
resource/aws_network_acl_rule: Fix provider error when missing rule #11544

Merged
merged 1 commit into from
Feb 6, 2020

Conversation

voanhduy1512
Contributor

Ref: #2291

Even though #9710 fixed one case of the problem, there is another case which is harder to reproduce.

When a network ACL has an ingress and an egress rule with the same rule number, which is valid per the AWS doc, and one of them is missing (maybe manually deleted), then terraform plan will stop working.

The main problem is that there was a change in the AWS API and the egress filter is not supported anymore.

Current doc: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html
2017 doc: https://web.archive.org/web/20171216154650/http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html

Note that entry.egress is gone. So the query returns the NACL with the same rule number but not necessarily of the correct type, which makes this for loop
https://github.com/terraform-providers/terraform-provider-aws/blob/5348ed3f1c47900f18c7f457a920de5f33cf7142/aws/resource_aws_network_acl_rule.go#L298
unable to find the correct rule, so it falls through to the wrong return https://github.com/terraform-providers/terraform-provider-aws/blob/5348ed3f1c47900f18c7f457a920de5f33cf7142/aws/resource_aws_network_acl_rule.go#L304

The fix simply returns nil, nil so the rule will be deleted.


Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears -timeout 120m
=== RUN   TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears
=== PAUSE TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears
=== CONT  TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears
--- PASS: TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears (60.61s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       60.659s
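To make the failure mode above concrete, here is an added, self-contained Go model of the read path (example code, not the provider's own): `NetworkAclEntry` is a constructed stand-in for the aws-sdk-go `ec2.NetworkAclEntry` fields involved, `describeByRuleNumber` emulates an API that only honours the `entry.rule-number` filter, and `readRule` shows the pre-fix error beside the post-fix `nil, nil` for an ACL whose egress rule 100 was deleted out of band while ingress rule 100 remains.

```go
package main

import "fmt"

// Constructed stand-in for the aws-sdk-go ec2.NetworkAclEntry fields the lookup uses.
type NetworkAclEntry struct {
	RuleNumber int64
	Egress     bool
}

// Emulates the entry.rule-number filter (the only one the API still honours): any entry
// with that number returns the whole ACL, whatever its direction.
func describeByRuleNumber(acl []NetworkAclEntry, ruleNumber int64) []NetworkAclEntry {
	for _, e := range acl {
		if e.RuleNumber == ruleNumber {
			return acl
		}
	}
	return nil
}

// Client-side match on rule number and direction (the loop the PR points at).
func findEntry(entries []NetworkAclEntry, ruleNumber int64, egress bool) *NetworkAclEntry {
	for i := range entries {
		if entries[i].RuleNumber == ruleNumber && entries[i].Egress == egress {
			return &entries[i]
		}
	}
	return nil
}

// Resource Read path: fixed=false errors on a direction miss (plan stops); fixed=true
// returns (nil, nil) so the rule is dropped from state and Terraform plans to recreate it.
func readRule(acl []NetworkAclEntry, ruleNumber int64, egress bool, fixed bool) (*NetworkAclEntry, error) {
	entries := describeByRuleNumber(acl, ruleNumber)
	if e := findEntry(entries, ruleNumber, egress); e != nil {
		return e, nil
	}
	if len(entries) == 0 || fixed { // number gone entirely, or direction miss after the fix
		return nil, nil
	}
	return nil, fmt.Errorf("Expected the Network ACL to have Entries, got: %#v", entries)
}

func main() {
	// Constructed ACL: ingress 100 and egress 100 both existed; egress was deleted by hand.
	acl := []NetworkAclEntry{{RuleNumber: 100, Egress: false}}
	_, err := readRule(acl, 100, true, false)
	fmt.Println("before fix:", err) // the entries error aborts terraform plan
	e, err := readRule(acl, 100, true, true)
	fmt.Println("after fix:", e, err) // <nil> <nil>: rule removed from state
}
```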

@voanhduy1512 voanhduy1512 requested a review from a team January 9, 2020 20:37
@ghost ghost added needs-triage Waiting for first response or review from a maintainer. size/S Managed by automation to categorize the size of a PR. service/ec2 Issues and PRs that pertain to the ec2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Jan 9, 2020
@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 6, 2020

@bflad bflad left a comment


Thanks for this fix, @voanhduy1512 🚀

Output from acceptance testing:

--- PASS: TestAccAWSNetworkAclRule_missingParam (10.12s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (15.26s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (16.77s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (18.20s)
--- PASS: TestAccAWSNetworkAclRule_disappears (18.34s)
--- PASS: TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears (19.04s)
--- PASS: TestAccAWSNetworkAclRule_basic (23.17s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (25.58s)
--- PASS: TestAccAWSNetworkAclRule_allProtocol (26.55s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (29.09s)

@bflad bflad added this to the v2.48.0 milestone Feb 6, 2020
@bflad bflad merged commit b27d36e into hashicorp:master Feb 6, 2020
bflad added a commit that referenced this pull request Feb 6, 2020
@ghost

ghost commented Feb 7, 2020

This has been released in version 2.48.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020