resource/aws_ec2_client_vpn_endpoint: add self service portal options #20846
Welcome @aidan-mundy 👋
It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.
Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.
Thanks again, and welcome to the community! 😃
@aidan-mundy Thanks for the contribution 🎉 👏. Testing this I get
% make testacc TESTARGS='-run=TestAccAwsEc2ClientVpn_serial/Endpoint'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsEc2ClientVpn_serial/Endpoint -timeout 180m
=== RUN TestAccAwsEc2ClientVpn_serial
=== PAUSE TestAccAwsEc2ClientVpn_serial
=== CONT TestAccAwsEc2ClientVpn_serial
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
resource_aws_ec2_client_vpn_endpoint_test.go:429: Step 1/3 error: Error running apply: exit status 1
Error: Error creating Client VPN endpoint: InvalidParameterValue: Invalid SAML provider ARN format.
status code: 400, request id: 2ca53b8e-ed14-4f92-90a8-338a5d3f58c1
with aws_ec2_client_vpn_endpoint.test,
on terraform_plugin_test.tf line 12, in resource "aws_ec2_client_vpn_endpoint" "test":
12: resource "aws_ec2_client_vpn_endpoint" "test" {
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_federated
resource_aws_ec2_client_vpn_endpoint_test.go:248: Step 1/3 error: Error running apply: exit status 1
Error: Error creating Client VPN endpoint: InvalidParameterValue: Invalid SAML provider ARN format.
status code: 400, request id: 687f0d90-ca0c-4a5b-84c2-28a982c08dfb
with aws_ec2_client_vpn_endpoint.test,
on terraform_plugin_test.tf line 12, in resource "aws_ec2_client_vpn_endpoint" "test":
12: resource "aws_ec2_client_vpn_endpoint" "test" {
--- FAIL: TestAccAwsEc2ClientVpn_serial (2.46s)
--- FAIL: TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal (13.82s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_basic (21.26s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel (37.12s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_tags (52.47s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_disappears (53.25s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup (55.06s)
--- FAIL: TestAccAwsEc2ClientVpn_serial/Endpoint_federated (61.50s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers (82.18s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_msAD (1643.55s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD (1663.63s)
FAIL
FAIL github.com/terraform-providers/terraform-provider-aws/aws 1669.271s
FAIL
make: *** [testacc] Error 1
I'm no expert here - Do you know what could be causing these errors?
Not entirely sure, but I can take a look. Haven't dug into the code changes for this MR beyond a brief glance, so it'll be good for me to get my hands a little dirty.
OK, I'm not sure that this is the source of the error and I don't have a test environment to try it out, but I found something in the code that appears to be a bit odd. All of the ARNs in the Authentication block are treated as optional, but the only truly optional ARN is the SelfServiceSAMLProviderArn; the rest are only "optional" in the sense that they are only used with specific authentication types, but they MUST be present for those types. SelfServiceSAMLProviderArn is only used alongside federated authentication, but is not required. The original MR author appears to have followed the same format as the SAMLProviderArn (which assumes the variable is present any time federated auth is used), but SelfServiceSAMLProviderArn is not guaranteed to be present. I am not very familiar with this codebase (or Go), but it appears to me that this line should only be set if I will make a couple of quick updates to resolve this issue (give me 10/15 minutes) and I would appreciate it if someone else could rerun the acceptance tests (perhaps you @ewbankkit?). I would do it myself but my development environment is not configured at the moment.
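The defect described in the comment above, shown as an added Go example that is not code from this PR or from the Terraform AWS Provider. It uses local stand-in structs whose field names follow the aws-sdk-go `ec2.FederatedAuthenticationRequest` shape (an assumption, so the example has no external dependency), a hypothetical `map[string]interface{}` input standing in for the flattened `authentication_options` block, and constructed sample ARNs. The buggy expander copies every ARN unconditionally, so an unset optional self-service ARN (which the Terraform SDK returns as the empty string) is sent to the API and rejected as an invalid ARN format; the corrected expander enforces the mandatory `saml_provider_arn`, validates ARN shape client-side, and only sets the optional field when a value was configured.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins for the aws-sdk-go EC2 request types (assumption: the field
// names mirror ec2.FederatedAuthenticationRequest, but these are simplified
// copies so the example runs offline).
type FederatedAuthenticationRequest struct {
	SAMLProviderArn            *string
	SelfServiceSAMLProviderArn *string
}

type ClientVpnAuthenticationRequest struct {
	Type                    *string
	FederatedAuthentication *FederatedAuthenticationRequest
}

const federatedAuthType = "federated-authentication"

func strPtr(s string) *string { return &s }

// isSAMLProviderArn is a lightweight client-side shape check so a malformed or
// empty ARN fails at apply time with a clear message instead of an API 400.
func isSAMLProviderArn(s string) bool {
	return strings.HasPrefix(s, "arn:") && strings.Contains(s, ":saml-provider/")
}

// expandFederatedAuthBuggy mirrors the defect discussed in the thread: both
// ARNs are copied unconditionally, so an unset self_service_saml_provider_arn
// (returned as "" by the SDK) becomes an empty ARN in the request.
func expandFederatedAuthBuggy(m map[string]interface{}) *ClientVpnAuthenticationRequest {
	samlArn, _ := m["saml_provider_arn"].(string)
	selfServiceArn, _ := m["self_service_saml_provider_arn"].(string)
	return &ClientVpnAuthenticationRequest{
		Type: strPtr(federatedAuthType),
		FederatedAuthentication: &FederatedAuthenticationRequest{
			SAMLProviderArn:            strPtr(samlArn),
			SelfServiceSAMLProviderArn: strPtr(selfServiceArn),
		},
	}
}

// expandFederatedAuth is the corrected form: saml_provider_arn is mandatory for
// federated authentication and validated up front, while the self-service ARN
// is only set when a non-empty value was configured, so the field stays nil
// (omitted from the API call) otherwise.
func expandFederatedAuth(m map[string]interface{}) (*ClientVpnAuthenticationRequest, error) {
	samlArn, _ := m["saml_provider_arn"].(string)
	if samlArn == "" {
		return nil, errors.New("saml_provider_arn is required for federated-authentication")
	}
	if !isSAMLProviderArn(samlArn) {
		return nil, fmt.Errorf("saml_provider_arn %q is not a SAML provider ARN", samlArn)
	}
	fed := &FederatedAuthenticationRequest{SAMLProviderArn: strPtr(samlArn)}
	if v, ok := m["self_service_saml_provider_arn"].(string); ok && v != "" {
		if !isSAMLProviderArn(v) {
			return nil, fmt.Errorf("self_service_saml_provider_arn %q is not a SAML provider ARN", v)
		}
		fed.SelfServiceSAMLProviderArn = strPtr(v)
	}
	return &ClientVpnAuthenticationRequest{
		Type:                    strPtr(federatedAuthType),
		FederatedAuthentication: fed,
	}, nil
}

func main() {
	// Constructed sample block: federated auth with no self-service portal ARN set.
	cfg := map[string]interface{}{
		"type":                           federatedAuthType,
		"saml_provider_arn":              "arn:aws:iam::123456789012:saml-provider/example",
		"self_service_saml_provider_arn": "",
	}
	buggy := expandFederatedAuthBuggy(cfg)
	fmt.Printf("buggy sends SelfServiceSAMLProviderArn=%q\n", *buggy.FederatedAuthentication.SelfServiceSAMLProviderArn)
	fixed, err := expandFederatedAuth(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("fixed omits SelfServiceSAMLProviderArn:", fixed.FederatedAuthentication.SelfServiceSAMLProviderArn == nil)
}
```

The behavioural difference is in what reaches the API: the buggy path always populates the self-service field, while the corrected path leaves it nil unless the operator configured it, and also rejects a missing or malformed mandatory ARN before any request is made.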
I think that should fix it
LGTM 🚀.
% make testacc TESTARGS='-run=TestAccAwsEc2ClientVpn_serial/Endpoint'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsEc2ClientVpn_serial/Endpoint -timeout 180m
=== RUN TestAccAwsEc2ClientVpn_serial
=== PAUSE TestAccAwsEc2ClientVpn_serial
=== CONT TestAccAwsEc2ClientVpn_serial
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== RUN TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== PAUSE TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_msAD
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_basic
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_tags
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_federated
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_disappears
=== CONT TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD
--- PASS: TestAccAwsEc2ClientVpn_serial (2.10s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_basic (23.62s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_withDNSServers (41.82s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_selfServicePortal (42.71s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_tags (52.19s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_splitTunnel (56.55s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_disappears (60.07s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_withLogGroup (77.18s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_federated (92.97s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_msAD (1649.99s)
--- PASS: TestAccAwsEc2ClientVpn_serial/Endpoint_mutualAuthAndMsAD (1737.41s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 1743.024s
Good stuff! Thanks for the assist @ewbankkit, LGTM! 🚀
This functionality has been released in v3.59.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
This works, but it requires a complete rebuild of the CVPN endpoint... this is not ideal since the Client Configurations would need to be re-downloaded, etc., potentially across many different endpoints.
@connor-tyndall see my comment on #21207 for a brief explanation of the reasoning for this.
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Community Note
Closes #16019
Supersedes #17897
This MR obsoletes #17897. I created it because that MR is stale and the user is MIA from their GitHub account. This is a relatively simple MR, and the merge conflict was just a documentation problem.