When VPC is detached from VPN gateway, its VpcAttachment stays in place
just with state changed to "detached". Since terraform was not checking
attachment state, it used to think VPC gateway was still attached.
Add the iam_arn attribute to aws_cloudfront_origin_access_identity,
which computes the IAM ARN for a certain CloudFront origin access
identity.
This is necessary because S3 modifies the bucket policy if CanonicalUser
is sent, causing spurious diffs with aws_s3_bucket resources.
This brings over the work done by @apparentlymart and @radeksimko in
PR #3124, and converts it into a data source for the AWS provider:
This commit adds a helper to construct IAM policy documents using
familiar Terraform concepts. It makes Terraform-style interpolations
easier and resolves the syntax conflict between Terraform interpolations
and IAM policy variables by changing the latter to use &{...} for its
interpolations.
Its use is completely optional and users are free to go on using literal
heredocs, file interpolations or whatever else; this just adds another
option that fits more naturally into a Terraform config.
This an effort to address hashicorp/terraform#516.
Adding the Sensitive attribute to the resource schema, opening up the
ability for resource maintainers to mark some fields as sensitive.
Sensitive fields are hidden in the output, and, possibly in the future,
could be encrypted.
Closing off my other AWS availability zone branch, I'm adding tests for
the existing aws_availability_zones data source.
This closeshashicorp/terraform#4848.
This data source allows one to look up the most recent AMI for a specific
set of parameters, much like aws ec2 describe-images in the AWS CLI.
Basically a refresh of hashicorp/terraform#4396, in data source form.
This commit adds the newly required OS_EXT_GW environment variable to
the devstack acceptance environment build suite. It also fixes some
space formatting in a test.
* Add per user, role and group policy attachment
* Add docs for new IAM policy attachment resources.
* Make policy attachment resources manage only 1 entity<->policy attachment
* provider/aws: Tidy up IAM Group/User/Role attachments
When two rules differ only in source security group, EC2 APIs return
them as a single rule, but Terraform requires separate
aws_security_group_rule resources.
6bdab07174 changed Read to set source_security_group_id (and
cidr_blocks) from the rule returned from EC2 and chose the first
source_security_group_id arbitrarily, which is wrong.
Makes TestAccAWSSecurityGroupRule_PartialMatching_Source pass again.
Also adds a comment noting that there is a bug in the new resource
importing feature.
Fixes#6728.
This commit adds a data source with a single list, `instance` for the
schema which gets populated with the availability zones to which an
account has access.
Allow a cloud admin to target a specific tenant in which to allocate
a floating IP. This is useful when the cloud admin does not want to
delegate network privileges to the tenants or various Q&A scenarios.
resource
We had a line on the Update func that said:
```
Hash key can only be specified at creation, you cannot modify it.
```
The resource has now been changed to ForceNew on the hashkey
```
aws_dynamodb_table.demo-user-table: Refreshing state... (ID: Users)
aws_dynamodb_table.demo-user-table: Destroying...
aws_dynamodb_table.demo-user-table: Destruction complete
aws_dynamodb_table.demo-user-table: Creating...
aws_dynamodb_table.demo-user-table: Creation complete
```
The changes to allow for testing ID-only refresh conflict with passing
in "" as Config for tests. In this case we instead construct a config
with a known-non-existent bucket name.
Changed schema type for disks to support dynamic non-ordered disk
swapping. All Disk attributes have been made non ForceNew since
any changes should be handled in the upgrade() function.
Added 'name' attribute to disks to act as a unique
identifier for when users request for new disks. It is also used as
the filename for the new disk. Templates are considered immutable.
The openstack_networking_subnet_v2 resource was originally designed
to have DHCP disabled by default; however, a bug in the original
implementation caused DHCP to always be enabled and never be
disabled. This bug was fixed in #6052.
Recent discussions have shown that users prefer if DHCP is enabled
by default. This commit implements makes the change.
When stage_name is not passed to the resource
aws_api_gateway_deployment a terraform apply will fail. This is
because the stage_name is required and not optional.
* Grafana provider
* grafana_data_source resource.
Allows data sources to be created in Grafana. Supports all data source
types that are accepted in the current version of Grafana, and will
support any future ones that fit into the existing structure.
* Vendoring of apparentlymart/go-grafana-api
This is in anticipation of adding a Grafana provider plugin.
* grafana_dashboard resource
* Website documentation for the Grafana provider.
apply
The IP COnfiguration block of `azurerm_network_interface` didn't have a
hash created in a way that changes to the optional params were being
picked up:
```
~ azurerm_network_interface.test
ip_configuration.273485505.name: "testconfiguration1" => ""
ip_configuration.273485505.private_ip_address_allocation: "dynamic" => ""
ip_configuration.273485505.subnet_id: "/subscriptions/34ca515c-4629-458e-bf7c-738d77e0d0ea/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn/subnets/acctsub" => ""
ip_configuration.~273485505.load_balancer_backend_address_pools_ids.#: "" => "<computed>"
ip_configuration.~273485505.load_balancer_inbound_nat_rules_ids.#: "" => "<computed>"
ip_configuration.~273485505.name: "" => "testconfiguration1"
ip_configuration.~273485505.private_ip_address: "" => "<computed>"
ip_configuration.~273485505.private_ip_address_allocation: "" => "dynamic"
ip_configuration.~273485505.public_ip_address_id: "" => "${azurerm_public_ip.test.id}"
ip_configuration.~273485505.subnet_id: "" => "/subscriptions/34ca515c-4629-458e-bf7c-738d77e0d0ea/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn/subnets/acctsub"
```
This caused the following error:
```
Error applying plan:
1 error(s) occurred:
* azurerm_network_interface.test: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.
Please include the following information in your report:
```
Notice that the hash didn't change. This change adds the remaining optional params to the hash so that the hash id will change.
```
~ azurerm_network_interface.test
ip_configuration.4255411321.load_balancer_backend_address_pools_ids.#: "" => "<computed>"
ip_configuration.4255411321.load_balancer_inbound_nat_rules_ids.#: "" => "<computed>"
ip_configuration.4255411321.name: "" => "testconfiguration1"
ip_configuration.4255411321.private_ip_address: "" => "<computed>"
ip_configuration.4255411321.private_ip_address_allocation: "" => "dynamic"
ip_configuration.4255411321.public_ip_address_id: "" => "/subscriptions/34ca515c-4629-458e-bf7c-738d77e0d0ea/resourceGroups/acctestrg/providers/Microsoft.Network/publicIPAddresses/public-ip"
ip_configuration.4255411321.subnet_id: "" => "/subscriptions/34ca515c-4629-458e-bf7c-738d77e0d0ea/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn/subnets/acctsub"
ip_configuration.966273186.name: "testconfiguration1" => ""
ip_configuration.966273186.private_ip_address_allocation: "dynamic" => ""
ip_configuration.966273186.subnet_id: "/subscriptions/34ca515c-4629-458e-bf7c-738d77e0d0ea/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn/subnets/acctsub" => ""
```
This allows the Update to work as expected :)
```
azurerm_network_interface.test: Modifications complete
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```
* provider/datadog Update go-datadog-api.
* provider/datadog Add support for "require_full_window" and "locked".
* provider/datadog Update tests, update doco, gofmt.
* provider/datadog Add options to update resource.
* provider/datadog "require_full_window" defaults to True, "locked" to False. Use
those initial values as the starting configuration.
* provider/datadog Update notify_audit tests to use the default value for
testAccCheckDatadogMonitorConfig and a custom value for
testAccCheckDatadogMonitorConfigUpdated.
This catches a situation where the code ignores setting the option on creation,
and the update function merely asserts the default value, versus actually changing
the value.
This commit forward ports the changes made for 0.6.17, in order to store
the type and sensitive flag against outputs.
It also refactors the logic of the import for V0 to V1 state, and
fixes up the call sites of the new format for outputs in V2 state.
Finally we fix up tests which did not previously set a state version
where one is required.
`azurerm_storage_account` access keys
Please note that we do NOT have the ability to manage the access keys -
we are just getting the keys that the account creates for us. To manage
the keys, you would need to use the azure portal still
By default, group membership queries return pages of 100 users at a
time. Because of this, if there are more than 100 users in an
aws_iam_group_membership resource, the resource always reports as
needing to be changed (because it only sees 100 of the users as
existing in the group).
The group membership now queries all pages.
Fixes#6722
random_shuffle takes a list of strings and returns a new list with the
same items in a random permutation.
Optionally allows the result list to be a different length than the
input list. A shorter result than input results in some items being
excluded. A longer result than input results in some items being
repeated, but never more often than the number of input items.
This resource generates a cryptographically-strong set of bytes and
provides them as base64, hexadecimal and decimal string representations.
It is intended to be used for generating unique ids for resources
elsewhere in the configuration, and thus the "keepers" would be set to
any ForceNew attributes of the target resources, so that a new id is
generated each time a new resource is generated.
This provider will have logical resources that allow Terraform to "manage"
randomness as a resource, producing random numbers on create and then
retaining the outcome in the state so that it will remain consistent
until something explicitly triggers generating new values.
Managing randomness in this way allows configurations to do things like
random distributions and ids without causing "perma-diffs".
A companion to the null_resource resource, this is here primarily to
enable manual quick testing of data sources workflows without depending
on any external services.
The "inputs" map gets copied to the computed "outputs" map on read,
"rand" gives a random number to exercise cases with constantly-changing
values (an anti-pattern!), and "has_computed_default" is settable in
config but computed if not set.
For backward compatibility we will continue to support using the data
sources that were formerly logical resources as resources for the moment,
but we want to warn the user about it since this support is likely to
be removed in future.
This is done by adding a new "deprecation message" feature to
schema.Resource, but for the moment this is done as an internal feature
(not usable directly by plugins) so that we can collect additional
use-cases and design a more general interface before creating a
compatibility constraint.
As a first example of a real-world data source, the pre-existing
terraform_remote_state resource is adapted to be a data source. The
original resource is shimmed to wrap the data source for backward
compatibility.
As requested in #4822, add support for a KMS Key ID (ARN) for Db
Instance
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSDBInstance_kmsKey' 2>~/tf.log
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSDBInstance_kmsKey -timeout 120m
=== RUN TestAccAWSDBInstance_basic
--- PASS: TestAccAWSDBInstance_basic (587.37s)
=== RUN TestAccAWSDBInstance_kmsKey
--- PASS: TestAccAWSDBInstance_kmsKey (625.31s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 1212.684s
```
missing
Fixes#6625
When an SNS topic subscription was created with TF and then removed via
the AWS Console, Terraform threw an error:
```
* aws_sns_topic_subscription.testme: NotFound: Subscription does not
* exist
status code: 404, request id: a22e7ed7-3630-5a8a-b767-317ac1440e24
```
This PR will remove the topic subscription from state on a NotFound and
will then readd the subscripton
Auto-generating an Instance Template name (or just its suffix) allows the
create_before_destroy lifecycle option to function correctly on the
Instance Template resource. This in turn allows Instance Group Managers
to be updated without being destroyed.
`on_premises_instance_tag_filter`
When setting `on_premises_instance_tag_filter`, Terraform was not
pushing the changes on the cReate (due to a spelling mistake). A second
apply would push the tags and then cause a panic. Terraform was building
a ec2.Tagfilter struct without checking for optional values. When the
TagFilter was being dereferenced, it caused a panic
This commit adds the groundwork for supporting module outputs of types
other than string. In order to do so, the state version is increased
from 1 to 2 (though the "public-facing" state version is actually as the
first state file was binary).
Tests are added to ensure that V2 (1) state is upgraded to V3 (2) state,
though no separate read path is required since the V2 JSON will
unmarshal correctly into the V3 structure.
Outputs in a ModuleState are now of type map[string]interface{}, and a
test covers round-tripping string, []string and map[string]string, which
should cover all of the types in question.
Type switches have been added where necessary to deal with the
interface{} value, but they currently default to panicking when the input
is not a string.
The `name` attribute will always be normalized to a FQDN, with a trailing "dot"
at the end when returned from the API.
We store the name as it's provided in the configuration, so "www" stays as "www"
and "www.terraformtesting.io." stays as "www.terraformtesting.io.".
The problem here is that if we use a full name as above, and the configuraiton
does *not* include the trailing dot, the API will return a version that does,
and we'll have a conflict.
This is particularly bad when we have a lifecycle block with
`create_before_destroy`; the record will get an update posted (which ends up
being a no-op on AWS's side), but then we'll delete the same record immediately
after, resulting in no record at all.
This PR addresses that by trimming the trailing dot from the `name` when saving
to state. We migrate existing state to match, to avoid false-positive diffs.
* provider/fastly: Add support for Conditions for Fastly Services
Docs here:
- https://docs.fastly.com/guides/conditions/
Also Bump go-fastly version for domain support in S3 Logging
* New top level AWS resource aws_eip_association
* Add documentation for aws_eip_association
* Add tests for aws_eip_association
* provider/aws: Change `aws_elastic_ip_association` to have computed
parameters
The AWS API was send ing more parameters than we had set. Therefore,
Terraform was showing constant changes when plans were being formed
* Adding private ip address reference
* adding private ip address reference
* Updating the docs.
* Removing optional attrib from private_ip_address
Removing optional attribute from private_ip_address, this element is only being used in the read.
* Selecting the first element instead of using a loop for now.
Change this to a loop when https://github.com/Azure/azure-sdk-for-go/issues/259 is fixed
The `storage_data_disk` was trying to use vhd_url rather than vhd_uri.
This was causing an error on creating a new data_disk as part of a VM
Also added validation as data_disks can only be 1 - 1023 GB in size
Added the hosted_zone_id attribute, which aliases to the Route 53
zone ID that can be used to route Alias Resource Record Sets to.
This fixeshashicorp/terraform#6489.
ssh_keys were throwing an error similar to this:
```
* azurerm_virtual_machine.test: [DEBUG] Error setting Virtual Machine
* Storage OS Profile Linux Configuration: &errors.errorString{s:"Invalid
* address to set: []string{\"os_profile_linux_config\", \"0\",
* \"ssh_keys\"}"}
```
This was because of nesting of Set within a Set in the schema. By
changing this to a List within a Set, the schema works as expected. This
means we can now set SSH Keys on VMs. This has been tested using a
remote-exec and a connection block with the ssh key
```
azurerm_virtual_machine.test: Still creating... (2m10s elapsed)
azurerm_virtual_machine.test (remote-exec): Connected!
azurerm_virtual_machine.test (remote-exec): CONNECTED!
```
Change the AWS DB Instance to now include the DB Option Group param. Adds a test to prove that it works
Add acceptance tests for the AWS DB Option Group work. This ensures that Options can be added and updated
Documentation for the AWS DB Option resource
automated_snapshot_retention_period
The default value for `automated_snapshot_retention_period` is 1.
Therefore, it can be included in the `CreateClusterInput` without
needing to check that it is set.
This was actually stopping people from setting the value to 0 (disabling
the snapshots) as there is an issue in `d.GetOk()` evaluating 0 for int
adminPassword
The Azure API never returns the AdminPAssword (as is correct) from the
Read API call. Therefore on Create, we do not set the AdminPassword of
the vm as part of the state. The Same func is used for Create & Update,
therefore when we changed anything on the VM, we were getting the
following error:
```
statusCode:Conflict
serviceRequestId:f498a6c8-6e7a-420f-9788-400f18078921
statusMessage:{"error":{"code":"PropertyChangeNotAllowed","target":"adminPassword","message":"Changing property 'adminPassword' is not allowed."}}
```
To fix this, we need to excldue the AdminPassword from the Update func
if it is empty
On Create, notify_no_data was being ignored.
On Read and Update, no_data_timeframe was being misused.
There was also a redundant read of escalation_message on Create.
For a long time now, the diff logic has relied on the behavior of
`mapstructure.WeakDecode` to determine how various primitives are
converted into strings. The `schema.DiffString` function is used for
all primitive field types: TypeBool, TypeInt, TypeFloat, and TypeString.
The `mapstructure` library's string representation of booleans is "0"
and "1", which differs from `strconv.FormatBool`'s "false" and "true"
(which is used in writing out boolean fields to the state).
Because of this difference, diffs have long had the potential for
cosmetically odd but semantically neutral output like:
"true" => "1"
"false" => "0"
So long as `mapstructure.Decode` or `strconv.ParseBool` are used to
interpret these strings, there's no functional problem.
We had our first clear functional problem with #6005 and friends, where
users noticed diffs like the above showing up unexpectedly and causing
troubles when `ignore_changes` was in play.
This particular bug occurs down in Terraform core's EvalIgnoreChanges.
There, the diff is modified to account for ignored attributes, and
special logic attempts to handle properly the situation where the
ignored attribute was going to trigger a resource replacement. That
logic relies on the string representations of the Old and New fields in
the diff to be the same so that it filters properly.
So therefore, we now get a bug when a diff includes `Old: "0", New:
"false"` since the strings do not match, and `ignore_changes` is not
properly handled.
Here, we introduce `TypeBool`-specific normalizing into `finalizeDiff`.
I spiked out a full `diffBool` function, but figuring out which pieces
of `diffString` to duplicate there got hairy. This seemed like a simpler
and more direct solution.
Fixes#6005 (and potentially others!)
- Addresses the issue when local state file has logging_config populated and the user
disables the configuration via the UI (or in this case an
application of the TF config). This will now properly set the
logging_config during the read operation and identify the state as
diverging
Fixes#6390
* TF-6256 - SG Rule Retry
- Preferring slower but consistent runs when AWS API calls do not properly return the SG Rule in the list of ingress/egress rules.
- Testing has shown that several times that we had to exceed 20 attempts
before the SG was actually returned
* TF-6256 - Refactor of rule lookup
- Adjusting to use resource.Retry
- Extract lookup method for matching ipPermissions set
Here is an example that will setup the following:
+ An SSH key resource.
+ A virtual server resource that uses an existing SSH key.
+ A virtual server resource using an existing SSH key and a Terraform managed SSH key (created as "test_key_1" in the example below).
(create this as sl.tf and run terraform commands from this directory):
```hcl
provider "softlayer" {
username = ""
api_key = ""
}
resource "softlayer_ssh_key" "test_key_1" {
name = "test_key_1"
public_key = "${file(\"~/.ssh/id_rsa_test_key_1.pub\")}"
# Windows Example:
# public_key = "${file(\"C:\ssh\keys\path\id_rsa_test_key_1.pub\")}"
}
resource "softlayer_virtual_guest" "my_server_1" {
name = "my_server_1"
domain = "example.com"
ssh_keys = ["123456"]
image = "DEBIAN_7_64"
region = "ams01"
public_network_speed = 10
cpu = 1
ram = 1024
}
resource "softlayer_virtual_guest" "my_server_2" {
name = "my_server_2"
domain = "example.com"
ssh_keys = ["123456", "${softlayer_ssh_key.test_key_1.id}"]
image = "CENTOS_6_64"
region = "ams01"
public_network_speed = 10
cpu = 1
ram = 1024
}
```
You'll need to provide your SoftLayer username and API key,
so that Terraform can connect. If you don't want to put
credentials in your configuration file, you can leave them
out:
```
provider "softlayer" {}
```
...and instead set these environment variables:
- **SOFTLAYER_USERNAME**: Your SoftLayer username
- **SOFTLAYER_API_KEY**: Your API key
IPv6 support added.
We support 1 IPv6 address per interface. It seems like the vSphere SDK supports more than one, since it's provided as a list.
I can change it to support more than one address. I decided to stick with one for now since that's how the configuration parameters
had been set up by other developers.
The global gateway configuration option has been removed. Instead the user should specify a gateway on NIC level (ipv4_gateway and ipv6_gateway).
For now, the global gateway will be used as a fallback for every NICs ipv4_gateway.
The global gateway configuration option has been marked as deprecated.
* added update function with support for vcpu and memory
* waiting for vmware tools redundant with WaitForIP
* proper error handling of PowerOn task
* added test cases for update memory and vcpu
* reboot flag
this implements two new resource types:
* openstack_networking_secgroup_v2 - create a neutron security group
* openstack_networking_secgroup_rule_v2 - create a newutron security
group rule
Unlike their nova counterparts the neutron security groups allow a user
to specify the target tenant_id allowing a cloud admin to create per
tenant resources.
* Adding File Resource for vSphere provider
Allows for file upload to vSphere at specified location. This also
includes update for moving or renaming of file resources.
* Ensuring required parameters are provided
If any of the entries in `commands` on `docker_container` resources was
empty, the assertion to string panic'd. Since we can't use ValidateFunc
on list elements, we can only really check this at apply time. If any
value is nil (resolves to empty string during conversion), we fail with
an error prior to creating the container.
Fixes#6409.
We were passing in a disk path of `[datastore] `, which the createDisk
call would create a file named `.vmdk` on the datastore, which is not
the expected behavior. This make sure that if the user did not pass in
a vmdk path, that we call CreateDisk with an empty string like it
expects.
* provider/fastly: Add S3 Log Streaming to Fastly Service
Adds streaming logs to an S3 bucket to Fastly Service V1
* provider/fastly: Bump go-fastly version for domain support in S3 Logging
* provider/aws - CloudFront custom_error_response fixes for missing
- Omit custom_error_response response_* fields when not explicitly set via config for
SDK call
- Adding a test case to ensure that the response_error gets converted
to an empty string properly, versus "0". (Thanks @vancluever)
Fixes#6342
* - Fixing ACC test case resource names
When an SQS queue was deleted from the AWS Console, an error was thrown
to say that the Queue could not be found. This is now fixed to remove
the queue from the state on a specific not found exception
This commit should fix the following acceptance test failures:
=== RUN TestAccAzureDnsServerBasic
--- FAIL: TestAccAzureDnsServerBasic (2.17s)
testing.go:172: Step 0 error: Error applying: 1 error(s) occurred:
* azure_dns_server.foo: Failed issuing update to network
configuration: Error response from Azure. Code: BadRequest,
Message: Multiple DNS servers specified with the same name
'terraform-dns-server'.
=== RUN TestAccAzureDnsServerUpdate
--- FAIL: TestAccAzureDnsServerUpdate (2.04s)
testing.go:172: Step 0 error: Error applying: 1 error(s) occurred:
* azure_dns_server.foo: Failed issuing update to network
configuration: Error response from Azure. Code: BadRequest,
Message: Multiple DNS servers specified with the same name
'terraform-dns-server'.
This change adds the support for the proxied configuration option for a
record which enables origin protection for CloudFlare records.
In order to do so the golang library needed to be changed as the old did
not support the option and was using and outdated API version.
Open issues which ask for this (#5049, #3805).
User may specify a vmdk in their disk definition.
The options size, template, and vmdk are considered
to be mutually exclusive. User may also set whether each disk
associated with the vm should try to boot after creation.
Todo: Enforce mutual exclusivity, validate the bootable_vmdk_path
The "find route in table" helper code was not properly handling routes
with no destination CIDR block - like vpc_endpoint routes - so if one of
those routes would come up before the target route in the loop, we'd get
a crash.
Fixes#6337
* Updated `aws_elastic_beanstalk_environment` to update environment when the `template_name` attribute has a change. Consildated update functions to use a single update call and added state change conf to wait until environment is in a "Ready" state.
* Adding tests for `aws_elastic_beanstalk_configuration_template` use with the `aws_elastic_beanstalk_environment` resource.
* Verifies option settings from an `aws_elastic_beanstalk_configuration_template` resource are applied to the associated `aws_elastic_beanstalk_environment` resource
* Verifies updated name of an `aws_elastic_beanstalk_configuration_template` resource triggers an update for the associated `aws_elastic_beanstalk_environment` resource
* Verifies that option settings set in the `aws_elastic_beanstalk_environment` resource override settings in the `aws_elastic_beanstalk_configuration_template` resource
Currently, the number of nodes was broken due to not passing the
node_type with the update. This PR adds the correct parameters and a
test to prove this works as expected
The validation as part of #6330 was only for length. This PR adds the
rules for alphanumeric, not having -- within, not ending with a - and
that the id must start with a letter.
The PR also adds tests for these rules
The azure tests relating to cdn endpoints (TestAccAzureRMCdnEndpoint_basic
etc) are breaking because ARM is not accepting port values of 0. The
following error is received:
statusCode:BadRequest
statusMessage:{"error":{"code":"BadRequest","message":"Invalid port \"0\". Port value must be a number between 1 and 65535."}}
This patch sets the ports for example.com to 443 and 80.
When a directory service was not found, Terraform was panicking due to
`dir := out.DirectoryDescriptions[0]`. The AWS API doesn't throw an
Error in this case. IT just return s0 results. Therefore, we should
check for 0 results in the return and remove the directory from the
state
This commit uses Riviera to register the Microsoft.Compute provider as a
canary for whether or not the Azure account credentials are set up. It
used to use the MS client, but that appeared to panic internally if the
credentials were bad. It's possible that we were using it wrong, but
there are no docs so ¯\_(ツ)_/¯.
As part of this, we parellelise the registration of the other providers.
This shaves the latency of each provider request times the number of
providers minus 1 off the "startup" time of the AzureRM provider. The
result is quite noticeable.
Official OpenStack clients commonly support specifing a client
certificate/key to enable SSL client authentication when communicating
with OpenStack services. This patch enables such feature in Terraform
with new parameters and environment variables:
* 'cert' provider parameter or OS_CERT env variable to specify client
certificate file,
* 'key' provider parameter or OS_KEY env variable to specify client
certificate private key file.
* Add Triton Metadata modification AccTest.
The test starts the basic machine and then adds the metadata field
user_data.
Test fails if the user_data field does not match what we expect
OR it times out.
Related to hashicorp/terraform#6148
* Fix the non-convergence of Triton metadata changes
The code waiting for the entire Machine Metadata to "deep equal" the Terraform
metadata modifications. These two sets will only be the same if the user
changes all metadata fields of the resource before calling `apply`.
Closeshashicorp/terraform#6148
It can come in handy to be able to mount ISOs programmatically.
For instance if you're developing a custom appliance (that automatically installs itself on the hard drive volume)
that you want to automatically test on every successful build (given the ISO is uploaded to the vmware datastore).
There are probably lots of other reasons for using this functionality.
* provider/aws: Fix hashing on CloudFront certificate parameters
Adding necessary type assertion to values on the viewer_certificate hash
function to ensure that certain fields are indeed not zero string
values, versus simply zero interface{} values (aka nil, as is such for a
map[string]interface{}).
* provider/aws: CloudFront complex structure error handling
Handle errors better on calls to d.Set() in the
aws_cloudfront_distribution, namely in flattenDistributionConfig(). Also
caught a bug in the setting of the origin attribute, was incorrectly
attempting to set origins.
* provider/aws: Pass pointers to set CloudFront primitives
Change a few d.Set() for primitives in aws_cloudfront_distribution and
aws_cloudfront_origin_access_identity to use the pointer versus a
dereference.
* docs: Fix CloudFront examples formatting
Ran each example thru terraform fmt to fix indentation.
* provider/aws: Remove delete retention on CloudFront tests
To play better with Travis and not bloat the test account with disabled
distributions.
Disable-only functionality has been retained - one can enable it with
the TF_TEST_CLOUDFRONT_RETAIN environment variable.
* provider/aws: CloudFront delete waiter error handling
The call to resourceAwsCloudFrontDistributionWaitUntilDeployed() on
deletion of CloudFront distributions was not trapping error messages,
causing issues with waiter failure.
hil.Eval() now returns (hil.EvaluationResult, error) instead of (value,
type, error). This commit updates the call sites, but retains all
previous behaviour. Tests are also updated.
This commit patches a few acceptance tests in order to get them to
pass under OpenStack Mitaka.
The devstack dev environment script has also been updated to reflect
OpenStack Mitaka as well as the new Terraform dependency vendoring.
* provider/fastly: Add support for managing Headers
Adds support for managing Headers in a Fastly configuration.
* update acc test
* update website with example of adding a header block
* provider/aws: Default Network ACL resource
Provides a resource to manage the default AWS Network ACL. VPC Only.
* Remove subnet_id update, mark as computed value. Remove extra tag update
* refactor default rule number to be a constant
* refactor revokeRulesForType to be revokeAllNetworkACLEntries
Refactor method to delete all network ACL entries, regardless of type. The
previous implementation was under the assumption that we may only eliminate some
rule types and possibly not others, so the split was necessary.
We're now removing them all, so the logic isn't necessary
Several doc and test cleanups are here as well
* smite subnet_id, improve docs
According to the libpq documentation, "prefer" is the default in the
underlying library and so setting a different default in the Terraform
layer would be a breaking change for existing users of this provider
whose servers do not have TLS correctly configured.
The docs now link to the libpq manual's discussion of the security
implications of each of the ssl_mode options, so the user can understand
the limitations of the "prefer" default and can make an informed decision
about which setting is appropriate for their situation.
As with several other sensitive values in Opsworks, the API returns a
placeholder value rather than a nil. To avoid writing the placeholder
value into the state we just skip updating the password on read, letting
whatever value was in the state persist.
This means that Terraform can't detect configuration drift where someone
has changed the password via some other means, but Terraform will still
be able to recognize changes to the password made within Terraform itself
due to the "last-written" value in the state.
This fixes#6192.
Other separate changes to testAccOpsworksStackConfigNoVpcCreate caused
this to begin failing because it was attempting to create a stack with
an empty name.
Previously in Update we would only set req.CustomJson if a non-empty
value was provided in the config. It seems that the Opsworks API considers
a null CustomJson to mean "do not change" rather than "set to empty",
so we need to explicitly set the empty string in the request body in
order to successfully remove an already-configured custom JSON.
This introduces a provider for Cobbler. Cobbler manages bare-metal
deployments and, to some extent, virtual machines. This initial
commit supports the following resources: distros, profiles, systems,
kickstart files, and snippets.
* CloudFront implementation v3
* Update tests
* Refactor - new resource: aws_cloudfront_distribution
* Includes a complete re-write of the old aws_cloudfront_web_distribution
resource to bring it to feature parity with API and CloudFormation.
* Also includes the aws_cloudfront_origin_access_identity resource to generate
origin access identities for use with S3.
* Improve testing of CodeDeploy DeploymentGroup Trigger Configs
- ensure updates to trigger_events are applied
- assert changes to trigger_target_arn
* Retry CodeDeploy DeploymentGroup when Trigger Config SNS Topic is not available
- increase retries from 2 => 5
* Don't Base64-encode EC2 userdata if it is already Base64 encoded
The user data may be Base64 encoded already - for example, if it has been
generated by a template_cloudinit_config resource.
* Add encoded user_data to aws_instance acceptance test
* Issue #2174 Check that InternetGateway exists before returning from creation
Fix some random InvalidInternetGatewayID.NotFound errors
* Issue #2174 Reuse IGStateRefreshFunc
* Issue #2174 Need to wait for creation before setting tags
Update github.com/joyent/gosdc/...
Test does the minimum described in hashicorp/terraform#6109, i.e.
- Start a small instance, t4-standard-128M
- Check firewall is enabled
- Change configuration to disable firewall
- Check firewall is disabled.
Fixes#6119.
* provider/aws: CodeDeploy Deployment Group Triggers
- Create a Trigger to Send Notifications for AWS CodeDeploy Events
- Update aws_codedeploy_deployment_group docs
* Refactor validateTriggerEvent function and test
- also rename TestAccAWSCodeDeployDeploymentGroup_triggerConfiguration test
* Enhance existing Deployment Group integration tests
- by using built in resource attribute helpers
- these can get quite verbose and repetitive, so passing the resource to a function might be better
- can't use these (yet) to assert trigger configuration state
* Unit tests for conversions between aws TriggerConfig and terraform resource schema
- buildTriggerConfigs
- triggerConfigsToMap
* provider/aws: Add more Randomization to DB Parameter Group Tests, to avoid collisions
* provider/aws: Add more randomization to Autoscaling group tests
We have a curtesy function in place allowing you to specify both a
`name` of `ID`. But in order for the graph to be build correctly when
you recreate or taint stuff that other resources depend on, we need to
reference the `ID` and *not* the `name`.
So in order to enforce this and by that help people to not make this
mistake unknowingly, I deprecated all the parameters this allies to and
changed the logic, docs and tests accordingly.
Added the ability to set the "privacy" of a github_team resource so all teams won't automatically set to private.
* Added the privacy argument to github_team
* Refactored parameter validation to be general for any argument
* Updated testing
This is the first step in removing the config dependency on "project".
This change is backwards-compatible because the value for this new
attribute defaults to the value from the provider.
This commit enables the ability to authenticate to OpenStack by way
of a Keystone Token. Tokens can provide a way to use Terraform and
OpenStack with an expiring, temporary credential. The token will need
to be generated out of band from Terraform.
* provider/aws: test empty plan with sns_topic policy with random order
If we setup a sns_topic policy with a policy with a different order
to the one set by the AWS API, terraform plan will be not empty between
runs.
* provider/aws: normalize json policy for sns topic
For the policy attribute of the resource aws_sns_topic, AWS returns the policy
in JSON format with the fields in a different order.
If we store and compare the values without normalizing, terraform
will unnecesary trigger and update of the resource.
To avoid that, we must add a normalization function in the StateFunc of
the policy attribute and also when we read the attribute from AWS.
This commit adds a no_gateway attribute. When set, the subnet will
not have a gateway. This is different than not specifying a
gateway_ip since that will cause a default gateway of .1 to be used.
This behavior mirrors the OpenStack Neutron command-line tool.
Fixes#6031
When calling AssociateAddress, the PrivateIpAddress parameter must be
used to select which private IP the EIP should associate with, otherwise
the EIP always associates with the _first_ private IP.
Without this parameter, multiple EIPs couldn't be assigned to a single
ENI. Includes covering test and docs update.
Fixes#2997
Previously the format string was using %#v, which prints the whole data structure given.
Instead we want to use %s to get the string representation of the error.
This fixes#6038.
Normalise the event_pattern of the aws_cloudwatch_event_rule resource
before uploading it to AWS.
AWS seems to accept a event_pattern with a JSON with new lines, but then
the rule does not seem to work. Creating the rule in the AWS console works,
but will setup the pattern as a json without newlines or spaces, and
display a formatted JSON.
Previously, resizing would only work if the flavor_id changed and
would create an error if the flavor_name changes. This commit fixes
this behavior.
It also quickly refactors the getFlavorID function to use
Gophercloud's IDFromName function. getFlavorID was the basis of
IDFromName so the exact same code is used.
Fixes#5780
Fix retry after removing associations by correctly checking and returning an
error. This should patch the VPC/Resource leak in our nightly acceptance tests.
It turns out all other providers use `ip_address` where the CloudStack
provider uses `ipaddress`. To make this more consistent this PR
deprecates `ipaddress` and adds `ip_address` where needed…
This new resource is an alternative to consul_keys that manages all keys
under a given prefix, rather than arbitrary single keys across the entire
store.
The key advantage of this resource over consul_keys is that it is able to
detect and delete keys that are added outside of Terraform, whereas
consul_keys is only able to detect changes to keys it is explicitly
managing.
The provider should, when working on a new repository without branches:
* Able to create a new repository even with default_branch defined.
* Able to create a new repository without default_branch, and do not fail
if default_branch is defined.
In AWS codecommit the default branch must have a value unless there are
no branches created, in which case it is not possible to set it to any value.
We query the existing branches and do not update the default branch
if there are none defined remotely.
This solves the issue of the initial creation of the repository with a
resource with `default_branch` defined.
AWS changed their error message, which was being used for detection of
the specific error that indicates we need to wait for IAM propagation.
Behavior is covered by a test now.
Fixes#5862
Unlike SimpleScaling policies, StepScaling policies require one or more
"steps", which are interval ranges in which a tracked metric can lie.
Policies can then execute scaling adjustments wedded to these steps.
This commit also adds a slew of additional policy attributes which are
only applicable to step policies.
The ignore_changes diff filter was stripping out attributes on Create
but the diff was still making it down to the provider, so Create would
end up missing attributes, causing a full failure if any required
attributes were being ignored.
In addition, any changes that required a replacement of the resource
were causing problems with `ignore_chages`, which didn't properly filter
out the replacement when the triggering attributes were filtered out.
Refs #5627
The script cleanup step added in #5577 was positioned before the
`cmd.Wait()` call to ensure the command completes. This was causing
non-deterministic failures, especially for longer running scripts.
Fixes#5699Fixes#5737
This applies the same fix to `digitalocean_ssh_key` as #5588 applies to
droplets. Fixes#5402. The report there gives weight to my theory that
this occurs when there are transport issues.
Here we also introduce a `test` provider meant as an aid to exposing
via automated tests issues involving interactions between
`helper/schema` and Terraform core.
This has been helpful so far in diagnosing `ignore_changes` problems,
and I imagine it will be helpful in other contexts as well.
We'll have to be careful to prevent the `test` provider from becoming a
dumping ground for poorly specified tests that have a clear home
elsewhere. But for bug exposure I think it's useful to have.
This brings across the following resources for Triton from the
joyent/triton-terraform repository, and converts them to the canonical
Terraform style, introducing Terraform-style documentation and
acceptance tests which run against the live API rather than the local
APIs:
- triton_firewall_rule
- triton_machine
- triton_key
This brings across the following resources for Triton from the
joyent/triton-terraform repository, and converts them to the canonical
Terraform style, introducing Terraform-style documentation and
acceptance tests which run against the live API rather than the local
APIs:
- triton_firewall_rule
- triton_machine
- triton_key
Needed to truncate the identifier for SQL Server engines to keep it at
max 15 chars per the docs. Not a full UUID going into it, but should be
"unique enough" to not matter in practice.
Modified the basic test to use the generated value. Other tests are
still working w/ explicitly specified identifiers.
`publicly_accessible` to be changed
Also updated the AWS Go SDK from 1.1.9 -> 1.1.12 as this was required to
allow the new behavior for the Redshift API
Usage of a helper function was assuming that an error would be returned
in a not found condition, when in fact a nil pointer was
returned.
Attached test crashes w/o fix, passes with it.
Fixes#5350
Refs #5418
This should be quite helpful in debugging aws-sdk-go operations.
Required some tweaking around the `helper/logging` functions to expose an
`IsDebugOrHigher()` helper for us to use.
Turns out the BC code allowed users to move from `filename` to
`template` to squash the warning without having to switch from template
paths to template contents.
Here we warn when `template` is specified as a path so we can remove the
functionality in the future and remove this source of confusion.
refs #3732
Previously this resource managed the set of keys as a whole rather than
the individual keys, and so it was unable to recognize when a particular
managed key is removed and delete just that one key from Consul.
Here this is addressed by recognizing that each key actually has its own
lifecycle, and detecting when individual keys are added and removed
without replacing the entire consul_keys instance.
Additionally this restores the behavior of updating the "value" attribute
on read, but restricts it only to blocks that already had a value so as
to avoid the quirkiness seen previously when we updated blocks that were
intended to be read-only. Updating the value is important now, because we
rely on this to detect and repair discrepancies between values stored in
Consul and values given in the configuration.
This change produces a change in the handling of the "delete" attribute.
Before it was considered only when the entire consul_keys resource was
deleted, but now it is considered also when a particular key block is
removed from within a resource.
This deals with some of the quirks of interacting with the Consul API,
with the goal of making the consul_keys resource implementation, and
later the consul_keys data source, less noisy to read.
Change the `RetryFunc` from a plain `error` return type to a
specialized `RetryError` which must decide whether it is
retryable or not.
Add `RetryableError` / `NonRetryableError` factory functions that
callers are meant to use to build up these errors.
This makes it eminently clear whether or not a given error is
retryable from inside the client code.
Goal here is to _not_ change any behavior, simply reflect the
existing behavior with the new, clearer, API.
All of these RetryErrors were meant to fail right away, but instead
caused retry looping because the typecheck in the implementation of
`resource.Retry()` only catches the value type, and not the pointer
type.
Refs #5537
- ASG placement tests
- Randomize DynamoDB names in tests
- tag the sg created in this test to help identify in the console
- randomize policy and role names
Acceptance tests for GCS that do rapid create/delete/create
on GCS buckets using the same name sometimes fail as the
bucket namespace is eventually consistent. This change makes
tests use a random bucket name for each test (adapted from
the existing ACL tests).
This adds support for Elastic Beanstalk Applications, Configuration Templates,
and Environments.
This is a combined work of @catsby, @dharrisio, @Bowbaq, and @jen20
Acceptance tests for Pubsub topics and subscriptions failed after
incorrectly determining that resources were not deleted in the
CheckDestroy phase.
Fixes 5437
The GCE API for creating VPN tunnels began validating the `peerIp` field
and rejecting RFC5735 addresses. The previous test was using one of
these addresses and failing as a result. This commit uses 8.8.8.8
for the peerIp.
The description field for a managed-zone is now a required field when using the Cloud API.
This commit defaults the field to use the text "Managed by Terraform" to minimize required boilerplate for Terraform users.
Ref: https://cloud.google.com/sdk/gcloud/reference/dns/managed-zones/create
This is to just catch possible breakage in the future. The actual
support was done in Gophercloud.
Previously, values of 0 were not allowed since there's no such port
as 0. However, there are ICMP codes of 0.
GH-4812 removed reading server.AccessIPv4 and server.AccessIPv6
because, AFAICT, they are not set by Nova. After removal, a user
reported that they were no longer able to read IPs from access_ip_v4
and access_ip_v6 on Rackspace. It's possible that Rackspace sets
the AccessIPv* attributes, and if that's true, other cloud providers
might as well through custom extensions.
The priority of how access_ip_v* is set might require some tweaks in
the future.
This commit allows "detaching" to be a valid pending state when
detaching a volume. Despite being obvious pending state, it also
helps in race situations when a volume is implicitly being detached
by Nova.
This commit fixes and cleans up instance block_device configuration.
Reverts #5354 in that `volume_size` is only required in certain
block_device configuration combinations. Therefore, the actual
attribute must be set to Optional and later checks done.
Doc upates, too.
This commit adds the ability to create instances with multiple
ephemeral disks. The ephemeral disks will appear as local block
devices to the instance.
The `volume_size` of a `block_device` was originally set to Optional,
but it's a required parameter in the OpenStack/Nova API. While it's
possible to infer a default size of the block device, making it required
more closely matches the Nova CLI client as well as provides consistent
experience when working with multiple block_devices.
This commit uses Group Name in preference to Group ID where appropriate
in the aws_security_group_rule resource. This fixes the crash reported
in #5310.
Fixes#5310.
```
go tool vet -all .
builtin/providers/aws/resource_aws_elasticache_security_group.go:130: arg apierr.Code in printf call is a function value, not a function call
builtin/providers/aws/resource_aws_elasticache_subnet_group.go:155: arg apierr.Code in printf call is a function value, not a function call
```
Pull CIDR block validation into a shared func ready to be used elsewhere
Example of new err message:
```
Errors:
* aws_vpc.foo: "cidr_block" must contain a valid network CIDR,
expected "10.0.0.0/16", got "10.0.1.0/16"
```
- Don't drop wildcard if it's the only one.
- Remove monitor resource, it's been replaced by metric_alert,
outlier_alert and service_check
- Refactor to be closer to the API; each resource creates exactly *one*
resource, not 2, this removes much unneeded complexity. A warning
threshold is now supported by the API.
- Remove fuzzy resources like graph, and resources that used them for
dashboard and screenboards. I'd welcome these resources, but the
current state of Terraform and the Datadog API does not allow these to
be implemented in a clean way.
- Support multiple thresholds for metric alerts, remove notify argument.
There can only be a single access_log configuration per load balancer
so choosing to use a list over a set is only relevant when comparing
changes during a plan. A list makes it much easier to compare updates
since the index is stable (0 vs. computed hash).
This test presents itself in an awkward manner as part of the AWS test
suite rather than the core test suite - this is because you cannot use
real providers in context tests because of circular references, and
simplistic test providers in that package do not demonstrate the issue.
In the interests of getting this fix in quickly and still having
regression coverage for it, it was agreed to include the change here
instead.
Running the test TestAccAWSVPC_coreMismatchedDiffs without the changes
in d95ab75 applied leads to the following output:
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run TestAccAWSVPC_coreMismatchedDiffs"
==> Checking that code complies with gofmt requirements...
/Users/James/Code/go/bin/stringer
GO15VENDOREXPERIMENT=1 go generate $(GO15VENDOREXPERIMENT=1 go list ./... | grep -v /vendor/)
TF_ACC=1 GO15VENDOREXPERIMENT=1 go test ./builtin/providers/aws -v -run TestAccAWSVPC_coreMismatchedDiffs -timeout 120m
=== RUN TestAccAWSVPC_coreMismatchedDiffs
--- FAIL: TestAccAWSVPC_coreMismatchedDiffs (2.26s)
testing.go:148: Step 0 error: Error applying: 1 error(s) occurred:
* aws_vpc.test: diffs didn't match during apply. This is a bug with Terraform and should be reported.
FAIL
exit status 1
FAIL github.com/hashicorp/terraform/builtin/providers/aws 2.281s
make: *** [testacc] Error 1
```
Applying the changes in d95ab75 (pull request GH-4965) yields the
following result when running the test:
```
$ make testacc TEST=./builtin/providers/aws TESTARGS="-run TestAccAWSVPC_coreMismatchedDiffs"
==> Checking that code complies with gofmt requirements...
/Users/James/Code/go/bin/stringer
GO15VENDOREXPERIMENT=1 go generate $(GO15VENDOREXPERIMENT=1 go list ./... | grep -v /vendor/)
TF_ACC=1 GO15VENDOREXPERIMENT=1 go test ./builtin/providers/aws -v -run TestAccAWSVPC_coreMismatchedDiffs -timeout 120m
=== RUN TestAccAWSVPC_coreMismatchedDiffs
--- PASS: TestAccAWSVPC_coreMismatchedDiffs (15.17s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 15.183s
```
The test has a rather misleading name ("AWS") such that it is actually run as
part of the nightly acceptance testing. The VPC resource is quick and free to
create, hence the selection.
Official OpenStack clients support specifing custom CA certificate file
that should be used when communicating with OpenStack server. This patch
adds similar behavior to Terraform OpenStack provider, by:
- Using OS_CACERT environmental variable, if available
- Using cacert_file provider parameter, if configured
Fixes issue #4985 by correcting copy/paste error that caused the
max_utilization attribute to be read from the max_rate_per_instance
attribute.
N.B. There is still no test coverage for this issue.
The AWS free tier allows up to 750 hours on t2.micro
instance types. It's better to use cheaper instances
in case the resources are not cleaned up if a tests
is canceled or crashes.
There can only be a single health_check configuration per load balancer
so choosing to use a list over a set is only relevant when comparing
changes during a plan. A list makes it much easier to compare updates
since the index is stable (0 vs. computed hash).
Removes overspecified config that is unrelated to testing the auto scaling
group's autogenerated name. The test is only concerned with checking that
the auto scaling group was created successfully with an autogenerated name
matching a specific pattern.
Removes overspecified config that is unrelated to the auto scaling
group's availability zone and VPC identifier acceptance tests. The
created auto scaling groups do not need to spin up any hosts since
the acceptance tests are only concerned with checking the existence
of the associated availability zones and VPC identifiers.
Fixes a diff calculation error when only a VPC zone
identifiers is provided. In this case the associated
availability zones are computed from the subnets per
the AWS documentation.
* Randomize app name in test
* Return error and don't panic when there is a problem
It's possible there may still be an underlying problem that caused the
error that made the cert leak in the first place - this should help us
diagnose it.
This should address the failures seen in Travis Build Run #8774. It is
likely there are others which also need addressing - they will be
addressed on a case-by-case basis as they come up.
This is a follow up on #4892 with tests that demonstrate creating a record and a zone, then destroying said record, and confirming that a new plan is generated, using the ExpectNonEmptyPlan flag
This simulates the bug reported in #4641 by mimicking the state file that one would have if they created a record with Terraform v0.6.6, which is to say a weight = 0 for a default value.
When upgrading, there would be an expected plan change to get that to -1. To mimic the statefile we apply the record and then in a follow up step change the attributes directly. We then try to delete the record.
I tested this by grabbing the source of aws_resource_route53.go from Terraform v0.6.9 and running the included test, which fails. The test will pass with #4892 , because we no longer reconstruct what the record should be based on the state (instead finding via the API and elimination/matching)
This resource is the first which makes use of the new Riviera library
(at https://github.com/jen20/riviera), so there is some additional set
up work to add the provider to the client which gets passed among
resources.
This commit adds the ability to associate a Floating IP to a specific
network. Previously, there only existed a top-level floating IP
attribute which was automatically associated with either the first
defined network or the default network (when no network block was
used).
Now floating IPs can be associated with networks beyond the first
defined network as well as each network being able to have their own
floating IP.
Specifying the floating IP by using the top-level floating_ip
attribute and the per-network floating IP attribute is not possible.
Additionally, an `access_network` attribute has been added in order
to easily specify which network should be used for provisioning.
See the updated docs for more details and examples, but in short this
enables the `attributes` param from the Chef provisioner to accept a
raw JSON string.
Fixes#3074Fixes#3572
Using EnvDefaultFunc with a default of empty string causes the
validation which would ordinarily be performed by `Required: true` in
the schema to not have any effect. Instead validate the configuration
used to produce the ARM client before attempting to use it during
provider configuration.
throw an error:
* aws_sns_topic_subscription.checker: NotFound: Subscription does not
* exist
status code: 404, request id: b8ca0c27-1a62-57b3-8b96-43038a0ead86
Terraform wasn't refreshing the state when the topic gave a 404
This fix prevents tests incorrectly reporting dangling resources. It is
not sufficient to check just whether or not an error occurred when
iterating over the listed resources - checking the bool returned is also
required.
Remove the mime type validation since the part handler type allows for
custom types.
http://cloudinit.readthedocs.org/en/latest/topics/format.html#part-handler
The docs specify that if a part handler type is specified, one could use
custom mime types
Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com>
It was a mistake to switched fully to `==` when activating waiting for
capacity on updates in #3947. Users that didn't set `min_elb_capacity ==
desired_capacity` and instead treated it as an actual "minimum" would
see timeouts for every create, since their target numbers would never be
reached exactly.
Here, we fix that regression by restoring the minimum waiting behavior
during creates.
In order to preserve all the stated behavior, I had to split out
different criteria for create and update, criteria which are now
exhaustively unit tested.
The set of fields that affect capacity waiting behavior has become a bit
of a mess. Next major release I'd like to rework all of these into a
more consistently named block of config. For now, just getting the
behavior correct and documented.
(Also removes all the fixed names from the ASG tests as I was hitting
collision issues running them over here.)
Fixes#4792
of the database after creation. So we need to be able to
set the CharacterSetName on creation.
This is an option and will automagically default to
AL32UTF8.
The AWS SDK will give you an error message if you try to
apply this setting to other engines. The patch will only
report the character_set_name attribute, if CharacterSetName
is set on the instance.
Signed-off-by: Lars Bahner <lars.bahner@gmail.com>
Implementation notes:
* The hash implementation was not considering key value, causing "diffs
did not match" errors when a value was updated. Switching to default
HashResource implementation fixes this
* Using HashResource as a default exposed a bug in helper/schema that
needed to be fixed so the Set function is picked up properly during
Read
* Stop writing back values into the `key` attribute; it triggers extra
diffs when `default` is used. Computed values all just go into `var`.
* Includes a state migration to prevent unnecessary diffs based on
"key" attribute hashcodes changing.
In the tests:
* Switch from leaning on the public demo Consul instance to requiring a
CONSUL_HTTP_ADDR variable be set pointing to a `consul agent -dev`
instance to be used only for testing.
* Add a test that exposes the updating issues and covers the fixes
Fixes#774Fixes#1866Fixes#3023
These resources use ARM to get keys for the storage API, but then use
the storage REST API as per the ASM provider. The code is significantly
reworked with better logging and error handling. The key functions can
be reused for queues and file storage resources when they get added.
Just some cosmetics and some cleaning up to make the code fit in a
little better with the existing code. Functionally no changes are made
and the existing tests still pass.
Test failures indicate that this operation doesn't always take effect
immediately:
https://travis-ci.org/hashicorp/terraform/builds/103764466
Add a simple poll to retry a few times until it does.
```
--- PASS: TestAccMailgunDomain_Basic (1.51s)
```
Verified that this does the trick by looping the test and watching the
logs for the retry behavior to kick in.
This is an unusual resource (so far) in that it cannot be created in one
call, and instead must be created and the modified to set some of the
parameters.
We use the pollIndefinitelyWhileNeeded function which will continue to
poll Azure RM operation monitoring endpoints until an error is reported
or the operation meets one of the given status codes. The function was
originally part of this feature but was separated out in order to
unblock other work.
Currently there is no support for the "custom_domain" section of the
storage account API. This was originally present and was later taken out
of the scope of the storage account resource in order that the following
workflow can be used:
1. Create storage account
2. Create DNS CNAME entry once the account name is known
3. Create custom domain mapping
This adds a pollIndefinitelyWhileNeeded function which will continue to
poll Azure RM operation monitoring endpoints until an error is reported
or the operation meets one of the given status codes. This may need
revisiting at some point in the future.
When parsing resource IDs (probably incorrectly since they are URIs and
should therefore be opaque), we need to look for "resourcegroups" in
addition to "resourceGroups" because the Azure CDN resources return that
in their URIs.
Unfortunately the casing semantics of the rest of the string are not
clear, so downcasing the entire URI is probably best avoided. This is a
fix for a single case.
Fixes#4721. It seems there may be some eventual consistency in the API
for network ACLs. This fix doesn't use resource.WaitForState() as there
the NACL is not something that can be looked up by ID and has a
property which determines if it is present.
Instead we reuse the findNetworkAclRule function which the Read function
exhibiting the problem uses, and retry over a 3 minute period, returning
an error message informing the user that running `terraform apply` again
will likely allow them to continue.
http and https SNS topic subscription endpoints require confirmation to set a valid arn otherwise
arn would be set to "pending confirmation". If the endpoints auto confirm then arn is set
asynchronously but if we try to create another subscription with same parameters then api returns
"pending subscription" as arn but does not create another a duplicate subscription. In order to
solve this we should be fetching the subscription list for the topic and identify the subscription
with same parameters i.e., protocol, topic_arn, endpoint and extract the subscription arn.
Following changes were made to support the http/https endpoints that auto confirms
1. Added 3 extra parameters i.e.,
1. endpoint_auto_confirms -> boolean indicates if end points auto confirms
2. max_fetch_retries -> number of times to fetch subscription list for the topic to get the subscription arn
3. fetch_retry_delay -> delay b/w fetch subscription list call as the confirmation is done asynchronously.
With these parameters help added support http and https protocol based endpoints that auto confirm.
2. Update website doc appropriately
In most cases private keys are used to produce certs and cert requests,
but there are some less-common cases where the PEM-formatted keypair is
used alone. The public_key_pem attribute supports such cases.
This also includes a public_key_openssh attribute, which allows this
resource to be used to generate temporary OpenSSH credentials, so that
e.g. a Terraform configuration could generate its own keypair to use
with the aws_key_pair resource. This has the same caveats as all cases
where we generate private keys in Terraform, but could be useful for
temporary/throwaway environments where the state either doesn't live for
long or is stored securely.
This builds on work started by Simarpreet Singh in #4441 .
The render code path in `template_file` was doing unsynchronized access
to a shared mapping of functions in `config.Func`.
This caused a race condition that was most often triggered when a
`template_file` had a `count` of more than one, and expressed itself as
a panic in the plugin followed by a cascade of "unexpected EOF" errors
through the plugin system.
Here, we simply turn the FuncMap from shared state into a generated
value, which avoids the race. We do more re-initialization of the data
structure, but the performance implications are minimal, and we can
always revisit with a perf pass later now that the race is fixed.
This adds acceptance tests for specifying extra hosts on Docker
containers. It also renames the repeating block from `hosts` to `host`,
which reads more naturally in the schema when multiple instances of the
block are declared.
When a Packet provision exceeds our time limit, we move the device to an
internal project for Packet staff to investigate. When this happens, the
original user no longer has access to the device, and they get a 403.
These changes make that and other external state changes more pleasant for
users of Terraform.
This allows specification of the profile for the shared credentials
provider for AWS to be specified in Terraform configuration. This is
useful if defining providers with aliases, or if you don't want to set
environment variables. Example:
$ aws configure --profile this_is_dog
... enter keys
$ cat main.tf
provider "aws" {
profile = "this_is_dog"
# Optionally also specify the path to the credentials file
shared_credentials_file = "/tmp/credentials"
}
This is equivalent to specifying AWS_PROFILE or
AWS_SHARED_CREDENTIALS_FILE in the environment.
Asserting on the value of `latest` on an image is prone to failing
because of new images being pushed upstream. Instead of asserting on a
hash, we assert that the value matches a regular expression for the
format of an image hash.
When spinning up from a snapshot or a read replica, these fields are
now optional:
* allocated_storage
* engine
* password
* username
Some validation logic is added to make these fields required when
starting a database from scratch.
The documentation is updated accordingly.
Some resources can only be queried via the network configuration - if
the network configuration does not exist we were failing, however that
is a desirable state since without a network configuration for the
subscription the resources in question cannot exist.
Generate bucket names and object names per test instead of once at the
top level. Should help avoid failures like this one:
https://travis-ci.org/hashicorp/terraform/jobs/100254008
All storage tests checked on this commit:
```
TF_ACC=1 go test -v ./builtin/providers/google -run TestAccGoogleStorage
=== RUN TestAccGoogleStorageBucketAcl_basic
--- PASS: TestAccGoogleStorageBucketAcl_basic (8.90s)
=== RUN TestAccGoogleStorageBucketAcl_upgrade
--- PASS: TestAccGoogleStorageBucketAcl_upgrade (14.18s)
=== RUN TestAccGoogleStorageBucketAcl_downgrade
--- PASS: TestAccGoogleStorageBucketAcl_downgrade (12.83s)
=== RUN TestAccGoogleStorageBucketAcl_predefined
--- PASS: TestAccGoogleStorageBucketAcl_predefined (4.51s)
=== RUN TestAccGoogleStorageObject_basic
--- PASS: TestAccGoogleStorageObject_basic (3.77s)
=== RUN TestAccGoogleStorageObjectAcl_basic
--- PASS: TestAccGoogleStorageObjectAcl_basic (4.85s)
=== RUN TestAccGoogleStorageObjectAcl_upgrade
--- PASS: TestAccGoogleStorageObjectAcl_upgrade (7.68s)
=== RUN TestAccGoogleStorageObjectAcl_downgrade
--- PASS: TestAccGoogleStorageObjectAcl_downgrade (7.37s)
=== RUN TestAccGoogleStorageObjectAcl_predefined
--- PASS: TestAccGoogleStorageObjectAcl_predefined (4.16s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/google 68.275s
```
* Add SSH Keys to all droplets in tests, this prevents acctests from
spamming account owner email with root password details
* Add a new helper/acctest package to be a home for random string / int
implementations used in tests.
* Insert some random details into record tests to prevent collisions
* Normalize config style in tests to hclfmt conventions
This fixes create aws_route_table resources in regions which do not
support the NAT Gateway yet (e.g. eu-central) - unless a value is
explicitly set in which case the API call will fail until such time as
NAT Gateway is supported.
Fixes#4499.
This commit adds the various states (taken from the RDS documentation
here: http://amzn.to/1OHqi6g) to the list of allowable pending states
when creating an RDS instance.
In particular, `resetting-master-credentials` is returned when creating
an `aws_db_instance` from a snapshot. Fixes#4477.
vmutils.ConfigureDeploymentFromVMImage has been changed to
vmutils.ConfigureDeploymentFromPublishedVMImage in the upstream library
- this allows us to build.
This diff represents the changes necessary to make local network
gateway tests pass:
- Parse the resource ID instead of relying on attributes
- Remove unecessary logging (which is handled via the autorest wrapper)
- Resource GUID is removed - if this is actually required for anything
we may need to find a way to supress it during apply, as we get
spurious diffs in plans otherwise.
- Various typos fixed.
Can only assert that the load balancer is gone, since the test suite
deletes everything, and the load balancer is the way you get to the
proxy protocol policy.
* Fixup Exists and CheckDestroy assertions
* Make ingress/egress computed on network_acl, otherwise you could
never use network_acl_rule with a managed network_acl without a
perpetual diff.
As I was fixing up the AccTests to not depend on a single existing IAM
role (which this commit does), I noticed that without some sleeping that
the kinesis_firehose_delivery_stream would often come back with:
```
msg: Firehose is unable to assume role {{arn}}. Please check the role provided.
code: InvalidArgumentException
```
Similar to the strategy taken in aws_instance with IAM Instance Profile errors,
I dropped in a simple retry loop which seemed to take care of the issue. Seems
that the same permission propagation delays apply here too.
The original implmentation was missing headers to denote mime version &
content transfer encoding, this caused issues with EC2.
Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com>
This adds a new resource to template to generate multipart cloudinit
configurations to be used with other providers/resources.
The resource has the ability gzip and base64 encode the parts.
also removed the notion of tags from the redshift security group and
parameter group documentation until that has been implemented
Redshift Cluster CRUD and acceptance tests
Removing the Acceptance test for the Cluster Updates. You cannot delete
a cluster immediately after performing an operation on it. We would need
to add a lot of retry logic to the system to get this test to work
Adding some schema validation for RedShift cluster
Adding the last of the pieces of a first draft of the Redshift work - this is the documentation
Changed the aws_redshift_security_group and aws_redshift_parameter_group
to remove the tags from the schema. Tags are a little bit more
complicated than originally though - I will revisit this later
Then added the schema, CRUD functionality and basic acceptance tests for
aws_redshift_subnet_group
Adding an acceptance test for the Update of subnet_ids in AWS Redshift Subnet Group
This action is almost exactly the same as creating a SimpleAD so we
reuse this resource and allow the user to specify the type when creating
the directory (ignoring the size if the type is MicrosoftAD).
This commit adds the openstack_lb_member_v1 resource. This resource models a
load balancing member which was previously coupled to the openstack_lb_pool_v1
resource.
By creating an actual member resource, load balancing members can now be
dynamically managed through terraform.
- Add documentation for resources
- Rename files to match standard patterns
- Add acceptance tests for resource groups
- Add acceptance tests for vnets
- Remove ARM_CREDENTIALS file - as discussed this does not appear to be
an Azure standard, and there is scope for confusion with the
azureProfile.json file which the CLI generates. If a standard emerges
we can reconsider this.
- Validate credentials in the schema
- Remove storage testing artefacts
- Use ARM IDs as Terraform IDs
- Use autorest hooks for logging
This commit cleans up some of the work on the Azure ARM provider
following review by @phinze. Specifically:
- Unnecessary ASM-targeted tests are removed
- Validation is added to the `resource_group` resource
- `dns_servers_names` -> `dns_servers` as per the API documentation
- AZURE_SUBSCRIPTION_ID environment variable is renamed to be
ARM_SUBSCRIPTION_ID in order to match the other environment variables
This commit brings some of the work over from #3808, but rearchitects to
use a separate provider for Azure Resource Manager. This is in line with
the decisions made by the Azure Powershell Cmdlets, and is important for
usability since the sets of required fields change between the ASM and
ARM APIs.
Currently `azurerm_resource_group` and `azurerm_virtual_network` are
implemented, more resources will follow.
Each call to the Kinesis DescribeStream API returns a limited number of
shards. When interrogating AWS for the state of a Kinesis stream, the
client needs to page through the API's responses to get the true number
of shards.
It seems that not all Rundeck servers consistently return the project name
when retrieving a job. Not yet sure in what situations it is or isn't
returned, but since jobs are not allowed to move between projects anyway
it doesn't hurt to just skip refreshing it if the server provides no
value.
vmImageClient.ListVirtualMachineImages takes a parameter as of
68d50cb53a73edfeb7f17f5e86cdc8eb359a9528 in Azure/azure-sdk-for-go .
Passing in a parameters object whose members are all empty strings seems
to restore the previous behavior.
This change better reflects how block devices are passed to the Nova API
and allows for future enablement of block_device features. It also resolves
an interpolation bug.