r/aws_ec2_client_vpn_network_association: Adding resource to manage Client VPN network associations #7030
Conversation
…lient VPN network associations
ghost
added
size/XXL
|
This branch is based off #7009 since I need that functionality to run tests. |
|
@gazoakley Here's where your |
|
I am aware the documentation is missing at the moment. I'll be adding that tomorrow. |
|
When is this going to be merged into the master? |
|
@estein9825 this is currently waiting on #7009 and, once that is merged, a proper review by the maintainers. |
There was a problem hiding this comment.
Hey again @slapula 👋 Appreciate yet another good contribution! Left some initial review items below aside from rebasing with master since it now includes the aws_ec2_client_vpn_endpoint resource. Please reach out with any questions or let us know if you do not have time to implement the feedback.
| Create: resourceAwsEc2ClientVpnNetworkAssociationCreate, | ||
| Read: resourceAwsEc2ClientVpnNetworkAssociationRead, | ||
| Delete: resourceAwsEc2ClientVpnNetworkAssociationDelete, | ||
| Importer: &schema.ResourceImporter{ |
There was a problem hiding this comment.
This import support is missing:
- Acceptance testing in the form of a
TestStepthat includesImportState: trueandImportStateVerify: true - Documentation in the form of a
## Importsection in the resource documentation.
The support should be fully implemented or removed from the pull request. 👍
If you are opting to keep the support, you will notice that you will need to either implement a custom import function to that calls d.Set("client_vpn_endpoint_id", ...) and trims that part of the ID for d.SetId() (then use ImportStateIdFunc in acceptance testing) or switch the resource to implementing a "complex" ID that includes both IDs in its string, e.g. ENDPOINT/ASSOCIATION. For new implementations, we have generally preferred the latter form where we parse the complex ID and continue to use ImportStatePassthrough, but either form is acceptable.
There was a problem hiding this comment.
Oh, this is cruft from my copy/paste when I started working on this. I'm going to opt to not include import functionality here since I wasn't planning on adding it initially. I can be swayed to add it however because I can see the need for it.
ghost
added
size/XL
| log.Printf("[DEBUG] Waiting for Client VPN endpoint to disassociate with target network: %s", d.Id()) | ||
| _, err = stateConf.WaitForState() | ||
| if err != nil { | ||
| if strings.Contains(err.Error(), "couldn't find resource") != true { |
There was a problem hiding this comment.
@bflad This seems super janky to me. Is there a better way to handle this exception? I can't seem to find the specific error code that is tripping on this condition so that I can put it in the RefreshFunc (where this logic should actually live IMO).
There was a problem hiding this comment.
Great question! Yeah, don't fret too much about this as EC2 does things a bit differently than other AWS services for errors and they do not make the error codes available in the AWS Go SDK as constants. 🙁
For reference, they mostly (I've seen cases where they are missing for a long period of time) can be found here: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html
Rather than guessing from the API reference though, I personally tend to look for the error codes by enabling debug logging in Terraform during an acceptance test run. For example, in this case, I ran the below:
$ rm -f aws/log.txt; TF_LOG_PATH=log.txt TF_LOG=debug TF_ACC=1 go test ./aws -v -timeout 120m -parallel 20 -run=TestAccAwsEc2ClientVpnNetworkAssociation_basic
=== RUN TestAccAwsEc2ClientVpnNetworkAssociation_basic
=== PAUSE TestAccAwsEc2ClientVpnNetworkAssociation_basic
=== CONT TestAccAwsEc2ClientVpnNetworkAssociation_basic
--- PASS: TestAccAwsEc2ClientVpnNetworkAssociation_basic (690.14s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 691.015sWhich tells Terraform to create a log file with the debug output (you can stick it anywhere, I'm just lazy with log.txt 😄) and keep the console output "normal". In the debug log it output this:
2019/02/07 21:22:56 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeClientVpnTargetNetworks Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Transfer-Encoding: chunked
Date: Fri, 08 Feb 2019 02:22:55 GMT
Server: AmazonEC2
-----------------------------------------------------
2019/02/07 21:22:56 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidClientVpnEndpointId.NotFound</Code><Message>Endpoint cvpn-endpoint-0f2e85e16167a3465 does not exist</Message></Error></Errors><RequestID>31e4906a-8249-4e2d-9284-a03a2672ff86</RequestID></Response>
2019/02/07 21:22:56 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeClientVpnTargetNetworks failed, not retrying, error InvalidClientVpnEndpointId.NotFound: Endpoint cvpn-endpoint-0f2e85e16167a3465 does not exist
The InvalidClientVpnEndpointId.NotFound is the error code we can use for easily checking, e.g.
if isAWSErr(err, "InvalidClientVpnEndpointId.NotFound", "") {🎉
There was a problem hiding this comment.
Haha and after writing this I notice we should check for the above and InvalidClientVpnAssociationId.NotFound
|
@bflad This is ready for another look. |
| log.Printf("[DEBUG] Waiting for Client VPN endpoint to disassociate with target network: %s", d.Id()) | ||
| _, err = stateConf.WaitForState() | ||
| if err != nil { | ||
| if !strings.Contains(err.Error(), "couldn't find resource") { |
There was a problem hiding this comment.
Just so we can get this released today, I'm going to fix this last little bit up given my previous comment. I hope you don't mind. 😄
|
This has been released in version 1.58.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #6949
Changes proposed in this pull request:
aws_ec2_client_vpn_network_associationOutput from acceptance testing: