From a2e0a3efddd64fc7977abf1844a9cca1df84e047 Mon Sep 17 00:00:00 2001 From: Jukie Date: Sat, 2 May 2020 11:45:32 -0400 Subject: [PATCH 01/20] Update ECS task def resource schema --- aws/resource_aws_ecs_task_definition.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 73b8bd7ee346..1ebdaaef97f8 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -196,6 +196,16 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { ForceNew: true, Optional: true, }, + "transit_encryption": { + Type: schema.TypeString, + ForceNew: true, + Optional: true, + }, + "transit_encryption_port": { + Type: schema.TypeInt, + ForceNew: true, + Optional: true, + }, }, }, }, From 384fb86c1e72b0d48675ca15a748ac6255d5e5ca Mon Sep 17 00:00:00 2001 From: Jukie Date: Sat, 2 May 2020 11:47:48 -0400 Subject: [PATCH 02/20] Update EFS volume config to account for transit encryption --- aws/structure.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/aws/structure.go b/aws/structure.go index 6a733e9fbb2d..8f2540d5ff3a 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -161,6 +161,14 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { if v, ok := config["root_directory"].(string); ok && v != "" { l.EfsVolumeConfiguration.RootDirectory = aws.String(v) } + + if v, ok := config["transit_encryption"].(string); ok && v != "" { + l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) + } + + if v, ok := config["transit_encryption_port"].(int64); ok && v != 0 { + l.EfsVolumeConfiguration.TransitEncryptionPort = aws.Int64(v) + } } volumes = append(volumes, l) 
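Review bot: The `config["transit_encryption_port"].(int64)` assertion in the block added to expandEcsVolumes can never succeed, because the Terraform SDK hands a `schema.TypeInt` attribute to the expander as a Go `int`; `ok` is false, the branch is skipped, and a user-configured port is silently dropped from the RegisterTaskDefinition request with no error and no plan diff. The `root_directory` branch just above shows the intended shape; the port branch should read `if v, ok := config["transit_encryption_port"].(int); ok && v != 0 {` followed by `l.EfsVolumeConfiguration.TransitEncryptionPort = aws.Int64(int64(v))`. A later commit in this series is titled "fix encryption port" and may address this, but its hunk is not in view. expandEcsVolumes begins before this hunk.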
@@ -749,6 +757,14 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa if v := config.RootDirectory; v != nil { m["root_directory"] = aws.StringValue(v) } + + if v := config.TransitEncryption; v != nil { + m["transit_encryption"] = aws.StringValue(v) + } + + if v := config.TransitEncryptionPort; v != nil { + m["transit_encryption_port"] = aws.Int64Value(v) + } } items = append(items, m) From ecd240dc626e1792a485e9a889a7fb8670baa1a2 Mon Sep 17 00:00:00 2001 From: Jukie Date: Sat, 2 May 2020 11:48:32 -0400 Subject: [PATCH 03/20] Update acceptance tests to use transit encryption --- aws/resource_aws_ecs_task_definition_test.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 3d4f77515c1c..1cc48e6f752c 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go 
@@ -241,13 +241,15 @@ func TestAccAWSEcsTaskDefinition_withEFSVolume(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, "/home/test"), + Config: testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, "/home/test", "ENABLED", 2999), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttr(resourceName, "volume.#", "1"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.#", "1"), resource.TestCheckResourceAttrPair(resourceName, "volume.584193650.efs_volume_configuration.0.file_system_id", efsResourceName, "id"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.root_directory", "/home/test"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "ENABLED"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption_port", "2999"), ), }, { @@ -1489,7 +1491,7 @@ TASK_DEFINITION `, tdName) } -func testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, rDir string) string { +func testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, rDir, tEnc string, tEncPort int) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q @@ -1517,10 +1519,12 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = %[2]q + transit_encryption = %[3]q + transit_encryption_port = %[4]d } } } -`, tdName, rDir) +`, tdName, rDir, tEnc, tEncPort) } func testAccAWSEcsTaskDefinitionWithTaskRoleArn(roleName, policyName, tdName string) string { From 3fdfdfb38c21641134931ab638be3f2b69c5afef Mon Sep 17 00:00:00 2001 
From: Jukie Date: Sat, 2 May 2020 12:10:57 -0400 Subject: [PATCH 04/20] Update website docs for EFS volume config options --- website/docs/r/ecs_task_definition.html.markdown | 10 +++++++--- .../docs/r/waf_sql_injection_match_set.html.markdown | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index e67517716d48..7cc37c6f1623 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown @@ -159,10 +159,12 @@ resource "aws_ecs_task_definition" "service" { #### EFS Volume Configuration Arguments -For more information, see [Specifying an EFS volume in your Task Definition Developer Guide](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_efs.html) +For more information, see [Specifying an EFS volume in your Task Definition Developer Guide](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config) * `file_system_id` - (Required) The ID of the EFS File System. * `root_directory` - (Optional) The path to mount on the host +* `transit_encryption` - (Optional) Specify "ENABLED" to use transit encryption. +* `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. ##### Example Usage @@ -175,8 +177,10 @@ resource "aws_ecs_task_definition" "service" { name = "service-storage" efs_volume_configuration { - file_system_id = aws_efs_file_system.fs.id - root_directory = "/opt/data" + file_system_id = aws_efs_file_system.fs.id + root_directory = "/opt/data" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 } } } diff --git a/website/docs/r/waf_sql_injection_match_set.html.markdown b/website/docs/r/waf_sql_injection_match_set.html.markdown index 04a5e2603550..08da2041fb7b 100644 
--- a/website/docs/r/waf_sql_injection_match_set.html.markdown +++ b/website/docs/r/waf_sql_injection_match_set.html.markdown @@ -70,4 +70,4 @@ AWS WAF SQL Injection Match Set can be imported using their ID, e.g. ``` $ terraform import aws_waf_sql_injection_match_set.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc -``` \ No newline at end of file +``` From 8a69551f20c471123fbe1f7f01bd90fbf4938d2d Mon Sep 17 00:00:00 2001 From: Jukie Date: Sun, 3 May 2020 17:04:32 -0400 Subject: [PATCH 05/20] "Update acceptance tests to use transit encryption" --- aws/resource_aws_ecs_task_definition_test.go | 70 ++++++++++++++++++-- 1 file changed, 65 insertions(+), 5 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 1cc48e6f752c..d9ca463f2bfc 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go 
@@ -241,13 +241,39 @@ func TestAccAWSEcsTaskDefinition_withEFSVolume(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, "/home/test", "ENABLED", 2999), + Config: testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, "/home/test"), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttr(resourceName, "volume.#", "1"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.#", "1"), resource.TestCheckResourceAttrPair(resourceName, "volume.584193650.efs_volume_configuration.0.file_system_id", efsResourceName, "id"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.root_directory", "/home/test"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateIdFunc: testAccAWSEcsTaskDefinitionImportStateIdFunc(resourceName), + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSEcsTaskDefinition_withTransitEncryptionEFSVolume(t *testing.T) { + var def ecs.TaskDefinition + + tdName := acctest.RandomWithPrefix("tf-acc-td-with-efs-volume") + resourceName := "aws_ecs_task_definition.test" + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, "ENABLED", 2999), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "ENABLED"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption_port", "2999"), ), 
@@ -1491,7 +1517,7 @@ TASK_DEFINITION `, tdName) } -func testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, rDir, tEnc string, tEncPort int) string { +func testAccAWSEcsTaskDefinitionWithEFSVolume(tdName, rDir string) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q @@ -1519,12 +1545,46 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = %[2]q - transit_encryption = %[3]q - transit_encryption_port = %[4]d } } } -`, tdName, rDir, tEnc, tEncPort) +`, tdName, rDir) +} + +func testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, tEnc string, tEncPort int) string { + return fmt.Sprintf(` +resource "aws_efs_file_system" "test" { + creation_token = %[1]q +} + +resource "aws_ecs_task_definition" "test" { + family = %[1]q + + container_definitions = < Date: Wed, 20 May 2020 10:21:25 -0400 Subject: [PATCH 06/20] Add EFS Access Point config schema and tests --- aws/resource_aws_ecs_task_definition.go | 25 ++++++- aws/resource_aws_ecs_task_definition_test.go | 75 ++++++++++++++++++++ aws/structure.go | 29 ++++++++ 3 files changed, 127 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index cd3fd9641ab0..462036573f69 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go 
@@ -202,9 +202,30 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Optional: true, }, "transit_encryption_port": { - Type: schema.TypeInt, - ForceNew: true, + Type: schema.TypeInt, + ForceNew: true, + Optional: true, + ValidateFunc: validation.IsPortNumber, + }, + "authorization_config": { + Type: schema.TypeList, Optional: true, + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_point_id": { + Type: schema.TypeString, + ForceNew: true, + Required: true, + }, + "iam_enabled": { + Type: schema.TypeString, + ForceNew: true, + Required: true, + }, + }, + }, }, }, }, diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index b18d316f05a1..087f8adf2a35 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go 
@@ -292,6 +292,34 @@ func TestAccAWSEcsTaskDefinition_withTransitEncryptionEFSVolume(t *testing.T) { }) } +func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { + var def ecs.TaskDefinition + + tdName := acctest.RandomWithPrefix("tf-acc-td-with-efs-volume") + resourceName := "aws_ecs_task_definition.test" + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "ENABLED", 2999), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), + resource.TestCheckResourceAttrSet(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.access_point_id"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam_enabled", "DISABLED"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateIdFunc: testAccAWSEcsTaskDefinitionImportStateIdFunc(resourceName), + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAWSEcsTaskDefinition_withTaskScopedDockerVolume(t *testing.T) { var def ecs.TaskDefinition 
@@ -1592,6 +1620,53 @@ TASK_DEFINITION `, tdName, tEnc, tEncPort) } +func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, tEnc string, tEncPort int) string { + return fmt.Sprintf(` +resource "aws_efs_file_system" "test" { + creation_token = %[1]q +} + +resource "aws_efs_access_point" "test" { + file_system_id = "${aws_efs_file_system.test.id}" + posix_user { + gid = 1001 + uid = 1001 + } + } + +resource "aws_ecs_task_definition" "test" { + family = %[1]q + + container_definitions = < 0 { + + if subV, ok := v["access_point_id"].(string); ok && subV != "" { + l.EfsVolumeConfiguration.AuthorizationConfig.AccessPointId = aws.String(subV) + } + + if subV, ok := v["iam_enabled"].(string); ok && subV != "" { + l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String(subV) + } + } } volumes = append(volumes, l) @@ -764,6 +774,25 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa if v := config.TransitEncryptionPort; v != nil { m["transit_encryption_port"] = aws.Int64Value(v) } + if v := config.AuthorizationConfig; v != nil { + m["authorization_config"] = flattenEFSVolumeAuthorizationConfig(v) + } + } + + items = append(items, m) + return items +} + +func flattenEFSVolumeAuthorizationConfig(config *ecs.EFSAuthorizationConfig) []interface{} { + var items []interface{} + m := make(map[string]interface{}) + if config != nil { + if v := config.AccessPointId; v != nil { + m["access_point_id"] = aws.StringValue(v) + } + if v := config.Iam; v != nil { + m["iam_enabled"] = aws.StringValue(v) + } } items = append(items, m) From 4d1ac27dfaa9921ca234e06f2197dd83a93ae963 Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 20 May 2020 11:24:57 -0400 Subject: [PATCH 07/20] Use bool values intsead --- aws/resource_aws_ecs_task_definition.go | 8 +++--- aws/resource_aws_ecs_task_definition_test.go | 22 +++++++-------- aws/structure.go | 28 +++++++++++++++----- 3 files changed, 37 insertions(+), 21 deletions(-) 
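Review bot: `flattenEFSVolumeAuthorizationConfig` appends `m` even when `config` is nil, so a nil argument yields a one-element list holding an empty map instead of an empty list; the only caller in this hunk guards with `if v := config.AuthorizationConfig; v != nil`, which makes the helper's own `if config != nil` dead code, but any future caller that passes the raw pointer would likely write a phantom `authorization_config {}` block into state and, on a ForceNew resource, a recurring diff. Make the helper total instead: `if config == nil { return nil }` as the first statement, then build the map and append it unconditionally. The enclosing flattenEFSVolumeConfiguration begins before this hunk.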
diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 462036573f69..3cfbf9b54866 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -197,7 +197,7 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Optional: true, }, "transit_encryption": { - Type: schema.TypeString, + Type: schema.TypeBool, ForceNew: true, Optional: true, }, @@ -217,12 +217,12 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { "access_point_id": { Type: schema.TypeString, ForceNew: true, - Required: true, + Optional: true, }, "iam_enabled": { - Type: schema.TypeString, + Type: schema.TypeBool, ForceNew: true, - Required: true, + Optional: true, }, }, }, diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 087f8adf2a35..17939ef057de 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go @@ -275,10 +275,10 @@ func TestAccAWSEcsTaskDefinition_withTransitEncryptionEFSVolume(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, "ENABLED", 2999), + Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, true, 2999), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "ENABLED"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "true"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption_port", "2999"), ), }, 
@@ -303,11 +303,11 @@ func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "ENABLED", 2999), + Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, false), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttrSet(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.access_point_id"), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam_enabled", "DISABLED"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam_enabled", "false"), ), }, { @@ -1584,7 +1584,7 @@ TASK_DEFINITION `, tdName, rDir) } -func testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, tEnc string, tEncPort int) string { +func testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName string, tEnc bool, tEncPort int) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q @@ -1612,7 +1612,7 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = "/home/test" - transit_encryption = %[2]q + transit_encryption = %[2]t transit_encryption_port = %[3]d } } @@ -1620,7 +1620,7 @@ TASK_DEFINITION `, tdName, tEnc, tEncPort) } -func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, tEnc string, tEncPort int) string { +func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName string, useIam bool) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q 
@@ -1656,16 +1656,16 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = "/home/test" - transit_encryption = %[2]q - transit_encryption_port = %[3]d + transit_encryption = true + transit_encryption_port = 2999 authorization_config { access_point_id = "${aws_efs_access_point.test.id}" - iam_enabled = "DISABLED" + iam_enabled = %[2]t } } } } -`, tdName, tEnc, tEncPort) +`, tdName, useIam) } func testAccAWSEcsTaskDefinitionWithTaskRoleArn(roleName, policyName, tdName string) string { return fmt.Sprintf(` diff --git a/aws/structure.go b/aws/structure.go index 2e4a2d3587da..38b770f892ac 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -161,8 +161,12 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.RootDirectory = aws.String(v) } - if v, ok := config["transit_encryption"].(string); ok && v != "" { - l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) + if v, ok := config["transit_encryption"].(bool); ok { + if v == true { + l.EfsVolumeConfiguration.TransitEncryption = aws.String("ENABLED") + } else if v == false { + l.EfsVolumeConfiguration.TransitEncryption = aws.String("DISABLED") + } } if v, ok := config["transit_encryption_port"].(int64); ok && v != 0 { @@ -174,8 +178,12 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.AuthorizationConfig.AccessPointId = aws.String(subV) } - if subV, ok := v["iam_enabled"].(string); ok && subV != "" { - l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String(subV) + if subV, ok := v["iam_enabled"].(bool); ok { + if subV == true { + l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("ENABLED") + } else if subV == false { + l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("DISABLED") + } } } } 
@@ -768,7 +776,11 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa } if v := config.TransitEncryption; v != nil { - m["transit_encryption"] = aws.StringValue(v) + if v == aws.String("ENABLED") { + m["transit_encryption"] = aws.Bool(true) + } else if v == aws.String("DISABLED") { + m["transit_encryption"] = aws.Bool(false) + } } if v := config.TransitEncryptionPort; v != nil { @@ -791,7 +803,11 @@ func flattenEFSVolumeAuthorizationConfig(config *ecs.EFSAuthorizationConfig) []i m["access_point_id"] = aws.StringValue(v) } if v := config.Iam; v != nil { - m["iam_enabled"] = aws.StringValue(v) + if v == aws.String("ENABLED") { + m["iam_enabled"] = aws.Bool(true) + } else if v == aws.String("DISABLED") { + m["iam_enabled"] = aws.Bool(false) + } } } From 98edb56ec83010b8fdb329161c82b90575c0d5d4 Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 20 May 2020 11:26:09 -0400 Subject: [PATCH 08/20] Add docs for authorization config --- website/docs/r/ecs_task_definition.html.markdown | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index 7cc37c6f1623..cd330055b1b0 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
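Review bot: `if v == aws.String("ENABLED")` in the flattenEFSVolumeConfiguration hunk compares two `*string` values, and `aws.String` returns a fresh pointer on every call, so the condition is always false, neither branch runs, and `transit_encryption` is never written back to state regardless of what the API returns; the `iam_enabled` hunk below has the identical defect. Compare the dereferenced value: `switch aws.StringValue(v) { case "ENABLED": m["transit_encryption"] = true; case "DISABLED": m["transit_encryption"] = false }`, storing a plain `bool` (the conventional value for a `TypeBool` attribute) rather than `aws.Bool(...)`. Since the attribute is ForceNew, a value that never reaches state would presumably surface as drift on every plan and force task-definition replacement, so the read path deserves an acceptance-test assertion that `true` round-trips. Both hunks cut into functions that begin earlier in the file.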
@@ -163,9 +163,11 @@ For more information, see [Specifying an EFS volume in your Task Definition Deve * `file_system_id` - (Required) The ID of the EFS File System. * `root_directory` - (Optional) The path to mount on the host -* `transit_encryption` - (Optional) Specify "ENABLED" to use transit encryption. +* `transit_encryption` - (Optional) Boolean whether to use transit encryption. * `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. - +* `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. + * `access_point_id` - The access point ID to use. If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration. + * `iam_enabled` - Boolean for whether or not to use the Amazon ECS task IAM role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the EFSVolumeConfiguration. ##### Example Usage ```hcl @@ -177,15 +179,20 @@ resource "aws_ecs_task_definition" "service" { name = "service-storage" efs_volume_configuration { - file_system_id = aws_efs_file_system.fs.id + file_system_id = "${aws_efs_file_system.fs.id}" root_directory = "/opt/data" - transit_encryption = "ENABLED" + transit_encryption = true transit_encryption_port = 2999 + authorization_config { + access_point_id = "${aws_efs_access_point.test.id}" + iam_enabled = true + } } } } ``` + #### Placement Constraints Arguments * `type` - (Required) The type of constraint. Use `memberOf` to restrict selection to a group of valid candidates. From c8bdc0e21a2a49c052db35edd3806fed55c1a0e3 Mon Sep 17 00:00:00 2001 
From: Jukie Date: Wed, 20 May 2020 11:31:38 -0400 Subject: [PATCH 09/20] Apply linting and remove extraneous change --- aws/structure.go | 8 ++++---- website/docs/r/ecs_task_definition.html.markdown | 3 ++- website/docs/r/waf_sql_injection_match_set.html.markdown | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/aws/structure.go b/aws/structure.go index 38b770f892ac..c0169ace5e43 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -162,9 +162,9 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { } if v, ok := config["transit_encryption"].(bool); ok { - if v == true { + if v { l.EfsVolumeConfiguration.TransitEncryption = aws.String("ENABLED") - } else if v == false { + } else if !v { l.EfsVolumeConfiguration.TransitEncryption = aws.String("DISABLED") } } @@ -179,9 +179,9 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { } if subV, ok := v["iam_enabled"].(bool); ok { - if subV == true { + if subV { l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("ENABLED") - } else if subV == false { + } else if !subV { l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("DISABLED") } } diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index cd330055b1b0..6a331471d276 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
@@ -168,6 +168,7 @@ For more information, see [Specifying an EFS volume in your Task Definition Deve * `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. * `access_point_id` - The access point ID to use. If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration. * `iam_enabled` - Boolean for whether or not to use the Amazon ECS task IAM role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the EFSVolumeConfiguration. + ##### Example Usage ```hcl @@ -185,7 +186,7 @@ resource "aws_ecs_task_definition" "service" { transit_encryption_port = 2999 authorization_config { access_point_id = "${aws_efs_access_point.test.id}" - iam_enabled = true + iam_enabled = true } } } diff --git a/website/docs/r/waf_sql_injection_match_set.html.markdown b/website/docs/r/waf_sql_injection_match_set.html.markdown index 08da2041fb7b..04a5e2603550 100644 --- a/website/docs/r/waf_sql_injection_match_set.html.markdown +++ b/website/docs/r/waf_sql_injection_match_set.html.markdown @@ -70,4 +70,4 @@ AWS WAF SQL Injection Match Set can be imported using their ID, e.g. ``` $ terraform import aws_waf_sql_injection_match_set.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc -``` +``` \ No newline at end of file From eb2c35f82e3535d75e9dc03f10018d0ebffc2b0c Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 10 Jun 2020 09:23:40 -0400 Subject: [PATCH 10/20] Better align schema keys with api names --- aws/resource_aws_ecs_task_definition.go | 6 ++--- aws/resource_aws_ecs_task_definition_test.go | 18 ++++++------- aws/structure.go | 28 +++++--------------- 3 files changed, 18 insertions(+), 34 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 3cfbf9b54866..ae80a556f3e3 100644 
--- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -197,7 +197,7 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Optional: true, }, "transit_encryption": { - Type: schema.TypeBool, + Type: schema.TypeString, ForceNew: true, Optional: true, }, @@ -219,8 +219,8 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { ForceNew: true, Optional: true, }, - "iam_enabled": { - Type: schema.TypeBool, + "iam": { + Type: schema.TypeString, ForceNew: true, Optional: true, }, diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 17939ef057de..fe20d0179848 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go @@ -275,10 +275,10 @@ func TestAccAWSEcsTaskDefinition_withTransitEncryptionEFSVolume(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, true, 2999), + Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, "ENABLED", 2999), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "true"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "ENABLED"), resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption_port", "2999"), ), }, 
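Review bot: `transit_encryption` is again a free-form `schema.TypeString` with no `ValidateFunc`, and the `iam` attribute in the second hunk is the same, so a typo such as `"enabled"` or `"true"` passes plan and is only rejected by RegisterTaskDefinition at apply time, which with two ForceNew attributes can leave a task-definition replacement half done. Add `ValidateFunc: validation.StringInSlice([]string{ecs.EFSTransitEncryptionEnabled, ecs.EFSTransitEncryptionDisabled}, false)` to `transit_encryption` and the matching `ecs.EFSAuthorizationConfigIAMEnabled`/`ecs.EFSAuthorizationConfigIAMDisabled` pair to `iam` (verify the constant names against the vendored SDK); the file already imports `validation` for `transit_encryption_port`. The attribute docs in this series state that ECS requires `transit_encryption = "ENABLED"` whenever `iam = "ENABLED"` or an `access_point_id` is set, and that invariant is likewise only discovered at apply, so a `CustomizeDiff` check or at least a schema `Description` noting it would help. The enclosing resource schema begins before these hunks.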
@@ -303,11 +303,11 @@ func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, false), + Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "DISABLED"), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttrSet(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.access_point_id"), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam_enabled", "false"), + resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam", "DISABLED"), ), }, { @@ -1584,7 +1584,7 @@ TASK_DEFINITION `, tdName, rDir) } -func testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName string, tEnc bool, tEncPort int) string { +func testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, tEnc string, tEncPort int) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q @@ -1612,7 +1612,7 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = "/home/test" - transit_encryption = %[2]t + transit_encryption = %[2]q transit_encryption_port = %[3]d } } @@ -1620,7 +1620,7 @@ TASK_DEFINITION `, tdName, tEnc, tEncPort) } -func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName string, useIam bool) string { +func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, useIam string) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q 
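Review bot: The only access-point test passes `"DISABLED"` for `iam`, so the path where the task's IAM role is used for the mount (per the attribute docs in this series) is never exercised by the acceptance suite, and a regression in the `iam` expand/flatten round-trip would go unnoticed. Add a second step to TestAccAWSEcsTaskDefinition_withEFSAccessPoint built from `testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "ENABLED")` with a matching `resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam", "ENABLED")`; registering the task definition does not appear to require an actual task role for this, but confirm against the API before relying on it. The helper's name still carries the `Wit` typo introduced earlier in the series.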
@@ -1656,11 +1656,11 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = "/home/test" - transit_encryption = true + transit_encryption = "ENABLED" transit_encryption_port = 2999 authorization_config { access_point_id = "${aws_efs_access_point.test.id}" - iam_enabled = %[2]t + iam = %[2]q } } } diff --git a/aws/structure.go b/aws/structure.go index c0169ace5e43..a7ec097cf420 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -161,12 +161,8 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.RootDirectory = aws.String(v) } - if v, ok := config["transit_encryption"].(bool); ok { - if v { - l.EfsVolumeConfiguration.TransitEncryption = aws.String("ENABLED") - } else if !v { - l.EfsVolumeConfiguration.TransitEncryption = aws.String("DISABLED") - } + if v, ok := config["transit_encryption"].(string); ok && v != "" { + l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) } if v, ok := config["transit_encryption_port"].(int64); ok && v != 0 { @@ -178,12 +174,8 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.AuthorizationConfig.AccessPointId = aws.String(subV) } - if subV, ok := v["iam_enabled"].(bool); ok { - if subV { - l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("ENABLED") - } else if !subV { - l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String("DISABLED") - } + if subV, ok := v["iam"].(string); ok && subV != "" { + l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String(subV) } } } 
@@ -776,11 +768,7 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa } if v := config.TransitEncryption; v != nil { - if v == aws.String("ENABLED") { - m["transit_encryption"] = aws.Bool(true) - } else if v == aws.String("DISABLED") { - m["transit_encryption"] = aws.Bool(false) - } + m["transit_encryption"] = aws.StringValue(v) } if v := config.TransitEncryptionPort; v != nil { @@ -803,11 +791,7 @@ func flattenEFSVolumeAuthorizationConfig(config *ecs.EFSAuthorizationConfig) []i m["access_point_id"] = aws.StringValue(v) } if v := config.Iam; v != nil { - if v == aws.String("ENABLED") { - m["iam_enabled"] = aws.Bool(true) - } else if v == aws.String("DISABLED") { - m["iam_enabled"] = aws.Bool(false) - } + m["iam"] = aws.StringValue(v) } } From 3a8a596050586cfa9af1d982ff3fb90e738509bb Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 10 Jun 2020 10:12:58 -0400 Subject: [PATCH 11/20] Add new schemas to volume hash --- aws/resource_aws_ecs_task_definition.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 761febb29dda..40e19700be02 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go 
@@ -631,6 +631,23 @@ func resourceAwsEcsTaskDefinitionVolumeHash(v interface{}) int { if v, ok := m["root_directory"]; ok && v.(string) != "" { buf.WriteString(fmt.Sprintf("%s-", v.(string))) } + + if v, ok := m["transit_encryption"]; ok && v.(string) != "" { + buf.WriteString(fmt.Sprintf("%s-", v.(string))) + } + if v, ok := m["transit_encryption_port"]; ok && v.(int) >= 0 { + buf.WriteString(fmt.Sprintf("%d-", v.(int))) + } + if v, ok := m["authorization_config"]; ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { + m := v.([]interface{})[0].(map[string]interface{}) + if v, ok := m["access_point_id"]; ok && v.(string) != "" { + buf.WriteString(fmt.Sprintf("%s-", v.(string))) + } + if v, ok := m["iam"]; ok && v.(string) != "" { + buf.WriteString(fmt.Sprintf("%s-", v.(string))) + } + } + } return hashcode.String(buf.String()) From ff3457a5bef4fdcffde6dcacacfa61d69cdae681 Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 10 Jun 2020 12:57:52 -0400 Subject: [PATCH 12/20] Update tests and fix encryption port --- aws/resource_aws_ecs_task_definition.go | 4 ++-- aws/resource_aws_ecs_task_definition_test.go | 14 +++++++------- aws/structure.go | 7 ++++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 40e19700be02..a0568829e431 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go 
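Review bot: The new fragments in resourceAwsEcsTaskDefinitionVolumeHash are written as bare `%s-` values, so a volume with `transit_encryption = "ENABLED"` and no `iam`, and one with `iam = "ENABLED"` and no `transit_encryption`, feed the same string to hashcode.String once the empty field writes nothing, and two different configurations collapse into one set element. This mirrors the existing `root_directory` line, but the added fields are enumerations drawn from the same ENABLED/DISABLED value space, so prefixing each fragment with its key, e.g. `buf.WriteString(fmt.Sprintf("transit_encryption-%s-", v.(string)))` and likewise for `iam`, keeps them distinguishable. The inner `m := v.([]interface{})[0].(map[string]interface{})` also shadows the outer `m`; a name such as `authConfig` would read more clearly. The function header and the earlier `file_system_id` fragment are outside the hunk.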
@@ -635,8 +635,8 @@ func resourceAwsEcsTaskDefinitionVolumeHash(v interface{}) int { if v, ok := m["transit_encryption"]; ok && v.(string) != "" { buf.WriteString(fmt.Sprintf("%s-", v.(string))) } - if v, ok := m["transit_encryption_port"]; ok && v.(int) >= 0 { - buf.WriteString(fmt.Sprintf("%d-", v.(int))) + if v, ok := m["transit_encryption_port"]; ok && v != nil { + buf.WriteString(fmt.Sprintf("%s-", string(v.(int)))) } if v, ok := m["authorization_config"]; ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { m := v.([]interface{})[0].(map[string]interface{}) diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 9120c672c5c5..3ddbc2a2790f 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go @@ -258,8 +258,7 @@ func TestAccAWSEcsTaskDefinition_withTransitEncryptionEFSVolume(t *testing.T) { Config: testAccAWSEcsTaskDefinitionWithTransitEncryptionEFSVolume(tdName, "ENABLED", 2999), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption", "ENABLED"), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.transit_encryption_port", "2999"), + resource.TestCheckResourceAttr(resourceName, "volume.#", "1"), ), }, { @@ -277,6 +276,7 @@ func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { tdName := acctest.RandomWithPrefix("tf-acc-td-with-efs-volume") resourceName := "aws_ecs_task_definition.test" + resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, 
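Review bot: Replacing the two `transit_encryption` / `transit_encryption_port` attribute checks with `resource.TestCheckResourceAttr(resourceName, "volume.#", "1")` in the `@@ -258` hunk leaves the new arguments unverified: the test now passes even if neither value reaches the ECS API. The `@@ -286` hunk in the next chunk makes the same substitution for `access_point_id` and `iam`. Since `testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def)` populates `def`, a small follow-up check function that inspects `def.Volumes[0].EfsVolumeConfiguration.TransitEncryption` and `.TransitEncryptionPort` (and `.AuthorizationConfig.Iam` in the access-point test) would restore the coverage without depending on the `volume.584193650` set-hash index that was dropped, assuming `def` is an `ecs.TaskDefinition` as the expand helpers suggest.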
@@ -286,8 +286,7 @@ func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "DISABLED"), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), - resource.TestCheckResourceAttrSet(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.access_point_id"), - resource.TestCheckResourceAttr(resourceName, "volume.584193650.efs_volume_configuration.0.authorization_config.0.iam", "DISABLED"), + resource.TestCheckResourceAttr(resourceName, "volume.#", "1"), ), }, { @@ -1585,13 +1584,14 @@ resource "aws_ecs_task_definition" "test" { TASK_DEFINITION volume { - name = "database_scratch" + name = %[1]q efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" root_directory = "/home/test" transit_encryption = %[2]q - transit_encryption_port = %[3]d + transit_encryption_port = %[3]d + } } } @@ -1629,7 +1629,7 @@ resource "aws_ecs_task_definition" "test" { TASK_DEFINITION volume { - name = "database_scratch" + name = %[1]q efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" diff --git a/aws/structure.go b/aws/structure.go index b010e26c94c0..f61e65b4da19 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -165,8 +165,8 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) } - if v, ok := config["transit_encryption_port"].(int64); ok && v != 0 { - l.EfsVolumeConfiguration.TransitEncryptionPort = aws.Int64(v) + if v, ok := config["transit_encryption_port"].(int); ok { + l.EfsVolumeConfiguration.TransitEncryptionPort = aws.Int64(int64(v)) } if v, ok := config["authorization_config"].(map[string]interface{}); ok && len(v) > 0 { 
@@ -772,8 +772,9 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa } if v := config.TransitEncryptionPort; v != nil { - m["transit_encryption_port"] = aws.Int64Value(v) + m["transit_encryption_port"] = int(aws.Int64Value(v)) } + if v := config.AuthorizationConfig; v != nil { m["authorization_config"] = flattenEFSVolumeAuthorizationConfig(v) } From fd9d5a860b00211a88b3a9a3ae4b760cada67395 Mon Sep 17 00:00:00 2001 From: Jukie Date: Wed, 10 Jun 2020 15:02:58 -0400 Subject: [PATCH 13/20] Remove default root directory path and fix auth config hash --- aws/resource_aws_ecs_task_definition.go | 5 ++--- aws/resource_aws_ecs_task_definition_test.go | 1 - aws/structure.go | 17 ++++++++++------- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index a0568829e431..8e1cf4facf2d 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -195,7 +195,6 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Type: schema.TypeString, ForceNew: true, Optional: true, - Default: "/", }, "transit_encryption": { Type: schema.TypeString, @@ -635,8 +634,8 @@ func resourceAwsEcsTaskDefinitionVolumeHash(v interface{}) int { if v, ok := m["transit_encryption"]; ok && v.(string) != "" { buf.WriteString(fmt.Sprintf("%s-", v.(string))) } - if v, ok := m["transit_encryption_port"]; ok && v != nil { - buf.WriteString(fmt.Sprintf("%s-", string(v.(int)))) + if v, ok := m["transit_encryption_port"]; ok && v.(int) > 0 { + buf.WriteString(fmt.Sprintf("%d-", v.(int))) } if v, ok := m["authorization_config"]; ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { m := v.([]interface{})[0].(map[string]interface{}) diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 3ddbc2a2790f..927bc606446d 100644 --- a/aws/resource_aws_ecs_task_definition_test.go 
+++ b/aws/resource_aws_ecs_task_definition_test.go @@ -1633,7 +1633,6 @@ TASK_DEFINITION efs_volume_configuration { file_system_id = "${aws_efs_file_system.test.id}" - root_directory = "/home/test" transit_encryption = "ENABLED" transit_encryption_port = 2999 authorization_config { diff --git a/aws/structure.go b/aws/structure.go index f61e65b4da19..cb6ca1ed3ebc 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -165,17 +165,20 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) } - if v, ok := config["transit_encryption_port"].(int); ok { + if v, ok := config["transit_encryption_port"].(int); ok && v > 0 { l.EfsVolumeConfiguration.TransitEncryptionPort = aws.Int64(int64(v)) } - if v, ok := config["authorization_config"].(map[string]interface{}); ok && len(v) > 0 { + authConfig, ok := config["authorization_config"].([]interface{}) + if ok && len(authConfig) > 0 { + authconfig := authConfig[0].(map[string]interface{}) + l.EfsVolumeConfiguration.AuthorizationConfig = &ecs.EFSAuthorizationConfig{} - if subV, ok := v["access_point_id"].(string); ok && subV != "" { - l.EfsVolumeConfiguration.AuthorizationConfig.AccessPointId = aws.String(subV) + if v, ok := authconfig["access_point_id"].(string); ok && v != "" { + l.EfsVolumeConfiguration.AuthorizationConfig.AccessPointId = aws.String(v) } - if subV, ok := v["iam"].(string); ok && subV != "" { - l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String(subV) + if v, ok := authconfig["iam"].(string); ok && v != "" { + l.EfsVolumeConfiguration.AuthorizationConfig.Iam = aws.String(v) } } } @@ -763,7 +766,7 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa m["file_system_id"] = aws.StringValue(v) } - if v := config.RootDirectory; v != nil { + if v := config.RootDirectory; v != nil && aws.StringValue(v) != "/" { m["root_directory"] = aws.StringValue(v) } 
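Review bot: `authconfig := authConfig[0].(map[string]interface{})` in the expandEcsVolumes hunk is an unchecked type assertion; an empty `authorization_config {}` block arrives as a nil list element, which the hash function in resource_aws_ecs_task_definition.go explicitly guards with `v.([]interface{})[0] != nil`, while here it would panic the provider during apply. Extending the condition, `if ok && len(authConfig) > 0 && authConfig[0] != nil {`, brings the two code paths into agreement. The names `authConfig` and `authconfig` differ only by case and are easy to confuse; `authConfigs`/`authConfig` or `list`/`m` would be clearer. The start of expandEcsVolumes, including the loop this code sits in, is outside the hunk.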
From 099a608f3c313aa82db7478d487d50f18b64ab10 Mon Sep 17 00:00:00 2001 From: Isaac Wilson <10012479+Jukie@users.noreply.github.com> Date: Wed, 10 Jun 2020 16:55:03 -0400 Subject: [PATCH 14/20] Update website/docs/r/ecs_task_definition.html.markdown Co-authored-by: Milosz Pogoda <31830726+milpog@users.noreply.github.com> --- website/docs/r/ecs_task_definition.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index 6a331471d276..11d74be58877 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown @@ -182,7 +182,7 @@ resource "aws_ecs_task_definition" "service" { efs_volume_configuration { file_system_id = "${aws_efs_file_system.fs.id}" root_directory = "/opt/data" - transit_encryption = true + transit_encryption = "ENABLED" transit_encryption_port = 2999 authorization_config { access_point_id = "${aws_efs_access_point.test.id}" From db5d4d403e19887baf4bea31c7007e8e72bc0ce9 Mon Sep 17 00:00:00 2001 From: Isaac Wilson <10012479+Jukie@users.noreply.github.com> Date: Wed, 10 Jun 2020 16:55:37 -0400 Subject: [PATCH 15/20] Update website/docs/r/ecs_task_definition.html.markdown Co-authored-by: Milosz Pogoda <31830726+milpog@users.noreply.github.com> --- website/docs/r/ecs_task_definition.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index 11d74be58877..2a86fdb89e4f 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
@@ -167,7 +167,7 @@ For more information, see [Specifying an EFS volume in your Task Definition Deve * `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. * `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. * `access_point_id` - The access point ID to use. If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration. - * `iam_enabled` - Boolean for whether or not to use the Amazon ECS task IAM role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the EFSVolumeConfiguration. + * `iam` - Whether or not to use the Amazon ECS task IAM role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the EFSVolumeConfiguration. Valid values: `ENABLED`, `DISABLED`. If this parameter is omitted, the default value of `DISABLED` is used. ##### Example Usage From aa2072284dc1bfb7aef7a5243961e5df9278df02 Mon Sep 17 00:00:00 2001 From: Isaac Wilson <10012479+Jukie@users.noreply.github.com> Date: Wed, 10 Jun 2020 16:55:47 -0400 Subject: [PATCH 16/20] Update website/docs/r/ecs_task_definition.html.markdown Co-authored-by: Milosz Pogoda <31830726+milpog@users.noreply.github.com> --- website/docs/r/ecs_task_definition.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index 2a86fdb89e4f..d9622ee3202d 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
@@ -162,7 +162,7 @@ resource "aws_ecs_task_definition" "service" { For more information, see [Specifying an EFS volume in your Task Definition Developer Guide](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config) * `file_system_id` - (Required) The ID of the EFS File System. -* `root_directory` - (Optional) The path to mount on the host +* `root_directory` - (Optional) The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying / will have the same effect as omitting this parameter. * `transit_encryption` - (Optional) Boolean whether to use transit encryption. * `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. * `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. From a6b19f4d5e74912c719fd813f1ab27cb0f65d0c7 Mon Sep 17 00:00:00 2001 From: Isaac Wilson <10012479+Jukie@users.noreply.github.com> Date: Wed, 10 Jun 2020 16:57:48 -0400 Subject: [PATCH 17/20] Apply suggestions from code review Update docs per @milpog Co-authored-by: Milosz Pogoda <31830726+milpog@users.noreply.github.com> --- website/docs/r/ecs_task_definition.html.markdown | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index d9622ee3202d..1a53a5173981 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
@@ -163,7 +163,7 @@ For more information, see [Specifying an EFS volume in your Task Definition Deve * `file_system_id` - (Required) The ID of the EFS File System. * `root_directory` - (Optional) The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying / will have the same effect as omitting this parameter. -* `transit_encryption` - (Optional) Boolean whether to use transit encryption. +* `transit_encryption` - (Optional) Whether or not to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. Valid values: `ENABLED`, `DISABLED`. If this parameter is omitted, the default value of `DISABLED` is used. * `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. * `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. * `access_point_id` - The access point ID to use. If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration. @@ -180,13 +180,13 @@ resource "aws_ecs_task_definition" "service" { name = "service-storage" efs_volume_configuration { - file_system_id = "${aws_efs_file_system.fs.id}" + file_system_id = aws_efs_file_system.fs.id root_directory = "/opt/data" transit_encryption = "ENABLED" transit_encryption_port = 2999 authorization_config { - access_point_id = "${aws_efs_access_point.test.id}" - iam_enabled = true + access_point_id = aws_efs_access_point.test.id + iam = "ENABLED" } } } From e6767767a0b3a1603a6f71182ca22adcde673ae6 Mon Sep 17 00:00:00 2001 
From: Jukie Date: Wed, 10 Jun 2020 17:24:05 -0400 Subject: [PATCH 18/20] Ignore root_directory if authorization_config is used --- aws/resource_aws_ecs_task_definition.go | 1 + aws/structure.go | 5 ++--- website/docs/r/ecs_task_definition.html.markdown | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 8e1cf4facf2d..99525f526270 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -195,6 +195,7 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Type: schema.TypeString, ForceNew: true, Optional: true, + Default: "/", }, "transit_encryption": { Type: schema.TypeString, diff --git a/aws/structure.go b/aws/structure.go index cb6ca1ed3ebc..709a8245d5b1 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -160,7 +160,6 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { if v, ok := config["root_directory"].(string); ok && v != "" { l.EfsVolumeConfiguration.RootDirectory = aws.String(v) } - if v, ok := config["transit_encryption"].(string); ok && v != "" { l.EfsVolumeConfiguration.TransitEncryption = aws.String(v) } @@ -171,6 +170,7 @@ func expandEcsVolumes(configured []interface{}) ([]*ecs.Volume, error) { authConfig, ok := config["authorization_config"].([]interface{}) if ok && len(authConfig) > 0 { authconfig := authConfig[0].(map[string]interface{}) + l.EfsVolumeConfiguration.RootDirectory = nil l.EfsVolumeConfiguration.AuthorizationConfig = &ecs.EFSAuthorizationConfig{} if v, ok := authconfig["access_point_id"].(string); ok && v != "" { 
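Review bot: `l.EfsVolumeConfiguration.RootDirectory = nil` silently discards whatever the user set in `root_directory` whenever `authorization_config` is present, so a configuration such as `root_directory = "/data"` together with an access point is applied with no signal that the path was ignored. expandEcsVolumes already returns an error, so rejecting the combination where both values are read is a small change: `if v, ok := config["root_directory"].(string); ok && v != "" && v != "/" { return nil, fmt.Errorf("root_directory must be \"/\" or omitted when authorization_config is set") }`. With the read side in the next hunk now writing the API's `RootDirectory` straight back into state, a non-default configured value would presumably also produce a perpetual diff on a ForceNew attribute — worth confirming with an acceptance test step. The enclosing function starts outside the hunk.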
@@ -766,10 +766,9 @@ func flattenEFSVolumeConfiguration(config *ecs.EFSVolumeConfiguration) []interfa m["file_system_id"] = aws.StringValue(v) } - if v := config.RootDirectory; v != nil && aws.StringValue(v) != "/" { + if v := config.RootDirectory; v != nil { m["root_directory"] = aws.StringValue(v) } - if v := config.TransitEncryption; v != nil { m["transit_encryption"] = aws.StringValue(v) } diff --git a/website/docs/r/ecs_task_definition.html.markdown b/website/docs/r/ecs_task_definition.html.markdown index 1a53a5173981..a04f2cf34f5b 100644 --- a/website/docs/r/ecs_task_definition.html.markdown +++ b/website/docs/r/ecs_task_definition.html.markdown 
@@ -162,7 +162,7 @@ resource "aws_ecs_task_definition" "service" { For more information, see [Specifying an EFS volume in your Task Definition Developer Guide](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config) * `file_system_id` - (Required) The ID of the EFS File System. -* `root_directory` - (Optional) The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying / will have the same effect as omitting this parameter. +* `root_directory` - (Optional) The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying / will have the same effect as omitting this parameter. This argument is ignored when using `authorization_config`. * `transit_encryption` - (Optional) Whether or not to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. Valid values: `ENABLED`, `DISABLED`. If this parameter is omitted, the default value of `DISABLED` is used. * `transit_encryption_port` - (Optional) The port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. * `authorization_config` - (Optional) The authorization configuration details for the Amazon EFS file system. From 68a98002eeb19a691bca760463ea9f87736dc777 Mon Sep 17 00:00:00 2001 From: Jukie Date: Thu, 11 Jun 2020 18:43:18 -0400 Subject: [PATCH 19/20] Add validator functions for EFSAuthorizationConfigIAM and EFSTransitEncryption --- aws/resource_aws_ecs_task_definition.go | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/aws/resource_aws_ecs_task_definition.go b/aws/resource_aws_ecs_task_definition.go index 99525f526270..41f5242ceccc 100644 --- a/aws/resource_aws_ecs_task_definition.go +++ b/aws/resource_aws_ecs_task_definition.go @@ -201,6 +201,10 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Type: schema.TypeString, ForceNew: true, Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + ecs.EFSTransitEncryptionEnabled, + ecs.EFSTransitEncryptionDisabled, + }, false), }, "transit_encryption_port": { Type: schema.TypeInt, @@ -224,6 +228,10 @@ func resourceAwsEcsTaskDefinition() *schema.Resource { Type: schema.TypeString, ForceNew: true, Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + ecs.EFSAuthorizationConfigIAMEnabled, + ecs.EFSAuthorizationConfigIAMDisabled, + }, false), }, }, }, From 4c5c6e404af82711afc8af1002b23e41655d3111 Mon Sep 17 00:00:00 2001 From: Jukie Date: Thu, 11 Jun 2020 18:43:50 -0400 Subject: [PATCH 20/20] Fix typo in function name --- aws/resource_aws_ecs_task_definition_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_ecs_task_definition_test.go b/aws/resource_aws_ecs_task_definition_test.go index 927bc606446d..7c41848b8051 100644 --- a/aws/resource_aws_ecs_task_definition_test.go +++ b/aws/resource_aws_ecs_task_definition_test.go @@ -283,7 +283,7 @@ func TestAccAWSEcsTaskDefinition_withEFSAccessPoint(t *testing.T) { CheckDestroy: testAccCheckAWSEcsTaskDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, "DISABLED"), + Config: testAccAWSEcsTaskDefinitionWithEFSAccessPoint(tdName, "DISABLED"), Check: resource.ComposeTestCheckFunc( testAccCheckAWSEcsTaskDefinitionExists(resourceName, &def), resource.TestCheckResourceAttr(resourceName, "volume.#", "1"), 
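Review bot: The two `ValidateFunc` additions constrain each enumeration on its own, but the dependency the docs in this series state — `iam = "ENABLED"` requires `transit_encryption = "ENABLED"` — is still enforced only by the ECS API, so the mismatch surfaces at apply time rather than at plan time; the same applies to the `@@ -224` hunk's `iam` validator. Both values are read in expandEcsVolumes, which returns an error, so the cross-field check fits there: `if aws.StringValue(l.EfsVolumeConfiguration.AuthorizationConfig.Iam) == ecs.EFSAuthorizationConfigIAMEnabled && aws.StringValue(l.EfsVolumeConfiguration.TransitEncryption) != ecs.EFSTransitEncryptionEnabled { return nil, fmt.Errorf("transit_encryption must be ENABLED when authorization_config.iam is ENABLED") }`. Using the `ecs.*` constants here rather than the literal strings the test helpers pass is the right direction; the acceptance tests could reference the same constants so a future SDK rename is caught at compile time.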
@@ -1598,7 +1598,7 @@ TASK_DEFINITION `, tdName, tEnc, tEncPort) } -func testAccAWSEcsTaskDefinitionWitEFSAccessPoint(tdName, useIam string) string { +func testAccAWSEcsTaskDefinitionWithEFSAccessPoint(tdName, useIam string) string { return fmt.Sprintf(` resource "aws_efs_file_system" "test" { creation_token = %[1]q