
r/aws_apigatewayv2_domain_name: Support mutual TLS authentication #15249

Conversation

ewbankkit
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #15220.
Relates #13527.

Release note for CHANGELOG:

resource/aws_apigatewayv2_domain_name: Add `mutual_tls_authentication` attribute to support mutual TLS authentication

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
    resource_aws_apigatewayv2_domain_name_test.go:273: Step 1/3 error: terraform failed: exit status 1
        
        stderr:
        
        Error: error creating API Gateway v2 domain name: BadRequestException: The certificate provided must be issued by ACM and not imported. (Service: APIGateway; Status Code: 400; Error Code: BadRequestException; Request ID: TOopqAEdPHcEJsw=; Proxy: null)
        
        
--- FAIL: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (19.79s)
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
    resource_aws_apigatewayv2_domain_name_test.go:115: [INFO] Got non-empty plan, as expected
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (25.41s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (65.41s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (115.63s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (392.86s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	393.417s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1

@ewbankkit ewbankkit requested a review from a team September 21, 2020 18:48
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Sep 21, 2020
@ewbankkit
Contributor Author

Investigating acceptance test failure...

@ewbankkit ewbankkit force-pushed the f-aws_apigatewayv2-mutual-tls-authentication branch 4 times, most recently from 4313fbe to 4b7544b Compare September 24, 2020 20:13
@ghost ghost added the service/acmpca Issues and PRs that pertain to the acmpca service. label Sep 24, 2020
@ghost ghost added the provider Pertains to the provider itself, rather than any interaction with AWS. label Oct 9, 2020
@ewbankkit
Contributor Author

Mutual TLS requires that the API Gateway domain name be configured with an Amazon-issued ACM certificate.
To run the acceptance test, specify the domain name of such a certificate:

$ AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (109.89s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	109.939s
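The constraint above (the domain name's certificate must be requested from ACM, not imported) is easiest to see in a full configuration. The following is an added example, not code from this PR or from the provider's own documentation. It assumes the provider's documented `domain_name_configuration` and `mutual_tls_authentication` arguments (`truststore_uri`, `truststore_version`), a provider version new enough to have `aws_s3_object` and `aws_s3_bucket_versioning` (4.x or later), a hosted zone for the parent domain, and a local `truststore.pem` file; `api.example.com`, `example.com.` and the bucket name are constructed placeholders.

```hcl
# Added example, not from the PR. Assumes provider >= 4.x; the domain,
# hosted zone and bucket name below are placeholders.

# The domain name's certificate must be Amazon-issued: API Gateway rejects
# an imported certificate on an mTLS-enabled domain name (see the
# BadRequestException in the first test run above).
resource "aws_acm_certificate" "api" {
  domain_name       = "api.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

data "aws_route53_zone" "parent" {
  name = "example.com."
}

# DNS validation records so the certificate reaches ISSUED before use.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.api.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id = data.aws_route53_zone.parent.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "api" {
  certificate_arn         = aws_acm_certificate.api.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Truststore: a PEM bundle of the client CA(s) whose certificates the
# gateway will accept. Bucket versioning lets truststore_version pin an
# exact bundle, so a later overwrite of the object does not silently
# change which clients are trusted.
resource "aws_s3_bucket" "truststore" {
  bucket = "example-mtls-truststore"
}

resource "aws_s3_bucket_versioning" "truststore" {
  bucket = aws_s3_bucket.truststore.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_object" "truststore" {
  bucket = aws_s3_bucket.truststore.id
  key    = "truststore.pem"
  source = "truststore.pem"
  etag   = filemd5("truststore.pem")

  depends_on = [aws_s3_bucket_versioning.truststore]
}

resource "aws_apigatewayv2_domain_name" "api" {
  domain_name = "api.example.com"

  domain_name_configuration {
    # Reference the validation resource so the cert is issued before use.
    certificate_arn = aws_acm_certificate_validation.api.certificate_arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }

  mutual_tls_authentication {
    truststore_uri     = "s3://${aws_s3_bucket.truststore.bucket}/${aws_s3_object.truststore.key}"
    truststore_version = aws_s3_object.truststore.version_id
  }
}
```

Two practitioner notes beyond what the thread states: pinning `truststore_version` is what makes the accepted client CA set reviewable in plan output rather than whatever is currently at the S3 key, and client-certificate enforcement applies only to the custom domain, so an API mapped to it should also have its default `execute-api` endpoint disabled (`disable_execute_api_endpoint` on `aws_apigatewayv2_api`) or callers can bypass mTLS by using the default hostname.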

@ewbankkit ewbankkit changed the title [WIP] r/aws_apigatewayv2_domain_name: Support mutual TLS authentication r/aws_apigatewayv2_domain_name: Support mutual TLS authentication Oct 10, 2020
@ewbankkit ewbankkit removed the service/acmpca Issues and PRs that pertain to the acmpca service. label Oct 10, 2020
@ewbankkit
Contributor Author

Investigate creating public ACM certificates in acceptance tests: #16139, #16140.

…bute.

Acceptance test output:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
    resource_aws_apigatewayv2_domain_name_test.go:273: Step 1/3 error: terraform failed: exit status 1

        stderr:

        Error: error creating API Gateway v2 domain name: BadRequestException: The certificate provided must be issued by ACM and not imported. (Service: APIGateway; Status Code: 400; Error Code: BadRequestException; Request ID: TOopqAEdPHcEJsw=; Proxy: null)

--- FAIL: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (19.79s)
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
    resource_aws_apigatewayv2_domain_name_test.go:115: [INFO] Got non-empty plan, as expected
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (25.41s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (65.41s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (115.63s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (392.86s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	393.417s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1
…aCertificateAuthorityDisableCA'."

This reverts commit aa6d1a451d6ef108aa878f8b9ecbe3e50d8f5501.
@ewbankkit ewbankkit force-pushed the f-aws_apigatewayv2-mutual-tls-authentication branch from c8a2a2d to b60662e Compare November 11, 2020 21:29
@ewbankkit ewbankkit requested a review from a team as a code owner November 11, 2020 21:29
@ghost ghost added the service/acmpca Issues and PRs that pertain to the acmpca service. label Nov 11, 2020
…AwsAcmpcaCertificateAuthorityDisableCA'.""

This reverts commit ee22ef2.
…ting mutual TLS (relates: hashicorp#16139).

Acceptance test output:

$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (22.46s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (83.52s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (207.72s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (240.48s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (758.06s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	758.484s
@ewbankkit ewbankkit removed provider Pertains to the provider itself, rather than any interaction with AWS. service/acmpca Issues and PRs that pertain to the acmpca service. labels Nov 11, 2020
@ewbankkit
Contributor Author

Rebased to remove merge conflict.
Refactored acceptance test to create a public ACM certificate (similar to #16139).

$ ACM_CERTIFICATE_ROOT_DOMAIN=<domain name> make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (22.46s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (83.52s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (207.72s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (240.48s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (758.06s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	758.484s

Collaborator

@DrFaust92 DrFaust92 left a comment

LGTM (for what I'm able to test :D)

--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (83.31s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (143.04s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (318.41s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (547.88s)

@breathingdust
Member

breathingdust commented Dec 1, 2020

LGTM 🚀 Thanks @ewbankkit

Verified Acceptance Tests in Commercial (us-west-2)

ACM_CERTIFICATE_ROOT_DOMAIN=terraform-provider-aws-acctest-acm.com make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (65.70s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (106.27s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (256.00s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (403.07s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (527.07s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	529.209s

The TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication test fails in GovCloud; the ticket to track the issue is #16508.

ACM_CERTIFICATE_ROOT_DOMAIN=terraform-provider-aws-acctest-acm.com make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m
=== RUN   TestAccAWSAPIGatewayV2DomainName_basic
=== PAUSE TestAccAWSAPIGatewayV2DomainName_basic
=== RUN   TestAccAWSAPIGatewayV2DomainName_disappears
=== PAUSE TestAccAWSAPIGatewayV2DomainName_disappears
=== RUN   TestAccAWSAPIGatewayV2DomainName_Tags
=== PAUSE TestAccAWSAPIGatewayV2DomainName_Tags
=== RUN   TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
=== CONT  TestAccAWSAPIGatewayV2DomainName_basic
=== CONT  TestAccAWSAPIGatewayV2DomainName_UpdateCertificate
=== CONT  TestAccAWSAPIGatewayV2DomainName_Tags
=== CONT  TestAccAWSAPIGatewayV2DomainName_disappears
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
    resource_aws_apigatewayv2_domain_name_test.go:273: Step 1/4 error: Error running pre-apply refresh: 2020/12/01 10:54:22 [DEBUG] Using modified User-Agent: Terraform/0.12.29 HashiCorp-terraform-exec/0.10.0

        Error: no matching Route53Zone found


--- FAIL: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (2.30s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (18.60s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_basic (192.99s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (371.29s)
--- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (446.56s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	448.539s
FAIL
make: *** [testacc] Error 1

@breathingdust breathingdust added this to the v3.19.0 milestone Dec 1, 2020
@breathingdust breathingdust merged commit ee0c21c into hashicorp:master Dec 1, 2020
breathingdust added a commit that referenced this pull request Dec 1, 2020
@ewbankkit ewbankkit deleted the f-aws_apigatewayv2-mutual-tls-authentication branch December 1, 2020 19:23
@ghost

ghost commented Dec 1, 2020

This has been released in version 3.19.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Jan 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 1, 2021