From ba19edd696c856d6319c6a3f76bc645ff301db1b Mon Sep 17 00:00:00 2001
From: Boris Parak
Date: Wed, 12 Jun 2024 20:02:30 +0200
Subject: [PATCH 1/5] Fix aws_ec2_instance_connect_endpoint/fips_dns_name for #37920
---
 internal/service/ec2/ec2_instance_connect_endpoint.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/internal/service/ec2/ec2_instance_connect_endpoint.go b/internal/service/ec2/ec2_instance_connect_endpoint.go
index 90273f5fb28..81ed7d99222 100644
--- a/internal/service/ec2/ec2_instance_connect_endpoint.go
+++ b/internal/service/ec2/ec2_instance_connect_endpoint.go
@@ -179,6 +179,11 @@ func (r *instanceConnectEndpointResource) Create(ctx context.Context, request re
 return
 }

+ // Fix missing FipsDnsName in regions without FIPS endpoint support.
+ if data.FipsDnsName.IsNull() {
+ data.FipsDnsName = types.StringValue("")
+ }
+
 response.Diagnostics.Append(response.State.Set(ctx, &data)...)
 }

@@ -212,6 +217,11 @@ func (r *instanceConnectEndpointResource) Read(ctx context.Context, request reso
 return
 }

+ // Fix missing FipsDnsName in regions without FIPS endpoint support.
+ if data.FipsDnsName.IsNull() {
+ data.FipsDnsName = types.StringValue("")
+ }
+
 setTagsOutV2(ctx, instanceConnectEndpoint.Tags)

 response.Diagnostics.Append(response.State.Set(ctx, &data)...)
From f131f5f20585ebc094ea08414127bec4d389ab2c Mon Sep 17 00:00:00 2001
From: Boris Parak
Date: Wed, 12 Jun 2024 20:37:54 +0200
Subject: [PATCH 2/5] Add changelog entry for bugfix #37939
---
 .changelog/37939.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/37939.txt
diff --git a/.changelog/37939.txt b/.changelog/37939.txt
new file mode 100644
index 00000000000..5e2a545d7ee
--- /dev/null
+++ b/.changelog/37939.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_ec2_instance_connect_endpoint: Fix known-after-apply loops when fips_dns_name is missing in non-US regions
+```
From 0f9480b2bd47a9897c6b4fa276300b8bf3ccbe70 Mon Sep 17 00:00:00 2001
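Review bot: Storing `""` in `fips_dns_name` when the value is null (added in Create in the -179 hunk and again in Read in the -212 hunk) makes "no FIPS endpoint" look like an ordinary known string to anything that consumes the attribute, and neither comment states that contract. A configuration that is required to stay on FIPS endpoints has to test for the empty value explicitly, so I would say so in the comment, e.g. `// EC2 returned no FipsDnsName; store "" so the computed attribute is known. "" means no FIPS endpoint is available.`, and repeat it in the attribute's schema description. The check also fires on any null value, not only in regions without FIPS support as the comment says. The two identical three-line blocks could move into one small helper on the model so Create and Read cannot drift apart. Both function bodies start and end outside the hunks.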
From: Kit Ewbank
Date: Fri, 27 Dec 2024 12:27:20 -0500
Subject: [PATCH 3/5] Tweak CHANGELOG entry.
---
 .changelog/37939.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.changelog/37939.txt b/.changelog/37939.txt
index 5e2a545d7ee..2bfbb9793e0 100644
--- a/.changelog/37939.txt
+++ b/.changelog/37939.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-resource/aws_ec2_instance_connect_endpoint: Fix known-after-apply loops when fips_dns_name is missing in non-US regions
+resource/aws_ec2_instance_connect_endpoint: Set `fips_dns_name` to an empty value (`""`) when no value is returned from the EC2 API. This fixes known-after-apply loops in Regions that don't support FIPS endpoints
 ```
From ab6575fb8515bb9b8930c0e05ef80d245e6c6055 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Fri, 27 Dec 2024 12:27:54 -0500
Subject: [PATCH 4/5] Add 'TestAccEC2InstanceConnectEndpoint_fipsRegion and 'TestAccEC2InstanceConnectEndpoint_nonFIPSRegion'.
---
 .../ec2/ec2_instance_connect_endpoint_test.go | 56 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/internal/service/ec2/ec2_instance_connect_endpoint_test.go b/internal/service/ec2/ec2_instance_connect_endpoint_test.go
index 0e6668e0fb0..edc54be7dee 100644
--- a/internal/service/ec2/ec2_instance_connect_endpoint_test.go
+++ b/internal/service/ec2/ec2_instance_connect_endpoint_test.go
@@ -9,6 +9,7 @@ import (
 "testing"

 "github.com/YakDriver/regexache"
+ "github.com/hashicorp/aws-sdk-go-base/v2/endpoints"
 sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
 "github.com/hashicorp/terraform-plugin-testing/terraform"
@@ -148,7 +149,6 @@ func TestAccEC2InstanceConnectEndpoint_securityGroupIDs(t *testing.T) {
 acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "ec2", regexache.MustCompile(`instance-connect-endpoint/.+`)),
 resource.TestCheckResourceAttrSet(resourceName, names.AttrAvailabilityZone),
 resource.TestCheckResourceAttrSet(resourceName, names.AttrDNSName),
- resource.TestCheckResourceAttrSet(resourceName, "fips_dns_name"),
 acctest.CheckResourceAttrGreaterThanOrEqualValue(resourceName, "network_interface_ids.#", 1),
 resource.TestCheckResourceAttr(resourceName, "preserve_client_ip", acctest.CtFalse),
 resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "2"),
@@ -169,6 +169,60 @@ func TestAccEC2InstanceConnectEndpoint_securityGroupIDs(t *testing.T) {
 })
 }

+func TestAccEC2InstanceConnectEndpoint_fipsRegion(t *testing.T) {
+ ctx := acctest.Context(t)
+ resourceName := "aws_ec2_instance_connect_endpoint.test"
+ rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckRegion(t, endpoints.UsWest2RegionID) },
+ ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckInstanceConnectEndpointDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccInstanceConnectEndpointConfig_basic(rName),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckInstanceConnectEndpointExists(ctx, resourceName),
+ resource.TestCheckResourceAttrSet(resourceName, "fips_dns_name"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccEC2InstanceConnectEndpoint_nonFIPSRegion(t *testing.T) {
+ ctx := acctest.Context(t)
+ resourceName := "aws_ec2_instance_connect_endpoint.test"
+ rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckRegion(t, endpoints.ApNortheast1RegionID) },
+ ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckInstanceConnectEndpointDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccInstanceConnectEndpointConfig_basic(rName),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckInstanceConnectEndpointExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "fips_dns_name", ""),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testAccCheckInstanceConnectEndpointExists(ctx context.Context, n string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[n]
From 9bf58bab4fb41f0fa8de60bbf6afa0e44919b821 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Fri, 27 Dec 2024 12:39:51 -0500
Subject: [PATCH 5/5] Tweak 'TestAccEC2InstanceConnectEndpoint_basic'.
---
 internal/service/ec2/ec2_instance_connect_endpoint_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/internal/service/ec2/ec2_instance_connect_endpoint_test.go b/internal/service/ec2/ec2_instance_connect_endpoint_test.go
index edc54be7dee..df304ca02bc 100644
--- a/internal/service/ec2/ec2_instance_connect_endpoint_test.go
+++ b/internal/service/ec2/ec2_instance_connect_endpoint_test.go
@@ -40,7 +40,6 @@ func TestAccEC2InstanceConnectEndpoint_basic(t *testing.T) {
 acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "ec2", regexache.MustCompile(`instance-connect-endpoint/.+`)),
 resource.TestCheckResourceAttrSet(resourceName, names.AttrAvailabilityZone),
 resource.TestCheckResourceAttrSet(resourceName, names.AttrDNSName),
- resource.TestCheckResourceAttrSet(resourceName, "fips_dns_name"),
 acctest.CheckResourceAttrGreaterThanOrEqualValue(resourceName, "network_interface_ids.#", 1),
 acctest.CheckResourceAttrAccountID(ctx, resourceName, names.AttrOwnerID),
 resource.TestCheckResourceAttr(resourceName, "preserve_client_ip", acctest.CtTrue),
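Review bot: `TestAccEC2InstanceConnectEndpoint_nonFIPSRegion` (added in the -169 hunk of patch 4) is the only assertion of the new empty-value path, and `acctest.PreCheckRegion(t, endpoints.ApNortheast1RegionID)` ties it to a single region, so it presumably does not run when the acceptance suite targets any other region. Neither new test has a comment saying why its region was chosen or what `fips_dns_name` is expected to be there; something like `// Region without FIPS endpoint support: fips_dns_name must be "".` above the function would make the intent survive a later region change. In `_fipsRegion`, `TestCheckResourceAttrSet` only shows the value is non-empty, so a pattern match on the hostname would be a tighter assertion if its format is stable. The two functions differ only in the region constant and the final check, so a shared helper taking those two arguments would remove the duplicated test case.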