Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add client_ip_preservation_enabled to global accelerator #11476

Closed
wants to merge 2 commits into from
Closed

Add client_ip_preservation_enabled to global accelerator #11476

wants to merge 2 commits into from

Conversation

zsiddique
Copy link
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #9940

Release note for CHANGELOG:

* Add client_ip_preservation_enabled to Global Accelerator Endpoint Group.  Note it must be used with EC2 or ALB.

Output from acceptance testing:
Ok, a little bit about acceptance testing. The current acceptance testing for the global accelerator endpoint only checks if the endpoint configuration exists but not the values. I expanded the test to be more detailed but hit a major roadblock. It seems to check client ip I needed to setup a VPC, ALBs and etc. No problem, but, if its set to true it seems tearing down the VPC causes AWS to throw error Error: errors during apply: Error deleting VPC: DependencyViolation: The vpc 'vpc-XXXX' has dependencies and cannot be deleted. I cant for the life of me figure out why or how does it tie back to my changes. Some googling seems to show in general VPC deletion can be flaky and its possible AWS has a race of some kind as deleting the VPC from AWSs UI works fine. Open to ideas on how to fix this, or is it fine testing that setting the value (in this case false) is fine.

$make testacc TEST=./aws TESTARGS='-run=TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip -timeout 120m
=== RUN   TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip
=== PAUSE TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip
=== CONT  TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip
--- PASS: TestAccAwsGlobalAcceleratorEndpointGroup_alb_clientip (289.94s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	289.994s
...

@zsiddique zsiddique requested a review from a team January 4, 2020 02:26
@ghost ghost added size/XS Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. service/globalaccelerator Issues and PRs that pertain to the globalaccelerator service. labels Jan 4, 2020
@ghost ghost added size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. and removed size/XS Managed by automation to categorize the size of a PR. labels Jan 4, 2020
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 6, 2020
@jakauppila
Copy link
Contributor

Is there anything holding up this PR?

@ewbankkit ewbankkit requested review from ewbankkit and removed request for a team July 21, 2020 15:42
@ewbankkit
Copy link
Contributor

@zsiddique Thanks for the contribution and apologies for the delay in getting to review.

  • Yes it does seem cheating to test the false case, so please could you add a step that tests the true case (and so will also test updating the flag)
  • If you start with true and update to false that may help with the lingering ENI issue
  • Could you update the documentation in website/docs/r/globalaccelerator_endpoint_group.html.markdown?

If you don't have cycles to make the changes please reply and I can take over your commits and enhance.

ewbankkit
ewbankkit reviewed Jul 22, 2020
View reviewed changes
aws/resource_aws_globalaccelerator_endpoint_group_test.go
type = "list"
}

data "aws_availability_zones" "available" {}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase or merge to the current HEAD and change to

data "aws_availability_zones" "available" {
  state = "available"

  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}

otherwise the acceptance tests may fail with attempting to use any enabled Local Zone in us-west-2.

ewbankkit
ewbankkit reviewed Jul 22, 2020
View reviewed changes
aws/resource_aws_globalaccelerator_endpoint_group.go
@@ -87,6 +87,10 @@ func resourceAwsGlobalAcceleratorEndpointGroup() *schema.Resource {
Type: schema.TypeInt,
Optional: true,
},
"client_ip_preservation_enabled": {
Type: schema.TypeBool,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to add Computed: true, here as the flag is implicitly enabled for internal ALB or instances: https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.how-to-enable-preservation.html.

@ewbankkit ewbankkit added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 22, 2020
@zsiddique
Copy link
Contributor Author

@ewbankkit your welcome to try and make those improvements, i will make best effort as well but if you have more freecycle you are welcome to make the fixes.

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 28, 2020
@ewbankkit
Copy link
Contributor

@zsiddique Thanks for responding. I will include your commits in any PR that replaces this one so that you receive attribution.

@ewbankkit ewbankkit mentioned this pull request Aug 5, 2020
Merged
@ewbankkit
Copy link
Contributor

@zsiddique I have pulled over your commits into #14486 and am closing this PR. Thanks for your work on this.
The VPC deletion DependencyViolation error is caused by the security group that the Global Accelerator service adds into the VPC but doesn't delete: https://docs.aws.amazon.com/global-accelerator/latest/dg/best-practices-aga.html.
I modified the acceptance tests to explictly delete this security group before the VPC is deleted.

@ewbankkit ewbankkit closed this Aug 5, 2020
@ghost
Copy link

ghost commented Sep 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 5, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ewbankkit ewbankkit ewbankkit left review comments

Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/globalaccelerator Issues and PRs that pertain to the globalaccelerator service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Client IP Address Preservation for AWS Global Accelerator
4 participants
@zsiddique @jakauppila @ewbankkit @bflad