Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

resource/aws_route53_resolver_dnssec_config - new resource #17012

Merged

Conversation

shuheiktgw
Copy link
Collaborator

@shuheiktgw shuheiktgw commented Jan 7, 2021

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #16837

Release note for CHANGELOG:

* **New Resource:** `aws_route53_resolver_dnssec_config`

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSRoute53ResolverDnssecConfig_*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverDnssecConfig_* -timeout 120m
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_basic
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_basic
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_disappear
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_disappear
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_disappear_VPC
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_disappear_VPC
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_basic
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_disappear_VPC
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_disappear
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_disappear_VPC (159.43s)
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_basic (287.57s)
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_disappear (289.48s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	291.487s

Thank you for your review! 👍

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. provider Pertains to the provider itself, rather than any interaction with AWS. service/route53resolver Issues and PRs that pertain to the route53resolver service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Jan 7, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 7, 2021
@shuheiktgw shuheiktgw force-pushed the add_route53_resolver_dnssec_config branch from 35e004f to d0a3545 Compare January 8, 2021 22:23
@ghost ghost added the documentation Introduces or discusses updates to documentation. label Jan 8, 2021
@shuheiktgw shuheiktgw marked this pull request as ready for review January 8, 2021 22:26
@shuheiktgw shuheiktgw requested a review from a team as a code owner January 8, 2021 22:26
@ewbankkit ewbankkit self-assigned this Jan 11, 2021
log.Printf("[DEBUG] Creating Route53 Resolver DNSSEC config: %#v", req)
resp, err := conn.UpdateResolverDnssecConfig(req)
if err != nil {
return fmt.Errorf("error creating Route53 Resolver DNSSEC config: %s", err)

This comment was marked as resolved.


vpc, err := vpcDescribe(ec2Conn, d.Id())
if err != nil {
return fmt.Errorf("error getting VPC associated with Route53 Resolver DNSSEC config (%s): %s", d.Id(), err)

This comment was marked as resolved.


raw, state, err := route53ResolverDnssecConfigRefresh(conn, d.Id())()
if err != nil {
return fmt.Errorf("error getting Route53 Resolver DNSSEC config (%s): %s", d.Id(), err)

This comment was marked as resolved.

return nil
}
if err != nil {
return fmt.Errorf("error deleting Route53 Resolver DNSSEC config (%s): %s", d.Id(), err)

This comment was marked as resolved.

MinTimeout: 5 * time.Second,
}
if _, err := stateConf.WaitForState(); err != nil {
return fmt.Errorf("error waiting for Route53 Resolver DNSSEC config (%s) to reach target state: %s", id, err)

This comment was marked as resolved.

@ewbankkit
Copy link
Contributor

@shuheiktgw Thanks for the contribution 👏. Overall it looks great.
I left a few nits on wrapping errors (I think the Error Handling guide was only merged yesterday 😄).

DNSSEC configs seem to have ARNs even though it's not returned in the API. Could you please add a Computed arn attribute (#13624), ensuring that the correct account ID is used: #16978? Thanks.

I need to think about the cross-service call to verify the VPC's existence. I see why it is being used but we usually try and avoid such calls.

@ewbankkit ewbankkit added thinking new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. provider Pertains to the provider itself, rather than any interaction with AWS. labels Jan 12, 2021
return fmt.Errorf("error creating Route53 Resolver DNSSEC config: %s", err)
}

d.SetId(aws.StringValue(resp.ResolverDNSSECConfig.ResourceId))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use ResolvedDNSSECConfig.Id as that is the actual resource's ID.
Agree that we should use the resource ID on import as that is what users would expect (as this is surfaced per-VPC in the AWS Console).

@ewbankkit
Copy link
Contributor

ewbankkit commented Jan 12, 2021

It seems that you can update a DNSSEC config even if the associated resource (VPC) has been deleted:

$ aws --region us-west-2 route53resolver list-resolver-dnssec-configs
{
    "ResolverDnssecConfigs": [
        {
            "Id": "rdsc-5a4960f0b41d3a5b",
            "OwnerId": "123456789012",
            "ResourceId": "vpc-0f2f5c603499f6c6b",
            "ValidationStatus": "DISABLED"
        },
        {
            "Id": "rdsc-9da58af749336ba",
            "OwnerId": "123456789012",
            "ResourceId": "vpc-0674233a9456aba43",
            "ValidationStatus": "DISABLED"
        },
        {
            "Id": "rdsc-be1866ecc1683e95",
            "OwnerId": "123456789012",
            "ResourceId": "vpc-0f993cbbf558be638",
            "ValidationStatus": "ENABLED"
        },
        {
            "Id": "rdsc-ca0760426d4a326b",
            "OwnerId": "123456789012",
            "ResourceId": "vpc-09925a270fdbb4206",
            "ValidationStatus": "ENABLED"
        }
    ]
}
$ aws --region us-west-2 route53resolver update-resolver-dnssec-config --resource-id "vpc-0f993cbbf558be638" --validation DISABLE
{
    "ResolverDNSSECConfig": {
        "Id": "rdsc-be1866ecc1683e95",
        "OwnerId": "123456789012",
        "ResourceId": "vpc-0f993cbbf558be638",
        "ValidationStatus": "DISABLING"
    }
}

I suggest moving the route53ResolverDnssecConfigRefresh and route53ResolverDnssecConfigWait functionality into ResolverDnssecConfigByID in aws/internal/service/route53resolver/finder/finder.go, DnssecConfigValidationStatus in aws/internal/service/route53resolver/waiter/status.go and DnssecConfigEnabled and DnssecConfigDisabled in aws/internal/service/route53resolver/waiter/waiter.go.
ResolverDnssecConfigByID should use the ListResolverDnssecConfigs method (which unfortunately doesn't seem to support any filters yet even though there's a field in the API) and find the DNSSEC config for the ID (as discussed above). Add a comment noting why we can't use GetResolverDnssecConfig. This will eliminate the need for the EC2 API call.

@ghost ghost added the provider Pertains to the provider itself, rather than any interaction with AWS. label Jan 12, 2021
@shuheiktgw shuheiktgw force-pushed the add_route53_resolver_dnssec_config branch from 06930aa to b2a8f22 Compare January 14, 2021 00:03
@shuheiktgw shuheiktgw force-pushed the add_route53_resolver_dnssec_config branch from b2a8f22 to e22f485 Compare January 14, 2021 00:22
@shuheiktgw
Copy link
Collaborator Author

@ewbankkit Thank you for your review! I believe I fixed them up so would you review the PR again? 🙏

Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRoute53ResolverDnssecConfig_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverDnssecConfig_ -timeout 120m
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_basic
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_basic
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_disappear
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_disappear
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_basic
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_disappear
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_disappear (397.50s)
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_basic (399.44s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	399.527s

@breathingdust
Copy link
Member

LGTM 🚀 Thanks @shuheiktgw!

Verified Acceptance Tests in Commercial (us-west-2)

make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRoute53ResolverDnssecConfig_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverDnssecConfig_ -timeout 120m
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_basic
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_basic
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_disappear
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_disappear
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_basic
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_disappear
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_disappear (380.47s)
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_basic (393.46s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	395.145s

Verified Acceptance Tests in GovCloud (us-gov-west-1)

make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRoute53ResolverDnssecConfig_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSRoute53ResolverDnssecConfig_ -timeout 120m
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_basic
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_basic
=== RUN   TestAccAWSRoute53ResolverDnssecConfig_disappear
=== PAUSE TestAccAWSRoute53ResolverDnssecConfig_disappear
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_basic
=== CONT  TestAccAWSRoute53ResolverDnssecConfig_disappear
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_disappear (121.67s)
--- PASS: TestAccAWSRoute53ResolverDnssecConfig_basic (123.07s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	124.742s

@breathingdust breathingdust merged commit 60dac14 into hashicorp:master Jan 14, 2021
@github-actions github-actions bot added this to the v3.24.0 milestone Jan 14, 2021
breathingdust added a commit that referenced this pull request Jan 14, 2021
@shuheiktgw shuheiktgw deleted the add_route53_resolver_dnssec_config branch January 14, 2021 22:24
@shuheiktgw
Copy link
Collaborator Author

Thank you all for your review!

@ghost
Copy link

ghost commented Jan 15, 2021

This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Feb 13, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 13, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. new-resource Introduces a new resource. provider Pertains to the provider itself, rather than any interaction with AWS. service/route53resolver Issues and PRs that pertain to the route53resolver service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support for Route 53 Resolver DNSSEC validation
3 participants