From d1363ab1287d162e07a323c39022f1b5f0fdf824 Mon Sep 17 00:00:00 2001
From: Carl Henrik Lunde
Date: Thu, 23 May 2024 11:18:57 +0200
Subject: [PATCH 1/2] Add option autoGenerateAuthToken and connection details for ElastiCache ReplicationGroup

Signed-off-by: Carl Henrik Lunde
---
 .../v1beta2/zz_generated.deepcopy.go | 5 ++
 .../v1beta2/zz_replicationgroup_types.go | 8 ++
 config/elasticache/config.go | 42 +++++++++++
 .../elasticache/v1beta2/replicationgroup.yaml | 74 ++++++++++++++++++-
 ...ache.aws.upbound.io_replicationgroups.yaml | 15 +++-
 5 files changed, 136 insertions(+), 8 deletions(-)

diff --git a/apis/elasticache/v1beta2/zz_generated.deepcopy.go b/apis/elasticache/v1beta2/zz_generated.deepcopy.go
index b4d0e4e93c..9fe791bda5 100644
--- a/apis/elasticache/v1beta2/zz_generated.deepcopy.go
+++ b/apis/elasticache/v1beta2/zz_generated.deepcopy.go
@@ -775,6 +775,11 @@ func (in *ReplicationGroupParameters) DeepCopyInto(out *ReplicationGroupParamete
 *out = new(string)
 **out = **in
 }
+ if in.AutoGenerateAuthToken != nil {
+ in, out := &in.AutoGenerateAuthToken, &out.AutoGenerateAuthToken
+ *out = new(bool)
+ **out = **in
+ }
 if in.AutoMinorVersionUpgrade != nil {
 in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
 *out = new(string)
diff --git a/apis/elasticache/v1beta2/zz_replicationgroup_types.go b/apis/elasticache/v1beta2/zz_replicationgroup_types.go
index 82ae0aef86..db31317d7a 100755
--- a/apis/elasticache/v1beta2/zz_replicationgroup_types.go
+++ b/apis/elasticache/v1beta2/zz_replicationgroup_types.go
@@ -71,6 +71,7 @@ type ReplicationGroupInitParameters struct {
 AtRestEncryptionEnabled *bool `json:"atRestEncryptionEnabled,omitempty" tf:"at_rest_encryption_enabled,omitempty"`
 
 // Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+ // If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one.
 AuthTokenSecretRef *v1.SecretKeySelector `json:"authTokenSecretRef,omitempty" tf:"-"`
 
 // Strategy to use when updating the auth_token. Valid values are SET, ROTATE, and DELETE. Defaults to ROTATE.
@@ -396,6 +397,7 @@ type ReplicationGroupParameters struct {
 AtRestEncryptionEnabled *bool `json:"atRestEncryptionEnabled,omitempty" tf:"at_rest_encryption_enabled,omitempty"`
 
 // Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+ // If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one.
 // +kubebuilder:validation:Optional
 AuthTokenSecretRef *v1.SecretKeySelector `json:"authTokenSecretRef,omitempty" tf:"-"`
 
@@ -403,6 +405,12 @@ type ReplicationGroupParameters struct {
 // +kubebuilder:validation:Optional
 AuthTokenUpdateStrategy *string `json:"authTokenUpdateStrategy,omitempty" tf:"auth_token_update_strategy,omitempty"`
 
+ // Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+ // If true, the auth token will be auto-generated and stored in the Secret referenced by the authTokenSecretRef field.
+ // +upjet:crd:field:TFTag=-
+ // +kubebuilder:validation:Optional
+ AutoGenerateAuthToken *bool `json:"autoGenerateAuthToken,omitempty" tf:"-"`
+
 // Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window.
 // Only supported for engine type "redis" and if the engine version is 6 or higher.
 // Defaults to true.
diff --git a/config/elasticache/config.go b/config/elasticache/config.go
index 16df05a73e..ef66a5862c 100644
--- a/config/elasticache/config.go
+++ b/config/elasticache/config.go
@@ -5,14 +5,20 @@
 package elasticache
 
 import (
+ "fmt"
+
 "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
 xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
 "github.com/crossplane/upjet/pkg/config"
 "github.com/crossplane/upjet/pkg/config/conversion"
+ "github.com/crossplane/upjet/pkg/types/comments"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
 "github.com/upbound/provider-aws/apis/elasticache/v1beta2"
+ "github.com/upbound/provider-aws/config/common"
 )
 
 // Configure adds configurations for the elasticache group.
@@ -53,6 +59,42 @@ func Configure(p *config.Provider) { //nolint:gocyclo delete(r.References, "log_delivery_configuration.destination") r.UseAsync = true + r.Sensitive.AdditionalConnectionDetailsFn = func(attr map[string]any) (map[string][]byte, error) { + conn := map[string][]byte{} + if a, ok := attr["configuration_endpoint_address"].(string); ok { + conn["configuration_endpoint_address"] = []byte(a) + } + if a, ok := attr["primary_endpoint_address"].(string); ok { + conn["primary_endpoint_address"] = []byte(a) + } + if a, ok := attr["reader_endpoint_address"].(string); ok { + conn["reader_endpoint_address"] = []byte(a) + } + if a, ok := attr["port"]; ok { + conn["port"] = []byte(fmt.Sprintf("%v", a)) + } + return conn, nil + } + + // Auth token generation + desc, _ := comments.New("If true, the auth token will be auto-generated and"+ + " stored in the Secret referenced by the authTokenSecretRef field.", + comments.WithTFTag("-")) + r.TerraformResource.Schema["auto_generate_auth_token"] = &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Description: desc.String(), + } + r.InitializerFns = append(r.InitializerFns, + common.PasswordGenerator( + "spec.forProvider.authTokenSecretRef", + "spec.forProvider.autoGenerateAuthToken", + )) + r.TerraformResource.Schema["auth_token"].Description = "If you set" + + " autoGenerateAuthToken to true, the Secret referenced here will be" + + " created or updated with generated auth token if it does not already" + + " contain one." + r.Version = "v1beta2" r.Conversions = append(r.Conversions, conversion.NewCustomConverter("v1beta1", "v1beta2", func(src, target xpresource.Managed) error { diff --git a/examples/elasticache/v1beta2/replicationgroup.yaml b/examples/elasticache/v1beta2/replicationgroup.yaml index f00571a9d5..4ebc5ad654 100644 --- a/examples/elasticache/v1beta2/replicationgroup.yaml +++ b/examples/elasticache/v1beta2/replicationgroup.yaml 
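Review bot: Nothing in the new `InitializerFns` entry checks that the value produced by `common.PasswordGenerator` (its body is not in this diff) is a valid ElastiCache AUTH token — AWS accepts only 16–128 printable ASCII characters with a small set of permitted special characters and rejects `/`, `"` and `@` — so a generator tuned for generic passwords may write the Secret first and then have `CreateReplicationGroup` fail with an invalid-parameter error, leaving an orphaned token in the Secret; please confirm the generator's charset and length, or enforce those limits before the Secret write. The flag is also only meaningful with `transit_encryption_enabled = true` (the `auth_token` doc in this series says as much), but nothing rejects `autoGenerateAuthToken: true` with transit encryption off, so the failure surfaces at the AWS API instead of at admission — a CEL validation rule on the CRD, or at least the precondition stated in the flag's description, would catch it earlier. The description appears to come out wrong downstream too: the generated CRD in this series shows `autoGenerateAuthToken` prefixed with `Password used to access a password protected server…`, which describes `auth_token` rather than this flag (presumably a doc-lookup fallback in the generator), so the text should read something like `If true, a random auth token is generated and stored in the Secret referenced by authTokenSecretRef; requires transitEncryptionEnabled to be true.` with that prefix dropped. Minor: `attr["port"]` present but nil renders as `<nil>` in the connection secret — `if a, ok := attr["port"]; ok && a != nil {`. `Configure` starts and ends outside this hunk.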
@@ -2,6 +2,60 @@ # # SPDX-License-Identifier: CC0-1.0 +apiVersion: elasticache.aws.upbound.io/v1beta1 +kind: SubnetGroup +metadata: + labels: + testing.upbound.io/example-name: bar + name: subnet-group +spec: + forProvider: + region: us-east-1 + subnetIdRefs: + - name: foo-1a + - name: foo-1b +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + labels: + testing.upbound.io/example-name: foo + name: foo-1a +spec: + forProvider: + availabilityZone: us-east-1a + cidrBlock: 10.0.1.0/24 + region: us-east-1 + vpcIdSelector: + matchLabels: + testing.upbound.io/example-name: foo +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + labels: + testing.upbound.io/example-name: foo + name: foo-1b +spec: + forProvider: + availabilityZone: us-east-1b + cidrBlock: 10.0.2.0/24 + region: us-east-1 + vpcIdSelector: + matchLabels: + testing.upbound.io/example-name: foo +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: VPC +metadata: + labels: + testing.upbound.io/example-name: foo + name: foo +spec: + forProvider: + cidrBlock: 10.0.0.0/16 + region: us-east-1 +--- apiVersion: elasticache.aws.upbound.io/v1beta2 kind: ReplicationGroup metadata: @@ -14,13 +68,25 @@ metadata: spec: forProvider: automaticFailoverEnabled: true + atRestEncryptionEnabled: true + autoGenerateAuthToken: true + authTokenSecretRef: + name: redis-auth-token + namespace: crossplane-system + key: auth-token description: example description maintenanceWindow: sun:05:00-sun:09:00 - nodeType: cache.m4.large + nodeType: cache.t4g.small numCacheClusters: 2 + transitEncryptionEnabled: true parameterGroupName: default.redis7 port: 6379 + subnetGroupNameRef: + name: subnet-group preferredCacheClusterAzs: - - us-west-1a - - us-west-1b - region: us-west-1 + - us-east-1a + - us-east-1b + region: us-east-1 + writeConnectionSecretToRef: + name: redis-conn + namespace: crossplane-system 
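Review bot: The example leaves `authTokenUpdateStrategy` at its default (ROTATE, per the field doc in this series), and if I read the ElastiCache rotation semantics correctly that means a later change to the `redis-auth-token` Secret adds the new token while the old one stays accepted until a further update with SET; a reader copying this manifest as a rotation recipe would not know that, so a comment next to `authTokenSecretRef` would help: `# default authTokenUpdateStrategy is ROTATE: a changed token is added and the old one stays valid until a SET update`. The generated token and the connection details (which presumably include the token, since auth_token is a sensitive attribute) both land in Secrets in the provider's namespace, which is fine for uptest but worth a one-line comment that production users should point `authTokenSecretRef` and `writeConnectionSecretToRef` at a namespace with tighter RBAC.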
diff --git a/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml b/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml index 36c0188c1c..3c28df3b52 100644 --- a/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml +++ b/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml @@ -1630,8 +1630,9 @@ spec: description: Whether to enable encryption at rest. type: boolean authTokenSecretRef: - description: Password used to access a password protected server. - Can be specified only if transit_encryption_enabled = true. + description: |- + Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true. + If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one. properties: key: description: The key to select. @@ -1651,6 +1652,11 @@ spec: description: Strategy to use when updating the auth_token. Valid values are SET, ROTATE, and DELETE. Defaults to ROTATE. type: string + autoGenerateAuthToken: + description: |- + Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true. + If true, the auth token will be auto-generated and stored in the Secret referenced by the authTokenSecretRef field. + type: boolean autoMinorVersionUpgrade: description: |- Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. 
@@ -2122,8 +2128,9 @@ spec: description: Whether to enable encryption at rest. type: boolean authTokenSecretRef: - description: Password used to access a password protected server. - Can be specified only if transit_encryption_enabled = true. + description: |- + Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true. + If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one. properties: key: description: The key to select. From 2f905a6a79baf10c344e7085d7aa6cae3e85ed5d Mon Sep 17 00:00:00 2001 From: Carl Henrik Lunde Date: Thu, 6 Jun 2024 09:39:15 +0200 Subject: [PATCH 2/2] ElastiCache ReplicationGroup - Fix annotations, selectors in example, error handling From code review Signed-off-by: Carl Henrik Lunde --- config/elasticache/config.go | 10 +++-- .../elasticache/v1beta2/replicationgroup.yaml | 37 ++++++++++++------- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/config/elasticache/config.go b/config/elasticache/config.go index ef66a5862c..9929179dd2 100644 --- a/config/elasticache/config.go +++ b/config/elasticache/config.go @@ -7,15 +7,15 @@ package elasticache import ( "fmt" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/pkg/errors" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" "github.com/crossplane/upjet/pkg/config" "github.com/crossplane/upjet/pkg/config/conversion" "github.com/crossplane/upjet/pkg/types/comments" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/upbound/provider-aws/apis/elasticache/v1beta1" "github.com/upbound/provider-aws/apis/elasticache/v1beta2" "github.com/upbound/provider-aws/config/common" 
@@ -77,9 +77,13 @@ func Configure(p *config.Provider) { //nolint:gocyclo } // Auth token generation - desc, _ := comments.New("If true, the auth token will be auto-generated and"+ + desc, err := comments.New("If true, the auth token will be auto-generated and"+ " stored in the Secret referenced by the authTokenSecretRef field.", comments.WithTFTag("-")) + if err != nil { + panic(errors.Wrap(err, "cannot configure the generated comment for the auto_generate_auth_token argument of the aws_elasticache_replication_group resource")) + } + r.TerraformResource.Schema["auto_generate_auth_token"] = &schema.Schema{ Type: schema.TypeBool, Optional: true, diff --git a/examples/elasticache/v1beta2/replicationgroup.yaml b/examples/elasticache/v1beta2/replicationgroup.yaml index 4ebc5ad654..e1e907f14e 100644 --- a/examples/elasticache/v1beta2/replicationgroup.yaml +++ b/examples/elasticache/v1beta2/replicationgroup.yaml @@ -5,21 +5,25 @@ apiVersion: elasticache.aws.upbound.io/v1beta1 kind: SubnetGroup metadata: + annotations: + meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup labels: - testing.upbound.io/example-name: bar + testing.upbound.io/example-name: replicationgroup name: subnet-group spec: forProvider: region: us-east-1 - subnetIdRefs: - - name: foo-1a - - name: foo-1b + subnetIdSelector: + matchLabels: + testing.upbound.io/example-name: replicationgroup --- apiVersion: ec2.aws.upbound.io/v1beta1 kind: Subnet metadata: + annotations: + meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup labels: - testing.upbound.io/example-name: foo + testing.upbound.io/example-name: replicationgroup name: foo-1a spec: forProvider: 
@@ -28,13 +32,15 @@ spec: region: us-east-1 vpcIdSelector: matchLabels: - testing.upbound.io/example-name: foo + testing.upbound.io/example-name: replicationgroup --- apiVersion: ec2.aws.upbound.io/v1beta1 kind: Subnet metadata: + annotations: + meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup labels: - testing.upbound.io/example-name: foo + testing.upbound.io/example-name: replicationgroup name: foo-1b spec: forProvider: @@ -43,13 +49,15 @@ spec: region: us-east-1 vpcIdSelector: matchLabels: - testing.upbound.io/example-name: foo + testing.upbound.io/example-name: replicationgroup --- apiVersion: ec2.aws.upbound.io/v1beta1 kind: VPC metadata: + annotations: + meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup labels: - testing.upbound.io/example-name: foo + testing.upbound.io/example-name: replicationgroup name: foo spec: forProvider: @@ -60,7 +68,7 @@ apiVersion: elasticache.aws.upbound.io/v1beta2 kind: ReplicationGroup metadata: annotations: - meta.upbound.io/example-id: elasticache/v1beta1/replicationgroup + meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup uptest.upbound.io/timeout: "3600" labels: testing.upbound.io/example-name: example @@ -72,7 +80,7 @@ spec: autoGenerateAuthToken: true authTokenSecretRef: name: redis-auth-token - namespace: crossplane-system + namespace: upbound-system key: auth-token description: example description maintenanceWindow: sun:05:00-sun:09:00 @@ -81,12 +89,13 @@ spec: transitEncryptionEnabled: true parameterGroupName: default.redis7 port: 6379 - subnetGroupNameRef: - name: subnet-group + subnetGroupNameSelector: + matchLabels: + testing.upbound.io/example-name: replicationgroup preferredCacheClusterAzs: - us-east-1a - us-east-1b region: us-east-1 writeConnectionSecretToRef: name: redis-conn - namespace: crossplane-system + namespace: upbound-system