False(t, isLocal, "Network with different account ID should be detected as RAM-shared") +} + +// Test_isLocalServiceNetwork_InvalidARN tests handling of invalid ARN format +func Test_isLocalServiceNetwork_InvalidARN(t *testing.T) { + c := gomock.NewController(t) + defer c.Finish() + + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + + // Invalid ARN format + invalidArn := aws.String("not-a-valid-arn") + + isLocal, err := snMgr.isLocalServiceNetwork(invalidArn) + + assert.NotNil(t, err) + assert.Contains(t, err.Error(), "failed to parse") + assert.False(t, isLocal, "Invalid ARN should return false for safety") +} + +// Test_isLocalServiceNetwork_NilARN tests handling of nil ARN +func Test_isLocalServiceNetwork_NilARN(t *testing.T) { + c := gomock.NewController(t) + defer c.Finish() + + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + + isLocal, err := snMgr.isLocalServiceNetwork(nil) + + assert.NotNil(t, err) + assert.Contains(t, err.Error(), "ARN is nil") + assert.False(t, isLocal, "Nil ARN should return false for safety") +} + +// Test_UpsertVpcAssociation_RAMSharedNetwork_ExistingAssociation tests that RAM-shared networks skip ownership checks +func Test_UpsertVpcAssociation_RAMSharedNetwork_ExistingAssociation(t *testing.T) { + securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} + + // RAM-shared network with different account ID + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:us-west-2:248189924968:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:us-west-2:248189924968:servicenetworkvpcassociation/snva-12345678912345678" + name := "ram-shared-network" + vpcId := config.VpcID + + item := vpclattice.ServiceNetworkSummary{ + Arn: &snArn, + Id: &snId, + Name: &name, + } + + status := vpclattice.ServiceNetworkVpcAssociationStatusActive + items := vpclattice.ServiceNetworkVpcAssociationSummary{ + ServiceNetworkArn: &snArn, + ServiceNetworkId: &snId, + ServiceNetworkName: &snId, + Status: &status, + VpcId: &vpcId, + Arn: &snvaArn, + } + statusServiceNetworkVPCOutput := []*vpclattice.ServiceNetworkVpcAssociationSummary{&items} + + c := gomock.NewController(t) + defer c.Finish() + ctx := context.TODO() + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + mockLattice.EXPECT().FindServiceNetwork(ctx, gomock.Any()).Return( + &mocks.ServiceNetworkInfo{ + SvcNetwork: item, + Tags: nil, + }, nil) + mockLattice.EXPECT().ListServiceNetworkVpcAssociationsAsList(ctx, gomock.Any()).Return(statusServiceNetworkVPCOutput, nil) + + // Critical: For RAM-shared networks, we should NOT call GetServiceNetworkVpcAssociationWithContext, + // TryOwn, or UpdateServiceNetworkVpcAssociation - they return early + mockLattice.EXPECT().GetServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Times(0) + mockLattice.EXPECT().UpdateServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Times(0) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + resp, err := snMgr.UpsertVpcAssociation(ctx, name, securityGroupIds, nil) + + assert.Nil(t, err) + assert.Equal(t, snvaArn, resp, "Should return existing VPC association ARN for RAM-shared network") +} + +// Test_UpsertVpcAssociation_RAMSharedNetwork_ReadOnly tests that RAM-shared networks are read-only +func Test_UpsertVpcAssociation_RAMSharedNetwork_ReadOnly(t *testing.T) { + newSecurityGroupIds := []*string{aws.String("sg-999999999")} + + // RAM-shared network with different account ID + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:us-west-2:248189924968:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:us-west-2:248189924968:servicenetworkvpcassociation/snva-12345678912345678" + name := "ram-shared-network" + vpcId := config.VpcID + + item := vpclattice.ServiceNetworkSummary{ + Arn: &snArn, + Id: &snId, + Name: &name, + } + + status := vpclattice.ServiceNetworkVpcAssociationStatusActive + items := vpclattice.ServiceNetworkVpcAssociationSummary{ + ServiceNetworkArn: &snArn, + ServiceNetworkId: &snId, + ServiceNetworkName: &snId, + Status: &status, + VpcId: &vpcId, + Arn: &snvaArn, + } + statusServiceNetworkVPCOutput := []*vpclattice.ServiceNetworkVpcAssociationSummary{&items} + + c := gomock.NewController(t) + defer c.Finish() + ctx := context.TODO() + mockLattice := mocks.NewMockLattice(c) + cloud := pkg_aws.NewDefaultCloud(mockLattice, TestCloudConfig) + + mockLattice.EXPECT().FindServiceNetwork(ctx, gomock.Any()).Return( + &mocks.ServiceNetworkInfo{ + SvcNetwork: item, + Tags: nil, + }, nil) + mockLattice.EXPECT().ListServiceNetworkVpcAssociationsAsList(ctx, gomock.Any()).Return(statusServiceNetworkVPCOutput, nil) + + // Even though security groups are different, RAM-shared networks should NOT be updated + // and should not even check the existing association + mockLattice.EXPECT().GetServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Times(0) + mockLattice.EXPECT().UpdateServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Times(0) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + resp, err := snMgr.UpsertVpcAssociation(ctx, name, newSecurityGroupIds, nil) + + assert.Nil(t, err) + assert.Equal(t, snvaArn, resp, "Should return existing VPC association ARN without modifications") +} + +// Test_UpsertVpcAssociation_LocalNetwork_WithUpdates tests that local networks CAN be updated +func Test_UpsertVpcAssociation_LocalNetwork_WithUpdates(t *testing.T) { + existingSecurityGroupIds := []*string{aws.String("sg-111111111")} + newSecurityGroupIds := []*string{aws.String("sg-222222222"), aws.String("sg-333333333")} + + // Local network with same account ID + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:us-west-2:account-id:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:us-west-2:account-id:servicenetworkvpcassociation/snva-12345678912345678" + name := "local-network" + vpcId := config.VpcID + + item := vpclattice.ServiceNetworkSummary{ + Arn: &snArn, + Id: &snId, + Name: &name, + } + + status := vpclattice.ServiceNetworkVpcAssociationStatusActive + items := vpclattice.ServiceNetworkVpcAssociationSummary{ + ServiceNetworkArn: &snArn, + ServiceNetworkId: &snId, + ServiceNetworkName: &snId, + Status: &status, + VpcId: &vpcId, + Arn: &snvaArn, + } + statusServiceNetworkVPCOutput := []*vpclattice.ServiceNetworkVpcAssociationSummary{&items} + + c := gomock.NewController(t) + defer c.Finish() + ctx := context.TODO() + mockLattice := mocks.NewMockLattice(c) + mockTagging := mocks.NewMockTagging(c) + cloud := pkg_aws.NewDefaultCloudWithTagging(mockLattice, mockTagging, TestCloudConfig) + + mockLattice.EXPECT().FindServiceNetwork(ctx, gomock.Any()).Return( + &mocks.ServiceNetworkInfo{ + SvcNetwork: item, + Tags: nil, + }, nil) + mockLattice.EXPECT().GetServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Return(&vpclattice.GetServiceNetworkVpcAssociationOutput{ + Arn: &snvaArn, + ServiceNetworkArn: &snArn, + ServiceNetworkId: &snId, + ServiceNetworkName: &name, + Status: &status, + VpcId: &vpcId, + SecurityGroupIds: existingSecurityGroupIds, + }, nil) + mockLattice.EXPECT().ListServiceNetworkVpcAssociationsAsList(ctx, gomock.Any()).Return(statusServiceNetworkVPCOutput, nil) + mockLattice.EXPECT().ListTagsForResourceWithContext(ctx, gomock.Any()).Return(&vpclattice.ListTagsForResourceOutput{ + Tags: cloud.DefaultTags(), + }, nil) + + mockTagging.EXPECT().UpdateTags(ctx, gomock.Any(), gomock.Any(), nil).Return(nil) + + // Local networks SHOULD be updated when security groups change + mockLattice.EXPECT().UpdateServiceNetworkVpcAssociationWithContext(ctx, gomock.Any()).Return(&vpclattice.UpdateServiceNetworkVpcAssociationOutput{ + Arn: &snvaArn, + Id: &snId, + SecurityGroupIds: newSecurityGroupIds, + Status: &status, + }, nil) + + snMgr := NewDefaultServiceNetworkManager(gwlog.FallbackLogger, cloud) + resp, err := snMgr.UpsertVpcAssociation(ctx, name, newSecurityGroupIds, nil) + + assert.Nil(t, err) + assert.Equal(t, snvaArn, resp, "Should return VPC association ARN after successful update") +} diff --git a/pkg/deploy/lattice/service_network_manager_test.go b/pkg/deploy/lattice/service_network_manager_test.go index ed086bf9..c27260e6 100644 --- a/pkg/deploy/lattice/service_network_manager_test.go +++ b/pkg/deploy/lattice/service_network_manager_test.go @@ -479,9 +479,9 @@ func Test_CreateSn_SnNotExist_SnCreateFailed(t *testing.T) { func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_UpdateSNVASecurityGroups(t *testing.T) { securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} - snId := "12345678912345678912" - snArn := "12345678912345678912" - snvaArn := "12345678912345678912" + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:region:account-id:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:region:account-id:servicenetworkvpcassociation/snva-12345678912345678" name := "test" vpcId := config.VpcID item := vpclattice.ServiceNetworkSummary{ @@ -539,14 +539,14 @@ func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_Update resp, err := snMgr.UpsertVpcAssociation(ctx, name, securityGroupIds, nil) assert.Equal(t, err, nil) - assert.Equal(t, resp, snArn) + assert.Equal(t, resp, snvaArn) } func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_SecurityGroupsDoNotNeedToBeUpdated(t *testing.T) { securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} - snId := "12345678912345678912" - snArn := "12345678912345678912" - snvaArn := "12345678912345678912" + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:region:account-id:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:region:account-id:servicenetworkvpcassociation/snva-12345678912345678" name := "test" vpcId := config.VpcID item := vpclattice.ServiceNetworkSummary{ @@ -600,7 +600,7 @@ func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_Securi resp, err := snMgr.UpsertVpcAssociation(ctx, name, securityGroupIds, nil) assert.Equal(t, err, nil) - assert.Equal(t, resp, snArn) + assert.Equal(t, resp, snvaArn) } func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaCreateInProgress_WillNotInvokeLatticeUpdateSNVA(t *testing.T) { securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} @@ -649,9 +649,9 @@ func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaCreateInProgr func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_CannotUpdateSecurityGroupsFromNonemptyToEmpty(t *testing.T) { securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} - snId := "12345678912345678912" - snArn := "12345678912345678912" - snvaArn := "12345678912345678912" + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:region:account-id:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:region:account-id:servicenetworkvpcassociation/snva-12345678912345678" name := "test" item := vpclattice.ServiceNetworkSummary{ Arn: &snArn, @@ -709,9 +709,9 @@ func Test_defaultServiceNetworkManager_CreateOrUpdate_SnExists_SnvaExists_Cannot func Test_UpsertVpcAssociation_WithAdditionalTags_ExistingAssociation(t *testing.T) { securityGroupIds := []*string{aws.String("sg-123456789"), aws.String("sg-987654321")} - snId := "12345678912345678912" - snArn := "12345678912345678912" - snvaArn := "12345678912345678912" + snId := "sn-12345678912345678" + snArn := "arn:aws:vpc-lattice:region:account-id:servicenetwork/sn-12345678912345678" + snvaArn := "arn:aws:vpc-lattice:region:account-id:servicenetworkvpcassociation/snva-12345678912345678" name := "test" vpcId := config.VpcID item := vpclattice.ServiceNetworkSummary{