The AWS free tier allows up to 750 hours on t2.micro
instance types. It's better to use cheaper instances
in case the resources are not cleaned up if a tests
is canceled or crashes.
There can only be a single health_check configuration per load balancer
so choosing to use a list over a set is only relevant when comparing
changes during a plan. A list makes it much easier to compare updates
since the index is stable (0 vs. computed hash).
Removes overspecified config that is unrelated to testing the auto scaling
group's autogenerated name. The test is only concerned with checking that
the auto scaling group was created successfully with an autogenerated name
matching a specific pattern.
Removes overspecified config that is unrelated to the auto scaling
group's availability zone and VPC identifier acceptance tests. The
created auto scaling groups do not need to spin up any hosts since
the acceptance tests are only concerned with checking the existence
of the associated availability zones and VPC identifiers.
Fixes a diff calculation error when only a VPC zone
identifiers is provided. In this case the associated
availability zones are computed from the subnets per
the AWS documentation.
This is a follow up on #4892 with tests that demonstrate creating a record and a zone, then destroying said record, and confirming that a new plan is generated, using the ExpectNonEmptyPlan flag
This simulates the bug reported in #4641 by mimicking the state file that one would have if they created a record with Terraform v0.6.6, which is to say a weight = 0 for a default value.
When upgrading, there would be an expected plan change to get that to -1. To mimic the statefile we apply the record and then in a follow up step change the attributes directly. We then try to delete the record.
I tested this by grabbing the source of aws_resource_route53.go from Terraform v0.6.9 and running the included test, which fails. The test will pass with #4892 , because we no longer reconstruct what the record should be based on the state (instead finding via the API and elimination/matching)
throw an error:
* aws_sns_topic_subscription.checker: NotFound: Subscription does not
* exist
status code: 404, request id: b8ca0c27-1a62-57b3-8b96-43038a0ead86
Terraform wasn't refreshing the state when the topic gave a 404
It was a mistake to switched fully to `==` when activating waiting for
capacity on updates in #3947. Users that didn't set `min_elb_capacity ==
desired_capacity` and instead treated it as an actual "minimum" would
see timeouts for every create, since their target numbers would never be
reached exactly.
Here, we fix that regression by restoring the minimum waiting behavior
during creates.
In order to preserve all the stated behavior, I had to split out
different criteria for create and update, criteria which are now
exhaustively unit tested.
The set of fields that affect capacity waiting behavior has become a bit
of a mess. Next major release I'd like to rework all of these into a
more consistently named block of config. For now, just getting the
behavior correct and documented.
(Also removes all the fixed names from the ASG tests as I was hitting
collision issues running them over here.)
Fixes#4792
of the database after creation. So we need to be able to
set the CharacterSetName on creation.
This is an option and will automagically default to
AL32UTF8.
The AWS SDK will give you an error message if you try to
apply this setting to other engines. The patch will only
report the character_set_name attribute, if CharacterSetName
is set on the instance.
Signed-off-by: Lars Bahner <lars.bahner@gmail.com>
Fixes#4721. It seems there may be some eventual consistency in the API
for network ACLs. This fix doesn't use resource.WaitForState() as there
the NACL is not something that can be looked up by ID and has a
property which determines if it is present.
Instead we reuse the findNetworkAclRule function which the Read function
exhibiting the problem uses, and retry over a 3 minute period, returning
an error message informing the user that running `terraform apply` again
will likely allow them to continue.
http and https SNS topic subscription endpoints require confirmation to set a valid arn otherwise
arn would be set to "pending confirmation". If the endpoints auto confirm then arn is set
asynchronously but if we try to create another subscription with same parameters then api returns
"pending subscription" as arn but does not create another a duplicate subscription. In order to
solve this we should be fetching the subscription list for the topic and identify the subscription
with same parameters i.e., protocol, topic_arn, endpoint and extract the subscription arn.
Following changes were made to support the http/https endpoints that auto confirms
1. Added 3 extra parameters i.e.,
1. endpoint_auto_confirms -> boolean indicates if end points auto confirms
2. max_fetch_retries -> number of times to fetch subscription list for the topic to get the subscription arn
3. fetch_retry_delay -> delay b/w fetch subscription list call as the confirmation is done asynchronously.
With these parameters help added support http and https protocol based endpoints that auto confirm.
2. Update website doc appropriately
This allows specification of the profile for the shared credentials
provider for AWS to be specified in Terraform configuration. This is
useful if defining providers with aliases, or if you don't want to set
environment variables. Example:
$ aws configure --profile this_is_dog
... enter keys
$ cat main.tf
provider "aws" {
profile = "this_is_dog"
# Optionally also specify the path to the credentials file
shared_credentials_file = "/tmp/credentials"
}
This is equivalent to specifying AWS_PROFILE or
AWS_SHARED_CREDENTIALS_FILE in the environment.
When spinning up from a snapshot or a read replica, these fields are
now optional:
* allocated_storage
* engine
* password
* username
Some validation logic is added to make these fields required when
starting a database from scratch.
The documentation is updated accordingly.
This fixes create aws_route_table resources in regions which do not
support the NAT Gateway yet (e.g. eu-central) - unless a value is
explicitly set in which case the API call will fail until such time as
NAT Gateway is supported.
Fixes#4499.
This commit adds the various states (taken from the RDS documentation
here: http://amzn.to/1OHqi6g) to the list of allowable pending states
when creating an RDS instance.
In particular, `resetting-master-credentials` is returned when creating
an `aws_db_instance` from a snapshot. Fixes#4477.
Can only assert that the load balancer is gone, since the test suite
deletes everything, and the load balancer is the way you get to the
proxy protocol policy.
* Fixup Exists and CheckDestroy assertions
* Make ingress/egress computed on network_acl, otherwise you could
never use network_acl_rule with a managed network_acl without a
perpetual diff.
As I was fixing up the AccTests to not depend on a single existing IAM
role (which this commit does), I noticed that without some sleeping that
the kinesis_firehose_delivery_stream would often come back with:
```
msg: Firehose is unable to assume role {{arn}}. Please check the role provided.
code: InvalidArgumentException
```
Similar to the strategy taken in aws_instance with IAM Instance Profile errors,
I dropped in a simple retry loop which seemed to take care of the issue. Seems
that the same permission propagation delays apply here too.
also removed the notion of tags from the redshift security group and
parameter group documentation until that has been implemented
Redshift Cluster CRUD and acceptance tests
Removing the Acceptance test for the Cluster Updates. You cannot delete
a cluster immediately after performing an operation on it. We would need
to add a lot of retry logic to the system to get this test to work
Adding some schema validation for RedShift cluster
Adding the last of the pieces of a first draft of the Redshift work - this is the documentation
Changed the aws_redshift_security_group and aws_redshift_parameter_group
to remove the tags from the schema. Tags are a little bit more
complicated than originally though - I will revisit this later
Then added the schema, CRUD functionality and basic acceptance tests for
aws_redshift_subnet_group
Adding an acceptance test for the Update of subnet_ids in AWS Redshift Subnet Group
This action is almost exactly the same as creating a SimpleAD so we
reuse this resource and allow the user to specify the type when creating
the directory (ignoring the size if the type is MicrosoftAD).
Each call to the Kinesis DescribeStream API returns a limited number of
shards. When interrogating AWS for the state of a Kinesis stream, the
client needs to page through the API's responses to get the true number
of shards.
Fixes#3635
This follows the suggestion of @apparentlymart in
https://github.com/hashicorp/terraform/issues/3635#issuecomment-151000068
to fix the issue of OpsWorks stacks always complaining about the custom
cookbooks SSH key needing to be changed.
Functional tests:
* Created a new stack and gave it an SSH key. The key was written to
OpsWorks properly.
* Ran "plan" again and terraform indicated it needed to change the SSH
key, which is expected since terraform cannot read what the existing
SSH is.
* Removed the key from my resource and this time, "plan" did not have
any changes. The `tfstate` file indicated the SSH key was "" (empty
string).
* Changed an unrelated property of the stack. Previously this was not
working for me due to terraform attempting to change the SSH key.
DB Replica can be of a different storage type, but we were skipping that part.
Note that they are created as the default (or as the primary?) initially,
and then modified to be of the correct type
AWS provider was not checking whether DeleteMarkers are left in S3
bucket causing s3.DeleteObjectsInput to send empty XML which resulted in
400 error and MalformedXML message.
This addresses the case where `compact` has not been used on a list
passed into security group as cidr_block. See #3786. Compact is still
the correct answer there, but we should prefer returning an error to
a panic. Fixes#3786.
Some error-checking was omitted.
Specifically, the cloudTrailSetLogging call in the Create function was
ignoring the return and cloudTrailGetLoggingStatus could crash on a
nil-dereference during the return. Fixed both.
Fixed some needless casting in cloudTrailGetLoggingStatus.
Clarified error message in acceptance tests.
Removed needless option from example in docs.
The default for `enable_logging`, which defines whether CloudTrail
actually logs events was originally written as defaulting to `false`,
since that's how AWS creates trails.
`true` is likely a better default for Terraform users.
Changed the default and updated the docs.
Changed the acceptance tests to verify new default behavior.
Previously we assumed the existence of some default objects that most
Opsworks users have because the Opsworks console creates them by default
when a new stack is created.
However, that meant that these tests wouldn't work correctly for anyone
who either had never used Opsworks via the UI or who had never accepted
the default of having the console create some predefined IAM objects to
use. It may also have led to some weird failures if a particular user had
customized the settings for these default objects.
Now the tests create suitable IAM roles, a policy and an instance profile
and use these when creating Opsworks stacks, avoiding any dependency
on any pre-existing objects.
This fixes#3998.
The AWS CloudTrail resource is capable of creating CloudTrail resources,
but AWS defaults the actual logging of the trails to `false`, and
Terraform has no method to enable or monitor the status of logging.
CloudTrail trails that are inactive aren't very useful, and it's a
surprise to discover they aren't logging on creation.
Added an `enable_logging` parameter to resource_aws_cloudtrail to enable
logging. This requires some extra API calls, which are wrapped in new
internal functions.
For compatibility with AWS, the default of `enable_logging` is set to
`false`.
Because `aws_security_group_rule` resources are an abstraction on top of
Security Groups, they must interact with the AWS Security Group APIs in
a pattern that often results in lots of parallel requests interacting
with the same security group.
We've found that this pattern can trigger race conditions resulting in
inconsistent behavior, including:
* Rules that report as created but don't actually exist on AWS's side
* Rules that show up in AWS but don't register as being created
locally, resulting in follow up attempts to authorize the rule
failing w/ Duplicate errors
Here, we introduce a per-SG mutex that must be held by any security
group before it is allowed to interact with AWS APIs. This protects the
space between `DescribeSecurityGroup` and `Authorize*` / `Revoke*`
calls, ensuring that no other rules interact with the SG during that
span.
The included test exposes the race by applying a security group with
lots of rules, which based on the dependency graph can all be handled in
parallel. This fails most of the time without the new locking behavior.
I've omitted the mutex from `Read`, since it is only called during the
Refresh walk when no changes are being made, meaning a bunch of parallel
`DescribeSecurityGroup` API calls should be consistent in that case.
It's a bit confusing to have Terraform poll until instances come up on
ASG creation but not on update. This changes update to also poll if
min_size or desired_capacity are changed.
This changes the waiting behavior to wait for precisely the desired
number of instances instead of that number as a "minimum". I believe
this shouldn't have any undue side effects, and the behavior can still
be opted out of by setting `wait_for_capacity_timeout` to 0.
This will retry deleting a server cert
if it throws an error about being in use with an ELB (that we've likely just
deleted)
Includes test for ELB+IAM SSL cert bug dependency violation
* master: (95 commits)
Update CHANGELOG.md
Update CHANGELOG.md
Update CHANGELOG.md
Update CHANGELOG.md
upgrade a warning to error
add some logging around create/update requests for IAM user
Update CHANGELOG.md
Update CHANGELOG.md
Build using `make test` on Travis CI
Update CHANGELOG.md
provider/aws: Fix error format in Kinesis Firehose
Update CHANGELOG.md
Changes to Aws Kinesis Firehouse Docs
Update CHANGELOG.md
modify aws_iam_user_test to correctly check username and path for initial and changed username/path
Update CHANGELOG.md
Update CHANGELOG.md
Prompt for input variables before context validate
Removing the AWS DBInstance Acceptance Test for withoutEngine as this is now part of the checkInstanceAttributes func
Making engine_version be computed in the db_instance provider
...
See #2911.
This adds a `name_prefix` option to `aws_launch_configuration` resources.
When specified, it is used instead of `terraform-` as the prefix for the
launch configuration. It conflicts with `name`, so existing
functionality is unchanged. `name` still sets the name explicitly.
Added an acceptance test, and updated the site documentation.
* pr-3707:
config updates for ElastiCache test
Removing the instance_type check in the ElastiCache cluster creation. We now allow the error to bubble up to the userr when the wrong instance type is used. The limitation for t2 instance types now allowing snapshotting is also now documented
Making the changes to the snapshotting for Elasticache Redis as per @catsby's findings
Added an extra test for the Elasticache Cluster to show that updates work. Also added some debugging to show that the API returns the Elasticache retention period info
When I was setting the update parameters for the Snapshotting, I didn't update the copy/pasted params
Adding the ability to specify a snapshot window and retention limit for Redis ElastiCache clusters
Previously it would fail if a Terraform-managed ElastiCache cluster were
deleted outside of Terraform. Now it marks it as deleted in the state so that
Terraform can know it doesn't need to be destroyed, and can potentially
recreate it if asked.
* master: (335 commits)
Update CHANGELOG.md
config: return to the go1.5 generated lang/y.go
Update CHANGELOG.md
Allow cluster name, not only ARN for aws_ecs_service
Update CHANGELOG.md
Add check errors on reading CORS rules
Update CHANGELOG.md
website: docs for null_resource
dag: use hashcodes to as map key to edge sets
Update CHANGELOG.md
Update CHANGELOG.md
Update CHANGELOG.md
Use hc-releases
provider/google: Added scheduling block to compute_instance
Use vendored fastly logo
Use releases for releases
Update CHANGELOG.md
Update CHANGELOG.md
Update vpn.tf
Update CHANGELOG.md
...
Fixing basic acceptance test.
Adding warning to website about mixed mode.
Adding exists to aws_route.
Adding acceptance test for changing destination_cidr_block.
The `ForceDelete` parameter was getting sent to the upstream API call,
but only after we had already finished draining instances from
Terraform, so it was a moot point by then.
This fixes that by skipping the drain when force_delete is true, and it
also simplifies the field config a bit:
* set a default of false to simplify the logic
* remove `ForceNew` since there's no need to replace the resource to
flip this value
* pull a detail comment from code into the docs
A "Layer" is a particular service that forms part of the infrastructure for
a set of applications. Some layers are application servers and others are
pure infrastructure, like MySQL servers or load balancers.
Although the AWS API only has one type called "Layer", it actually has
a number of different "soft" types that each have slightly different
validation rules and extra properties that are packed into the Attributes
map.
To make the validation rule differences explicit in Terraform, and to make
the Terraform structure more closely resemble the OpsWorks UI than its
API, we use a separate resource type per layer type, with the common code
factored out into a shared struct type.
"Stack" is the root concept in OpsWorks, and acts as a container for a number
of different "layers" that each provide some service for an application.
A stack isn't very interesting on its own, but it needs to be created before
any layers can be created.
Here we add an OpsWorks client instance to the central client bundle and
establish a new documentation section, both of which will be fleshed out in
subsequent commits that add some OpsWorks resources.
There are several AWS services that are global in scope and thus need to
be accessed via the us-east-1 endpoints, so we'll make the us-east-1
variant of the config available as a variable we can reuse between multiple
clients as we add support for new services.
It seems there are 4 locations left that use the `helper/multierror`
package, where the rest is TF settled on the `hashicorp/go-multierror`
package.
Functionally this doesn’t change anything, so I suggest to delete the
builtin version as it can only cause confusion (both packages have the
same name, but are still different types according to Go’s type system.
AWS provides three different ways to create AMIs that each have different
inputs, but once they are complete the same management operations apply.
Thus these three resources each have a different "Create" implementation
but then share the same "Read", "Update" and "Delete" implementations.
The Elasticache API accepts a mixed-case subnet name on create, but
normalizes it to lowercase before storing it. When retrieving a subnet,
the name is treated as case-sensitive, so the lowercase version must be
used.
Given that case within subnet names is not significant, the new StateFunc
on the name attribute causes the state to reflect the lowercase version
that the API uses, and changes in case alone will not show as a diff.
Given that we must look up subnet names in lower case, we set the
instance id to be a lowercase version of the user's provided name. This
then allows a later Refresh call to succeed even if the user provided
a mixed-case name.
Previously users could work around this by just avoiding putting uppercase
letters in the name, but that is often inconvenient if e.g. the name is
being constructed from variables defined elsewhere that may already have
uppercase letters present.
* master: (84 commits)
provider/aws: Update to aws-sdk 0.9.0 rc1
use name instead of id - launch configs use the name and not ID
Fix typo on heroku_cert example
provider/aws: add value into ELB name validation message
tests: fix missed test update from last merge
update prevent_destroy error message
Update CHANGELOG.md
Update CHANGELOG.md
providers/aws: Update Launch Config. docs to detail naming and lifecycle recommendation
release: cleanup after v0.6.3
v0.6.3
Update CHANGELOG.md
core: fix deadlock when dependable node replaced with non-dependable one
tests: extract deadlock checking test helper
core: log every 5s while waiting for dependencies
Fixed indentation in a code sample
state/remote/s3: match with upstream changes
provider/aws: match with upstream changes
google: Add example of two-tier app
Updating Launch Config Docs for Name attribute
...
using limit: 1 on DescribeStream will always return 1 shard no matter how many shards there actually are when we call `len()`. so i've removed the limit parameter to get the actual shard list returned
remove limits
* upstream/master:
Update CHANGELOG.md
Update CHANGELOG.md
provider/aws: allow external ENI attachments
Update AWS provider documentation
docs/aws: Fix example of aws_iam_role_policy
provider/aws: S3 bucket test that should fail
provider/aws: Return if Bucket not found
Update CHANGELOG.md
Update CHANGELOG.md
helper/schema: record schema version when destroy fails
settings file is not required
provider/azure: Allow settings_file to accept XML string
add note to aws_iam_policy_attachment explaining its use/limitations
docs: clarify template_file path information
google: Sort resources by alphabet in docs
Support go get in go 1.5
Update CHANGELOG.md
aws_network_interface attachment block is not required
provider/aws: Fix issue in Security Group Rules where the Security Group is not found
If Terraform creates an ENI and it's attached out of band, Terraform
should not attempt to remove the attachment on subsequent runs.
fixes#2436fixes#2881
This commit exports the `arn` as well as the `id`, since IAM
roles require the full resource name rather than just the table
name. I'd even be in favor or having `arn` as the `id` since the
<region, tablename> pair is the uniqueness constraint, but this
will keep backwards compatibility:
http://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html
* master: (720 commits)
Update CHANGELOG.md
Update CHANGELOG.md
dynamodb-local Update AWS config https://github.com/hashicorp/terraform/pull/2825#issuecomment-126353610
Make target_pools optional
Update CHANGELOG.md
code formatting
Update CHANGELOG.md
providers/google: Fix reading account_file path
providers/google: Fix error appending
providers/google: Return if we could parse JSON
providers/google: Change account_file to JSON
providers/google: Default account_file* to empty
providers/google: Add account_file/account_file_contents ConflictsWith
providers/google: Document account_file_contents
providers/google: Use account_file_contents if provided
providers/google: Add account_file_contents to provider
Update CHANGELOG.md
Update CHANGELOG.md
dynamodb-local Use ` instead of : to refer region to keep the consistency with the provider docs
dynamodb-local Update aws provider docs to include the `dynamodb_endpoint` argument
...
The initial commit of AWS autoscaling group termination policy was
unfinished. It only worked on "create", and so had a needless ForceNew
that would rebuild autoscaling groups on any change. It also used a
HashString set, so it didn't preserve ordering of multiple policies
correctly.
Added the "update" operation, and converted to a TypeList to preserve
ordering. In addition, removing the policy or setting it to a null list
will reset the policy to "Default", the standard AWS policy.
Updated the acceptance tests to verify the update, but the null case is
difficult to test.
* master: (86 commits)
providers/google: Fix reading account_file path
providers/google: Fix error appending
providers/google: Return if we could parse JSON
providers/google: Change account_file to JSON
providers/google: Default account_file* to empty
providers/google: Add account_file/account_file_contents ConflictsWith
providers/google: Document account_file_contents
providers/google: Use account_file_contents if provided
providers/google: Add account_file_contents to provider
Update CHANGELOG.md
Update CHANGELOG.md
use d.Id()
Update CHANGELOG.md
Update CHANGELOG.md
scripts: change website_push to push from HEAD
update analytics
core: fix crash on provider warning
provider/aws: Update source to comply with upstream breaking change
Update CHANGELOG.
provider/aws: Fix issue with IAM Server Certificates and Chains
...
* master: (33 commits)
Update CHANGELOG.md
Update CHANGELOG.md
scripts: change website_push to push from HEAD
update analytics
provider/aws: Update source to comply with upstream breaking change
Update CHANGELOG.
provider/aws: Fix issue with IAM Server Certificates and Chains
Increase timeout, IGM delete can be slow
Make failure of "basic" test not interfere with success of "update" test
Update CHANGELOG.md
Use new autoscaler / instance group manager APIs.
Compute private ip addresses of ENIs if they are not specified
Update CHANGELOG.md
Update CHANGELOG.md
provider/aws: Error when unable to find a Root Block Device name
Update CHANGELOG.md
aws_db_instance: Add mixed-case engine test to ensure StateFunc works.
aws_db_instance: Only write lowercase engines to the state file.
Update CHANGELOG.md
Split AWS provider topics by service.
...
Amazon accepts mixed-case engines, but only returns lowercase. Without
the proper StateFunc, every apply of a mixed-case engine will result in
a new db instance. Standardize on lowercase.
An attempt to converge the tests into a standard naming scheme
- TestAccAWS for aws tests
- a `_basic` test for each suite, save a few that are quick (Network ACLs, for
example)
The RDS API reference doesn't say dots are allowed, but they are. For
the sake of people who have preexisting resources with dots in the
names, we should allow them also. Fixes#2664.
* 'master' of github.com:reverbdotcom/terraform: (524 commits)
docs: tweaks to RELEASING
Minor change to docs
Update CHANGELOG.md
Update DynamoDB example docs to remove non-key attributes; update test to remove non-key attribute from attribute set to prevent infinite planning loops
Update CHANGELOG.md
use /usr/bin/env bash
provider/aws: fix go vet
provider/aws: ignore providers with Meta nil
update CHANGELOG
provider/aws: Code cleanups for Spot Requests
provider/aws: fix db_subnet acc test
Fixing the tests
Fixes issue #2568
Update CHANGELOG.md
Update CHANGELOG.md
fixes typo
Fixed void Azure network config bug.
provider/aws: ecs task definition is deregistered correctly
provider/azure: fixup storage service test
provider/docker: [tests] change images
...
We changed the way validation works for providers so that they aren't
always configured if they have computed attributes. The result is that
sometimes the Configure won't be called, hence Meta is nil
AWS accepts uppercase DB Subnet Group names - it just automatically
downcases them. We already had logic to handle that - so we
intentionally had an acctest with uppercase characters that was now
failing.
Loosening the regexp to allow uppercase letters for now - we can discuss
if we want to tighten the validation as a separate question.
/cc @radeksimko @catsby
Fixes crash in #2431
Decided that `findResourceSecurityGroup` should return an error when
the SG is not found, since the callers cannot happily continue with a
`nil` SG
Also passes through a few error cases that were being swallowed.
/cc @catsby
Some AMIs have a RootDeviceName like "/dev/sda1" that does not appear as a
DeviceName in the BlockDeviceMapping list (which will instead have
something like "/dev/sda")
While this seems like it breaks an invariant of AMIs, it ends up working
on the AWS side, and AMIs like this are common enough that we need to
special case it so Terraform does the right thing.
Our heuristic is: if the RootDeviceName does not appear in the
BlockDeviceMapping, assume that the DeviceName of the first
BlockDeviceMapping entry serves as the root device.
fixes#2224
* master:
Update CHANGELOG.md
Update CHANGELOG.md
Added affinity group resource.
update link to actually work
provider/azure: Fix SQL client name to match upstream
add warning message to explain scenario of conflicting rules
typo
remove debugging
Update CHANGELOG.md
provider/aws: Add docs for autoscaling_policy + cloudwatch_metric_alarm
provider/aws: Add autoscaling_policy
provider/aws: Add cloudwatch_metric_alarm
rename method, update docs
clean up some conflicts with
clean up old, incompatible test
update tests with another example
update test
remove meta usage, stub test
fix existing tests
Consider security groups with source security groups when hashing
* master: (23 commits)
typo
Update CHANGELOG.md
provider/aws: Add docs for autoscaling_policy + cloudwatch_metric_alarm
provider/aws: Add autoscaling_policy
provider/aws: Add cloudwatch_metric_alarm
Update CHANGELOG.md
Update CHANGELOG.md
provider/template: don't error when rendering fails in Exists
Update CHANGELOG.md
Added Azure SQL server and service support.
Update CHANGELOG.md
docs: clarify wording around destroy/apply args
Getting Started: Added a Next Step upon finishing install.
docs: add description of archive format to download page
docs: snapshot plugin dependencies when releasing
add v0.5.3 transitory deps
Fixes support for changing just the read / write capacity of a GSI
Change sleep time for DynamoDB table waits from 3 seconds to 5 seconds
Remove request for attribute changes
Fix AWS SDK imports
...
Previously they would conflict you had multiple security group rules
with the same ingress or egress ports but different source security
groups because only the CIDR blocks were considered (which are empty
when using source security groups).
Updated to include migrations (from clint@ctshryock.com)
Signed-off-by: Clint Shryock <clint@ctshryock.com>
I snuck this in with #2263 because thought it was simply a stylistic
clarity thing, but it actually generates a resource-replacement-forcing
diff for existing resources that don't have this set in the config.
Definitely don't want that. :P
/cc @catsby
* master: (91 commits)
update CHANGELOG
update CHANGELOG
state/remote: more canonical Go for skip TLS verify
update CHANGELOG
update CHANGELOG
command/apply: flatten multierrors
provider/aws: improve iam_policy err msgs
acc tests: ensure each resource has a _basic test
aws/provider convert _normal tests to _basic
go fmt
Enpoint type configuration for OpenStack provider
Fix page title for aws_elasticache_cluster
Update CHANGELOG.md
Corrected Frankfurt S3 Website Endpoint fixes#2258
Only run Swift tests when Swift is available
Implement OpenStack/Swift remote
Minor correction to aws_s3_bucket docs
docs: Fix wrong title (aws_autoscaling_notification)
provider/aws: clarify scaling timeout error
Update CHANGELOG.md
...
This is an iteration on the great work done by @dalehamel in PRs #2095
and #2109.
The core team went back and forth on how to best model Spot Instance
Requests, requesting and then rejecting a separate-resource
implementation in #2109.
After more internal discussion, we landed once again on a separate
resource to model Spot Instance Requests. Out of respect for
@dalehamel's already-significant donated time, with this I'm attempting
to pick up the work to take this across the finish line.
Important architectural decisions represented here:
* Spot Instance Requests are always of type "persistent", to properly
match Terraform's declarative model.
* The spot_instance_request resource exports several attributes that
are expected to be constantly changing as the spot market changes:
spot_bid_status, spot_request_state, and instance_id. Creating
additional resource dependencies based on these attributes is not
recommended, as Terraform diffs will be continually generated to keep
up with the live changes.
* When a Spot Instance Request is deleted/canceled, an attempt is made
to terminate the last-known attached spot instance. Race conditions
dictate that this attempt cannot guarantee that the associated spot
instance is terminated immediately.
Implementation notes:
* This version of aws_spot_instance_request borrows a lot of common
code from aws_instance.
* In order to facilitate borrowing, we introduce `awsInstanceOpts`, an
internal representation of instance details that's meant to be shared
between resources. The goal here would be to refactor ASG Launch
Configurations to use the same struct.
* The new aws_spot_instance_request acc. test is passing.
* All aws_instance acc. tests remain passing.
When a user tried to create an `aws_network_interface` resource without specifying the `private_ips` or `security_groups` attributes the API call to AWS would fail with a 500 HTTP error. Length checks have been put in place for both of these attributes before they are added to the `ec2.CreateNetworkInterfaceInput` struct.
Documentation was also added for the `aws_network_interface` resource.
While cidr_block is required for static route creation, there are
apparently cases (involving some combination of VPNs, Customer Gateways,
and automatic route propogation) where the cidr_block can come back nil.
This means we cannot assume it's there in the set hash calculation.
Set Elasticache Port number to not be set by default, and require
Elasticache Port number to be specified.
Also updated acceptance tests to supply port number upon resource
declaration
Fixes#2084
* upstream/master: (21 commits)
fix typo
fix typo, use awslabs/aws-sdk-go
Update CHANGELOG.md
More internal links in template documentation.
providers/aws: Requires ttl and records attributes if there isn't an ALIAS block.
Condense switch fallthroughs into expr lists
Fix docs for aws_route53_record params
Update CHANGELOG.md
provider/aws: Add IAM Server Certificate resource
aws_db_instance docs updated per #2070
providers/aws: Adds link to AWS docs about RDS parameters.
Downgrade middleman to 3.3.12 as 3.3.13 does not exist
providers/aws: Clarifies db_security_group usage.
"More more" no more!
Indentation issue
Export ARN in SQS queue and SNS topic / subscription; updated tests for new AWS SDK errors; updated documentation.
Changed Required: false to Optional: true in the SNS topic schema
Initial SNS support
correct resource name in example
added attributes reference section for AWS_EBS_VOLUME
...
commit a92fe29b909af033c4c57257ddcb6793bfb694aa
Author: Michael Austin <m_austin@me.com>
Date: Wed May 20 16:35:38 2015 -0400
updated to new style of awserr
commit 428271c9b9ca01ed2add1ffa608ab354f520bfa0
Merge: b3bae0e 883e284
Author: Michael Austin <m_austin@me.com>
Date: Wed May 20 16:29:00 2015 -0400
Merge branch 'master' into 2544-terraform-s3-forceDelete
commit b3bae0efdac81adf8bb448d11cc1ca62eae75d94
Author: Michael Austin <m_austin@me.com>
Date: Wed May 20 12:06:36 2015 -0400
removed extra line
commit 85eb40fc7ce24f5eb01af10eadde35ebac3c8223
Author: Michael Austin <m_austin@me.com>
Date: Tue May 19 14:27:19 2015 -0400
stray [
commit d8a405f7d6880c350ab9fccb70b833d2239d9915
Author: Michael Austin <m_austin@me.com>
Date: Tue May 19 14:24:01 2015 -0400
addressed feedback concerning parsing of aws error in a more standard way
commit 5b9a5ee613af78e466d89ba772959bb38566f50e
Author: Michael Austin <m_austin@me.com>
Date: Tue May 19 10:55:22 2015 -0400
clarify comment to highlight recursion
commit 91043781f4ba08b075673cd4c7c01792975c2402
Author: Michael Austin <m_austin@me.com>
Date: Tue May 19 10:51:13 2015 -0400
addressed feedback about reusing err variable and unneeded parens
commit 95e9c3afbd34d4d09a6355b0aaeb52606917b6dc
Merge: 2637edf db095e2
Author: Michael Austin <m_austin@me.com>
Date: Mon May 18 19:15:36 2015 -0400
Merge branch 'master' into 2544-terraform-s3-forceDelete
commit 2637edfc48a23b2951032b1e974d7097602c4715
Author: Michael Austin <m_austin@me.com>
Date: Fri May 15 15:12:41 2015 -0400
optimize delete to delete up to 1000 at once instead of one at a time
commit 1441eb2ccf13fa34f4d8c43257c2e471108738e4
Author: Michael Austin <m_austin@me.com>
Date: Fri May 15 12:34:53 2015 -0400
Revert "hook new resource provider into configuration"
This reverts commit e14a1ade5315e3276e039b745a40ce69a64518b5.
commit b532fa22022e34e4a8ea09024874bb0e8265f3ac
Author: Michael Austin <m_austin@me.com>
Date: Fri May 15 12:34:49 2015 -0400
this file should not be in this branch
commit 645c0b66c6f000a6da50ebeca1d867a63e5fd9f1
Author: Michael Austin <m_austin@me.com>
Date: Thu May 14 21:15:29 2015 -0400
buckets tagged force_destroy will delete all files and then delete buckets
commit ac50cae214ce88e22bb1184386c56b8ba8c057f7
Author: Michael Austin <m_austin@me.com>
Date: Thu May 14 12:41:40 2015 -0400
added code to delete policy from s3 bucket
commit cd45e45d6d04a3956fe35c178d5e816ba18d1051
Author: Michael Austin <m_austin@me.com>
Date: Thu May 14 12:27:13 2015 -0400
added code to read bucket policy from bucket, however, it's not working as expected currently
commit 0d3d51abfddec9c39c60d8f7b81e8fcd88e117b9
Merge: 31ffdea 8a3b75d
Author: Michael Austin <m_austin@me.com>
Date: Thu May 14 08:38:06 2015 -0400
Merge remote-tracking branch 'hashi_origin/master' into 2544-terraform-s3-policy
commit 31ffdea96ba3d5ddf5d42f862e68c1c133e49925
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 16:01:52 2015 -0400
add name for use with resouce id
commit b41c7375dbd9ae43ee0d421cf2432c1eb174b5b0
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 14:48:24 2015 -0400
Revert "working policy assignment"
This reverts commit 0975a70c37eaa310d2bdfe6f77009253c5e450c7.
commit b926b11521878f1527bdcaba3c1b7c0b973e89e5
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 14:35:02 2015 -0400
moved policy to it's own provider
commit 233a5f443c13d71f3ddc06cf034d07cb8231b4dd
Merge: e14a1ad c003e96
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 12:39:14 2015 -0400
merged origin/master
commit e14a1ade5315e3276e039b745a40ce69a64518b5
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 12:26:51 2015 -0400
hook new resource provider into configuration
commit 455b409cb853faae3e45a0a3d4e2859ffc4ed865
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 12:26:15 2015 -0400
dummy resource provider
commit 0975a70c37eaa310d2bdfe6f77009253c5e450c7
Author: Michael Austin <m_austin@me.com>
Date: Wed May 13 09:42:31 2015 -0400
working policy assignment
commit 3ab901d6b3ab605adc0a8cb703aa047a513b68d4
Author: Michael Austin <m_austin@me.com>
Date: Tue May 12 10:39:56 2015 -0400
added policy string to schema
This landed in aws-sdk-go yesterday, breaking the AWS provider in many places:
3c259c9586
Here, with much sedding, grepping, and manual massaging, we attempt to
catch Terraform up to the new `awserr.Error` interface world.
- rename test to have _basic suffix, so we can run it individually
- use us-east-1 for basic test, since that's probably the only region that has
Classic
- update the indexing of nodes; cache nodes are 4 digits
Needs to wait for len(cluster.CacheNodes) == cluster.NumCacheNodes, since
apparently that takes a bit of time and the initial response always has
an empty collection of nodes
* ctiwald/ct/fix-protocol-problem:
aws: Document the odd protocol = "-1" behavior in security groups.
aws: Fixup structure_test to handle new expandIPPerms behavior.
aws: Add security group acceptance tests for protocol -1 fixes.
aws: error on expndIPPerms(...) if our ports and protocol conflict.
Users can input a limited number of protocol names (e.g. "tcp") as
inputs to network ACL rules, but the API only supports valid protocol
number:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Preserve the convenience of protocol names and simultaneously support
numbers by only writing numbers to the state file. Also use numbers
when hashing the rules, to keep everything consistent.
AWS will accept any overly-specific IP/mask combination, such as
10.1.2.2/24, but will store it by its implied network: 10.1.2.0/24.
This results in hashing errors, because the remote API will return
hashing results out of sync with the local configuration file.
Enforce a stricter API rule than AWS. Force users to use valid masks,
and run a quick calculation on their input to discover their intent.
AWS doesn't store ports for -1 protocol rules, thus the read from the
API will always come up with a different hash. Force the user to make a
deliberate port choice when enabling -1 protocol rules. All from_port
and to_port's on these rules must be 0.
AWS includes default rules with all network ACL resources which cannot
be modified by the user. Don't attempt to store them locally or change
them remotely if they are already stored -- it'll consistently result
in hashing problems.
resourceAwsNetworkAclRead swallowed these errors resulting in rules
that never properly updated. Implement an entry-to-maplist function
that'll allow us to write something that Set knows how to read.
aws hides its credentials in many places:
multiple env vars, config files,
ec2 metadata.
Terraform currently recognizes only the env vars;
to use the other options, you had to put in a
dummy empty value for access_key and secret_key.
Rather than duplicate all aws checks, ask the
aws sdk to fetch credentials earlier.
If an AutoScalingGroup is in the middle of performing a Scaling
Activity, it cannot be deleted, and yields a ScalingActivityInProgress
error.
Retry the delete for up to 5m so we don't choke on this error. It's
telling us something's in progress, so we'll keep trying until the
scaling activity completed.
On ASG creation, waits for up to 10m for desired_capacity or min_size
healthy nodes to show up in the group before continuing.
With CBD and proper HealthCheck tuning, this allows us guarantee safe
ASG replacement.
* 'master' of github.com:hashicorp/terraform:
provider/aws: detach VPN gateway with proper ID
update CHANGELOG
provider/aws: Update ARN in instanceProfileReadResult
provider/aws: remove placement_group from acctest
core: module targeting
Added support for more complexly images repos such as images on a private registry that are stored as namespace/name
Depends on there being an existing placement group in the account called
"terraform-placement-group" - we'll need to circle back around to cover
this with AccTests after TF gets an `aws_placement_group` resource.
- Users
- Groups
- Roles
- Inline policies for the above three
- Instance profiles
- Managed policies
- Access keys
This is most of the data types provided by IAM. There are a few things
missing, but the functionality here is probably sufficient for 95% of
the cases. Makes a dent in #28.
Ingress and egress rules given a "-1" protocol don't have ports when
Read out of AWS. This results in hashing problems, as a local
config file might contain port declarations AWS can't ever return.
Rather than making ports optional fields, which carries with it a huge
headache trying to distinguish between zero-value attributes (e.g.
'to_port = 0') and attributes that are simply omitted, simply force the
user to opt-in when using the "-1" protocol. If they choose to use it,
they must now specify "0" for both to_port and from_port. Any other
configuration will error.
As a module author, I'd like to be able to create a module that includes
a key_pair. I don't care about the name, I only know I don't want it to
collide with anything else in the account.
This allows my module to be used multiple times in the same account
without having to do anything funky like adding a user-specified unique
name parameter.
Currently, we weren't correctly setting the ids, and are setting both
`security_groups` and `vpc_security_group_ids`. As a result, we really only use
the former.
We also don't actually update the latter in the `update` method.
This PR fixes both issues, correctly reading `security_groups` vs.
`vpc_security_group_ids` and allows users to update the latter without
destroying the Instance when in a VPC.
As we've seen elsewhere, the SDK now wants nils instead of empty arrays
for collections
fixes#1696
thanks @jstremick for pointing me in the right direction
The upstream behavior here changed, and the request needs a `nil`
instead of an empty slice to indicate that we _don't_ want to filter on
Network ACL IDs.
fixes#1634
Adds an "alias" field to the provider which allows creating multiple instances
of a provider under different names. This provides support for configurations
such as multiple AWS providers for different regions. In each resource, the
provider can be set with the "provider" field.
(thanks to Cisco Cloud for their support)
If reading an S3 bucket's state, and that bucket has been deleted, don't
fail with a 404 error. Instead, update the state to reflect that the
bucket does not exist. Fixes#1574.
EIP with VPC only returns an allocationID. However, for standard we need
to lookup for PublicIP. When we use an example for standard EC2 instance
(here `t1.micro`):
```
resource "aws_instance" "example" {
ami = "ami-25773a24"
instance_type = "t1.micro"
}
resource "aws_eip" "ip" {
instance = "${aws_instance.example.id}"
}
```
then in this case, allocationID will be nil, but publicIP will be non
nil (which is used later for association the IP). So check for
allocationId only if it's of domain `VPC`.
* master: (511 commits)
Update CHANGELOG.md
core: avoid diff mismatch on NewRemoved fields during -/+
Update CHANGELOG.md
update CHANGELOG
Fix minor error in index/count docs
terraform: remove debug
terraform: when pruning destroy, only match exact nodes, or exact counts
up version for dev
update CHANGELOG
terraform: prune tainted destroys if no tainted in state [GH-1475]
update CHANGELOG
config/lang: support math on variables through implicits
update CHANGELOG
update cHANGELOG
update cHANGELOG
providers/aws: set id outside if/esle
providers/aws: set ID after creation
core: remove dead code from pre-deposed refactor
website: update LC docs to note name is optional
security_groups field expects a list of Security Group Group Names, not IDs
...
Fixes#1409
Resource set hash calculation is a bit of a devil's bargain when it
comes to optional, computed attributes.
If you omit the optional, computed attribute from the hash function,
changing it in an existing config is not properly detected.
If you include the optional, computed attribute in the hash and do not
specify a value for it in the config, then you'll end up with a
perpetual, unresolvable diff.
We'll need to think about how to get the best of both worlds, here, but
for now I'm switching us to the latter and documenting the fact that
changing these attributes requires manual `terraform taint` to apply.
These bugs were found by additional check added in #1443
* Reversed nil err check meant that block devices were broken :(
* Fixing the err check revealed a few missed pointer derefs
* Unlike instances, ephemeral block devices do come back in
`BlockDeviceMappings` from `DescribeLaunchConfigurations` calls, so
we need to recognize them and filter them properly. Even though
they're not set as computed, I'm doing a `d.Set` since it doesn't
hurt and it gives us the benefit of basic drift detection.
Route 53 records were silently erroring out when saving the records returned
from AWS, because they weren't being presented as an array of strings like we
expected.
Turns out AssociatePublicIPAddress was always being set, but the AWS
APIs don't like that when you're launching into EC2 Classic and return a
validation error at ASG launch time.
Fixes#1410
This removes `ForceNew` from `records` and `ttl`, and introduces a
`resourceAwsRoute53RecordUpdate` function. The `resourceAwsRoute53RecordUpdate`
falls through to the `resourceAwsRoute53RecordCreate` function, which utilizes
AWS `UPSERT` behavior and diffs for us.
`Name` and `Type` are used by AWS in the `UPSERT`, so only records with matching
`name` and `type` can be updated. Others are created as new, so we leave the
`ForceNew` behavior here.
These changes should fix#1367:
* `ebs_optimized` gets `Computed: true` and set from `Read`
* `ephemeral_block_device` loses `Computed: true`
* explicitly set `root_block_device` to empty from `Read`
While I was in there (tm):
* Send pointers to `d.Set` so we can use its internal nil check.
If a given resource does not define an `Update` function, then all of
its attributes must be specified as `ForceNew`, lest Applys fail with
"doesn't support update" like #1367.
This is something we can detect automatically, so this adds a check for
it when we validate provider implementations.
* upstream/master: (295 commits)
Update CHANGELOG.md
provider/aws: Allow DB Parameter group to change in RDS
return error if failed to set tags on Route 53 zone
core: [tests] fix order dependent test
Fix hashcode for ASG test
provider/aws: Fix issue with tainted ASG groups failing to re-create
Don't error when reading s3 bucket with no tags
Avoid panics when DBName is not set
Add floating IP association in aceptance tests
Use env var OS_POOL_NAME as default for pool attribute
providers/heroku: Add heroku-postgres to example
docs: resource addressing
providers/heroku: Document environment variables
providers/heroku: Add region to example
Bugfix on floating IP assignment
Update CHANGELOG.md
update CHANGELOG
website: note on docker
core: formalize resource addressing
core: fill out context tests for targeted ops
...
* master: (167 commits)
return error if failed to set tags on Route 53 zone
core: [tests] fix order dependent test
Fix hashcode for ASG test
provider/aws: Fix issue with tainted ASG groups failing to re-create
Don't error when reading s3 bucket with no tags
Avoid panics when DBName is not set
Add floating IP association in aceptance tests
Use env var OS_POOL_NAME as default for pool attribute
providers/heroku: Add heroku-postgres to example
docs: resource addressing
providers/heroku: Document environment variables
providers/heroku: Add region to example
Bugfix on floating IP assignment
Update CHANGELOG.md
update CHANGELOG
website: note on docker
core: formalize resource addressing
core: fill out context tests for targeted ops
core: docs for targeted operations
core: targeted operations
...
* upstream/master:
return error if failed to set tags on Route 53 zone
cleanups
provider/aws: Finish Tag support for Route 53 zone
provider/aws: Add tags to Route53 hosted zones
* master: (172 commits)
core: [tests] fix order dependent test
Fix hashcode for ASG test
provider/aws: Fix issue with tainted ASG groups failing to re-create
Don't error when reading s3 bucket with no tags
Avoid panics when DBName is not set
Add floating IP association in aceptance tests
Use env var OS_POOL_NAME as default for pool attribute
providers/heroku: Add heroku-postgres to example
docs: resource addressing
providers/heroku: Document environment variables
providers/heroku: Add region to example
Bugfix on floating IP assignment
Update CHANGELOG.md
update CHANGELOG
website: note on docker
core: formalize resource addressing
core: fill out context tests for targeted ops
core: docs for targeted operations
core: targeted operations
user_data support
...
* master: (172 commits)
core: [tests] fix order dependent test
Fix hashcode for ASG test
provider/aws: Fix issue with tainted ASG groups failing to re-create
Don't error when reading s3 bucket with no tags
Avoid panics when DBName is not set
Add floating IP association in aceptance tests
Use env var OS_POOL_NAME as default for pool attribute
providers/heroku: Add heroku-postgres to example
docs: resource addressing
providers/heroku: Document environment variables
providers/heroku: Add region to example
Bugfix on floating IP assignment
Update CHANGELOG.md
update CHANGELOG
website: note on docker
core: formalize resource addressing
core: fill out context tests for targeted ops
core: docs for targeted operations
core: targeted operations
user_data support
...
* d.Set has a pointer nil check we can lean on
* need to be a bit more conservative about nil checks on nested structs;
(this fixes the RDS acceptance tests)
/cc @fanhaf
s3.GetBucketTagging returns an error if there are no tags associated
with a bucket. Consequently, any configuration with a tagless s3 bucket
would fail with an error, "the TagSet does not exist".
Handle that error more appropriately, interpreting it as an empty set of
tags.
* f-aws-rds-tags:
fix index out of range error
fix formatting
upgrade VPC Ids and DB Subnet to be optionally computed
fix typo
provider/aws: Introduce IAM connection
* master:
provider/aws: Fix dependency violation when deleting Internet Gateways
command/remote-config: failing tests
update CHANGELOG
command/remote-config: do a pull with `terraform remote config`
command/remote-{pull,push}: colorize and show success output
command/remote-config: lowercase the type so that Atlas works, for example
command/remote-config: show flag parse errors
command/remote-config: remove weird error case that shows no error message
command: when setting up state, only write back if local is newer
* master: (66 commits)
provider/aws: Fix dependency violation when deleting Internet Gateways
command/remote-config: failing tests
update CHANGELOG
command/remote-config: do a pull with `terraform remote config`
command/remote-{pull,push}: colorize and show success output
command/remote-config: lowercase the type so that Atlas works, for example
command/remote-config: show flag parse errors
command/remote-config: remove weird error case that shows no error message
command: when setting up state, only write back if local is newer
minor code cleanups to get acceptance tests passing
update CHANGELOG
providers/digitalocean: add dot in GET response
providers/digitalocean: force fqdn in dns rr value
update CHANGELOG
small code cleanup
Add proper reading/updating of tags for S3
provider/aws: Add tags to S3
Documentation for ASG Tags added
Tags support added for AWS ASG
command/output: don't panic if no root module in state [GH-1263]
...
* master:
update CHANGELOG
providers/digitalocean: add dot in GET response
providers/digitalocean: force fqdn in dns rr value
update CHANGELOG
Add disk size to google_compute_instance disk blocks.
'project' should be set to the project's ID, not its name.
Don't error when enabling DNS hostnames in a VPC
Correct AWS VPC or route table read functions
Updates to GCE Instances and Instance Templates to allow for false values to be set for the auto_delete setting.
Update GCE Instance Template tests now that existing disk must exist prior to template creation.
Update Google API import to point to the new location.
add network field to the network_interface
I was working on building a validation to check the user-provided
"device_name" for "root_block_device" on AWS Instances, when I realized
that if I can check it, I might as well just derive it automatically!
So that's what we do here - when you customize the details of the root
block device, device name is just comes from the selected AMI.
The AWS API call ModifyVpcAttribute will allow only one attribute to be
modified at a time. Modifying both results in the error:
Fields for multiple attribute types specified: enableDnsHostnames, enableDnsSupport
Retructure the provider to honor this restriction.
Also, enable DNS support before attempting to enable DNS hostnames,
since the former is a prerequisite of the latter.
Additionally, fix what must have been a copy&paste error, setting
enable_dns_support to the value of enable_dns_hostnames.
If the state file contained a VPC or a route table which no longer
exists, Terraform would fail to create the correct plan, which is to
recreate them.
In the case of VPCs, this was due to incorrect error handling. The AWS
SDK returns a aws.APIError, not a *aws.APIError on error. When the VPC
no longer exists, upon attempting to refresh state Terraform would
simply exit with an error.
For route tables, the provider would recognize that the route table no
longer existed, but would not make the appropriate call to update the
state as such. Thus there'd be no crash, but also no plan to re-create
the route table.
Though not directly connected, trying to delete a subnet and security group in
parallel can cause a dependency violation from the subnet, claiming there are
dependencies.
This commit fixes that by allowing subnet deletion to tolerate failure with a
retry / refresh function.
Fixes#934
Instance block devices are now managed by three distinct sub-resources:
* `root_block_device` - introduced previously
* `ebs_block_device` - all additional ebs-backed volumes
* `ephemeral_block_device` - instance store / ephemeral devices
The AWS API support around BlockDeviceMapping is pretty confusing. It's
a single collection type that supports these three members each of which
has different fields and different behavior.
My biggest hiccup came from the fact that Instance Store volumes do not
show up in any response BlockDeviceMapping for any EC2 `Describe*` API
calls. They're only available from the instance meta-data service as
queried from inside the node.
This removes `block_device` altogether for a clean break from old
configs. New configs will need to sort their `block_device`
declarations into the three new types. The field has been marked
`Removed` to indicate this to users.
With the new block device format being introduced, we need to ensure
Terraform is able to properly read statefiles written in the old format.
So we use the new `helper/schema` facility of "state migrations" to
transform statefiles in the old format to something that the current
version of the schema can use.
Fixes#858
Fixes a bug in Route53 and wildcard entries. Refs #501.
Also fixes:
- an issue in the library where we don't fully wait for the results, because the
error code/condition changed with the migration to aws-sdk-go
- a limitation in the test, where we only consider the first record returned
* master:
provider/aws: Fix encoding bug with AWS Instance
minor style cleanups
Tags Schema
Added Tagging
Added vpc refactor in aws sdk go
Removed additional variable for print, added for debugging
Using hashicorp/aws-sdk-go
Changed things around as suggested by @catsby
Refactor with Acceptance Tests
VPC Refactor
First refactor
Added Connection to config
* master: (69 commits)
upgrade tests and remove ICMPTypeCode for now
helper/ssh: update import location
clean up
provider/aws: Convert AWS Network ACL to aws-sdk-go
Update website docs on AWS RDS encryption field
more test updates
provider/aws update Network ACL tests
code cleanup on subnet check
restore IOPS positioning
Code cleanup
Update CHANGELOG.md
Bugfix: Add tags on AWS IG creation, not just on update
fix nit-pick from go vet
remove duplicated function
provider/aws: Convert AWS Route Table Association to aws-sdk-go
Cleansup: Restore expandIPPerms, remove flattenIPPerms
clean up debug output to make go vet happy
providers/aws: Convert AWS VPC Peering to aws-sdk-go
provider/aws: Add env default for AWS_ACCOUNT_ID in VPC Peering connection
convert route table tests to aws-sdk-go
...
* master:
Code cleanup
Update CHANGELOG.md
fix nit-pick from go vet
remove duplicated function
provider/aws: Convert AWS Route Table Association to aws-sdk-go
Cleansup: Restore expandIPPerms, remove flattenIPPerms
clean up debug output to make go vet happy
providers/aws: Convert AWS VPC Peering to aws-sdk-go
provider/aws: Add env default for AWS_ACCOUNT_ID in VPC Peering connection
convert route table tests to aws-sdk-go
provider/aws: Convert AWS Route Table to aws-sdk-go
providers/aws: iops in root device skipped when output state
Give route table assoc it's own copy of this method for now
provider/aws: Convert Main Route Table assoc. to aws-sdk-go
aws/Route53 record creation timeout 10->30 mins
provider/aws: Convert AWS Security Group to aws-sdk-go
Fixing up the tests to make them pass correctly
Fixing a corner case while retrieving a template UUID
Adding tests and docs for the new VPN resources
Adding a few new resources
Removing `ForceNew` from `final_snapshot_identifier` - it's a parameter
that's _only_ passed during the DeleteDBInstance API call, so it's perfectly
valid to change the attribute for an existing DB Instance.
fixes#1138
This allows you to set lifecycle create_before_destroy = true
and fixes#532 as then we'll make a new launch config, change
the launch config on the ASG, and *then* delete the old launch
config.
Also tried adding tests which unfortunately don't seem to fail...
* master:
providers/aws: Convert Launch Configurations to awslabs/aws-sdk-go
update CHANGELOG
terraform: test post state update is called
command: StateHook for continous state updates
terraform: more state tests, fix a bug
state: deep copies are required
terraform: make DeepCopy public
state/remote: increment serial properly
state: only change serial if changed
terraform: call the EvalUpdateStateHook strategically
terraform: PostStateUpdate hook and EvalUpdateStateHook
- Remove check on password for AWS RDS Instance
- Update documentation on AWS RDS Instance regarding DB Security Groups
- Change error handling to check error code from AWS API [ci skip]
The `SourceDestCheck` attribute can only be changed via
`ModifyInstance`, so the AWS instance resource's `Create` function calls
out to `Update` before it returns to take care of applying
`source_dest_check` properly.
The `Update` function originally guarded against unnecessary API calls
with `GetOk`, which worked fine until #993 when we changed the `GetOk`
semantics to no longer distinguish between "configured and zero-value"
and "not configured".
I attempted in #1003 to fix this by switching to `HasChange` for the
guard, but this does not work in the `Create` case.
I played around with a few different ideas, none of which worked:
(a) Setting `Default: true` on `source_dest_check' has no effect
(b) Setting `Computed: true` on `source_dest_check' and adding a `d.Set`
call in the `Read` function (which will initially set the value to `true`
after instance creation). I really thought I could get this to work,
but it results in the following:
```go
d.Get('source_dest_check') // true
d.HasChange('source_dest_check') // false
d.GetChange('source_dest_check') // old: false, new: false
```
I couldn't figure out a way of coherently dealing with that result, so I
ended up throwing up my hands and giving up on the guard altogether.
We'll call `ModifyInstance` more than we have to, but this at least
yields expected behavior for both Creates and Updates.
Fixes#1020
library.
This commit updates the Route 53 Zone resource to use AWS Labs aws-sdk-go
library instead of mitchellh/goamz.
- hard code us-east-1 for Route53 region, since it's a global endpoint
- add some units test for CleanZoneID
Unfortunately, the acceptance tests here were improperly passing, and
allowing Subnet updates on ELBs is not as straightfoward as simply
removing `ForceNew`.
Subnets on ELBs need to be managed by two explicit API calls:
* `AttachLoadBalancerToSubnets` - http://bit.ly/elbattachsubnet
* `DetachLoadBalanceFromSubnets` - http://bit.ly/elbdetachsubnet
We'll need to circle back and use these APIs to explicitly add support.
This fixes the failure of `TestAccAWSELB_AddSubnet` by removing the
test.
This reverts commit 61e91017be, reversing
changes made to 49b3afe452.
Was relying on old behavior of GetOk and therefore never properly seeing
a change from true -> false.
This fixes the acceptance test failure of
`TestAccAWSInstance_sourceDestCheck`.
AWS provides a single `BlockDeviceMapping` to manage three different
kinds of block devices:
(a) The root volume
(b) Ephemeral storage
(c) Additional EBS volumes
Each of these types has slightly different semantics [1].
(a) The root volume is defined by the AMI; it can only be customized
with `volume_size`, `volume_type`, and `delete_on_termination`.
(b) Ephemeral storage is made available based on instance type [2]. It's
attached automatically if _no_ block device mappings are specified, and
must otherwise be defined with block device mapping entries that contain
only DeviceName set to a device like "/dev/sdX" and VirtualName set to
"ephemeralN".
(c) Additional EBS volumes are controlled by mappings that omit
`virtual_name` and can specify `volume_size`, `volume_type`,
`delete_on_termination`, `snapshot_id`, and `encryption`.
After deciding to ignore root block devices to fix#859, we had users
with configurations that were attempting to manage the root block device chime
in on #913.
Terraform does not have the primitives to be able to properly handle a
single collection of resources that is partially managed and partially
computed, so our strategy here is to break out logical sub-resources for
Terraform and hide the BlockDeviceMapping inside the provider
implementation.
Now (a) is supported by the `root_block_device` sub-resource, and (b)
and (c) are still both merged together under `block_device`, though I
have yet to see ephemeral block devices working properly.
Looking into possibly separating out `ephemeral_block_device` and
`ebs_block_device` sub-resources as well, which seem like the logical
next step. We'll wait until the next big release for this, though, since
it will break backcompat.
[1] http://bit.ly/ec2bdmap
[2] http://bit.ly/instancestorebytypeFixes#913
Refs #858
Right now we yield a perpetual diff on ASGs because we're not reading
termination policies back out in the provider.
This depends on https://github.com/mitchellh/goamz/pull/218 and fixes
it.
An `InstanceDiff` will include `ResourceAttrDiff` entries for the
"length" / `#` field of maps. This makes sense, since for something like
`terraform plan` it's useful to see when counts are changing.
The `DiffFieldReader` was not taking these entries into account when
reading maps out, and was therefore incorrectly returning maps that
included an extra `'#'` field, which was causing all sorts of havoc
for providers (extra tags on AWS instances, broken google compute
instance launch, possibly others).
* fixes#914 - extra tags on AWS instances
* fixes#883 - general core issue sprouted from #757
* removes the hack+TODO from #757
This resource allows an existing Route Table to be assigned as the
"main" Route Table of a VPC. This means that the Route Table will be
used for any subnets within the VPC without an explicit Route Table
assigned [1].
This is particularly useful in getting an Internet Gateway in place as
the default for a VPC, since the automatically created Main Route Table
does not have one [2].
Note that this resource is an abstraction over an association and does not
map directly to a CRUD-able object in AWS. In order to retain a coherent
"Delete" operation for this resource, we remember the ID of the AWS-created
Route Table and reset the VPC's main Route Table to it when this
resource is deleted.
refs #843, #748
[1] http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html#RouteTableDetails
[2] http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html#Add_IGW_Routing
If map_public_ip_on_launch was not specified, AWS picks a default of
"0", which is different than the "" in the state file, triggerinng an
update each time. Mark that parameter as Computed, avoiding the update.
This is necessary to support creating parameter groups with parameters
that require a reboot, since the RDS API will return an error when
attempting to set those parameters with ApplyMethod "immediate".
If a subnet exists in the state file and a refresh is performed, the
read function for subnets would return an error. Now it updates the
state to indicate that the subnet no longer exists, so Terraform can
plan to recreate it.
Several of the arguments were optional, and if omitted, they are
calculated. Mark them as such in the schema to avoid triggering an
update.
Go back to storing the password in the state file. Without doing so,
there's no way for Terraform to know the password has changed. It should
be hashed, but then interpolating the password yields a hash instead of
the password.
Make the `name` parameter optional. It's not required in any engine, and
in some (MS SQL Server) it's not allowed at all.
Drop the `skip_final_snapshot` argument. If `final_snapshot_identifier`
isn't specified, then don't make a final snapshot. As things were, it
was possible to create a resource with neither of these arguments
specified which would later fail when it was to be deleted since the RDS
API requires exactly one of the two.
Resolves issue #689.
- 5.6.17 is no longer a valid mysql engine version, bumping to 5.6.21
- updating security_group_names assertion to match new set structure
introduce in #663
When DeleteInternetGateway is successful it returns a nil error value.
However, for a nil error value, the RetryFunc returns an error yielding a
unnecessary second call to DeleteInternetGateway in the retry logic.
The logic works because DeleteInternetGateway eventually returns an ec2.Error
with error code InvalidInternetGatewayID.NotFound since the internet gateway
has been deleted in the previous call. The return value of nil breaks the
retry logic and the deletion is deemed successful.
Fix the unnecessary second call to DeleteInternetGateway by short circuiting
with a nil error value when deletion of the internet gateway is successful on
the first try.
Add an acceptance test for internet gateway deletion and remove unreachable
code while here.
If not suppling the `availability_zones`, they will be computed
(meaning an update/refresh will retrieve the info and update the values
to the state file).
So without the `Computed = true` the diff will always flag this as a
change, even when it’s not.
Some instance types have a block device by default. So when selecting
such an instance type, you will not set a config for the block device,
but the update/refresh func will notice one and update the state
nonetheless.
So in those cases the `block_device` becomes a `computed` field.
1. The schema contained a few fields that where not marked as
`computed`, while they were updated inside the resource.
2. While updating the `volume_size` it was doing so with a `string`,
but in the schema this field is set as `int`.
3. The set func for calculating the hashes for the `block` set items,
also used computed values to calculate the hash. As these values will
not be in the config, but only in the state, this will always show as a
diff. The solution is to only use the fields that aren’t computed in
order to get consistent hashes.
These where all issues before, but weren’t visible as such. All should
be good again now.
For now this only supports importing a key pair (by specifying a
public_key) property. In the future it'd be fairly trivial to support
key pair creation, with the private key returned as a computed property.
In real world usage you'd probably want to provide that public_key
property via a variable rather than hard-coding it into a terraform
config that'd end up in source control.
Fixes the following vet reports:
builtin/providers/aws/resource_aws_network_acl.go:191: wrong number of args for format in Errorf call: 2 needed but 3 args
builtin/providers/aws/resource_aws_network_acl.go:264: wrong number of args for format in Errorf call: 1 needed but 2 args
builtin/providers/aws/resource_aws_network_acl.go:268: wrong number of args for format in Errorf call: 1 needed but 2 args
builtin/providers/aws/resource_aws_network_acl.go:286: arg m[to_port].(int) for printf verb %s of wrong type: int
builtin/providers/aws/resource_aws_network_acl_test.go:277: arg r.NetworkAcls for printf verb %s of wrong type: []github.com/mitchellh/goamz/ec2.NetworkAcl
builtin/providers/aws/resource_aws_subnet_test.go:21: arg v.MapPublicIpOnLaunch for printf verb %s of wrong type: bool
There was an error in the goamz package the prevented updating the
availability zones correctly. So PR #181 should be merged before this
one can be merged…
By using a set for the availability zones, you can use things like
`availability_zones = ["${aws_instance.web.*.availability_zone}"]`
where is very likely multiple of the same zones will be added to the
set. If you use a list here, the list will say it’s changed (even if
you add the same zone) which will force a new resource.
clint shryock