HVN routes support (#139)

* HCCP-91 HVN route resource (#122) * added create, scaffolded read and delete for hvn route resource * Adds delete for HVN route resource * Adds hvn route import function * Handle both peering and tgw attachment resource types in HVN route resources * Regenerate docs, add example s for hvn route resource * Re-run go generate after adding example * ACreate hvn route function checks for target existence before proceeding * Add peering to example for hvn route, regenerate docs * Resolves comments - better logging and commenting for HVN route resource * removed unnecessary validation * removed todos * removed tgw attachment from hvn route example * added examples of the hvn route target * moved hvn route creation into clients * simplified parsing target_link for the hvn route resource * dropped checking for hvn route existance * fixed hvn routes import * gofmt hvn_route.go * redo hvn route import to use route ID * go mod tidy * redo hvn route datasource to use route ID * renamed hvn -> hvn_link * refactored WaitForHVNRouteToBeActive * unified hvn route errors/logs * small refactoring * improved logs * messages improvements * regenarated docs * HCCP-138 breaking changes for Peering and TGW attachment (#128) * HCCP-138 required id and removed cidr from peering * HCCP-138 fixed tgw-attachment resource import * HCCP-138 removed cidrs from tgw-attachment * bonus: drop deleted guide example * update peering examples in guides * HVN route migration guide (#129) * add note to changelog * update readme * add hvn route migration guide * id -> ID * bonus: fix error typo * go gen * add context to HVN route intro * update link in banner to registry migration guide * update changelog * update version in examples * add warning banner to hvn route doc * added handling 404 when deleting hvn route (#137) * HCCP-184 acceptance tests for HVN route, TGW attachment and network peering (#130) * HCCP-184 added acceptance tests for HVN route resource * HCCP-184 added acceptance tests for TGW attachment resource * HCCP-184 added acceptance tests for network peering resource * HCCP-138 added clarification about AWS credentials * HCCP-184 renamed tgw attachment acceptance test resource * HCCP-184 improved tests doc * HCCP-184 fixed test after rebasing * added dedicated timeout for hvn route delete (#138) Co-authored-by: Ti Zhang <[email protected]> Co-authored-by: Anton Panferov <[email protected]> Co-authored-by: Brenna Hewer-Darroch <[email protected]>
hashicorp · Jun 7, 2021 · 19f14ca · 19f14ca
1 parent 7304bc1
commit 19f14ca
Show file tree

Hide file tree

Showing 52 changed files with 1,747 additions and 195 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 0.7.0 (Unreleased)
+
+⚠️ Note: This version contains breaking changes to the `hcp_aws_transit_gateway_attachment` and `hcp_aws_network_peering` resources and data sources. Please pin to the previous version and follow [this migration guide](https://github.com/hashicorp/terraform-provider-hcp/pull/128) when you're ready to migrate. ⚠️
+
+FEATURES:
+* **New resource** `hcp_hvn_route` (#122)
+
+IMPROVEMENTS:
+* resource/hcp_aws_transit_gateway_attachment: released as Generally Available (#121)
+
+BREAKING CHANGES:
+* resource/hcp_aws_network_peering: now requires `peering_id` to be specified and doesn't accept `peer_vpc_cidr_block` as input (#128)
+* datasource/hcp_aws_network_peering: no longer returns `peer_vpc_cidr_block` as output (#128)
+* resource/hcp_aws_transit_gateway_attachment: doesn't accept `destination_cidrs` as input (#128)
+* datasource/hcp_aws_transit_gateway_attachment: no longer returns `destination_cidrs` as output (#128)
+
 ## 0.6.1 (June 03, 2021)
 
 IMPROVEMENTS:

diff --git a/README.md b/README.md
@@ -61,7 +61,14 @@ resource "hcp_aws_network_peering" "example" {
   peer_vpc_id         = aws_vpc.peer.id
   peer_account_id     = aws_vpc.peer.owner_id
   peer_vpc_region     = "us-west-2"
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block.
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = "peer-route-id"
+  destination_cidr = aws_vpc.peer.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Accept the VPC peering within your AWS account.

diff --git a/contributing/writing-tests.md b/contributing/writing-tests.md
@@ -30,6 +30,18 @@ export HCP_CLIENT_ID=...
 export HCP_CLIENT_SECRET=...
 ```
 
+For some tests AWS credentials are also required in order to create "customer"
+resources for testing certain HCP features (network peerings and TGW attachments):
+
+```sh
+export AWS_ACCESS_KEY_ID=...
+export AWS_SECRET_ACCESS_KEY=...
+export AWS_SESSION_TOKEN=...
+```
+
+**Note for HCP developers**: this AWS account **MUST NOT** be the same AWS account that is being used by
+your HCP organization (dataplane) otherwise tests would fail.
+
 Tests can then be run by specifying a regular expression defining the tests to run:
 
 ```sh

diff --git a/docs/data-sources/aws_network_peering.md b/docs/data-sources/aws_network_peering.md
@@ -38,7 +38,6 @@ data "hcp_aws_network_peering" "test" {
 - **expires_at** (String) The time after which the network peering will be considered expired if it hasn't transitioned into `ACCEPTED` or `ACTIVE` state.
 - **organization_id** (String) The ID of the HCP organization where the network peering is located. Always matches the HVN's organization.
 - **peer_account_id** (String) The account ID of the peer VPC in AWS.
-- **peer_vpc_cidr_block** (String) The CIDR range of the peer VPC in AWS.
 - **peer_vpc_id** (String) The ID of the peer VPC in AWS.
 - **peer_vpc_region** (String) The region of the peer VPC in AWS.
 - **project_id** (String) The ID of the HCP project where the network peering is located. Always matches the HVN's project.

diff --git a/docs/data-sources/aws_transit_gateway_attachment.md b/docs/data-sources/aws_transit_gateway_attachment.md
@@ -36,7 +36,6 @@ data "hcp_aws_transit_gateway_attachment" "test" {
 ### Read-Only
 
 - **created_at** (String) The time that the transit gateway attachment was created.
-- **destination_cidrs** (List of String) The list of associated CIDR ranges. Traffic from these CIDRs will be allowed for all resources in the HVN. Traffic to these CIDRs will be routed into this transit gateway attachment.
 - **expires_at** (String) The time after which the transit gateway attachment will be considered expired if it hasn't transitioned into `ACCEPTED` or `ACTIVE` state.
 - **organization_id** (String) The ID of the HCP organization where the transit gateway attachment is located. Always matches the HVN's organization.
 - **project_id** (String) The ID of the HCP project where the transit gateway attachment is located. Always matches the HVN's project.

diff --git a/docs/data-sources/hvn_route.md b/docs/data-sources/hvn_route.md
@@ -15,8 +15,8 @@ The HVN route data source provides information about an existing HVN route.
 
 ```terraform
 data "hcp_hvn_route" "example" {
-  hvn              = var.hvn
-  destination_cidr = var.destination_cidr
+  hvn_link         = var.hvn_link
+  destination_cidr = var.hvn_route_id
 }
 ```
 
@@ -25,8 +25,8 @@ data "hcp_hvn_route" "example" {
 
 ### Required
 
-- **destination_cidr** (String) The destination CIDR of the HVN route
-- **hvn** (String) The `self_link` of the HashiCorp Virtual Network (HVN).
+- **hvn_link** (String) The `self_link` of the HashiCorp Virtual Network (HVN).
+- **hvn_route_id** (String) The ID of the HVN route.
 
 ### Optional
 
@@ -36,6 +36,7 @@ data "hcp_hvn_route" "example" {
 ### Read-Only
 
 - **created_at** (String) The time that the HVN route was created.
+- **destination_cidr** (String) The destination CIDR of the HVN route.
 - **self_link** (String) A unique URL identifying the HVN route.
 - **state** (String) The state of the HVN route.
 - **target_link** (String) A unique URL identifying the target of the HVN route.

diff --git a/docs/guides/hvn-route-migration-guide.md b/docs/guides/hvn-route-migration-guide.md
@@ -0,0 +1,162 @@
+---
+subcategory: ""
+page_title: "HVN Route Migration Guide - HCP Provider"
+description: |-
+    An guide to migrating HCP networking resources to use HVN routes.
+---
+
+# Introducing HVN routes
+
+The HVN route is a new resource that belongs to an HVN. It contains a CIDR block and targets a networking connection: 
+either a peering or transit gateway attachment.
+
+HVN routes provide a general view on how an HVN's traffic is routed across all networking connections and create a flexible way of managing these routing rules.
+
+## Migrating existing peerings and transit gateway attachments
+
+There are two ways to migrate existing peerings and transit gateway attachments managed by Terraform:
+
+ 1. Recreate Resources with Updated Schema
+    * This option is quicker but will result in downtime and possible data loss. Best for test environments. Will allow you to specify human-readable ids for the resources.
+    * Comment out all `hcp_aws_network_peering` and `hcp_aws_transit_gateway_attachment` resources.
+    * Run `terraform apply` to destroy currently existing connections.
+    * Uncomment and update all `hcp_aws_network_peering` and `hcp_aws_transit_gateway_attachment` resource definitions to match the new schema. 
+    * Add corresponding `hcp_hvn_route` resources for each CIDR targeting corresponding peering connections or transit gateway attachment.
+    * Run `terraform apply` to recreate connections.
+
+ 2. Re-Import with Updated Syntax:
+    * This option allows you to avoid downtime or data loss.
+    * Update any `hcp_aws_network_peering` and `hcp_aws_transit_gateway_attachment` resource definitions to match the new schema. All values needed can be found on the details pages of Peerings and TGW attachment in the HCP Portal.
+    * Add corresponding `hcp_hvn_route` resources for each CIDR targeting corresponding peering connections or transit gateway attachments.
+    * Run `terraform import hcp_hvn_route.<route-name> <hvn-id>:<hvn-route-id>` for each `hcp_hvn_route`. The `<hvn-route-id>` can be found on the details pages of the corresponding HVN connection in the HCP Portal.
+    * Run `terraform plan` and make sure that there are no changes detected by the Terraform.
+
+The examples below walk through the schema upgrade and re-import steps.
+
+### Peering example
+
+Given:
+```terraform
+resource "hcp_hvn" "hvn" {
+  hvn_id         = "prod-hvn"
+  region         = "us-west-2"
+  cloud_provider = "aws"
+}
+
+resource "hcp_aws_network_peering" "peering" {
+  hvn_id              = hcp_hvn.hvn.hvn_id
+  peer_vpc_id         = "vpc-845f29fc"
+  peer_account_id     = "572816266891"
+  peer_vpc_region     = "us-west-2"
+  peer_vpc_cidr_block = "172.31.0.0/16"
+}
+```
+
+Rewrite it to the new schema and add corresponding HVN route:
+```terraform
+resource "hcp_hvn" "hvn" {
+  hvn_id         = "prod-hvn"
+  region         = "us-west-2"
+  cloud_provider = "aws"
+}
+
+resource "hcp_aws_network_peering" "peering" {
+  hvn_id = hcp_hvn.hvn.hvn_id
+  // add `peering_id` that you can find in the HCP Portal
+  peering_id      = "f03324a9-4377-4a54-9c15-958fd07ad77b"
+  peer_vpc_id     = "vpc-845f29fc"
+  peer_account_id = "572816266891"
+  peer_vpc_region = "us-west-2"
+  // remove `peer_vpc_cidr_block`
+  // peer_vpc_cidr_block = "172.31.0.0/16"
+}
+
+// Add a `hcp_hvn_route` resource for the peering's CIDR
+resource "hcp_hvn_route" "peering-route" {
+  hvn_link = hcp_hvn.hvn.self_link
+  // you can find this ID in the HCP Portal in the peering details page in the list of routes
+  hvn_route_id     = "a8dda9a8-0f69-4fa0-b38c-55be302fdddb"
+  destination_cidr = "172.31.0.0/16"
+  target_link      = hcp_aws_network_peering.peering.self_link
+}
+```
+
+Run `import` for the `hcp_hvn_route`:
+```shell
+$ terraform import hcp_hvn_route.peering-route prod-hvn:a8dda9a8-0f69-4fa0-b38c-55be302fdddb
+```
+
+Run `terraform plan` to make sure there are no changes detected by the Terraform:
+```shell
+$ terraform plan
+No changes. Infrastructure is up-to-date.
+```
+
+### Transit gateway attachment example
+
+Given:
+```terraform
+resource "hcp_hvn" "hvn" {
+  hvn_id         = "prod-hvn"
+  region         = "us-west-2"
+  cloud_provider = "aws"
+}
+
+resource "hcp_aws_transit_gateway_attachment" "prod" {
+  hvn_id                        = hcp_hvn.hvn.hvn_id
+  transit_gateway_attachment_id = "prod-tgw-attachment"
+  transit_gateway_id            = "tgw-0ee94b1a1167cf89d"
+  resource_share_arn            = "arn:aws:ram:us-west-2:..."
+  destination_cidrs             = ["10.1.0.0/24", "10.2.0.0/24"]
+}
+```
+
+Rewrite it to the new schema and add corresponding HVN route:
+```terraform
+resource "hcp_hvn" "hvn" {
+  hvn_id         = "prod-hvn"
+  region         = "us-west-2"
+  cloud_provider = "aws"
+}
+
+resource "hcp_aws_transit_gateway_attachment" "prod" {
+  hvn_id                        = hcp_hvn.hvn.hvn_id
+  transit_gateway_attachment_id = "prod-tgw-attachment"
+  transit_gateway_id            = "tgw-0ee94b1a1167cf89d"
+  resource_share_arn            = "arn:aws:ram:us-west-2:..."
+  // remove `destination_cidrs`
+  // destination_cidrs             = ["10.1.0.0/24", "10.2.0.0/24"]
+}
+
+// add a new `hcp_hvn_route` for each CIDR associated with the transit gateway attachment
+resource "hcp_hvn_route" "tgw-route-1" {
+  hvn_link = hcp_hvn.hvn.self_link
+  // you can find this ID in the HCP Portal in the TGW attachment details page in the list of Routes
+  hvn_route_id     = "35392425-215a-44ec-bbd0-051bb777ce5f"
+  destination_cidr = "10.1.0.0/24"
+  target_link      = hcp_aws_transit_gateway_attachment.prod.self_link
+}
+
+resource "hcp_hvn_route" "tgw-route-2" {
+  hvn_link = hcp_hvn.hvn.self_link
+  // you can find this ID in the HCP Portal in the transit gateway attachment details page in the list of routes
+  hvn_route_id     = "9867959a-d81b-4e52-ae8e-ca56f9dd06fc"
+  destination_cidr = "10.2.0.0/24"
+  target_link      = hcp_aws_transit_gateway_attachment.prod.self_link
+}
+```
+
+Run `import` for each `hcp_hvn_route` you've added:
+```shell
+$ terraform import hcp_hvn_route.tgw-route-1 prod-hvn:35392425-215a-44ec-bbd0-051bb777ce5f
+...
+
+$ terraform import hcp_hvn_route.tgw-route-2 prod-hvn:9867959a-d81b-4e52-ae8e-ca56f9dd06fc
+...
+```
+
+Run `terraform plan` to make sure there are no changes detected by the Terraform:
+```shell
+$ terraform plan
+No changes. Infrastructure is up-to-date.
+```
diff --git a/docs/guides/peering.md b/docs/guides/peering.md
@@ -41,12 +41,19 @@ resource "aws_vpc" "peer" {
 
 // Create an HCP network peering to peer your HVN with your AWS VPC.
 resource "hcp_aws_network_peering" "example" {
-  peering_id          = var.peer_id
-  hvn_id              = hcp_hvn.example.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = var.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+  peering_id      = var.peer_id
+  hvn_id          = hcp_hvn.example.hvn_id
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = var.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = var.route_id
+  destination_cidr = aws_vpc.peer.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Accept the VPC peering within your AWS account.

diff --git a/docs/index.md b/docs/index.md
@@ -9,8 +9,8 @@ description: |-
 
 The HCP provider provides resources to manage [HashiCorp Cloud Platform](https://cloud.hashicorp.com/) (HCP) resources.
 
-~> **Upcoming Migration:** The upcoming release of HVN Routes will include breaking changes that affect `hcp_aws_network_peering` and `hcp_aws_transit_gateway_attachment`. [This PR](https://github.com/hashicorp/terraform-provider-hcp/pull/128) contains a migration guide.
-Please pin to the current version to avoid disruption until you are ready to migrate.
+~> **Upcoming Migration:** The upcoming release of HVN Routes in v0.7.0 will include breaking changes that affect `hcp_aws_network_peering` and `hcp_aws_transit_gateway_attachment`. [This guide](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/guides/hvn-route-migration-guide) walks through how to migrate to the new resource syntax.
+Please pin to the previous version to avoid disruption until you are ready to migrate.
 
 -> **Note:** Please refer to the provider's [Release Notes](https://github.com/hashicorp/terraform-provider-hcp/releases) for critical fixes.
 
@@ -37,7 +37,7 @@ terraform {
   required_providers {
     hcp = {
       source  = "hashicorp/hcp"
-      version = "~> 0.6.0"
+      version = "~> 0.7.0"
     }
   }
 }
@@ -73,12 +73,20 @@ resource "aws_vpc_peering_connection_accepter" "main" {
 }
 
 // Create a network peering between the HVN and the AWS VPC
-resource "hcp_aws_network_peering" "example_peering" {
-  hvn_id              = hcp_hvn.example_hvn.hvn_id
-  peer_vpc_id         = aws_vpc.main.id
-  peer_account_id     = aws_vpc.main.owner_id
-  peer_vpc_region     = data.aws_arn.main.region
-  peer_vpc_cidr_block = aws_vpc.main.cidr_block
+resource "hcp_aws_network_peering" "example" {
+  hvn_id          = hcp_hvn.example_hvn.hvn_id
+  peering_id      = "hcp-tf-example-peering"
+  peer_vpc_id     = aws_vpc.main.id
+  peer_account_id = aws_vpc.main.owner_id
+  peer_vpc_region = data.aws_arn.main.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = "hcp-tf-example-hvn-route"
+  destination_cidr = aws_vpc.main.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Create a Consul cluster in the same region and cloud provider as the HVN

diff --git a/docs/resources/aws_network_peering.md b/docs/resources/aws_network_peering.md
@@ -32,16 +32,23 @@ data "aws_arn" "peer" {
   arn = aws_vpc.peer.arn
 }
 
-resource "hcp_aws_network_peering" "peer" {
-  hvn_id              = hcp_hvn.main.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = data.aws_arn.peer.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+resource "hcp_aws_network_peering" "dev" {
+  hvn_id          = hcp_hvn.main.hvn_id
+  peering_id      = "dev"
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = data.aws_arn.peer.region
+}
+
+resource "hcp_hvn_route" "main-to-dev" {
+  hvn_link         = hcp_hvn.main.self_link
+  hvn_route_id     = "main-to-dev"
+  destination_cidr = "172.31.0.0/16"
+  target_link      = hcp_aws_network_peering.dev.self_link
 }
 
 resource "aws_vpc_peering_connection_accepter" "peer" {
-  vpc_peering_connection_id = hcp_aws_network_peering.peer.provider_peering_id
+  vpc_peering_connection_id = hcp_aws_network_peering.dev.provider_peering_id
   auto_accept               = true
 }
 ```
@@ -53,14 +60,13 @@ resource "aws_vpc_peering_connection_accepter" "peer" {
 
 - **hvn_id** (String) The ID of the HashiCorp Virtual Network (HVN).
 - **peer_account_id** (String) The account ID of the peer VPC in AWS.
-- **peer_vpc_cidr_block** (String) The CIDR range of the peer VPC in AWS.
 - **peer_vpc_id** (String) The ID of the peer VPC in AWS.
 - **peer_vpc_region** (String) The region of the peer VPC in AWS.
+- **peering_id** (String) The ID of the network peering.
 
 ### Optional
 
 - **id** (String) The ID of this resource.
-- **peering_id** (String) The ID of the network peering.
 - **timeouts** (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only