Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws_flow_log - adding support for sending to S3 #5509

Merged
merged 1 commit into from
Oct 25, 2018
Merged

aws_flow_log - adding support for sending to S3 #5509

merged 1 commit into from
Oct 25, 2018

Conversation

ryandeivert
Copy link
Contributor

@ryandeivert ryandeivert commented Aug 10, 2018

Fixes #5482

Changes proposed in this pull request:

  • Updating aws_flow_log resource for s3 delivery support, also improving schema validation.
  • Adding state migration for aws_flow_log resource from v0 to v1
  • Adding test for aws_flow_log state migration
  • Updating docs for new arguments in aws_flow_log resource
  • Updates to the 1-to-2 upgrade guide for this resource (thanks @ewbankkit)
  • Way better tests from @ewbankkit

Output from acceptance testing (from @ewbankkit):

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSFlowLog_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -parallel 20 -run=TestAccAWSFlowLog_ -timeout 120m
=== RUN   TestAccAWSFlowLog_VPCID
=== PAUSE TestAccAWSFlowLog_VPCID
=== RUN   TestAccAWSFlowLog_SubnetID
--- PASS: TestAccAWSFlowLog_SubnetID (30.24s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs
--- PASS: TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs (24.43s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_S3
--- PASS: TestAccAWSFlowLog_LogDestinationType_S3 (28.18s)
=== CONT  TestAccAWSFlowLog_VPCID
--- PASS: TestAccAWSFlowLog_VPCID (40.73s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	124.117s

@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Aug 10, 2018
Optional: true,
ForceNew: true,
ConflictsWith: []string{"eni_id", "vpc_id"},
"resource_id": &schema.Schema{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be named resource_ids as potentially multiple IDs can be specified?

Copy link
Contributor Author

@ryandeivert ryandeivert Aug 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did this to conform to the AWS cli argument name*, but will make the change

LogGroupName: aws.String(d.Get("log_group_name").(string)),
ResourceIds: []*string{aws.String(resourceId)},
ResourceType: aws.String(resourceType),
ResourceIds: aws.StringSlice(d.Get("resource_id").([]string)),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As resource_id is declared as schema.TypeSet, d.Get("resource_id") is I think of type *schema.Set, so some manipulation is required to pass to aws.StringSlice.


var resourceKey string
if strings.HasPrefix(*fl.ResourceId, "vpc-") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have been thinking of various places this kind of code is used/useful (e.g. I've been thinking about solutions for #26).
Do you think we should add some generic EC2 resource ID parsing function that returns the resource type from the ID (e.g. based on rules here)?

@ewbankkit
Copy link
Contributor

Do we need to consider a diff suppression for the case

resource "aws_flow_log" "foo" {
  log_group_name = "bar"
}

=>

resource "aws_flow_log" "foo" {
  log_destination_type = "cloud-watch-logs"
  log_destination      = "bar"
}

and vice-versa?

},

"vpc_id": &schema.Schema{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing existing attributes will require a deprecation warning and support of the attributes until deprecation.

@radeksimko radeksimko added enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. labels Aug 13, 2018
@ghost ghost added size/L Managed by automation to categorize the size of a PR. labels Aug 13, 2018
@ryandeivert
Copy link
Contributor Author

thanks @ewbankkit I've addressed some of your suggestions. going to take a look at the diff suppression. I'm not sure how to address your suggestion of generic ec2 resource parsing but can look later as well

@ghost ghost added size/L Managed by automation to categorize the size of a PR. labels Aug 14, 2018
@ryandeivert
Copy link
Contributor Author

ryandeivert commented Aug 14, 2018

@ewbankkit I addressed the diff suppression for log destination, do you think I also have to add diff suppression to check if the old format matches the new format.. ie:

old format:

resource "aws_flow_log" "foo" {
  vpc_id = "vpc-foo"
}

vs new format:

resource "aws_flow_log" "foo" {
  resource_ids = ["vpc-foo"]
  resource_type = "VPC"
}

@ewbankkit
Copy link
Contributor

@ryandeivert RE #5509 (comment), don't worry; I was just noodling some thoughts.

@ryandeivert
Copy link
Contributor Author

thanks @ewbankkit - I'm running acceptance tests and fixing some more things. will update soon

@ewbankkit
Copy link
Contributor

Yes, strictly speaking those resource_type diffs should be suppressed also.
The deprecations should get onto the Terraform AWS Provider Version 2 Upgrade Guide also. Not sure where the source for that is.

@ryandeivert
Copy link
Contributor Author

good to know - I'll hunt for it. thanks for the pointers

@mikecook
Copy link

aws/resource_aws_flow_log.go now has conflicts, could you rebase please?

@tomelliff
Copy link
Contributor

Upgrade guide is at website/docs/guides/version-2-upgrade.html.md.

@mikecook
Copy link

@ryandeivert aws/resource_aws_flow_log.go now has conflicts, could you rebase please?

@ryandeivert
Copy link
Contributor Author

hey @mikecook sorry I haven't gotten to touch this in a bit. I have some local changes I hope to get upstream soon and will rebase when I take care of that

@ewbankkit
Copy link
Contributor

@ryandeivert I can help with running acceptance tests when you're ready.

@ryandeivert
Copy link
Contributor Author

thanks @ewbankkit I've actually been running them now, trying to sort out issues. will follow up soon

@uovobw
Copy link

uovobw commented Sep 5, 2018

greetings, this might turn out to be very useful, any way i can help? if not, is there an estimated release date? thanks all for the great work!

@ryandeivert
Copy link
Contributor Author

hi @uovobw I'm going to try to dedicate some time to this later today. I'm having some issues with acceptance tests (thinking related to the diff suppression) so I'll probably just commit what I have and outsource some assistance from someone here. thanks for your patience!

@uovobw
Copy link

uovobw commented Sep 5, 2018

@ryandeivert ok, in the coming days i'll provide what help i can, thanks for the update and for your work.

@AzCii
Copy link

AzCii commented Sep 11, 2018

exactly what i'm looking for :-) any ETA on this?

@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Sep 13, 2018
@vmartin01
Copy link

I'm interested in this as well, VPC Flow Logs through cloudwatch are very costly and would reduce the cost tremendously.

@bflad
Copy link
Contributor

bflad commented Oct 5, 2018

This will get a first review next week. 👍

@bflad bflad self-assigned this Oct 5, 2018
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ryandeivert and @ewbankkit 👋 Thanks for submitting this and thanks everyone for your patience. This took longer to review because there are two sets of changes occurring here with the usage of some more advanced resource functionality (state migrations and customizing the difference). We will keep the feedback loop tight on this going forward.

I'm a little curious why the resource_id and resource_type changes need to be included with the addition of log_destination and log_destination_type arguments? While they help the resource look more like the EC2 API, I'm not sure the change is necessary either. I feel like we can treat those changes separately (or not at all) since they complicate this PR review and are unrelated, but I will defer to the authors if they can adjust given the feedback or would like to treat them separately.

That said, I did find some items below that required me to mark this as breaking-change since it will affect existing configurations, mostly the Read function nil'ing out the old attributes. Resources should continue to have existing attributes available, even after deprecation, so configuration references to those attributes continue working.

Please let me know how you would like to proceed here or if you have any questions regarding any of these items, thanks.

Partition: meta.(*AWSClient).partition,
Region: meta.(*AWSClient).region,
Service: "logs",
AccountID: meta.(*AWSClient).accountid,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For environments that use skip_requesting_account_id this could silently break the configuration.

Partition: meta.(*AWSClient).partition,
Region: meta.(*AWSClient).region,
Service: "logs",
AccountID: meta.(*AWSClient).accountid,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.

Partition: meta.(*AWSClient).partition,
Region: meta.(*AWSClient).region,
Service: "logs",
AccountID: meta.(*AWSClient).accountid,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.

Partition: meta.(*AWSClient).partition,
Region: meta.(*AWSClient).region,
Service: "logs",
AccountID: meta.(*AWSClient).accountid,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.

@@ -18,45 +20,114 @@ func resourceAwsFlowLog() *schema.Resource {
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
CustomizeDiff: resourceAwsLogFlowCustomizeDiff,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noting here that CustomizeDiff is not the most reliable method to work with in Terraform resources. It will silently skip computed values (e.g. Computed attributes from references like aws_vpc.XXX.id). If we can avoid its usage here, I think we should.

d.SetId("")
return nil
}

fl := resp.FlowLogs[0]
d.Set("traffic_type", fl.TrafficType)
d.Set("log_group_name", fl.LogGroupName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to keep this for backwards compatibility. See note below.

}
if resourceKey != "" {
d.Set(resourceKey, fl.ResourceId)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to keep this for backwards compatibility. See note below.

Providers: testAccProviders,
CheckDestroy: testAccCheckFlowLogDestroy,
Steps: []resource.TestStep{
{
Config: testAccFlowLogConfig_basic(rInt),
Config: testAccFlowLogConfig_vpcOldSyntaxCloudWatch(rInt),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.

resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),

resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_vpc.default", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "vpc_id", "aws_vpc.default", "id"),

@@ -68,16 +104,152 @@ func TestAccAWSFlowLog_subnet(t *testing.T) {
CheckDestroy: testAccCheckFlowLogDestroy,
Steps: []resource.TestStep{
{
Config: testAccFlowLogConfig_subnet(rInt),
Config: testAccFlowLogConfig_subnetOldSyntaxCloudWatch(rInt),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here -- especially for configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.

resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_subnet.test_subnet", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "subnet_id", "aws_subnet.test_subnet", "id"),

CheckDestroy: testAccCheckFlowLogDestroy,
Steps: []resource.TestStep{
{
Config: testAccFlowLogConfig_eniOldSyntaxCloudWatch(rInt),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here -- especially for configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.

resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "eni_id", "aws_network_interface.test_eni", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_network_interface.test_eni", "id"),

@bflad bflad added waiting-response Maintainers are waiting on response from community or contributor. breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. labels Oct 15, 2018
@bflad
Copy link
Contributor

bflad commented Oct 15, 2018

For a sample of the minimum required changes to support S3 logging, please see: https://github.com/terraform-providers/terraform-provider-aws/compare/f-aws_flow_log-log_destination?expand=1

@ewbankkit
Copy link
Contributor

@bflad Agreed that the currently proposed changes are large and a more lightweight approach may be more appropriate to land this much-requested feature as soon as makes sense.
The proposed alternative changes look sensible.
I'll let @ryandeivert make the call as he's the owner of the PR.

@ryandeivert
Copy link
Contributor Author

@bflad / @ewbankkit I'm more than happy with a more minimal approach to this. would you suggest that I modify this PR or open a new one with those changes?

@bflad
Copy link
Contributor

bflad commented Oct 19, 2018

@ryandeivert I'll leave that up to you, but I'm sure folks here would probably appreciate whatever is quickest -- you can steal any of my branch if you wish or you/I can just create a new PR 😄

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. and removed size/XXL Managed by automation to categorize the size of a PR. labels Oct 19, 2018
* Add `log_destination` and `log_destination_type` arguments
* Deprecate `log_group_name` and conflict it with `log_destination`
* Mark `iam_role_arn` as Optional

```
$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSFlowLog_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSFlowLog_ -timeout 120m
=== RUN   TestAccAWSFlowLog_VPCID
--- PASS: TestAccAWSFlowLog_VPCID (75.46s)
=== RUN   TestAccAWSFlowLog_SubnetID
--- PASS: TestAccAWSFlowLog_SubnetID (28.62s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs
--- PASS: TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs (28.68s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_S3
--- PASS: TestAccAWSFlowLog_LogDestinationType_S3 (153.81s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	287.945s
```
@ryandeivert
Copy link
Contributor Author

thanks @bflad I just reset my commits here and cherry picked your commit. output of acceptance tests:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSFlowLog_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -parallel 20 -run=TestAccAWSFlowLog_ -timeout 120m
=== RUN   TestAccAWSFlowLog_VPCID
=== PAUSE TestAccAWSFlowLog_VPCID
=== RUN   TestAccAWSFlowLog_SubnetID
--- PASS: TestAccAWSFlowLog_SubnetID (30.24s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs
--- PASS: TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs (24.43s)
=== RUN   TestAccAWSFlowLog_LogDestinationType_S3
--- PASS: TestAccAWSFlowLog_LogDestinationType_S3 (28.18s)
=== CONT  TestAccAWSFlowLog_VPCID
--- PASS: TestAccAWSFlowLog_VPCID (40.73s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	124.117s

@bflad bflad removed breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. waiting-response Maintainers are waiting on response from community or contributor. labels Oct 24, 2018
@bflad bflad added this to the v1.42.0 milestone Oct 25, 2018
@bflad bflad merged commit 18aa08b into hashicorp:master Oct 25, 2018
bflad added a commit that referenced this pull request Oct 25, 2018
@amine250
Copy link

Hi, when can we expect a Terraform release that's having this change?

@bflad
Copy link
Contributor

bflad commented Oct 29, 2018

@amine250 we typically release on Wednesdays, see also: https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md

@bflad
Copy link
Contributor

bflad commented Nov 1, 2018

This has been released in version 1.42.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@amine250
Copy link

amine250 commented Nov 6, 2018

How can I make use of a aws_flow_log that logs on S3 inside a aws_subnet resource?
I have multiple subnets like:

resource "aws_subnet" "webapp" {
  availability_zone = "${data.aws_region.current.name}a"
  tags {
    Name               = "MyWebAppSubnetName"
  }
}

Shouldn't there be an argument for aws_subnet such as :

resource "aws_subnet" "webapp" {
  flow_logs {
    log_destination      = "${aws_s3_bucket.example.arn}"
    log_destination_type = "s3"
    traffic_type         = "ALL"
    vpc_id               = "${aws_vpc.example.id}"
  }
}

@tomelliff
Copy link
Contributor

@amine250 What makes you think it should be a configuration option on the aws_subnet resource instead of just being created in the aws_flow_log resource?

@amine250
Copy link

@tomelliff I'm new to Terraform so I could be saying BS.
Would you please show me a working example? Thanks.

@tomelliff
Copy link
Contributor

flow_logs isn't a parameter for the aws_subnet resource. If you want to add a flow log for a subnet then you should use the aws_flow_log resource and specify a subnet_id to point to your subnet.

If you're running into issues with that then you should raise a separate issue rather than reply to this pull request which added the S3 support for the aws_flow_log resource.

@amine250
Copy link

amine250 commented Nov 13, 2018

@tomelliff I think we are missing an attribute to specify S3 prefix for an aws_flow_log resource.

@ghost
Copy link

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws_flow_log - add support for sending to S3