r/aws_route, r/aws_route_table, r/aws_default_route_table: Validate CIDR blocks #13778

Merged
merged 12 commits into from
Jun 24, 2020

@ewbankkit ewbankkit commented Jun 16, 2020

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #338.
Closes #10666.
Closes #13003.

"Misaligned" CIDR blocks (where the IP address portion of the block is more specific than the netmask specifies) are accepted by the AWS API, but the DescribeRouteTable call returns the "aligned" CIDR and therefore routes are being reported as not found.

Also, re-allows empty strings for destination CIDR blocks.

Release note for CHANGELOG:

resource/aws_route: Validate CIDR blocks before attempting to create the route
resource/aws_route_table: Validate CIDR blocks before attempting to create the route
resource/aws_default_route_table: Validate CIDR blocks before attempting to create the route

Output from acceptance testing:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsWafv2IPSet_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAwsWafv2IPSet_ -timeout 120m
=== RUN   TestAccAwsWafv2IPSet_Basic
=== PAUSE TestAccAwsWafv2IPSet_Basic
=== RUN   TestAccAwsWafv2IPSet_Disappears
=== PAUSE TestAccAwsWafv2IPSet_Disappears
=== RUN   TestAccAwsWafv2IPSet_IPv6
=== PAUSE TestAccAwsWafv2IPSet_IPv6
=== RUN   TestAccAwsWafv2IPSet_Minimal
=== PAUSE TestAccAwsWafv2IPSet_Minimal
=== RUN   TestAccAwsWafv2IPSet_ChangeNameForceNew
=== PAUSE TestAccAwsWafv2IPSet_ChangeNameForceNew
=== RUN   TestAccAwsWafv2IPSet_Tags
=== PAUSE TestAccAwsWafv2IPSet_Tags
=== RUN   TestAccAwsWafv2IPSet_Large
=== PAUSE TestAccAwsWafv2IPSet_Large
=== CONT  TestAccAwsWafv2IPSet_Basic
=== CONT  TestAccAwsWafv2IPSet_ChangeNameForceNew
=== CONT  TestAccAwsWafv2IPSet_Large
=== CONT  TestAccAwsWafv2IPSet_Tags
=== CONT  TestAccAwsWafv2IPSet_IPv6
=== CONT  TestAccAwsWafv2IPSet_Minimal
=== CONT  TestAccAwsWafv2IPSet_Disappears
--- PASS: TestAccAwsWafv2IPSet_Disappears (19.55s)
--- PASS: TestAccAwsWafv2IPSet_Minimal (26.30s)
--- PASS: TestAccAwsWafv2IPSet_Large (31.97s)
--- PASS: TestAccAwsWafv2IPSet_IPv6 (33.23s)
--- PASS: TestAccAwsWafv2IPSet_ChangeNameForceNew (41.29s)
--- PASS: TestAccAwsWafv2IPSet_Basic (52.40s)
--- PASS: TestAccAwsWafv2IPSet_Tags (60.54s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	60.621s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSNetworkAcl_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 2 -run=TestAccAWSNetworkAcl_ -timeout 120m
=== RUN   TestAccAWSNetworkAcl_basic
=== PAUSE TestAccAWSNetworkAcl_basic
=== RUN   TestAccAWSNetworkAcl_disappears
=== PAUSE TestAccAWSNetworkAcl_disappears
=== RUN   TestAccAWSNetworkAcl_Egress_ConfigMode
=== PAUSE TestAccAWSNetworkAcl_Egress_ConfigMode
=== RUN   TestAccAWSNetworkAcl_Ingress_ConfigMode
=== PAUSE TestAccAWSNetworkAcl_Ingress_ConfigMode
=== RUN   TestAccAWSNetworkAcl_EgressAndIngressRules
=== PAUSE TestAccAWSNetworkAcl_EgressAndIngressRules
=== RUN   TestAccAWSNetworkAcl_OnlyIngressRules_basic
=== PAUSE TestAccAWSNetworkAcl_OnlyIngressRules_basic
=== RUN   TestAccAWSNetworkAcl_OnlyIngressRules_update
=== PAUSE TestAccAWSNetworkAcl_OnlyIngressRules_update
=== RUN   TestAccAWSNetworkAcl_CaseSensitivityNoChanges
=== PAUSE TestAccAWSNetworkAcl_CaseSensitivityNoChanges
=== RUN   TestAccAWSNetworkAcl_OnlyEgressRules
=== PAUSE TestAccAWSNetworkAcl_OnlyEgressRules
=== RUN   TestAccAWSNetworkAcl_SubnetChange
=== PAUSE TestAccAWSNetworkAcl_SubnetChange
=== RUN   TestAccAWSNetworkAcl_Subnets
=== PAUSE TestAccAWSNetworkAcl_Subnets
=== RUN   TestAccAWSNetworkAcl_SubnetsDelete
=== PAUSE TestAccAWSNetworkAcl_SubnetsDelete
=== RUN   TestAccAWSNetworkAcl_ipv6Rules
=== PAUSE TestAccAWSNetworkAcl_ipv6Rules
=== RUN   TestAccAWSNetworkAcl_ipv6ICMPRules
=== PAUSE TestAccAWSNetworkAcl_ipv6ICMPRules
=== RUN   TestAccAWSNetworkAcl_ipv6VpcRules
=== PAUSE TestAccAWSNetworkAcl_ipv6VpcRules
=== RUN   TestAccAWSNetworkAcl_espProtocol
=== PAUSE TestAccAWSNetworkAcl_espProtocol
=== CONT  TestAccAWSNetworkAcl_basic
=== CONT  TestAccAWSNetworkAcl_SubnetChange
--- PASS: TestAccAWSNetworkAcl_basic (39.17s)
=== CONT  TestAccAWSNetworkAcl_espProtocol
--- FAIL: TestAccAWSNetworkAcl_SubnetChange (56.71s)
    testing.go:684: Step 2 error: errors during apply:
        
        Error: InvalidAssociationID.NotFound: The association ID 'aclassoc-037f56f22724202b6' does not exist
        	status code: 400, request id: 4ec81d64-3c60-4e7f-86b6-c41549389695
        
          on /tmp/tf-test185577087/main.tf line 27:
          (source code not available)
        
        
=== CONT  TestAccAWSNetworkAcl_ipv6VpcRules
--- PASS: TestAccAWSNetworkAcl_espProtocol (37.21s)
=== CONT  TestAccAWSNetworkAcl_ipv6ICMPRules
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (37.67s)
=== CONT  TestAccAWSNetworkAcl_ipv6Rules
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (34.08s)
=== CONT  TestAccAWSNetworkAcl_SubnetsDelete
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (44.21s)
=== CONT  TestAccAWSNetworkAcl_Subnets
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (70.20s)
=== CONT  TestAccAWSNetworkAcl_OnlyIngressRules_basic
--- PASS: TestAccAWSNetworkAcl_Subnets (78.80s)
=== CONT  TestAccAWSNetworkAcl_OnlyEgressRules
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (47.18s)
=== CONT  TestAccAWSNetworkAcl_CaseSensitivityNoChanges
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (39.26s)
=== CONT  TestAccAWSNetworkAcl_OnlyIngressRules_update
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (44.75s)
=== CONT  TestAccAWSNetworkAcl_Ingress_ConfigMode
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (68.69s)
=== CONT  TestAccAWSNetworkAcl_EgressAndIngressRules
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (88.84s)
=== CONT  TestAccAWSNetworkAcl_Egress_ConfigMode
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (38.25s)
=== CONT  TestAccAWSNetworkAcl_disappears
--- PASS: TestAccAWSNetworkAcl_disappears (35.68s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (87.58s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	449.091s
FAIL
GNUmakefile:26: recipe for target 'testacc' failed
make: *** [testacc] Error 1
#
# That error must be an eventual consistency issue as running the case in isolation passes:
#
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSNetworkAcl_SubnetChange'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 2 -run=TestAccAWSNetworkAcl_SubnetChange -timeout 120m
=== RUN   TestAccAWSNetworkAcl_SubnetChange
=== PAUSE TestAccAWSNetworkAcl_SubnetChange
=== CONT  TestAccAWSNetworkAcl_SubnetChange
--- PASS: TestAccAWSNetworkAcl_SubnetChange (71.93s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	71.985s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRoute_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 2 -run=TestAccAWSRoute_ -timeout 120m
=== RUN   TestAccAWSRoute_basic
=== PAUSE TestAccAWSRoute_basic
=== RUN   TestAccAWSRoute_disappears
=== PAUSE TestAccAWSRoute_disappears
=== RUN   TestAccAWSRoute_ipv6Support
=== PAUSE TestAccAWSRoute_ipv6Support
=== RUN   TestAccAWSRoute_ipv6ToInternetGateway
=== PAUSE TestAccAWSRoute_ipv6ToInternetGateway
=== RUN   TestAccAWSRoute_ipv6ToInstance
=== PAUSE TestAccAWSRoute_ipv6ToInstance
=== RUN   TestAccAWSRoute_ipv6ToNetworkInterface
=== PAUSE TestAccAWSRoute_ipv6ToNetworkInterface
=== RUN   TestAccAWSRoute_ipv6ToPeeringConnection
=== PAUSE TestAccAWSRoute_ipv6ToPeeringConnection
=== RUN   TestAccAWSRoute_changeRouteTable
=== PAUSE TestAccAWSRoute_changeRouteTable
=== RUN   TestAccAWSRoute_changeCidr
=== PAUSE TestAccAWSRoute_changeCidr
=== RUN   TestAccAWSRoute_noopdiff
=== PAUSE TestAccAWSRoute_noopdiff
=== RUN   TestAccAWSRoute_doesNotCrashWithVPCEndpoint
=== PAUSE TestAccAWSRoute_doesNotCrashWithVPCEndpoint
=== RUN   TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
=== PAUSE TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
=== RUN   TestAccAWSRoute_ConditionalCidrBlock
=== PAUSE TestAccAWSRoute_ConditionalCidrBlock
=== CONT  TestAccAWSRoute_basic
=== CONT  TestAccAWSRoute_changeRouteTable
--- PASS: TestAccAWSRoute_basic (51.18s)
=== CONT  TestAccAWSRoute_ConditionalCidrBlock
--- PASS: TestAccAWSRoute_changeRouteTable (82.61s)
=== CONT  TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
--- PASS: TestAccAWSRoute_ConditionalCidrBlock (77.36s)
=== CONT  TestAccAWSRoute_doesNotCrashWithVPCEndpoint
--- PASS: TestAccAWSRoute_doesNotCrashWithVPCEndpoint (58.93s)
=== CONT  TestAccAWSRoute_noopdiff
--- PASS: TestAccAWSRoute_noopdiff (116.89s)
=== CONT  TestAccAWSRoute_changeCidr
--- PASS: TestAccAWSRoute_changeCidr (80.25s)
=== CONT  TestAccAWSRoute_ipv6ToInstance
--- PASS: TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock (325.06s)
=== CONT  TestAccAWSRoute_ipv6ToPeeringConnection
--- PASS: TestAccAWSRoute_ipv6ToPeeringConnection (41.94s)
=== CONT  TestAccAWSRoute_ipv6ToNetworkInterface
--- PASS: TestAccAWSRoute_ipv6ToInstance (159.74s)
=== CONT  TestAccAWSRoute_ipv6Support
--- PASS: TestAccAWSRoute_ipv6Support (58.30s)
=== CONT  TestAccAWSRoute_ipv6ToInternetGateway
--- PASS: TestAccAWSRoute_ipv6ToNetworkInterface (158.92s)
=== CONT  TestAccAWSRoute_disappears
--- PASS: TestAccAWSRoute_ipv6ToInternetGateway (50.81s)
--- PASS: TestAccAWSRoute_disappears (47.43s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	656.014s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRouteTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 2 -run=TestAccAWSRouteTable_ -timeout 120m
=== RUN   TestAccAWSRouteTable_basic
=== PAUSE TestAccAWSRouteTable_basic
=== RUN   TestAccAWSRouteTable_instance
=== PAUSE TestAccAWSRouteTable_instance
=== RUN   TestAccAWSRouteTable_ipv6
=== PAUSE TestAccAWSRouteTable_ipv6
=== RUN   TestAccAWSRouteTable_tags
=== PAUSE TestAccAWSRouteTable_tags
=== RUN   TestAccAWSRouteTable_panicEmptyRoute
=== PAUSE TestAccAWSRouteTable_panicEmptyRoute
=== RUN   TestAccAWSRouteTable_Route_ConfigMode
=== PAUSE TestAccAWSRouteTable_Route_ConfigMode
=== RUN   TestAccAWSRouteTable_Route_TransitGatewayID
=== PAUSE TestAccAWSRouteTable_Route_TransitGatewayID
=== RUN   TestAccAWSRouteTable_vpcPeering
=== PAUSE TestAccAWSRouteTable_vpcPeering
=== RUN   TestAccAWSRouteTable_vgwRoutePropagation
=== PAUSE TestAccAWSRouteTable_vgwRoutePropagation
=== RUN   TestAccAWSRouteTable_ConditionalCidrBlock
=== PAUSE TestAccAWSRouteTable_ConditionalCidrBlock
=== CONT  TestAccAWSRouteTable_basic
=== CONT  TestAccAWSRouteTable_Route_TransitGatewayID
--- PASS: TestAccAWSRouteTable_basic (76.18s)
=== CONT  TestAccAWSRouteTable_Route_ConfigMode
--- PASS: TestAccAWSRouteTable_Route_ConfigMode (100.20s)
=== CONT  TestAccAWSRouteTable_panicEmptyRoute
--- PASS: TestAccAWSRouteTable_panicEmptyRoute (23.80s)
=== CONT  TestAccAWSRouteTable_tags
--- PASS: TestAccAWSRouteTable_tags (61.57s)
=== CONT  TestAccAWSRouteTable_ipv6
--- PASS: TestAccAWSRouteTable_ipv6 (41.34s)
=== CONT  TestAccAWSRouteTable_instance
--- PASS: TestAccAWSRouteTable_Route_TransitGatewayID (348.22s)
=== CONT  TestAccAWSRouteTable_ConditionalCidrBlock
--- PASS: TestAccAWSRouteTable_ConditionalCidrBlock (77.53s)
=== CONT  TestAccAWSRouteTable_vgwRoutePropagation
--- PASS: TestAccAWSRouteTable_instance (129.21s)
=== CONT  TestAccAWSRouteTable_vpcPeering
--- PASS: TestAccAWSRouteTable_vgwRoutePropagation (56.46s)
--- PASS: TestAccAWSRouteTable_vpcPeering (50.43s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	482.789s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSDefaultRouteTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 2 -run=TestAccAWSDefaultRouteTable_ -timeout 120m
=== RUN   TestAccAWSDefaultRouteTable_basic
=== PAUSE TestAccAWSDefaultRouteTable_basic
=== RUN   TestAccAWSDefaultRouteTable_disappears_Vpc
=== PAUSE TestAccAWSDefaultRouteTable_disappears_Vpc
=== RUN   TestAccAWSDefaultRouteTable_Route
=== PAUSE TestAccAWSDefaultRouteTable_Route
=== RUN   TestAccAWSDefaultRouteTable_swap
=== PAUSE TestAccAWSDefaultRouteTable_swap
=== RUN   TestAccAWSDefaultRouteTable_Route_TransitGatewayID
=== PAUSE TestAccAWSDefaultRouteTable_Route_TransitGatewayID
=== RUN   TestAccAWSDefaultRouteTable_vpc_endpoint
=== PAUSE TestAccAWSDefaultRouteTable_vpc_endpoint
=== RUN   TestAccAWSDefaultRouteTable_tags
=== PAUSE TestAccAWSDefaultRouteTable_tags
=== RUN   TestAccAWSDefaultRouteTable_ConditionalCidrBlock
=== PAUSE TestAccAWSDefaultRouteTable_ConditionalCidrBlock
=== CONT  TestAccAWSDefaultRouteTable_basic
=== CONT  TestAccAWSDefaultRouteTable_vpc_endpoint
--- PASS: TestAccAWSDefaultRouteTable_basic (52.45s)
=== CONT  TestAccAWSDefaultRouteTable_Route_TransitGatewayID
--- PASS: TestAccAWSDefaultRouteTable_vpc_endpoint (57.41s)
=== CONT  TestAccAWSDefaultRouteTable_swap
--- PASS: TestAccAWSDefaultRouteTable_swap (82.20s)
=== CONT  TestAccAWSDefaultRouteTable_Route
--- PASS: TestAccAWSDefaultRouteTable_Route (100.32s)
=== CONT  TestAccAWSDefaultRouteTable_disappears_Vpc
--- PASS: TestAccAWSDefaultRouteTable_disappears_Vpc (23.58s)
=== CONT  TestAccAWSDefaultRouteTable_ConditionalCidrBlock
--- PASS: TestAccAWSDefaultRouteTable_ConditionalCidrBlock (78.06s)
=== CONT  TestAccAWSDefaultRouteTable_tags
--- PASS: TestAccAWSDefaultRouteTable_Route_TransitGatewayID (333.87s)
--- PASS: TestAccAWSDefaultRouteTable_tags (80.83s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	422.451s

@ewbankkit ewbankkit requested a review from a team June 16, 2020 15:45
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. service/ec2 Issues and PRs that pertain to the ec2 service. service/wafv2 Issues and PRs that pertain to the wafv2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Jun 16, 2020
@@ -233,17 +232,3 @@ func validatePorts(to int64, from int64, expected expectedPortPair) bool {

return true
}

// validateCIDRBlock ensures the passed CIDR block represents an implied
Contributor Author

Moved to validators.go.

@@ -98,23 +98,3 @@ func Test_validatePorts(t *testing.T) {
}
}
}

func Test_validateCIDRBlock(t *testing.T) {
Contributor Author

Moved to validators_test.go.

Optional: true,
ForceNew: true,
ValidateFunc: validation.Any(
validation.StringIsEmpty,
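
Review bot: `validation.StringIsEmpty` as the first alternative inside `validation.Any(` means "" passes validation for this `ForceNew` attribute, so this schema entry no longer guarantees that a destination is set. Add a short comment on that line saying why the empty string is accepted, and make sure create returns an error when every destination attribute is empty instead of sending the request.
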
Contributor Author

Allow "", often used with conditionals.


return nil
return resourceAwsRouteRead(d, meta)
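
Review bot: with `return resourceAwsRouteRead(d, meta)` as the last statement of create, whatever the read does for a route that is not yet visible becomes the result of create. Please confirm that the read path for a newly created resource retries or returns an error on not-found rather than clearing the ID, otherwise a successful create could end with the route missing from state.
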
Contributor Author

Read after create.

@@ -374,7 +375,7 @@ resource "aws_wafv2_ip_set" "ip_set" {
scope = "REGIONAL"
ip_address_version = "IPV6"
addresses = [
"0:0:0:0:0:ffff:7f00:1/64",
Contributor Author

If you enter 0:0:0:0:0:ffff:7f00:1/64 in the console it reports as 0000:0000:0000:0000:0000:0000:0000:0000/64 when you refresh. Replace with a more usual IPv6 CIDR.

@@ -5459,13 +5458,3 @@ func flattenRoute53ResolverRuleTargetIps(targetAddresses []*route53resolver.Targ

return vTargetIps
}

func isIpv6CidrsEquals(first, second string) bool {
Contributor Author

Replaced by cidrBlocksEqual.

@ewbankkit ewbankkit changed the title [WIP] r/aws_route: Validate CIDR blocks r/aws_route: Validate CIDR blocks Jun 16, 2020
ewbankkit commented Jun 16, 2020

In theory the route block of the aws_route_table resource should exhibit the same sort of behavior except it would show as a continual diff, not a failure to create the route. I'll investigate.

Update

Verified that for routes embedded in the route table resource you see a perpetual diff with "misaligned" CIDRs:

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_vpc.test: Refreshing state... (ID: vpc-0b787780783cb384a)
data.aws_region.current: Refreshing state...
aws_subnet.test: Refreshing state... (ID: subnet-0d6d246d8f63068f1)
aws_internet_gateway.test: Refreshing state... (ID: igw-0e882d0cea86da7b2)
aws_route_table.test: Refreshing state... (ID: rtb-04ca8b2adc497c27d)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_route_table.test
      route.3386248778.cidr_block:                "10.4.0.0/16" => ""
      route.3386248778.egress_only_gateway_id:    "" => ""
      route.3386248778.gateway_id:                "igw-0e882d0cea86da7b2" => ""
      route.3386248778.instance_id:               "" => ""
      route.3386248778.ipv6_cidr_block:           "" => ""
      route.3386248778.nat_gateway_id:            "" => ""
      route.3386248778.network_interface_id:      "" => ""
      route.3386248778.transit_gateway_id:        "" => ""
      route.3386248778.vpc_peering_connection_id: "" => ""
      route.4280590009.cidr_block:                "" => "10.4.0.1/16"
      route.4280590009.egress_only_gateway_id:    "" => ""
      route.4280590009.gateway_id:                "" => "igw-0e882d0cea86da7b2"
      route.4280590009.instance_id:               "" => ""
      route.4280590009.ipv6_cidr_block:           "" => ""
      route.4280590009.nat_gateway_id:            "" => ""
      route.4280590009.network_interface_id:      "" => ""
      route.4280590009.transit_gateway_id:        "" => ""
      route.4280590009.vpc_peering_connection_id: "" => ""


Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
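
The "misaligned" CIDR failure from the pull request description and the perpetual diff shown in the plan output above, as an added Go example (not the provider's code): it rejects blocks with host bits set, accepts the empty string, and compares blocks by their aligned form. The function names are hypothetical, and the `described` list is a constructed stand-in for what a describe call returns.

```go
package main

import (
	"fmt"
	"net"
)

// alignedCIDR returns the canonical network form of cidr, i.e. the block
// with every bit past the prefix length cleared (10.4.0.1/16 -> 10.4.0.0/16).
func alignedCIDR(cidr string) (string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", fmt.Errorf("%q is not a valid CIDR block: %w", cidr, err)
	}
	return ipnet.String(), nil
}

// checkNetworkAddress rejects a "misaligned" block, one whose address part
// is more specific than the prefix length allows.
func checkNetworkAddress(cidr string) error {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return fmt.Errorf("%q is not a valid CIDR block: %w", cidr, err)
	}
	if !ip.Equal(ipnet.IP) {
		return fmt.Errorf("%q is not a network address, expected %q", cidr, ipnet.String())
	}
	return nil
}

// checkDestination is the plan-time check: "" is accepted because
// conditional configurations leave the unused attribute empty.
func checkDestination(cidr string) error {
	if cidr == "" {
		return nil
	}
	return checkNetworkAddress(cidr)
}

// sameCIDRBlock reports whether a and b denote the same block once aligned,
// so differently written IPv6 forms of one block compare equal.
func sameCIDRBlock(a, b string) bool {
	ca, errA := alignedCIDR(a)
	cb, errB := alignedCIDR(b)
	return errA == nil && errB == nil && ca == cb
}

// findRoute looks for configured among described destinations. With
// exact=true it compares strings verbatim, which is the failure mode the
// page describes; otherwise it compares aligned forms.
func findRoute(configured string, described []string, exact bool) bool {
	for _, d := range described {
		if exact && d == configured {
			return true
		}
		if !exact && sameCIDRBlock(d, configured) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the API stored the aligned form of the block.
	described := []string{"10.4.0.0/16"}
	configured := "10.4.0.1/16" // the misaligned value from the plan output

	fmt.Println("exact lookup finds route:  ", findRoute(configured, described, true))
	fmt.Println("aligned lookup finds route:", findRoute(configured, described, false))
	for _, c := range []string{"", "10.4.0.0/16", configured, "0:0:0:0:0:ffff:7f00:1/64"} {
		fmt.Printf("%-28q -> %v\n", c, checkDestination(c))
	}
}
```

Rejecting the misaligned value at plan time is what keeps the configured string and the stored string identical; the aligned comparison only matters for values that are equal but written differently.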

@ewbankkit ewbankkit changed the title r/aws_route: Validate CIDR blocks r/aws_route, r/aws_route_table, r/aws_default_route_table: Validate CIDR blocks Jun 16, 2020
ewbankkit added 12 commits June 24, 2020 09:20
…lock' must be specified

* Use 'validateIpv4CIDRNetworkAddress', 'validateIpv6CIDRNetworkAddress' and 'suppressEqualCIDRBlockDiffs'

Acceptance test output:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSRoute_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 1 -run=TestAccAWSRoute_ -timeout 120m
=== RUN   TestAccAWSRoute_basic
=== PAUSE TestAccAWSRoute_basic
=== RUN   TestAccAWSRoute_disappears
=== PAUSE TestAccAWSRoute_disappears
=== RUN   TestAccAWSRoute_ipv6Support
=== PAUSE TestAccAWSRoute_ipv6Support
=== RUN   TestAccAWSRoute_ipv6ToInternetGateway
=== PAUSE TestAccAWSRoute_ipv6ToInternetGateway
=== RUN   TestAccAWSRoute_ipv6ToInstance
=== PAUSE TestAccAWSRoute_ipv6ToInstance
=== RUN   TestAccAWSRoute_ipv6ToNetworkInterface
=== PAUSE TestAccAWSRoute_ipv6ToNetworkInterface
=== RUN   TestAccAWSRoute_ipv6ToPeeringConnection
=== PAUSE TestAccAWSRoute_ipv6ToPeeringConnection
=== RUN   TestAccAWSRoute_changeRouteTable
=== PAUSE TestAccAWSRoute_changeRouteTable
=== RUN   TestAccAWSRoute_changeCidr
=== PAUSE TestAccAWSRoute_changeCidr
=== RUN   TestAccAWSRoute_noopdiff
=== PAUSE TestAccAWSRoute_noopdiff
=== RUN   TestAccAWSRoute_doesNotCrashWithVPCEndpoint
=== PAUSE TestAccAWSRoute_doesNotCrashWithVPCEndpoint
=== RUN   TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
=== PAUSE TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
=== CONT  TestAccAWSRoute_basic
--- PASS: TestAccAWSRoute_basic (51.53s)
=== CONT  TestAccAWSRoute_changeRouteTable
--- PASS: TestAccAWSRoute_changeRouteTable (81.91s)
=== CONT  TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock
--- PASS: TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock (356.43s)
=== CONT  TestAccAWSRoute_doesNotCrashWithVPCEndpoint
--- PASS: TestAccAWSRoute_doesNotCrashWithVPCEndpoint (58.07s)
=== CONT  TestAccAWSRoute_noopdiff
--- PASS: TestAccAWSRoute_noopdiff (115.41s)
=== CONT  TestAccAWSRoute_changeCidr
--- PASS: TestAccAWSRoute_changeCidr (79.86s)
=== CONT  TestAccAWSRoute_ipv6ToInstance
--- PASS: TestAccAWSRoute_ipv6ToInstance (147.08s)
=== CONT  TestAccAWSRoute_ipv6ToPeeringConnection
--- PASS: TestAccAWSRoute_ipv6ToPeeringConnection (41.01s)
=== CONT  TestAccAWSRoute_ipv6ToNetworkInterface
--- PASS: TestAccAWSRoute_ipv6ToNetworkInterface (136.78s)
=== CONT  TestAccAWSRoute_ipv6Support
--- PASS: TestAccAWSRoute_ipv6Support (58.36s)
=== CONT  TestAccAWSRoute_ipv6ToInternetGateway
--- PASS: TestAccAWSRoute_ipv6ToInternetGateway (50.74s)
=== CONT  TestAccAWSRoute_disappears
--- PASS: TestAccAWSRoute_disappears (46.79s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	1224.034s
…stination_ipv6_cidr_block' (TF 0.11 compatibility).
…ngs for 'cidr_block' and 'ipv6_cidr_block' (TF 0.11 compatibility).
…pty strings for 'cidr_block' and 'ipv6_cidr_block' (TF 0.11 compatibility).
@bflad bflad self-assigned this Jun 24, 2020
@bflad bflad added the bug Addresses a defect in current functionality. label Jun 24, 2020
@bflad bflad added this to the v2.68.0 milestone Jun 24, 2020
@bflad bflad left a comment

LGTM 🚀 Hopefully these validation functions can get hoisted into the Terraform Plugin SDK.

Output from acceptance testing:

--- PASS: TestAccAWSDefaultNetworkAcl_basic (31.81s)
--- PASS: TestAccAWSDefaultNetworkAcl_basicIpv6Vpc (33.74s)
--- PASS: TestAccAWSDefaultNetworkAcl_deny_ingress (44.85s)
--- PASS: TestAccAWSDefaultNetworkAcl_SubnetReassign (96.04s)
--- PASS: TestAccAWSDefaultNetworkAcl_SubnetRemoval (229.81s)
--- PASS: TestAccAWSDefaultNetworkAcl_withIpv6Ingress (48.25s)

--- PASS: TestAccAWSDefaultRouteTable_basic (48.92s)
--- PASS: TestAccAWSDefaultRouteTable_ConditionalCidrBlock (73.28s)
--- PASS: TestAccAWSDefaultRouteTable_disappears_Vpc (19.28s)
--- PASS: TestAccAWSDefaultRouteTable_Route (132.34s)
--- PASS: TestAccAWSDefaultRouteTable_Route_TransitGatewayID (351.03s)
--- PASS: TestAccAWSDefaultRouteTable_swap (64.92s)
--- PASS: TestAccAWSDefaultRouteTable_tags (86.65s)
--- PASS: TestAccAWSDefaultRouteTable_vpc_endpoint (65.16s)

--- PASS: TestAccAWSNetworkAcl_basic (32.26s)
--- PASS: TestAccAWSNetworkAcl_CaseSensitivityNoChanges (35.00s)
--- PASS: TestAccAWSNetworkAcl_disappears (72.93s)
--- PASS: TestAccAWSNetworkAcl_Egress_ConfigMode (94.25s)
--- PASS: TestAccAWSNetworkAcl_EgressAndIngressRules (26.59s)
--- PASS: TestAccAWSNetworkAcl_espProtocol (25.26s)
--- PASS: TestAccAWSNetworkAcl_Ingress_ConfigMode (83.73s)
--- PASS: TestAccAWSNetworkAcl_ipv6ICMPRules (43.27s)
--- PASS: TestAccAWSNetworkAcl_ipv6Rules (33.96s)
--- PASS: TestAccAWSNetworkAcl_ipv6VpcRules (51.15s)
--- PASS: TestAccAWSNetworkAcl_OnlyEgressRules (33.49s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_basic (52.21s)
--- PASS: TestAccAWSNetworkAcl_OnlyIngressRules_update (67.18s)
--- PASS: TestAccAWSNetworkAcl_SubnetChange (98.79s)
--- PASS: TestAccAWSNetworkAcl_Subnets (94.70s)
--- PASS: TestAccAWSNetworkAcl_SubnetsDelete (59.72s)

--- PASS: TestAccAWSRoute_basic (42.87s)
--- PASS: TestAccAWSRoute_changeCidr (59.56s)
--- PASS: TestAccAWSRoute_changeRouteTable (51.10s)
--- PASS: TestAccAWSRoute_ConditionalCidrBlock (46.05s)
--- PASS: TestAccAWSRoute_disappears (44.72s)
--- PASS: TestAccAWSRoute_doesNotCrashWithVPCEndpoint (54.54s)
--- PASS: TestAccAWSRoute_ipv6Support (48.70s)
--- PASS: TestAccAWSRoute_ipv6ToInstance (125.79s)
--- PASS: TestAccAWSRoute_ipv6ToInternetGateway (69.53s)
--- PASS: TestAccAWSRoute_ipv6ToNetworkInterface (148.39s)
--- PASS: TestAccAWSRoute_ipv6ToPeeringConnection (51.11s)
--- PASS: TestAccAWSRoute_noopdiff (89.35s)
--- PASS: TestAccAWSRoute_TransitGatewayID_DestinationCidrBlock (332.00s)

--- PASS: TestAccAWSRouteTable_basic (78.10s)
--- PASS: TestAccAWSRouteTable_ConditionalCidrBlock (68.64s)
--- PASS: TestAccAWSRouteTable_instance (150.39s)
--- PASS: TestAccAWSRouteTable_ipv6 (26.20s)
--- PASS: TestAccAWSRouteTable_panicEmptyRoute (27.82s)
--- PASS: TestAccAWSRouteTable_Route_ConfigMode (110.18s)
--- PASS: TestAccAWSRouteTable_Route_TransitGatewayID (323.70s)
--- PASS: TestAccAWSRouteTable_tags (95.64s)
--- PASS: TestAccAWSRouteTable_vgwRoutePropagation (69.82s)
--- PASS: TestAccAWSRouteTable_vpcPeering (54.12s)

--- PASS: TestAccAwsWafv2IPSet_Basic (16.89s)
--- PASS: TestAccAwsWafv2IPSet_ChangeNameForceNew (19.97s)
--- PASS: TestAccAwsWafv2IPSet_Disappears (9.42s)
--- PASS: TestAccAwsWafv2IPSet_IPv6 (9.15s)
--- PASS: TestAccAwsWafv2IPSet_Large (23.08s)
--- PASS: TestAccAwsWafv2IPSet_Minimal (19.65s)
--- PASS: TestAccAwsWafv2IPSet_Tags (37.93s)

@bflad bflad merged commit b3d4388 into hashicorp:master Jun 24, 2020
bflad added a commit that referenced this pull request Jun 24, 2020
@ewbankkit ewbankkit deleted the issue-338 branch June 24, 2020 17:30
ghost commented Jun 26, 2020

This has been released in version 2.68.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Jul 24, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 24, 2020