With an EC2 instance that only had a single network interface, the primary interface, the Update function would call `ModifyInstanceAttribute()` on the target instance. This would only work if there was a single network interface attached to the EC2 instance. If, however, a secondary network interface was attached to the instance, the `ModifyInstanceAttribute()` API call would fail with the following error message:
> There are multiple interfaces attached to instance 'i-XXXXX'. Please specify an interface ID for the operation instead.
After this changeset, modifying instance security groups now makes the correct call to `ModifyNetworkInterfaceAttribute()` in order to modify the list of security groups on the primary network interface, as initially configured during the instances creation.
This change is also safe from an instance that has a non-default primary network interface, as the instance attribute `vpc_security_group_ids` conflicts with the new `network_interface` attribute.
Test Output:
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSInstance_addSecurityGroupNetworkInterface"
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/05/08 17:52:42 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_addSecurityGroupNetworkInterface -timeout 120m
=== RUN TestAccAWSInstance_addSecurityGroupNetworkInterface
--- PASS: TestAccAWSInstance_addSecurityGroupNetworkInterface (327.75s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 327.756s
```
* provider/aws: Refresh ssm document from state on 404
Originally reported in #13976
When an SSM Document was deleted outside of Terraform, a terraform
refresh would return the following:
```
% terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
aws_ssm_document.foo: Refreshing state... (ID: test_document-stack72)
Error refreshing state: 1 error(s) occurred:
* aws_ssm_document.foo: aws_ssm_document.foo: [ERROR] Error describing SSM document: InvalidDocument:
status code: 400, request id: 70c9bed1-33bb-11e7-99aa-697e9b0914e9
```
On applying this patch, it now looks as follows:
```
% terraform plan
[WARN] /Users/stacko/Code/go/bin/terraform-provider-aws overrides an internal plugin for aws-provider.
If you did not expect to see this message you will need to remove the old plugin.
See https://www.terraform.io/docs/internals/internal-plugins.html
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
aws_ssm_document.foo: Refreshing state... (ID: test_document-stack72)
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.
Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.
+ aws_ssm_document.foo
arn: "<computed>"
content: " {\n \"schemaVersion\": \"1.2\",\n \"description\": \"Check ip configuration of a Linux instance.\",\n \"parameters\": {\n\n },\n \"runtimeConfig\": {\n \"aws:runShellScript\": {\n \"properties\": [\n {\n \"id\": \"0.aws:runShellScript\",\n \"runCommand\": [\"ifconfig\"]\n }\n ]\n }\n }\n }\n"
created_date: "<computed>"
default_version: "<computed>"
description: "<computed>"
document_type: "Command"
hash: "<computed>"
hash_type: "<computed>"
latest_version: "<computed>"
name: "test_document-stack72"
owner: "<computed>"
parameter.#: "<computed>"
platform_types.#: "<computed>"
schema_version: "<computed>"
status: "<computed>"
Plan: 1 to add, 0 to change, 0 to destroy.
```
* Update resource_aws_ssm_document.go
Adds computed `arn` to security group data source
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccDataSourceAwsSecurityGroup"
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/05/05 10:17:35 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccDataSourceAwsSecurityGroup -timeout 120m
=== RUN TestAccDataSourceAwsSecurityGroup
--- PASS: TestAccDataSourceAwsSecurityGroup (56.72s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 56.725s
```
* aws_route53_record: More consistent unquoting of TXT/SPF records.
Before, 'flatten' would remove the first two quotes. This results in
confusing behavior if the value contained two quoted strings.
Now, 'flatten' we only remove the surrounding qutoes, which is more
consistent with 'expand'.
Should improve hashicorp/terraform#8423, but more could still be done.
* aws/route53: Cover new bugfix with an acceptance test
Fixes: #14217
We now check to make sure that we have the correct number of parts when
we have split the resource ID. It isn't an elegant fix but it works as
expected. Also added some more documentation about what is required to
actually construct the Id needed for import
* provider/aws: Add support for aws_ssm_maintenance_window
Fixes: #14027
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSSMMaintenanceWindow_basic'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/29 13:38:19 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSSMMaintenanceWindow_basic -timeout 120m
=== RUN TestAccAWSSSMMaintenanceWindow_basic
--- PASS: TestAccAWSSSMMaintenanceWindow_basic (51.69s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 51.711s
```
* provider/aws: Add documentation for aws_ssm_maintenance_window
* provider/aws: Add support for aws_ssm_maintenance_window_target
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSSMMaintenanceWindowTarget'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/29 16:38:22 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSSMMaintenanceWindowTarget -timeout 120m
=== RUN TestAccAWSSSMMaintenanceWindowTarget_basic
--- PASS: TestAccAWSSSMMaintenanceWindowTarget_basic (34.68s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 34.701s
```
* provider/aws: Adding the documentation for aws_ssm_maintenance_window_target
* provider/aws: Add support for aws_ssm_maintenance_window_task
* provider/aws: Documentation for aws_ssm_maintenance_window_task
This is a fix for PR #11040. The code here lowercases the name and/or prefix before sending it to the AWS API and the terraform state. This means the state will match the actual resource name and be able to converge the diff.
* added emr security configurations
* gofmt after rebase
* provider/aws: Update EMR Cluster to support Security Configuration
* update test to create key
* update docs
The default value for `source_dest_check` needs to remain the same, so as not to break any backwards compatibility, however, adding a new `network_interface` parameter with a pre-configured network_interface that has `source_dest_check` set to false throws a diff after initial apply. Since we don't want to change `source_dest_check` to computed in order to not break sane defaults, ignore the diff thrown if `network_interface` attributes are configured on an instance.
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck"
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/28 16:26:02 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck -timeout 120m
=== RUN TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck
--- PASS: TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck (134.20s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 134.211s
```
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSInstance_sourceDestCheck"
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/28 16:15:14 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_sourceDestCheck -timeout 120m
=== RUN TestAccAWSInstance_sourceDestCheck
--- PASS: TestAccAWSInstance_sourceDestCheck (179.81s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 179.815s
```
Fixes: #14068
Fixes: #14049
The China and Gov regions do not support the new way of tagging
instances and volumes on creation. Therefore, we need to hack this to
make sure we don't try and set these on instance creation
The introduction of volume_tags was causing a ForceNew on
spot_instance_requests
This has now been treated the same way as tags
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSpotInstanceRequest_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/28 05:17:42 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSpotInstanceRequest_ -timeout 120m
=== RUN TestAccAWSSpotInstanceRequest_basic
--- PASS: TestAccAWSSpotInstanceRequest_basic (213.75s)
=== RUN TestAccAWSSpotInstanceRequest_withBlockDuration
--- PASS: TestAccAWSSpotInstanceRequest_withBlockDuration (212.14s)
=== RUN TestAccAWSSpotInstanceRequest_vpc
--- PASS: TestAccAWSSpotInstanceRequest_vpc (130.44s)
=== RUN TestAccAWSSpotInstanceRequest_SubnetAndSG
--- PASS: TestAccAWSSpotInstanceRequest_SubnetAndSG (234.43s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 790.791s
```
Federated users calling `iam:GetUser` will get the error code `InvalidClientTokenId` so this shouldn't bail out but instead continue on to try `sts:GetCallerIdentity`.
Fixes: #14003
When an EBS volume was created and tags were specified on that resource
and NOT the aws_instance it was attached to, the tags would be removed
on subsequent Terraform runs.
We need to set volume_tags to be Computed to allow for changes to EBS
volumes not created as part of the instance but that are attached to the
instance
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSInstance_volumeTagsComputed'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/27 07:33:36 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_volumeTagsComputed -timeout 120m
=== RUN TestAccAWSInstance_volumeTagsComputed
--- PASS: TestAccAWSInstance_volumeTagsComputed (151.37s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 151.411s
```
Fixes: #12496
When an EBS volume was attached to an instance and the user tried to
resize, they would get an error as follows:
```
* aws_ebs_volume.ebs_data_volume: Error waiting for Volume (vol-027e83f7) to become available: unexpected state 'in-use', wanted target 'available'. last error: %!s(<nil>)
```
`available` is a state *only* when creating an EBS volume that is not attached. When an instance is attached, it will go into the state `in-use`. Therefore `in-use` is a valid state when modifying an EBS volume that is attached:
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSEBSVolume_' ✹ ✭
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/27 07:08:18 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSEBSVolume_ -timeout 120m
=== RUN TestAccAWSEBSVolume_importBasic
--- PASS: TestAccAWSEBSVolume_importBasic (41.10s)
=== RUN TestAccAWSEBSVolume_basic
--- PASS: TestAccAWSEBSVolume_basic (38.22s)
=== RUN TestAccAWSEBSVolume_updateAttachedEbsVolume
--- PASS: TestAccAWSEBSVolume_updateAttachedEbsVolume (199.11s)
=== RUN TestAccAWSEBSVolume_updateSize
--- PASS: TestAccAWSEBSVolume_updateSize (70.53s)
=== RUN TestAccAWSEBSVolume_updateType
--- PASS: TestAccAWSEBSVolume_updateType (69.75s)
=== RUN TestAccAWSEBSVolume_updateIops
--- PASS: TestAccAWSEBSVolume_updateIops (70.38s)
=== RUN TestAccAWSEBSVolume_kmsKey
--- PASS: TestAccAWSEBSVolume_kmsKey (76.64s)
=== RUN TestAccAWSEBSVolume_NoIops
--- PASS: TestAccAWSEBSVolume_NoIops (39.80s)
=== RUN TestAccAWSEBSVolume_withTags
--- PASS: TestAccAWSEBSVolume_withTags (38.04s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 643.609s
```
We can only ever have 5 cloudtrails in an AWS account so we want to make
sure we run these tests serially to make sure we don't exhaust limits
and get non-deterministic failures
This parameter is being validated using the wrong validation function, which means that we are incorrectly disallowing a `name_prefix` value ending with a dash.
Fixes: #13173
We now tag at instance creation and introduced `volume_tags` that can be
set so that all devices created on instance creation will receive those
tags
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSInstance_volumeTags' 2 ↵ ✚ ✭
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/26 06:30:48 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_volumeTags -timeout 120m
=== RUN TestAccAWSInstance_volumeTags
--- PASS: TestAccAWSInstance_volumeTags (214.31s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 214.332s
```
As a follow up to #13844, this pull request sorts the AMIs and snapshots returned from the aws_ami_ids and aws_ebs_snapshot_ids data sources, respectively.
This is the minimal amount of work needed to be able to create a list of a subset of subnet IDs in a VPC, allowing people to loop through them easily when creating EC2 instances or provide a list straight to an ELB.
Fixes: #13588
It was pointed out in #13588 that we don't need to ForceNew on a change
of IPv6 CIDR block. The logic I decided to implement here was to
disassociate then associate. We should only be able to be associated to
1 IPv6 CIDR block at once. This feels like a risky move. We can
disassociate and then error on the associate. This would leave us in a
situation where we have no IPv6 CIDR block associated
The alternative here would be that the failure of association, triggers
a reassociation with the old IPv6 CIDR block
I added a test to make sure that the subnet Ids don't change as the ipv6
block changes. Before removing the ForceNew from the ipv6_cidr_block,
the test results in the following:
```
=== RUN TestAccAWSSubnet_ipv6
--- FAIL: TestAccAWSSubnet_ipv6 (92.09s)
resource_aws_subnet_test.go:105: Expected SubnetIDs not to change, but both got before: subnet-0d2b6a6a and after: subnet-742c6d13
```
After the removal of ForceNew, the test result looks as follows:
```
=== RUN TestAccAWSSubnet_ipv6
--- PASS: TestAccAWSSubnet_ipv6 (188.34s)
```
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSubnet_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/24 21:26:36 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSubnet_ -timeout 120m
=== RUN TestAccAWSSubnet_importBasic
--- PASS: TestAccAWSSubnet_importBasic (85.63s)
=== RUN TestAccAWSSubnet_basic
--- PASS: TestAccAWSSubnet_basic (80.28s)
=== RUN TestAccAWSSubnet_ipv6
--- PASS: TestAccAWSSubnet_ipv6 (188.34s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 354.283s
```
Fixes: #13829
When IPv6 support was added to subnets, we added a new parameter that
had a default value. This means that users are experiencing unexpected
changes in their configuration
We need a schema migration in place to make sure this isn't the case for
the users who have not upgraded yet
```
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/23 10:36:43 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAWSSubnetMigrateState -timeout 120m
=== RUN TestAWSSubnetMigrateState
2017/04/23 10:37:27 [INFO] Found AWS Subnet State v0; migrating to v1
2017/04/23 10:37:27 [DEBUG] Attributes before migration: map[string]string{}
2017/04/23 10:37:27 [DEBUG] Attributes after migration: map[string]string{"assign_ipv6_address_on_creation":"false"}
--- PASS: TestAWSSubnetMigrateState (0.00s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 0.021s
```
The conditional to ignore the deletion of NS and SOA records can fail to
match if the hostedZoneName already ends with a ".". When that happens,
terraform tries to delete those records which is not supported by AWS
and results in a 400 bad request. This fixes the conditional so that it
will work whether or not hostedZoneName ends with a ".".
fixes#12407
Fixes validation errors in GovCloud when passing a KMS ARN for
`kms_key_id` in `s3_bucket_object` and `db_instance`.
The region is `us-gov-west-1` which breaks the regexp. Just added the
optional `gov-` in the right place.
* Add an option to skip getting the EC2 platforms
Even through this call fails silently in case of an error (usually lack of rights), it’s still a pretty extensive call.
In our region (eu-west-1) this can take up to 3 seconds. And since we have a system that involves doing much planning with the option `-refresh=false` these additional 3 seconds are really very annoying and totally not needed.
So being able to choose to skip them would make our lives a little better 😉
* Update the docs accordingly
* add check destroy to subnet data source tests
* provider/aws: Fix TestAccAWSElasticacheCluster_snapshotsWithUpdates by waiting for snapshots
* provider/aws: Fix TestAccAWSRDSCluster_takeFinalSnapshot
* provider/aws: Fix TestAccAWSKinesisFirehoseDeliveryStream_ElasticsearchConfigUpdates by specifying instance type
* provider/aws: Add failing test for EMR Bootstrap Actions
* aws_emr_cluster: Fix bootstrap action parameter ordering
* provider/aws: Fix EMR Bootstrap arguments
* provider/aws: Args needs to be ForceNew, because we can't update them
Adds import capability to the `aws_codecommit_repository` resource.
Also fixes an issue in the Read function where both `description` and `resource_name` attributes weren't being updated and set in the Schema.
Fixes: #13559
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSCodeCommitRepository"
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/12 10:14:44 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSCodeCommitRepository -timeout 120m
=== RUN TestAccAWSCodeCommitRepository_importBasic
--- PASS: TestAccAWSCodeCommitRepository_importBasic (16.11s)
=== RUN TestAccAWSCodeCommitRepository_basic
--- PASS: TestAccAWSCodeCommitRepository_basic (14.97s)
=== RUN TestAccAWSCodeCommitRepository_withChanges
--- PASS: TestAccAWSCodeCommitRepository_withChanges (26.71s)
=== RUN TestAccAWSCodeCommitRepository_create_default_branch
--- PASS: TestAccAWSCodeCommitRepository_create_default_branch (14.34s)
=== RUN TestAccAWSCodeCommitRepository_create_and_update_default_branch
--- PASS: TestAccAWSCodeCommitRepository_create_and_update_default_branch (27.90s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 100.071s
```
When creating an `aws_route_table`, if a `route` configuration block is left `nil`, Terraform would previously panic. This allows Terraform to catch a faulty interface conversion during the resource create. The resource will still fail to apply, however, since every item in the `route` element is `Optional` we cannot currently catch this error during plan time, via validation.
Fixes: #13545
* Add schema_version as computed ssm document attribute
* Update the SSM document itself if the content has changed and it has a schema >= 2.0
* Add default_version as DocumentVersion in SSM doc update
* Acceptance test for updating an SSM document
* Better error handling in updating SSM documents
* Add SSM document update documentation
* Better names for SSM input params
Launch permissions are implicitly nuked if an AMI is removed for any
reason - Terraform should not error on refresh in this case, but rather
just see the launch permissions as gone and react appropriately.