aws_flow_log - adding support for sending to S3 #5509
Conversation
aws/resource_aws_flow_log.go
Outdated
| Optional: true, | ||
| ForceNew: true, | ||
| ConflictsWith: []string{"eni_id", "vpc_id"}, | ||
| "resource_id": &schema.Schema{ |
There was a problem hiding this comment.
Should be named resource_ids as potentially multiple IDs can be specified?
There was a problem hiding this comment.
I did this to conform to the AWS cli argument name*, but will make the change
aws/resource_aws_flow_log.go
Outdated
| LogGroupName: aws.String(d.Get("log_group_name").(string)), | ||
| ResourceIds: []*string{aws.String(resourceId)}, | ||
| ResourceType: aws.String(resourceType), | ||
| ResourceIds: aws.StringSlice(d.Get("resource_id").([]string)), |
There was a problem hiding this comment.
As resource_id is declared as schema.TypeSet, d.Get("resource_id") is I think of type *schema.Set, so some manipulation is required to pass to aws.StringSlice.
aws/resource_aws_flow_log.go
Outdated
|
|
||
| var resourceKey string | ||
| if strings.HasPrefix(*fl.ResourceId, "vpc-") { |
There was a problem hiding this comment.
|
Do we need to consider a diff suppression for the case resource "aws_flow_log" "foo" {
log_group_name = "bar"
}=> resource "aws_flow_log" "foo" {
log_destination_type = "cloud-watch-logs"
log_destination = "bar"
}and vice-versa? |
aws/resource_aws_flow_log.go
Outdated
| }, | ||
|
|
||
| "vpc_id": &schema.Schema{ |
There was a problem hiding this comment.
Removing existing attributes will require a deprecation warning and support of the attributes until deprecation.
radeksimko
added
enhancement
|
thanks @ewbankkit I've addressed some of your suggestions. going to take a look at the diff suppression. I'm not sure how to address your suggestion of generic ec2 resource parsing but can look later as well |
|
@ewbankkit I addressed the diff suppression for log destination, do you think I also have to add diff suppression to check if the old format matches the new format.. ie: old format: resource "aws_flow_log" "foo" {
vpc_id = "vpc-foo"
}vs new format: resource "aws_flow_log" "foo" {
resource_ids = ["vpc-foo"]
resource_type = "VPC"
} |
|
@ryandeivert RE #5509 (comment), don't worry; I was just noodling some thoughts. |
|
thanks @ewbankkit - I'm running acceptance tests and fixing some more things. will update soon |
|
Yes, strictly speaking those |
|
good to know - I'll hunt for it. thanks for the pointers |
|
aws/resource_aws_flow_log.go now has conflicts, could you rebase please? |
|
Upgrade guide is at website/docs/guides/version-2-upgrade.html.md. |
|
@ryandeivert aws/resource_aws_flow_log.go now has conflicts, could you rebase please? |
|
hey @mikecook sorry I haven't gotten to touch this in a bit. I have some local changes I hope to get upstream soon and will rebase when I take care of that |
|
@ryandeivert I can help with running acceptance tests when you're ready. |
|
thanks @ewbankkit I've actually been running them now, trying to sort out issues. will follow up soon |
|
greetings, this might turn out to be very useful, any way i can help? if not, is there an estimated release date? thanks all for the great work! |
|
hi @uovobw I'm going to try to dedicate some time to this later today. I'm having some issues with acceptance tests (thinking related to the diff suppression) so I'll probably just commit what I have and outsource some assistance from someone here. thanks for your patience! |
|
@ryandeivert ok, in the coming days i'll provide what help i can, thanks for the update and for your work. |
|
exactly what i'm looking for :-) any ETA on this? |
|
I'm interested in this as well, VPC Flow Logs through cloudwatch are very costly and would reduce the cost tremendously. |
|
This will get a first review next week. 👍 |
There was a problem hiding this comment.
Hi @ryandeivert and @ewbankkit 👋 Thanks for submitting this and thanks everyone for your patience. This took longer to review because there are two sets of changes occurring here with the usage of some more advanced resource functionality (state migrations and customizing the difference). We will keep the feedback loop tight on this going forward.
I'm a little curious why the resource_id and resource_type changes need to be included with the addition of log_destination and log_destination_type arguments? While they help the resource look more like the EC2 API, I'm not sure the change is necessary either. I feel like we can treat those changes separately (or not at all) since they complicate this PR review and are unrelated, but I will defer to the authors if they can adjust given the feedback or would like to treat them separately.
That said, I did find some items below that required me to mark this as breaking-change since it will affect existing configurations, mostly the Read function nil'ing out the old attributes. Resources should continue to have existing attributes available, even after deprecation, so configuration references to those attributes continue working.
Please let me know how you would like to proceed here or if you have any questions regarding any of these items, thanks.
aws/resource_aws_flow_log_migrate.go
Outdated
| Partition: meta.(*AWSClient).partition, | ||
| Region: meta.(*AWSClient).region, | ||
| Service: "logs", | ||
| AccountID: meta.(*AWSClient).accountid, |
There was a problem hiding this comment.
For environments that use skip_requesting_account_id this could silently break the configuration.
aws/resource_aws_flow_log.go
Outdated
| Partition: meta.(*AWSClient).partition, | ||
| Region: meta.(*AWSClient).region, | ||
| Service: "logs", | ||
| AccountID: meta.(*AWSClient).accountid, |
There was a problem hiding this comment.
We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.
aws/resource_aws_flow_log.go
Outdated
| Partition: meta.(*AWSClient).partition, | ||
| Region: meta.(*AWSClient).region, | ||
| Service: "logs", | ||
| AccountID: meta.(*AWSClient).accountid, |
There was a problem hiding this comment.
We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.
aws/resource_aws_flow_log.go
Outdated
| Partition: meta.(*AWSClient).partition, | ||
| Region: meta.(*AWSClient).region, | ||
| Service: "logs", | ||
| AccountID: meta.(*AWSClient).accountid, |
There was a problem hiding this comment.
We have the same problem here, that configurations using skip_requesting_account_id may not work in this scenario.
aws/resource_aws_flow_log.go
Outdated
| @@ -18,45 +20,114 @@ func resourceAwsFlowLog() *schema.Resource { | |||
| Importer: &schema.ResourceImporter{ | |||
| State: schema.ImportStatePassthrough, | |||
| }, | |||
| CustomizeDiff: resourceAwsLogFlowCustomizeDiff, | |||
There was a problem hiding this comment.
Just noting here that CustomizeDiff is not the most reliable method to work with in Terraform resources. It will silently skip computed values (e.g. Computed attributes from references like aws_vpc.XXX.id). If we can avoid its usage here, I think we should.
aws/resource_aws_flow_log.go
Outdated
| d.SetId("") | ||
| return nil | ||
| } | ||
|
|
||
| fl := resp.FlowLogs[0] | ||
| d.Set("traffic_type", fl.TrafficType) | ||
| d.Set("log_group_name", fl.LogGroupName) |
There was a problem hiding this comment.
I think we need to keep this for backwards compatibility. See note below.
aws/resource_aws_flow_log.go
Outdated
| } | ||
| if resourceKey != "" { | ||
| d.Set(resourceKey, fl.ResourceId) |
There was a problem hiding this comment.
I think we need to keep this for backwards compatibility. See note below.
aws/resource_aws_flow_log_test.go
Outdated
| Providers: testAccProviders, | ||
| CheckDestroy: testAccCheckFlowLogDestroy, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: testAccFlowLogConfig_basic(rInt), | ||
| Config: testAccFlowLogConfig_vpcOldSyntaxCloudWatch(rInt), |
There was a problem hiding this comment.
For configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_vpc.default", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "vpc_id", "aws_vpc.default", "id"),
aws/resource_aws_flow_log_test.go
Outdated
| @@ -68,16 +104,152 @@ func TestAccAWSFlowLog_subnet(t *testing.T) { | |||
| CheckDestroy: testAccCheckFlowLogDestroy, | |||
| Steps: []resource.TestStep{ | |||
| { | |||
| Config: testAccFlowLogConfig_subnet(rInt), | |||
| Config: testAccFlowLogConfig_subnetOldSyntaxCloudWatch(rInt), | |||
There was a problem hiding this comment.
Same here -- especially for configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_subnet.test_subnet", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "subnet_id", "aws_subnet.test_subnet", "id"),
aws/resource_aws_flow_log_test.go
Outdated
| CheckDestroy: testAccCheckFlowLogDestroy, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: testAccFlowLogConfig_eniOldSyntaxCloudWatch(rInt), |
There was a problem hiding this comment.
Same here -- especially for configurations using the "old" syntax, we should ensure that the "old" attributes are still available as expected. The same can also be used to verify it available in the "new" attribute. e.g.
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "log_group_name", "aws_cloudwatch_log_group.foobar", "name"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "eni_id", "aws_network_interface.test_eni", "id"),
resource.TestCheckResourceAttrPair("aws_flow_log.test_flow_log_vpc", "resource_id", "aws_network_interface.test_eni", "id"),
bflad
added
waiting-response
|
For a sample of the minimum required changes to support S3 logging, please see: https://github.com/terraform-providers/terraform-provider-aws/compare/f-aws_flow_log-log_destination?expand=1 |
|
@bflad Agreed that the currently proposed changes are large and a more lightweight approach may be more appropriate to land this much-requested feature as soon as makes sense. |
|
@bflad / @ewbankkit I'm more than happy with a more minimal approach to this. would you suggest that I modify this PR or open a new one with those changes? |
|
@ryandeivert I'll leave that up to you, but I'm sure folks here would probably appreciate whatever is quickest -- you can steal any of my branch if you wish or you/I can just create a new PR 😄 |
ghost
added
size/XL
* Add `log_destination` and `log_destination_type` arguments * Deprecate `log_group_name` and conflict it with `log_destination` * Mark `iam_role_arn` as Optional ``` $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSFlowLog_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -run=TestAccAWSFlowLog_ -timeout 120m === RUN TestAccAWSFlowLog_VPCID --- PASS: TestAccAWSFlowLog_VPCID (75.46s) === RUN TestAccAWSFlowLog_SubnetID --- PASS: TestAccAWSFlowLog_SubnetID (28.62s) === RUN TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs --- PASS: TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs (28.68s) === RUN TestAccAWSFlowLog_LogDestinationType_S3 --- PASS: TestAccAWSFlowLog_LogDestinationType_S3 (153.81s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 287.945s ```
|
thanks @bflad I just reset my commits here and cherry picked your commit. output of acceptance tests: |
bflad
removed
breaking-change
|
Hi, when can we expect a Terraform release that's having this change? |
|
@amine250 we typically release on Wednesdays, see also: https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md |
|
This has been released in version 1.42.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
How can I make use of a aws_flow_log that logs on S3 inside a aws_subnet resource? Shouldn't there be an argument for aws_subnet such as : |
|
@amine250 What makes you think it should be a configuration option on the |
|
@tomelliff I'm new to Terraform so I could be saying BS. |
|
If you're running into issues with that then you should raise a separate issue rather than reply to this pull request which added the S3 support for the |
|
@tomelliff I think we are missing an attribute to specify S3 prefix for an aws_flow_log resource. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #5482
Changes proposed in this pull request:
aws_flow_logresource for s3 delivery support, also improving schema validation.aws_flow_logresource from v0 to v1aws_flow_logstate migrationaws_flow_logresourceOutput from acceptance testing (from @ewbankkit):