Fixes#2439
Port used to ForceNew, it has now been changed to allow it to be
updated. 2 changes were needed:
1. Setting the port back to state
2. Adding the wait for state function to the Update func
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSDBInstance_portUpdate'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSDBInstance_portUpdate -timeout 120m
=== RUN TestAccAWSDBInstance_portUpdate
--- PASS: TestAccAWSDBInstance_portUpdate (699.84s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 699.861s
```
Previously, the `stage_key` were not being set back to state in the Read
func. Changing this means the tests now run as follows:
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSAPIGatewayApiKey_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSAPIGatewayApiKey_ -timeout 120m
=== RUN TestAccAWSAPIGatewayApiKey_importBasic
--- PASS: TestAccAWSAPIGatewayApiKey_importBasic (42.42s)
=== RUN TestAccAWSAPIGatewayApiKey_basic
--- PASS: TestAccAWSAPIGatewayApiKey_basic (42.11s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 84.549s
```
We were not setting all the values in the read Func. One other issue, we
were setting the *wrong* db_parameter_name value to state
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSRDSClusterInstance_import'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSRDSClusterInstance_import -timeout 120m
=== RUN TestAccAWSRDSClusterInstance_importBasic
--- PASS: TestAccAWSRDSClusterInstance_importBasic (1201.80s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws
1201.814s
```
Fixes#7543 where creating a CloudWatch Group, then deleting it from the
console will cause no action on refresh / plan
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSCloudWatchLogGroup_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSCloudWatchLogGroup_ -timeout 120m
=== RUN TestAccAWSCloudWatchLogGroup_importBasic
--- PASS: TestAccAWSCloudWatchLogGroup_importBasic (18.10s)
=== RUN TestAccAWSCloudWatchLogGroup_basic
--- PASS: TestAccAWSCloudWatchLogGroup_basic (17.34s)
=== RUN TestAccAWSCloudWatchLogGroup_retentionPolicy
--- PASS: TestAccAWSCloudWatchLogGroup_retentionPolicy (49.81s)
=== RUN TestAccAWSCloudWatchLogGroup_multiple
--- PASS: TestAccAWSCloudWatchLogGroup_multiple (23.74s)
=== RUN TestAccAWSCloudWatchLogGroup_disappears
--- PASS: TestAccAWSCloudWatchLogGroup_disappears (15.78s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 124.789s
```
Previously, any old HTTP error would be treated as the security_group_rule being
deleted. In reality there are only a few cases where this is the right
assumption.
This workaround is originally from 71b30c633f.
According to the commit message from Mitchell Hashimoto:
So I think the AWS API is just broken here. In the case that the state
doesn't update, just assume it did after 5 seconds.
Based on my experience, this AWS API is still broken in the same way.
The timeout was later increased from 5 seconds to 10 seconds in
265cc4fffa.
The timeout (but not the timer) was removed inexplicably in GH-1325.
The symptom is this error from `terraform apply`:
aws_internet_gateway.test: Error waiting for internet gateway (igw-553b4731) to attach: timeout while waiting for state to become '[available]'
followed by all subsequent `terraform apply` commands failing with this error:
aws_internet_gateway.test: Resource.AlreadyAssociated: resource igw-553b4731 is already attached to network vpc-61bc7606
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSRedshiftCluster_importBasic'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSRedshiftCluster_importBasic -timeout 120m
=== RUN TestAccAWSRedshiftCluster_importBasic
--- PASS: TestAccAWSRedshiftCluster_importBasic (623.52s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 623.546s
```
```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSESReceiptFilter_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSSESReceiptFilter_ -timeout 120m
=== RUN TestAccAWSSESReceiptFilter_importBasic
--- PASS: TestAccAWSSESReceiptFilter_importBasic (18.18s)
=== RUN TestAccAWSSESReceiptFilter_basic
--- PASS: TestAccAWSSESReceiptFilter_basic (18.42s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 36.633s
```
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSESReceiptRuleSet_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSSESReceiptRuleSet_ -timeout 120m
=== RUN TestAccAWSSESReceiptRuleSet_importBasic
--- PASS: TestAccAWSSESReceiptRuleSet_importBasic (18.60s)
=== RUN TestAccAWSSESReceiptRuleSet_basic
--- PASS: TestAccAWSSESReceiptRuleSet_basic (26.92s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 45.550s
```
JUst needed some rejigging of the skip_final_snapshot work as that isn't
returned by the API and skipping it means the destroy fails due to
missing final_snapshot_identifier
```
% make testacc TEST=./builtin/providers/aws
% TESTARGS='-run=TestAccAWSDBInstance_' ✹ ✭
==> Checking that code complies with gofmt requirements...
/Users/stacko/Code/go/bin/stringer
go generate $(go list ./... | grep -v /vendor/)
2016/07/07 15:28:31 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSDBInstance_
-timeout 120m
=== RUN TestAccAWSDBInstance_importBasic
--- PASS: TestAccAWSDBInstance_importBasic (588.70s)
=== RUN TestAccAWSDBInstance_basic
--- PASS: TestAccAWSDBInstance_basic (595.71s)
=== RUN TestAccAWSDBInstance_kmsKey
--- PASS: TestAccAWSDBInstance_kmsKey (726.46s)
=== RUN TestAccAWSDBInstance_optionGroup
--- PASS: TestAccAWSDBInstance_optionGroup (681.78s)
=== RUN TestAccAWSDBInstance_iops_update
--- PASS: TestAccAWSDBInstance_iops_update
(590.81s)
```
Please note that I cannot run the enhanced monitoring test in my
environment as I have already got it attached to an IAM role. Running
that test gives me this result:
```
```
The symptom is that a route "fails" to create, then every subsequent
`terraform apply` fails with RouteAlreadyExists.
CreateRoute was succeeding but the very next DescribeRouteTables
was not listing the new route.
This fixes#7157. It doesn't change the way aws_ami works
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSAMICopy'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSAMICopy
-timeout 120m
=== RUN TestAccAWSAMICopy
--- PASS: TestAccAWSAMICopy (479.75s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 479.769s
```
Fixes#7433
When an EFS File System is created via Terraform, Deleted from the AWS
console, then Terraform would give us as error as:
```
* aws_efs_file_system.file_system: FileSystemNotFound: File system
'fs-9d739e54' does not exist.
status code: 404, request id:
d505a682-3ec7-11e6-81d3-1d41202f0881
```
On a 404, we now remove the EFS File System from state so that Terraform
can recreate it as expected
allows load balancer policies and their assignment to backend servers or listeners to be configured independently.
this gives flexibility to configure additional policies on aws elastic load balancers aside from the already provided "convenience" wrappers for cookie stickiness
This test function tests both VPC and Classic EC2 modes, but not
all accounts have support for both. Splitting them makes it
easier to understand why a test fails when an account only
supports the VPC mode.
* Added support for redshift destination to firehose delivery streams
* Small documentation fix
* go fmt after rebase
* small fixes after rebase
* provider/aws: Firehose test cleanups
* provider/aws: Update docs
* Convert Redshift and S3 blocks to TypeList
* provider/aws: Add migration for S3 Configuration in Kinesis firehose
* providers/aws: Safety first when building Redshift config options
* restore commented out log statements in the migration
* provider/aws: use MaxItems in schema
* fixed go vet issues on aws provider in master
* added support for dns, dns options and dns search for docker container.
On docker container resource you can specify dns_opts nad dns_search
which maps directly to docker --dns_opt and --dns_search parameters.
Allowing users to setup the embedded dns settings for their containers.
* fixed the asserts for the new features in tests.
fixed tests around DNS, DNS_OPTS and DNS_SEARCH
Fixes an issue where terraform plan or apply will always have a diff.
The Elastic Beanstalk API returns data for the `resource` attribute for
some settings that are not documented. This limits the `resource`
attribute to settings in the `aws:autoscaling:scheduledaction`
namespace.
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSVPCPeeringConnection_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSVPCPeeringConnection_ -timeout 120m
=== RUN TestAccAWSVPCPeeringConnection_importBasic
--- PASS: TestAccAWSVPCPeeringConnection_importBasic (42.58s)
=== RUN TestAccAWSVPCPeeringConnection_basic
--- PASS: TestAccAWSVPCPeeringConnection_basic (45.00s)
=== RUN TestAccAWSVPCPeeringConnection_plan
--- PASS: TestAccAWSVPCPeeringConnection_plan (40.92s)
=== RUN TestAccAWSVPCPeeringConnection_tags
--- SKIP: TestAccAWSVPCPeeringConnection_tags (0.00s)
resource_aws_vpc_peering_connection_test.go:85: Error: TestAccAWSVPCPeeringConnection_tags requires a peer id to be set
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 128.517s
```
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSAPIGatewayAccount_importBasic'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSAPIGatewayAccount_importBasic -timeout 120m
=== RUN TestAccAWSAPIGatewayAccount_importBasic
--- PASS: TestAccAWSAPIGatewayAccount_importBasic (16.43s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 16.450s
```
FYI @catsby
The acceptance test was throwing the error:
```
* aws_elb.main: DuplicateLoadBalancerName: Load Balancer named
* foobar-terraform-elb already exists and it is configured with
* different parameters.
```
So randomized the name and the test still passes as expected:
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSRoute53Record_alias'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSRoute53Record_alias -timeout 120m
=== RUN TestAccAWSRoute53Record_alias
--- PASS: TestAccAWSRoute53Record_alias (97.70s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 97.722s
```
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSVpnConnection_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSVpnConnection_ -timeout 120m
=== RUN TestAccAWSVpnConnection_importBasic
--- PASS: TestAccAWSVpnConnection_importBasic (201.02s)
=== RUN TestAccAWSVpnConnection_basic
--- PASS: TestAccAWSVpnConnection_basic (336.38s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 537.426s
```
Had to change the way that the tests were working to include a random sqs-queue name due to this error:
```
`aws_sqs_queue.test_queue: Error creating SQS queue: AWS.SimpleQueueService.QueueDeletedRecently: You must wait 60 seconds after deleting a queue before you can create another with the same name.
status code: 400, request id: b58e800a-ae27-556e-b6de-cfe1bbf9dc09``
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSNSTopicSubscription_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSNSTopicSubscription_ -timeout 120m
=== RUN TestAccAWSSNSTopicSubscription_importBasic
--- PASS: TestAccAWSSNSTopicSubscription_importBasic (24.44s)
=== RUN TestAccAWSSNSTopicSubscription_basic
--- PASS: TestAccAWSSNSTopicSubscription_basic (25.26s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 49.722s
```
* Add SES resource
* Detect ReceiptRule deletion outside of Terraform
* Handle order of rule actions
* Add position field to docs
* Fix hashes, add log messages, and other small cleanup
* Fix rebase issue
* Fix formatting
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSIAMAccountPasswordPolicy_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSIAMAccountPasswordPolicy_ -timeout 120m
=== RUN TestAccAWSIAMAccountPasswordPolicy_importBasic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_importBasic (14.75s)
=== RUN TestAccAWSIAMAccountPasswordPolicy_basic
--- PASS: TestAccAWSIAMAccountPasswordPolicy_basic (26.06s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 40.831s
```
Small change to the test as it was failing sometimes as it was using the
same identifier. The small change has made it more stable when running
it in quick succession as it isn't an update
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSIAMGroup_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSIAMGroup_
-timeout 120m
=== RUN TestAccAWSIAMGroup_importBasic
--- PASS: TestAccAWSIAMGroup_importBasic (14.14s)
=== RUN TestAccAWSIAMGroup_basic
--- PASS: TestAccAWSIAMGroup_basic (22.88s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 37.040s
```
The Id wasn't being set until after the Read func returned from the API.
I needed to move that Id set up until just after the Create response
returned
The same Id's have been set - username
```
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSUser_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSUser_
-timeout 120m
=== RUN TestAccAWSUser_importBasic
--- PASS: TestAccAWSUser_importBasic (14.24s)
=== RUN TestAccAWSUser_basic
--- PASS: TestAccAWSUser_basic (24.99s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 39.261s
```
Changes required:
* ECR Read func doesn't need to take ``registry_id` as it uses the
current account Id
* `name` wasn't being set in the ECR Read so the import was failing as
name wasn't found
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSEcrRepository_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSEcrRepository_ -timeout 120m
=== RUN TestAccAWSEcrRepository_importBasic
--- PASS: TestAccAWSEcrRepository_importBasic (17.37s)
=== RUN TestAccAWSEcrRepository_basic
--- PASS: TestAccAWSEcrRepository_basic (16.05s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 33.437s
```
this datasource allows terraform to work with externally modified state, e.g.
when you're using an ECS service which is continously updated by your CI via the
AWS CLI.
right now you'd have to wrap terraform into a shell script which looks up the
current image digest, so running terraform won't change the updated service.
using the aws_ecs_container_definition data source you can now leverage
terraform, removing the wrapper entirely.
If an AWS Cookie Stickiness Policy is removed from the listener in
the AWS console the policy isn't deleted. Cross reference the policy
name with those assigned to the listener to determine if the policy
is actually being used.
Since this resource produces a list it feels more intuitive to give its
attribute a plural name, and since the noun "instance" already means
something specific in the AWS provider that doesn't apply here we use
"names" to indicate that these are availability zone names.
Also includes updating the docs to not show a dynamic count example for
now, since we don't support that yet.
When reading an AppCookieStickinessPolicy check for LoadBalancerNotFound
as well as PolicyNotFound. This prevents errors when when destroying a
policy on an ELB that no longer exists.
false
Fixes#7035
A known issue in Terraform means that d.GetOk() on a bool which is false
will mean it doesn't get evaulated. Therefore, when people set
publicly_accessible to false, it will never get evaluated on the Create
We are going to make it default to false now
Fixed the problem where the root_block_device could cause an apply error
by reading back an "encrypted" parameter that was meant for an
ebs_block_device. "encrypted" is not part of the root_block_device
schema, since it can't be set explicitly.
Added a check in Create to fail when the root device is incorrectly
specified as an ebs_block_device, as this causes continual refreshing
due to mismatched state between root_block_device and ebs_block_device.
"encrypted" and "snapshot_id" should be guarded with ConflictsWith, but
that doesn't appear to work on nested resources despite #1926.
Fixes#7062
make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSElasticacheSubnetGroup'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSElasticacheSubnetGroup -timeout 120m
=== RUN TestAccAWSElasticacheSubnetGroup_basic
--- PASS: TestAccAWSElasticacheSubnetGroup_basic (44.62s)
=== RUN TestAccAWSElasticacheSubnetGroup_update
--- PASS: TestAccAWSElasticacheSubnetGroup_update (73.74s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 118.379s
* pr-6865:
provider/aws: Add db_param group to RDS Cluster Instance test
remove status attribute
support aurora instance's parameter group and modifyinstance
When VPC is detached from VPN gateway, its VpcAttachment stays in place
just with state changed to "detached". Since terraform was not checking
attachment state, it used to think VPC gateway was still attached.
Add the iam_arn attribute to aws_cloudfront_origin_access_identity,
which computes the IAM ARN for a certain CloudFront origin access
identity.
This is necessary because S3 modifies the bucket policy if CanonicalUser
is sent, causing spurious diffs with aws_s3_bucket resources.
This brings over the work done by @apparentlymart and @radeksimko in
PR #3124, and converts it into a data source for the AWS provider:
This commit adds a helper to construct IAM policy documents using
familiar Terraform concepts. It makes Terraform-style interpolations
easier and resolves the syntax conflict between Terraform interpolations
and IAM policy variables by changing the latter to use &{...} for its
interpolations.
Its use is completely optional and users are free to go on using literal
heredocs, file interpolations or whatever else; this just adds another
option that fits more naturally into a Terraform config.
This an effort to address hashicorp/terraform#516.
Adding the Sensitive attribute to the resource schema, opening up the
ability for resource maintainers to mark some fields as sensitive.
Sensitive fields are hidden in the output, and, possibly in the future,
could be encrypted.
Closing off my other AWS availability zone branch, I'm adding tests for
the existing aws_availability_zones data source.
This closeshashicorp/terraform#4848.
This data source allows one to look up the most recent AMI for a specific
set of parameters, much like aws ec2 describe-images in the AWS CLI.
Basically a refresh of hashicorp/terraform#4396, in data source form.
* Add per user, role and group policy attachment
* Add docs for new IAM policy attachment resources.
* Make policy attachment resources manage only 1 entity<->policy attachment
* provider/aws: Tidy up IAM Group/User/Role attachments
When two rules differ only in source security group, EC2 APIs return
them as a single rule, but Terraform requires separate
aws_security_group_rule resources.
6bdab07174 changed Read to set source_security_group_id (and
cidr_blocks) from the rule returned from EC2 and chose the first
source_security_group_id arbitrarily, which is wrong.
Makes TestAccAWSSecurityGroupRule_PartialMatching_Source pass again.
Also adds a comment noting that there is a bug in the new resource
importing feature.
Fixes#6728.
This commit adds a data source with a single list, `instance` for the
schema which gets populated with the availability zones to which an
account has access.
resource
We had a line on the Update func that said:
```
Hash key can only be specified at creation, you cannot modify it.
```
The resource has now been changed to ForceNew on the hashkey
```
aws_dynamodb_table.demo-user-table: Refreshing state... (ID: Users)
aws_dynamodb_table.demo-user-table: Destroying...
aws_dynamodb_table.demo-user-table: Destruction complete
aws_dynamodb_table.demo-user-table: Creating...
aws_dynamodb_table.demo-user-table: Creation complete
```
When stage_name is not passed to the resource
aws_api_gateway_deployment a terraform apply will fail. This is
because the stage_name is required and not optional.
By default, group membership queries return pages of 100 users at a
time. Because of this, if there are more than 100 users in an
aws_iam_group_membership resource, the resource always reports as
needing to be changed (because it only sees 100 of the users as
existing in the group).
The group membership now queries all pages.
Fixes#6722
As requested in #4822, add support for a KMS Key ID (ARN) for Db
Instance
```
make testacc TEST=./builtin/providers/aws
TESTARGS='-run=TestAccAWSDBInstance_kmsKey' 2>~/tf.log
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /vendor/)
TF_ACC=1 go test ./builtin/providers/aws -v
-run=TestAccAWSDBInstance_kmsKey -timeout 120m
=== RUN TestAccAWSDBInstance_basic
--- PASS: TestAccAWSDBInstance_basic (587.37s)
=== RUN TestAccAWSDBInstance_kmsKey
--- PASS: TestAccAWSDBInstance_kmsKey (625.31s)
PASS
ok github.com/hashicorp/terraform/builtin/providers/aws 1212.684s
```
missing
Fixes#6625
When an SNS topic subscription was created with TF and then removed via
the AWS Console, Terraform threw an error:
```
* aws_sns_topic_subscription.testme: NotFound: Subscription does not
* exist
status code: 404, request id: a22e7ed7-3630-5a8a-b767-317ac1440e24
```
This PR will remove the topic subscription from state on a NotFound and
will then readd the subscripton
`on_premises_instance_tag_filter`
When setting `on_premises_instance_tag_filter`, Terraform was not
pushing the changes on the cReate (due to a spelling mistake). A second
apply would push the tags and then cause a panic. Terraform was building
a ec2.Tagfilter struct without checking for optional values. When the
TagFilter was being dereferenced, it caused a panic
The `name` attribute will always be normalized to a FQDN, with a trailing "dot"
at the end when returned from the API.
We store the name as it's provided in the configuration, so "www" stays as "www"
and "www.terraformtesting.io." stays as "www.terraformtesting.io.".
The problem here is that if we use a full name as above, and the configuraiton
does *not* include the trailing dot, the API will return a version that does,
and we'll have a conflict.
This is particularly bad when we have a lifecycle block with
`create_before_destroy`; the record will get an update posted (which ends up
being a no-op on AWS's side), but then we'll delete the same record immediately
after, resulting in no record at all.
This PR addresses that by trimming the trailing dot from the `name` when saving
to state. We migrate existing state to match, to avoid false-positive diffs.
* New top level AWS resource aws_eip_association
* Add documentation for aws_eip_association
* Add tests for aws_eip_association
* provider/aws: Change `aws_elastic_ip_association` to have computed
parameters
The AWS API was send ing more parameters than we had set. Therefore,
Terraform was showing constant changes when plans were being formed
Added the hosted_zone_id attribute, which aliases to the Route 53
zone ID that can be used to route Alias Resource Record Sets to.
This fixeshashicorp/terraform#6489.
Change the AWS DB Instance to now include the DB Option Group param. Adds a test to prove that it works
Add acceptance tests for the AWS DB Option Group work. This ensures that Options can be added and updated
Documentation for the AWS DB Option resource
automated_snapshot_retention_period
The default value for `automated_snapshot_retention_period` is 1.
Therefore, it can be included in the `CreateClusterInput` without
needing to check that it is set.
This was actually stopping people from setting the value to 0 (disabling
the snapshots) as there is an issue in `d.GetOk()` evaluating 0 for int
- Addresses the issue when local state file has logging_config populated and the user
disables the configuration via the UI (or in this case an
application of the TF config). This will now properly set the
logging_config during the read operation and identify the state as
diverging
Fixes#6390
* TF-6256 - SG Rule Retry
- Preferring slower but consistent runs when AWS API calls do not properly return the SG Rule in the list of ingress/egress rules.
- Testing has shown that several times that we had to exceed 20 attempts
before the SG was actually returned
* TF-6256 - Refactor of rule lookup
- Adjusting to use resource.Retry
- Extract lookup method for matching ipPermissions set
* provider/aws - CloudFront custom_error_response fixes for missing
- Omit custom_error_response response_* fields when not explicitly set via config for
SDK call
- Adding a test case to ensure that the response_error gets converted
to an empty string properly, versus "0". (Thanks @vancluever)
Fixes#6342
* - Fixing ACC test case resource names
When an SQS queue was deleted from the AWS Console, an error was thrown
to say that the Queue could not be found. This is now fixed to remove
the queue from the state on a specific not found exception
The "find route in table" helper code was not properly handling routes
with no destination CIDR block - like vpc_endpoint routes - so if one of
those routes would come up before the target route in the loop, we'd get
a crash.
Fixes#6337
* Updated `aws_elastic_beanstalk_environment` to update environment when the `template_name` attribute has a change. Consildated update functions to use a single update call and added state change conf to wait until environment is in a "Ready" state.
* Adding tests for `aws_elastic_beanstalk_configuration_template` use with the `aws_elastic_beanstalk_environment` resource.
* Verifies option settings from an `aws_elastic_beanstalk_configuration_template` resource are applied to the associated `aws_elastic_beanstalk_environment` resource
* Verifies updated name of an `aws_elastic_beanstalk_configuration_template` resource triggers an update for the associated `aws_elastic_beanstalk_environment` resource
* Verifies that option settings set in the `aws_elastic_beanstalk_environment` resource override settings in the `aws_elastic_beanstalk_configuration_template` resource
Currently, the number of nodes was broken due to not passing the
node_type with the update. This PR adds the correct parameters and a
test to prove this works as expected
The validation as part of #6330 was only for length. This PR adds the
rules for alphanumeric, not having -- within, not ending with a - and
that the id must start with a letter.
The PR also adds tests for these rules
When a directory service was not found, Terraform was panicking due to
`dir := out.DirectoryDescriptions[0]`. The AWS API doesn't throw an
Error in this case. IT just return s0 results. Therefore, we should
check for 0 results in the return and remove the directory from the
state
* provider/aws: Fix hashing on CloudFront certificate parameters
Adding necessary type assertion to values on the viewer_certificate hash
function to ensure that certain fields are indeed not zero string
values, versus simply zero interface{} values (aka nil, as is such for a
map[string]interface{}).
* provider/aws: CloudFront complex structure error handling
Handle errors better on calls to d.Set() in the
aws_cloudfront_distribution, namely in flattenDistributionConfig(). Also
caught a bug in the setting of the origin attribute, was incorrectly
attempting to set origins.
* provider/aws: Pass pointers to set CloudFront primitives
Change a few d.Set() for primitives in aws_cloudfront_distribution and
aws_cloudfront_origin_access_identity to use the pointer versus a
dereference.
* docs: Fix CloudFront examples formatting
Ran each example thru terraform fmt to fix indentation.
* provider/aws: Remove delete retention on CloudFront tests
To play better with Travis and not bloat the test account with disabled
distributions.
Disable-only functionality has been retained - one can enable it with
the TF_TEST_CLOUDFRONT_RETAIN environment variable.
* provider/aws: CloudFront delete waiter error handling
The call to resourceAwsCloudFrontDistributionWaitUntilDeployed() on
deletion of CloudFront distributions was not trapping error messages,
causing issues with waiter failure.
* provider/aws: Default Network ACL resource
Provides a resource to manage the default AWS Network ACL. VPC Only.
* Remove subnet_id update, mark as computed value. Remove extra tag update
* refactor default rule number to be a constant
* refactor revokeRulesForType to be revokeAllNetworkACLEntries
Refactor method to delete all network ACL entries, regardless of type. The
previous implementation was under the assumption that we may only eliminate some
rule types and possibly not others, so the split was necessary.
We're now removing them all, so the logic isn't necessary
Several doc and test cleanups are here as well
* smite subnet_id, improve docs
As with several other sensitive values in Opsworks, the API returns a
placeholder value rather than a nil. To avoid writing the placeholder
value into the state we just skip updating the password on read, letting
whatever value was in the state persist.
This means that Terraform can't detect configuration drift where someone
has changed the password via some other means, but Terraform will still
be able to recognize changes to the password made within Terraform itself
due to the "last-written" value in the state.
This fixes#6192.
Other separate changes to testAccOpsworksStackConfigNoVpcCreate caused
this to begin failing because it was attempting to create a stack with
an empty name.
Previously in Update we would only set req.CustomJson if a non-empty
value was provided in the config. It seems that the Opsworks API considers
a null CustomJson to mean "do not change" rather than "set to empty",
so we need to explicitly set the empty string in the request body in
order to successfully remove an already-configured custom JSON.
* CloudFront implementation v3
* Update tests
* Refactor - new resource: aws_cloudfront_distribution
* Includes a complete re-write of the old aws_cloudfront_web_distribution
resource to bring it to feature parity with API and CloudFormation.
* Also includes the aws_cloudfront_origin_access_identity resource to generate
origin access identities for use with S3.
* Improve testing of CodeDeploy DeploymentGroup Trigger Configs
- ensure updates to trigger_events are applied
- assert changes to trigger_target_arn
* Retry CodeDeploy DeploymentGroup when Trigger Config SNS Topic is not available
- increase retries from 2 => 5
* Don't Base64-encode EC2 userdata if it is already Base64 encoded
The user data may be Base64 encoded already - for example, if it has been
generated by a template_cloudinit_config resource.
* Add encoded user_data to aws_instance acceptance test
* Issue #2174 Check that InternetGateway exists before returning from creation
Fix some random InvalidInternetGatewayID.NotFound errors
* Issue #2174 Reuse IGStateRefreshFunc
* Issue #2174 Need to wait for creation before setting tags
* provider/aws: CodeDeploy Deployment Group Triggers
- Create a Trigger to Send Notifications for AWS CodeDeploy Events
- Update aws_codedeploy_deployment_group docs
* Refactor validateTriggerEvent function and test
- also rename TestAccAWSCodeDeployDeploymentGroup_triggerConfiguration test
* Enhance existing Deployment Group integration tests
- by using built in resource attribute helpers
- these can get quite verbose and repetitive, so passing the resource to a function might be better
- can't use these (yet) to assert trigger configuration state
* Unit tests for conversions between aws TriggerConfig and terraform resource schema
- buildTriggerConfigs
- triggerConfigsToMap
* provider/aws: Add more Randomization to DB Parameter Group Tests, to avoid collisions
* provider/aws: Add more randomization to Autoscaling group tests
* provider/aws: test empty plan with sns_topic policy with random order
If we setup a sns_topic policy with a policy with a different order
to the one set by the AWS API, terraform plan will be not empty between
runs.
* provider/aws: normalize json policy for sns topic
For the policy attribute of the resource aws_sns_topic, AWS returns the policy
in JSON format with the fields in a different order.
If we store and compare the values without normalizing, terraform
will unnecesary trigger and update of the resource.
To avoid that, we must add a normalization function in the StateFunc of
the policy attribute and also when we read the attribute from AWS.
When calling AssociateAddress, the PrivateIpAddress parameter must be
used to select which private IP the EIP should associate with, otherwise
the EIP always associates with the _first_ private IP.
Without this parameter, multiple EIPs couldn't be assigned to a single
ENI. Includes covering test and docs update.
Fixes#2997
Previously the format string was using %#v, which prints the whole data structure given.
Instead we want to use %s to get the string representation of the error.
This fixes#6038.
Normalise the event_pattern of the aws_cloudwatch_event_rule resource
before uploading it to AWS.
AWS seems to accept a event_pattern with a JSON with new lines, but then
the rule does not seem to work. Creating the rule in the AWS console works,
but will setup the pattern as a json without newlines or spaces, and
display a formatted JSON.
Fix retry after removing associations by correctly checking and returning an
error. This should patch the VPC/Resource leak in our nightly acceptance tests.
The provider should, when working on a new repository without branches:
* Able to create a new repository even with default_branch defined.
* Able to create a new repository without default_branch, and do not fail
if default_branch is defined.
In AWS codecommit the default branch must have a value unless there are
no branches created, in which case it is not possible to set it to any value.
We query the existing branches and do not update the default branch
if there are none defined remotely.
This solves the issue of the initial creation of the repository with a
resource with `default_branch` defined.
AWS changed their error message, which was being used for detection of
the specific error that indicates we need to wait for IAM propagation.
Behavior is covered by a test now.
Fixes#5862
Unlike SimpleScaling policies, StepScaling policies require one or more
"steps", which are interval ranges in which a tracked metric can lie.
Policies can then execute scaling adjustments wedded to these steps.
This commit also adds a slew of additional policy attributes which are
only applicable to step policies.
Needed to truncate the identifier for SQL Server engines to keep it at
max 15 chars per the docs. Not a full UUID going into it, but should be
"unique enough" to not matter in practice.
Modified the basic test to use the generated value. Other tests are
still working w/ explicitly specified identifiers.
`publicly_accessible` to be changed
Also updated the AWS Go SDK from 1.1.9 -> 1.1.12 as this was required to
allow the new behavior for the Redshift API
Usage of a helper function was assuming that an error would be returned
in a not found condition, when in fact a nil pointer was
returned.
Attached test crashes w/o fix, passes with it.
Fixes#5350
Refs #5418
This should be quite helpful in debugging aws-sdk-go operations.
Required some tweaking around the `helper/logging` functions to expose an
`IsDebugOrHigher()` helper for us to use.
Change the `RetryFunc` from a plain `error` return type to a
specialized `RetryError` which must decide whether it is
retryable or not.
Add `RetryableError` / `NonRetryableError` factory functions that
callers are meant to use to build up these errors.
This makes it eminently clear whether or not a given error is
retryable from inside the client code.
Goal here is to _not_ change any behavior, simply reflect the
existing behavior with the new, clearer, API.
All of these RetryErrors were meant to fail right away, but instead
caused retry looping because the typecheck in the implementation of
`resource.Retry()` only catches the value type, and not the pointer
type.
Refs #5537
- ASG placement tests
- Randomize DynamoDB names in tests
- tag the sg created in this test to help identify in the console
- randomize policy and role names
Paul Stack