-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNS: Fixed the password-protected HTTPS endpoints autoconfirm #861
Conversation
Hey @Ninir how do we stand here, is this something you think you'll be able to wrap up? |
Hey @catsby |
49e5ca4
to
9f7d419
Compare
Here it is! I was able to work with a custom VM using custom code with htpasswd, to replicate this change. In order to test basic auth, AWS forces you to use https. Thus, I think we could probably set up a testacc using CloudFront pointing to an ELB with a VM... @radeksimko To better explain why I didn't implement DiffSuppressFunc: Response sns/ListSubscriptionsByTopic Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
-----------------------------------------------------
<ListSubscriptionsByTopicResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
<ListSubscriptionsByTopicResult>
<Subscriptions>
<member>
<Owner>123456789643</Owner>
<Endpoint>https://myuser:****@mydomain.com</Endpoint>
<Protocol>https</Protocol>
<SubscriptionArn>arn:aws:sns:eu-west-1:123456789643:terraform-test-topic:ed16f123-61e3-4cbe-a9er-hzv9fz8vh</SubscriptionArn>
<TopicArn>arn:aws:sns:eu-west-1:123456789643:terraform-test-topic</TopicArn>
</member>
</Subscriptions>
</ListSubscriptionsByTopicResult>
</ListSubscriptionsByTopicResponse> When the Read function is then called, Response sns/GetSubscriptionAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
-----------------------------------------------------
<GetSubscriptionAttributesResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
<GetSubscriptionAttributesResult>
<Attributes>
<entry>
<key>Owner</key>
<value>123456789643</value>
</entry>
<entry>
<key>RawMessageDelivery</key>
<value>false</value>
</entry>
<entry>
<key>TopicArn</key>
<value>arn:aws:sns:eu-west-1:123456789643:terraform-test-topic</value>
</entry>
<entry>
<key>Endpoint</key>
<value>https://myuser:[email protected]</value>
</entry>
<entry>
<key>EffectiveDeliveryPolicy</key>
<value>{"healthyRetryPolicy":{"minDelayTarget":20,"maxDelayTarget":20,"numRetries":3,"numMaxDelayRetries":0,"numNoDelayRetries":0,"numMinDelayRetries":0,"backoffFunction":"linear"},"sicklyRetryPolicy":null,"throttlePolicy":null,"guaranteed":false}</value>
</entry>
<entry>
<key>Protocol</key>
<value>https</value>
</entry>
<entry>
<key>ConfirmationWasAuthenticated</key>
<value>false</value>
</entry>
<entry>
<key>SubscriptionArn</key>
<value>arn:aws:sns:eu-west-1:123456789643:terraform-test-topic:ed16f123-61e3-4cbe-a9er-hzv9fz8vh</value>
</entry>
</Attributes>
</GetSubscriptionAttributesResult>
</GetSubscriptionAttributesResponse> In the end, the endpoint stored in the state is the correct one, and no diff is exposed. |
9f7d419
to
57e2ec9
Compare
Can't we just use the API Gateway + Lambda? Booting a VM for this purpose feels a bit heavy.
I see, so we only do this |
@radeksimko Well, I tried to build a Basic-protected API Gateway using API Gateway + a custom Authorizer (Lambda). Everything works as expected using the cli, but I can't get the subscription to pass it. Not sure what is issuing here... If you want, we can discuss it, and I can provide all the work i've made. |
@Ninir I built a few API Gateway integrations in the past using Terraform, none of them used custom authorizer, but I'm confident we can build it. Just ping me on Slack and/or share the config with me when you have a moment, I'm happy to pair up on this.
I'd prefer to have this covered by a test. |
57e2ec9
to
a615648
Compare
Using API GW+Lambda+SNS is the easiest way to test things, indeed. As discussed on Slack, it was not possible to set-up an acc test until we could specify headers on responses returned by API Gw. Here is what SNS does when requesting a HTTPS password-protected endpoint, like
The actual code is written in NodeJS, but could probably be rewritten in Python. @radeksimko Does it really matter? Also, here are the test results: $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSSNSTopicSubscription_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSSNSTopicSubscription_ -timeout 120m
=== RUN TestAccAWSSNSTopicSubscription_importBasic
--- PASS: TestAccAWSSNSTopicSubscription_importBasic (16.05s)
=== RUN TestAccAWSSNSTopicSubscription_basic
--- PASS: TestAccAWSSNSTopicSubscription_basic (14.39s)
=== RUN TestAccAWSSNSTopicSubscription_autoConfirmingEndpoint
--- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingEndpoint (40.12s)
=== RUN TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint
--- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (66.68s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 137.276s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now looking good with the exception of one tiny issue which is causing the acceptance test to fail in our environment.
Regions... 🤷♂️ 😃
resource "aws_api_gateway_authorizer" "test" { | ||
name = "tf-acc-test-api-gw-authorizer-%d" | ||
rest_api_id = "${aws_api_gateway_rest_api.test.id}" | ||
authorizer_uri = "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mind changing this to
${aws_lambda_function.authorizer.invoke_arn}
? That will make it a bit easier to read and (more importantly) make it work in us-west-2
region which we use for acceptance tests 😉
It doesn't matter at all here in this context, I think. |
Guh... @radeksimko Need holidays! 😄
|
No worries, thanks for all the effort in taking it to the finish line. 👍 😃 |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Description
Hi everyone,
Just suggesting a fix for the SNS autoconfirm for HTTPs endpoints having a Basic authentication.
The suggested change makes the user-defined endpoint obfuscating the password.
Migrated from hashicorp/terraform#9696
Related issues:
TODOs