feat(ec2): add aws_vpc_security_group_ingress/egress_rule resource #685
Conversation
|
|
|
/test-examples="examples/vpc/securitygroupegressrule.yaml,examples/vpc/securitygroupingressrule.yaml" |
There was a problem hiding this comment.
@huynhsontung, thanks for the contribution. Two small changes please to clean up the examples.
|
/test-examples="examples/vpc/securitygroupegressrule.yaml,examples/vpc/securitygroupingressrule.yaml" |
1 similar comment
|
/test-examples="examples/vpc/securitygroupegressrule.yaml,examples/vpc/securitygroupingressrule.yaml" |
The package was built and deployed successfully but could not find the API resource. I'm not sure what is missing. |
Hi @huynhsontung thank you for this PR, for resources to be uptestable, dependent resources should be added to the example manifest. In this case But first of all, it would be good if you have tested it successfully in your local environment and add a description under the heading I gave it a try in my local environment but I could not figure it out and I get the following error: Also, I'm not sure if these two resources should be in the |
huynhsontung
force-pushed
the
add-vpc-sgr
branch
2 times, most recently
from
de897ed
to
4469a40
Compare
|
@turkenf Sorry for the late followup. I went back and updated some missing codegen configs to reference external resources correctly. However, I still get this error message regardless of what config I change. terraform.tfstate {
"version": 4,
"terraform_version": "1.2.1",
"serial": 1,
"lineage": "1f43bf65-2d6d-4b97-af92-4e2d55b6f815",
"outputs": null,
"resources": [
{
"mode": "managed",
"type": "aws_vpc_security_group_egress_rule",
"name": "egressrule-test",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"cidr_ipv4": "10.0.0.0/8",
"from_port": 80,
"id": "",
"ip_protocol": "tcp",
"security_group_id": "sg-0123456789abc",
"tags": {
"crossplane-kind": "securitygroupegressrule.vpc.aws.upbound.io",
"crossplane-name": "egressrule-test",
"crossplane-providerconfig": "default"
},
"to_port": 8080
}
}
]
}
]
}It seems that on the first reconciliation, the provider generates a stub tfstate file with an empty I am not aware of any way to customize the provider tfstate generation behaviour and am not sure where to go from here. I would appreciate some guidance on this issue. |
|
@huynhsontung thank you for your observations, my observation with provider-aws v0.36.0 is also the same as yours: I keep getting the same error: When I create the The attributes.id in the tfstate file comes as In our example, the @ulucinar, what could be the reason why the id transferred empty to Terraform, do you have any suggestions about this? |
huynhsontung
force-pushed
the
add-vpc-sgr
branch
from
4469a40
to
0648256
Compare
|
/test-examples="examples/vpc/securitygroupegressrule.yaml,examples/vpc/securitygroupingressrule.yaml" |
config/vpc/config.go
Outdated
| ) | ||
|
|
||
| // Configure adds configurations for vpc group. | ||
| func Configure(p *config.Provider) { |
There was a problem hiding this comment.
Hi @turkenf,
We had better understand whether we still need the SecurityGroupRule.ec2 resource as two separate ingress and egress rules are being introduced. Looking at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule, Terraform has not deprecated this resource but we may still mark it as deprecated if there are not configurations not covered by these new two resources (for instance, are there any other rule types other than ingress and egress, etc.)?
Please also see the following from Terraform docs:
...
Both of these resource were added before AWS assigned a [security group rule unique ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html), and they do not work well in all scenarios using thedescription and tags attributes, which rely on the unique ID.
Could this be the reason Terraform is not deprecating aws_security_group_rule?
huynhsontung
force-pushed
the
add-vpc-sgr
branch
from
0648256
to
aa620c3
Compare
huynhsontung
force-pushed
the
add-vpc-sgr
branch
from
aa620c3
to
51fb249
Compare
|
@turkenf @ulucinar I have found a solution for the malformed ID issue. Terraform performs state validation so when the rule's ID is empty, it raises an error and exits. I found out that by providing a fake ID value that has I also moved the resources into the |
|
/test-examples="examples/vpc/securitygroupegressrule.yaml" |
|
/test-examples="examples/vpc/securitygroupingressrule.yaml" |
|
/test-examples="examples/ec2/vpcsecuritygroupegressrule.yaml" |
|
/test-examples="examples/ec2/vpcsecuritygroupingressrule.yaml" |
huynhsontung
changed the title
huynhsontung
changed the title
|
@turkenf any ETA for this ? |
|
/test-examples="examples/ec2/vpcsecuritygroupingressrule.yaml" |
There was a problem hiding this comment.
Thank you for your effort in this PR @huynhsontung, I left a few comments for you to consider.
Also could you please rebase PR to main?
config/ec2/config.go
Outdated
| @@ -217,6 +217,30 @@ func Configure(p *config.Provider) { | |||
| } | |||
| }) | |||
|
|
|||
| p.AddResourceConfigurator("aws_vpc_security_group_ingress_rule", func(r *config.Resource) { | |||
| r.References["security_group_id"] = config.Reference{ | |||
| Type: "github.com/upbound/provider-aws/apis/ec2/v1beta1.SecurityGroup", | |||
There was a problem hiding this comment.
| Type: "github.com/upbound/provider-aws/apis/ec2/v1beta1.SecurityGroup", | |
| TerraformName: "aws_security_group", |
nit: it could be better to use the above conf for all references.
There was a problem hiding this comment.
I missed updating these references when moving the resources from the vpc to ec2 group. I think we can use Type: "SecurityGroup" now that they are all in the same ec2 group, similar to other configs in this file.
There was a problem hiding this comment.
It can stay this way, but the safest way to set references is to use TerraformName.
Signed-off-by: Tung Huynh <[email protected]>
Signed-off-by: Tung Huynh <[email protected]>
Signed-off-by: Tung Huynh <[email protected]>
Signed-off-by: Tung Huynh <[email protected]>
huynhsontung
force-pushed
the
add-vpc-sgr
branch
from
63090d1
to
ab323f4
Compare
Signed-off-by: Tung Huynh <[email protected]>
huynhsontung
force-pushed
the
add-vpc-sgr
branch
from
ab323f4
to
5d825b2
Compare
|
/test-examples="examples/ec2/vpcsecuritygroupingressrule.yaml" |
|
/test-examples="examples/ec2/securitygroupingressrule.yaml" |
|
/test-examples="examples/ec2/securitygroupegressrule.yaml" |
|
Apply is failing after rebase. I will debug this on my end. Not sure why import didn't pass. |
Signed-off-by: Tung Huynh <[email protected]>
|
@turkenf To speed up the debug process, would you mind rerunning the uptest on one of the resources? |
With the latest uptest update, update and import tests were added to automatic testing, these were not tested before. Have you done the import test of the resources locally? |
|
/test-examples="examples/ec2/securitygroupingressrule.yaml" |
I tested import before rebase. I can see from the log that the |
|
@huynhsontung, could you please rebase again after this PR merged and revert the external name change? |
Signed-off-by: Fatih Türken <[email protected]>
|
/test-examples="examples/ec2/securitygroupingressrule.yaml" |
|
/test-examples="examples/ec2/securitygroupegressrule.yaml" |
There was a problem hiding this comment.
Thank you so much for your effort in this PR @huynhsontung, LGTM.
Description of your changes
Fixes #683
Generated code for
aws_vpc_security_group_ingress_ruleandaws_vpc_security_group_egress_rule.I have:
make reviewable testto ensure this PR is ready for review.How has this code been tested
Tested in a personal cluster