resolve conflicts

hashicorp · Jun 12, 2023 · e37af24 · e37af24
2 parents c5fdf8a + f80101d
commit e37af24
Show file tree

Hide file tree

Showing 88 changed files with 2,585 additions and 1,807 deletions.
diff --git a/.changelog/28470.txt b/.changelog/28470.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_opensearchserverless_security_policy
+```
diff --git a/.changelog/31873.txt b/.changelog/31873.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_vpc_endpoint: Add `private_dns_only_for_inbound_resolver_endpoint` attribute to the `dns_options` configuration block
+```
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ ENHANCEMENTS:
 
 * data-source/aws_redshift_cluster: Add `cluster_namespace_arn` attribute ([#31884](https://github.com/hashicorp/terraform-provider-aws/issues/31884))
 * resource/aws_redshift_cluster: Add `cluster_namespace_arn` attribute ([#31884](https://github.com/hashicorp/terraform-provider-aws/issues/31884))
+* resource/aws_vpc_endpoint: Add `private_dns_only_for_inbound_resolver_endpoint` attribute to the `dns_options` configuration block ([#31873](https://github.com/hashicorp/terraform-provider-aws/issues/31873))
 
 BUG FIXES:
 

diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ivschat v1.4.5
 	github.com/aws/aws-sdk-go-v2/service/kendra v1.40.2
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.35.0
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.26.6
 	github.com/aws/aws-sdk-go-v2/service/medialive v1.31.4
 	github.com/aws/aws-sdk-go-v2/service/oam v1.1.11
 	github.com/aws/aws-sdk-go-v2/service/opensearchserverless v1.2.4

diff --git a/go.sum b/go.sum
@@ -87,6 +87,8 @@ github.com/aws/aws-sdk-go-v2/service/kendra v1.40.2 h1:4oiWp0Y9BnBh0x7V4/h3u/qna
 github.com/aws/aws-sdk-go-v2/service/kendra v1.40.2/go.mod h1:00b/aokrZ0r4fUsMP9RSOL9bvxTCCRCOeUy5o0lyqrA=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.35.0 h1:iNLsDIOju/bbqw0mNaEXh+9Ms6Mm0RjcHPP9z4k9lUY=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.35.0/go.mod h1:i23nHcGEyswthctBfhEO1agGpM5Uyh83aSmSB6DmdCk=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.26.6 h1:QQE/ZcXSrPFGprrG8VFblHiMpenvzICT09YnaMmQEwk=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.26.6/go.mod h1:L+JqH2pSCvKnCVJNKnU/8TTUfuNuTXSmXiS3F0zMvzQ=
 github.com/aws/aws-sdk-go-v2/service/medialive v1.31.4 h1:EMIWrz5dNgkqAKUPe6xTLvzwLt2RIRN1P5D8Nrl4XkQ=
 github.com/aws/aws-sdk-go-v2/service/medialive v1.31.4/go.mod h1:3Ttv/NVxQ8CitwL/sZdxSJHzStb75XQO+gvBwOC3Sj8=
 github.com/aws/aws-sdk-go-v2/service/oam v1.1.11 h1:dRgn7qpyEtXcP0prnPyaTUTiCQsowO++Cu9B5wlZRtI=

diff --git a/internal/conns/awsclient_gen.go b/internal/conns/awsclient_gen.go
diff --git a/internal/conns/config.go b/internal/conns/config.go
@@ -4,9 +4,12 @@ import (
 	"context"
 	"log"
 	"strings"
+	"time"
 
 	awsv2 "github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/retry"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/lightsail"
 	"github.com/aws/aws-sdk-go-v2/service/route53domains"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
@@ -25,7 +28,6 @@ import (
 	"github.com/aws/aws-sdk-go/service/globalaccelerator"
 	"github.com/aws/aws-sdk-go/service/kafka"
 	"github.com/aws/aws-sdk-go/service/kinesis"
-	"github.com/aws/aws-sdk-go/service/lightsail"
 	"github.com/aws/aws-sdk-go/service/organizations"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/aws/aws-sdk-go/service/route53recoverycontrolconfig"
@@ -46,6 +48,10 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
+const (
+	tenBackOff = 10
+)
+
 type Config struct {
 	AccessKey                      string
 	AllowedAccountIds              []string
@@ -460,20 +466,6 @@ func (c *Config) ConfigureProvider(ctx context.Context, client *AWSClient) (*AWS
 		}
 	})
 
-	client.lightsailConn.Handlers.Retry.PushBack(func(r *request.Request) {
-		switch r.Operation.Name {
-		case "CreateContainerService", "UpdateContainerService", "CreateContainerServiceDeployment":
-			if tfawserr.ErrMessageContains(r.Error, lightsail.ErrCodeInvalidInputException, "Please try again in a few minutes") {
-				r.Retryable = aws.Bool(true)
-			}
-		case "DeleteContainerService":
-			if tfawserr.ErrMessageContains(r.Error, lightsail.ErrCodeInvalidInputException, "Please try again in a few minutes") ||
-				tfawserr.ErrMessageContains(r.Error, lightsail.ErrCodeInvalidInputException, "Please wait for it to complete before trying again") {
-				r.Retryable = aws.Bool(true)
-			}
-		}
-	})
-
 	client.organizationsConn.Handlers.Retry.PushBack(func(r *request.Request) {
 		// Retry on the following error:
 		// ConcurrentModificationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later.
@@ -546,5 +538,24 @@ func (c *Config) ConfigureProvider(ctx context.Context, client *AWSClient) (*AWS
 		}
 	})
 
+	client.lightsailClient = lightsail.NewFromConfig(cfg, func(o *lightsail.Options) {
+		lightsailRetryable := retry.IsErrorRetryableFunc(func(e error) awsv2.Ternary {
+			if strings.Contains(e.Error(), "Please try again in a few minutes") || strings.Contains(e.Error(), "Please wait for it to complete before trying again") {
+				return awsv2.TrueTernary
+			}
+			return awsv2.UnknownTernary
+		})
+
+		if endpoint := c.Endpoints[names.Lightsail]; endpoint != "" {
+			o.EndpointResolver = lightsail.EndpointResolverFromURL(endpoint)
+		}
+
+		o.Retryer = retry.NewStandard(func(options *retry.StandardOptions) {
+			options.Retryables = append(options.Retryables, lightsailRetryable)
+			options.MaxAttempts = 18
+			options.Backoff = retry.NewExponentialJitterBackoff(time.Second * tenBackOff)
+		})
+	})
+
 	return client, nil
 }
diff --git a/internal/conns/config_gen.go b/internal/conns/config_gen.go
diff --git a/internal/service/cloudwatch/metric_stream_test.go b/internal/service/cloudwatch/metric_stream_test.go
@@ -623,9 +623,9 @@ EOF
 
 resource "aws_kinesis_firehose_delivery_stream" "s3_stream" {
   name        = %[1]q
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose_to_s3.arn
     bucket_arn = aws_s3_bucket.bucket.arn
   }

diff --git a/internal/service/connect/instance_storage_config_data_source_test.go b/internal/service/connect/instance_storage_config_data_source_test.go
@@ -175,11 +175,6 @@ resource "aws_s3_bucket" "bucket" {
   bucket = %[1]q
 }
 
-resource "aws_s3_bucket_acl" "test" {
-  bucket = aws_s3_bucket.bucket.id
-  acl    = "private"
-}
-
 resource "aws_iam_role_policy" "firehose" {
   name = %[1]q
   role = aws_iam_role.firehose.id
@@ -232,9 +227,9 @@ EOF
 resource "aws_kinesis_firehose_delivery_stream" "test" {
   depends_on  = [aws_iam_role_policy.firehose]
   name        = %[1]q
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose.arn
     bucket_arn = aws_s3_bucket.bucket.arn
   }

diff --git a/internal/service/connect/instance_storage_config_test.go b/internal/service/connect/instance_storage_config_test.go
@@ -610,11 +610,6 @@ resource "aws_s3_bucket" "bucket" {
   bucket = %[1]q
 }
 
-resource "aws_s3_bucket_acl" "test" {
-  bucket = aws_s3_bucket.bucket.id
-  acl    = "private"
-}
-
 resource "aws_iam_role_policy" "firehose" {
   name = %[1]q
   role = aws_iam_role.firehose.id
@@ -678,9 +673,9 @@ locals {
 resource "aws_kinesis_firehose_delivery_stream" "test" {
   depends_on  = [aws_iam_role_policy.firehose]
   name        = %[1]q
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose.arn
     bucket_arn = aws_s3_bucket.bucket.arn
   }
@@ -689,9 +684,9 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
 resource "aws_kinesis_firehose_delivery_stream" "test2" {
   depends_on  = [aws_iam_role_policy.firehose]
   name        = %[2]q
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose.arn
     bucket_arn = aws_s3_bucket.bucket.arn
   }

diff --git a/internal/service/ec2/vpc_endpoint.go b/internal/service/ec2/vpc_endpoint.go
@@ -87,6 +87,10 @@ func ResourceVPCEndpoint() *schema.Resource {
 							Optional:     true,
 							ValidateFunc: validation.StringInSlice(ec2.DnsRecordIpType_Values(), false),
 						},
+						"private_dns_only_for_inbound_resolver_endpoint": {
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
 					},
 				},
 			},
@@ -209,7 +213,7 @@ func resourceVPCEndpointCreate(ctx context.Context, d *schema.ResourceData, meta
 		policy, err := structure.NormalizeJsonString(v)
 
 		if err != nil {
-			return sdkdiag.AppendErrorf(diags, "policy contains invalid JSON: %s", err)
+			return sdkdiag.AppendFromErr(diags, err)
 		}
 
 		input.PolicyDocument = aws.String(policy)
@@ -244,12 +248,12 @@ func resourceVPCEndpointCreate(ctx context.Context, d *schema.ResourceData, meta
 
 	if d.Get("auto_accept").(bool) && aws.StringValue(vpce.State) == vpcEndpointStatePendingAcceptance {
 		if err := vpcEndpointAccept(ctx, conn, d.Id(), aws.StringValue(vpce.ServiceName), d.Timeout(schema.TimeoutCreate)); err != nil {
-			return sdkdiag.AppendErrorf(diags, "creating EC2 VPC Endpoint (%s): %s", serviceName, err)
+			return sdkdiag.AppendFromErr(diags, err)
 		}
 	}
 
 	if _, err = WaitVPCEndpointAvailable(ctx, conn, d.Id(), d.Timeout(schema.TimeoutCreate)); err != nil {
-		return sdkdiag.AppendErrorf(diags, "creating EC2 VPC Endpoint (%s): waiting for completion: %s", serviceName, err)
+		return sdkdiag.AppendErrorf(diags, "waiting for EC2 VPC Endpoint (%s) create: %s", serviceName, err)
 	}
 
 	// For partitions not supporting tag-on-create, attempt tag after create.
@@ -293,7 +297,6 @@ func resourceVPCEndpointRead(ctx context.Context, d *schema.ResourceData, meta i
 		Resource:  fmt.Sprintf("vpc-endpoint/%s", d.Id()),
 	}.String()
 	serviceName := aws.StringValue(vpce.ServiceName)
-
 	d.Set("arn", arn)
 	if err := d.Set("dns_entry", flattenDNSEntries(vpce.DnsEntries)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting dns_entry: %s", err)
@@ -337,13 +340,13 @@ func resourceVPCEndpointRead(ctx context.Context, d *schema.ResourceData, meta i
 	policyToSet, err := verify.SecondJSONUnlessEquivalent(d.Get("policy").(string), aws.StringValue(vpce.PolicyDocument))
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "while setting policy (%s), encountered: %s", policyToSet, err)
+		return sdkdiag.AppendFromErr(diags, err)
 	}
 
 	policyToSet, err = structure.NormalizeJsonString(policyToSet)
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "policy (%s) is invalid JSON: %s", policyToSet, err)
+		return sdkdiag.AppendFromErr(diags, err)
 	}
 
 	d.Set("policy", policyToSet)
@@ -359,18 +362,25 @@ func resourceVPCEndpointUpdate(ctx context.Context, d *schema.ResourceData, meta
 
 	if d.HasChange("auto_accept") && d.Get("auto_accept").(bool) && d.Get("state").(string) == vpcEndpointStatePendingAcceptance {
 		if err := vpcEndpointAccept(ctx, conn, d.Id(), d.Get("service_name").(string), d.Timeout(schema.TimeoutUpdate)); err != nil {
-			return sdkdiag.AppendErrorf(diags, "updating EC2 VPC Endpoint (%s): %s", d.Get("service_name").(string), err)
+			return sdkdiag.AppendFromErr(diags, err)
 		}
 	}
 
 	if d.HasChanges("dns_options", "ip_address_type", "policy", "private_dns_enabled", "security_group_ids", "route_table_ids", "subnet_ids") {
+		privateDNSEnabled := d.Get("private_dns_enabled").(bool)
 		input := &ec2.ModifyVpcEndpointInput{
 			VpcEndpointId: aws.String(d.Id()),
 		}
 
 		if d.HasChange("dns_options") {
 			if v, ok := d.GetOk("dns_options"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
-				input.DnsOptions = expandDNSOptionsSpecification(v.([]interface{})[0].(map[string]interface{}))
+				tfMap := v.([]interface{})[0].(map[string]interface{})
+				apiObject := expandDNSOptionsSpecification(tfMap)
+				if privateDNSEnabled {
+					// Always send PrivateDnsOnlyForInboundResolverEndpoint on update.
+					apiObject.PrivateDnsOnlyForInboundResolverEndpoint = aws.Bool(tfMap["private_dns_only_for_inbound_resolver_endpoint"].(bool))
+				}
+				input.DnsOptions = apiObject
 			}
 		}
 
@@ -379,7 +389,7 @@ func resourceVPCEndpointUpdate(ctx context.Context, d *schema.ResourceData, meta
 		}
 
 		if d.HasChange("private_dns_enabled") {
-			input.PrivateDnsEnabled = aws.Bool(d.Get("private_dns_enabled").(bool))
+			input.PrivateDnsEnabled = aws.Bool(privateDNSEnabled)
 		}
 
 		input.AddRouteTableIds, input.RemoveRouteTableIds = flattenAddAndRemoveStringLists(d, "route_table_ids")
@@ -393,7 +403,7 @@ func resourceVPCEndpointUpdate(ctx context.Context, d *schema.ResourceData, meta
 				policy, err := structure.NormalizeJsonString(d.Get("policy"))
 
 				if err != nil {
-					return sdkdiag.AppendErrorf(diags, "policy contains invalid JSON: %s", err)
+					return sdkdiag.AppendFromErr(diags, err)
 				}
 
 				if policy == "" {
@@ -482,6 +492,10 @@ func expandDNSOptionsSpecification(tfMap map[string]interface{}) *ec2.DnsOptions
 		apiObject.DnsRecordIpType = aws.String(v)
 	}
 
+	if v, ok := tfMap["private_dns_only_for_inbound_resolver_endpoint"].(bool); ok && v {
+		apiObject.PrivateDnsOnlyForInboundResolverEndpoint = aws.Bool(v)
+	}
+
 	return apiObject
 }
 
@@ -532,6 +546,10 @@ func flattenDNSOptions(apiObject *ec2.DnsOptions) map[string]interface{} {
 		tfMap["dns_record_ip_type"] = aws.StringValue(v)
 	}
 
+	if v := apiObject.PrivateDnsOnlyForInboundResolverEndpoint; v != nil {
+		tfMap["private_dns_only_for_inbound_resolver_endpoint"] = aws.BoolValue(v)
+	}
+
 	return tfMap
 }