Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix PrivateDnsOnlyForInboundResolverEndpoint for S3 interface endpoints #32355

Conversation

ddericco
Copy link
Contributor

@ddericco ddericco commented Jul 3, 2023

Description

  • This PR adds logic to check against the service_name attribute provided in the resource. If the service_name matches an S3 service name such as com.amazonaws.us-west-2.s3, the CREATE and UPDATE calls will include the PrivateDnsOnlyForInboundResolverEndpoint attribute. Otherwise, this attribute will not be included in the API calls. A new acceptance test is included to cover this use case.
    • Existing acceptance tests cover the scenario of enabling/disabling PrivateDnsOnlyForInboundResolverEndpoint on an interface endpoint resource with an existing gateway endpoint in the same VPC.

References

  • PrivateDnsOnlyForInboundResolverEndpoint is only supported for services that support BOTH gateway and interface endpoints. See: https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/[email protected]/types#DnsOptionsSpecification
  • Amazon S3 is the only service that meets these criteria today - DynamoDB supports gateway endpoints but not interface endpoints, and all other services use interface endpoints.
    • It is possible that DynamoDB could one day add support for interface endpoints, but that does not exist today. It’s also possible that additional services could add gateway endpoint support, but the trend for new AWS services since 2017 has been to rely on interface endpoints.
  • If you don't specify a value for PrivateDnsOnlyForInboundResolverEndpoint when creating an S3 interface endpoint, it will default to true. See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#s3-creating-vpc
  • If you specify a value for PrivateDnsOnlyForInboundResolverEndpoint when creating a non-S3 interface endpoint, it will fail with the error: PrivateDnsOnlyForInboundResolverEndpoint not supported for this service.
    • In other words, the only practical time this attribute should be used is when creating an S3 interface endpoint.

Relations

Closes #30041.
Relates #31117.
Closes #32021.
Relates #31873.

Output from Acceptance Testing

$ make testacc TESTARGS='-run=TestAccVPCEndpoint_' PKG=ec2 ACCTEST_PARALLELISM=2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccVPCEndpoint_ -timeout 180m
=== RUN   TestAccVPCEndpoint_gatewayBasic
=== PAUSE TestAccVPCEndpoint_gatewayBasic
=== RUN   TestAccVPCEndpoint_interfaceBasic
=== PAUSE TestAccVPCEndpoint_interfaceBasic
=== RUN   TestAccVPCEndpoint_interfacePrivateDNS
=== PAUSE TestAccVPCEndpoint_interfacePrivateDNS
=== RUN   TestAccVPCEndpoint_interfacePrivateDNSNoGateway
=== PAUSE TestAccVPCEndpoint_interfacePrivateDNSNoGateway
=== RUN   TestAccVPCEndpoint_disappears
=== PAUSE TestAccVPCEndpoint_disappears
=== RUN   TestAccVPCEndpoint_tags
=== PAUSE TestAccVPCEndpoint_tags
=== RUN   TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
=== PAUSE TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
=== RUN   TestAccVPCEndpoint_gatewayPolicy
=== PAUSE TestAccVPCEndpoint_gatewayPolicy
=== RUN   TestAccVPCEndpoint_ignoreEquivalent
=== PAUSE TestAccVPCEndpoint_ignoreEquivalent
=== RUN   TestAccVPCEndpoint_ipAddressType
=== PAUSE TestAccVPCEndpoint_ipAddressType
=== RUN   TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
=== PAUSE TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
=== RUN   TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
=== PAUSE TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
=== RUN   TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
=== PAUSE TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
=== RUN   TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
=== PAUSE TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
=== CONT  TestAccVPCEndpoint_gatewayBasic
=== CONT  TestAccVPCEndpoint_gatewayPolicy
--- PASS: TestAccVPCEndpoint_gatewayBasic (37.72s)
=== CONT  TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
--- PASS: TestAccVPCEndpoint_gatewayPolicy (62.81s)
=== CONT  TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
--- PASS: TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate (283.52s)
=== CONT  TestAccVPCEndpoint_disappears
--- PASS: TestAccVPCEndpoint_disappears (31.88s)
=== CONT  TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
--- PASS: TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy (58.80s)
=== CONT  TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
--- PASS: TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer (396.50s)
=== CONT  TestAccVPCEndpoint_tags
--- PASS: TestAccVPCEndpoint_tags (81.66s)
=== CONT  TestAccVPCEndpoint_ipAddressType
--- PASS: TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate (344.07s)
=== CONT  TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
--- PASS: TestAccVPCEndpoint_ipAddressType (467.16s)
=== CONT  TestAccVPCEndpoint_interfacePrivateDNS
--- PASS: TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup (326.49s)
=== CONT  TestAccVPCEndpoint_interfacePrivateDNSNoGateway
--- PASS: TestAccVPCEndpoint_interfacePrivateDNSNoGateway (415.36s)
=== CONT  TestAccVPCEndpoint_ignoreEquivalent
--- PASS: TestAccVPCEndpoint_interfacePrivateDNS (582.67s)
=== CONT  TestAccVPCEndpoint_interfaceBasic
--- PASS: TestAccVPCEndpoint_ignoreEquivalent (105.75s)
--- PASS: TestAccVPCEndpoint_interfaceBasic (159.93s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ec2        1754.148s

@github-actions
Copy link

github-actions bot commented Jul 3, 2023

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/vpc Issues and PRs that pertain to the vpc service. size/M Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. partner Contribution from a partner. and removed tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/vpc Issues and PRs that pertain to the vpc service. labels Jul 3, 2023
@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/vpc Issues and PRs that pertain to the vpc service. labels Jul 3, 2023
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jul 5, 2023
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccVPCEndpoint_' PKG=ec2 ACCTEST_PARALLELISM=2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 2  -run=TestAccVPCEndpoint_ -timeout 180m
=== RUN   TestAccVPCEndpoint_gatewayBasic
=== PAUSE TestAccVPCEndpoint_gatewayBasic
=== RUN   TestAccVPCEndpoint_interfaceBasic
=== PAUSE TestAccVPCEndpoint_interfaceBasic
=== RUN   TestAccVPCEndpoint_interfacePrivateDNS
=== PAUSE TestAccVPCEndpoint_interfacePrivateDNS
=== RUN   TestAccVPCEndpoint_interfacePrivateDNSNoGateway
=== PAUSE TestAccVPCEndpoint_interfacePrivateDNSNoGateway
=== RUN   TestAccVPCEndpoint_disappears
=== PAUSE TestAccVPCEndpoint_disappears
=== RUN   TestAccVPCEndpoint_tags
=== PAUSE TestAccVPCEndpoint_tags
=== RUN   TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
=== PAUSE TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
=== RUN   TestAccVPCEndpoint_gatewayPolicy
=== PAUSE TestAccVPCEndpoint_gatewayPolicy
=== RUN   TestAccVPCEndpoint_ignoreEquivalent
=== PAUSE TestAccVPCEndpoint_ignoreEquivalent
=== RUN   TestAccVPCEndpoint_ipAddressType
=== PAUSE TestAccVPCEndpoint_ipAddressType
=== RUN   TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
=== PAUSE TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
=== RUN   TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
=== PAUSE TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
=== RUN   TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
=== PAUSE TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
=== RUN   TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
=== PAUSE TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
=== CONT  TestAccVPCEndpoint_gatewayBasic
=== CONT  TestAccVPCEndpoint_gatewayPolicy
--- PASS: TestAccVPCEndpoint_gatewayBasic (41.95s)
=== CONT  TestAccVPCEndpoint_disappears
--- PASS: TestAccVPCEndpoint_gatewayPolicy (70.49s)
=== CONT  TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy
--- PASS: TestAccVPCEndpoint_disappears (35.94s)
=== CONT  TestAccVPCEndpoint_tags
--- PASS: TestAccVPCEndpoint_gatewayWithRouteTableAndPolicy (67.16s)
=== CONT  TestAccVPCEndpoint_interfacePrivateDNS
--- PASS: TestAccVPCEndpoint_tags (78.96s)
=== CONT  TestAccVPCEndpoint_interfacePrivateDNSNoGateway
--- PASS: TestAccVPCEndpoint_interfacePrivateDNSNoGateway (384.20s)
=== CONT  TestAccVPCEndpoint_interfaceBasic
--- PASS: TestAccVPCEndpoint_interfaceBasic (94.87s)
=== CONT  TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate
--- PASS: TestAccVPCEndpoint_interfacePrivateDNS (499.54s)
=== CONT  TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer
--- PASS: TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnCreate (318.58s)
=== CONT  TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate
--- PASS: TestAccVPCEndpoint_VPCEndpointType_gatewayLoadBalancer (412.20s)
=== CONT  TestAccVPCEndpoint_ipAddressType
--- PASS: TestAccVPCEndpoint_interfaceNonAWSServiceAcceptOnUpdate (331.56s)
=== CONT  TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup
--- PASS: TestAccVPCEndpoint_ipAddressType (371.23s)
=== CONT  TestAccVPCEndpoint_ignoreEquivalent
--- PASS: TestAccVPCEndpoint_ignoreEquivalent (52.70s)
--- PASS: TestAccVPCEndpoint_interfaceWithSubnetAndSecurityGroup (414.33s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	1706.268s

@ewbankkit
Copy link
Contributor

@ddericco Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 3e7fea1 into hashicorp:main Jul 5, 2023
@github-actions github-actions bot added this to the v5.7.0 milestone Jul 5, 2023
@github-actions
Copy link

github-actions bot commented Jul 7, 2023

This functionality has been released in v5.7.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@ddericco ddericco deleted the b-aws_vpc_endpoint-fix_private_dns_s3_interface branch July 12, 2023 14:47
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
partner Contribution from a partner. service/vpc Issues and PRs that pertain to the vpc service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Private DNS options for VPC endpoints
3 participants