crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

Support Multiple VPC CIDRs #1407

Open willhume opened 1 month ago

willhume commented 1 month ago

What problem are you facing?

Importing a VPC with multiple CIDR blocks

I was importing a VPC built in Terraform into Crossplane using managementPolicies: ["Observe"] and noticed I could only pass the default CIDR block, which is fine, but when I went to look at the rest of the resource as it was discovered, I noticed it didn't show the secondary CIDR blocks I had attached to the VPC.

My config:

---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: VPC
metadata:
  name: observed-vpc
  annotations:
    crossplane.io/external-name: vpc-0fa13f9fb743fe950
  labels:
    testing.upbound.io/example-name: infra
spec:
  providerConfigRef:
    name: default
  forProvider:
    cidrBlock: 10.170.0.0/16 # Primary CIDR block for the VPC
    region: us-east-1
  managementPolicies: ["Observe"]
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroup
metadata:
  labels:
    testing.upbound.io/example-name: test-observe
  name: test-observe
spec:
  forProvider:
    description: Allow TLS inbound traffic
    name: test-observe
    region: us-east-1
    tags:
      Name: test-observe
    vpcIdSelector:
      matchLabels:
        testing.upbound.io/example-name: infra

Output when viewing the new VPC object:

apiVersion: ec2.aws.upbound.io/v1beta1
kind: VPC
metadata:
  annotations:
    crossplane.io/external-name: vpc-0fa13f9fb743fe950
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"ec2.aws.upbound.io/v1beta1","kind":"VPC","metadata":{"annotations":{"crossplane.io/external-name":"vpc-0fa13f9fb743fe950"},"labels":{"testing.upbound.io/example-name":"infra"},"name":"observed-vpc"},"spec":{"forProvider":{"cidrBlock":"10.170.0.0/16","region":"us-east-1"},"managementPolicies":["Observe"],"providerConfigRef":{"name":"default"}}}
  creationTimestamp: "2024-07-19T16:16:53Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 2
  labels:
    testing.upbound.io/example-name: infra
  name: observed-vpc
  resourceVersion: "22615271"
  uid: 4fd12ac4-b4d5-4f5b-a813-eb7e9aaf0bbd
spec:
  deletionPolicy: Delete
  forProvider:
    cidrBlock: 10.170.0.0/16
    region: us-east-1
  initProvider: {}
  managementPolicies:
  - Observe
  providerConfigRef:
    name: default
status:
  atProvider:
    arn: arn:aws:ec2:us-east-1:<redacted>:vpc/vpc-0fa13f9fb743fe950
    assignGeneratedIpv6CidrBlock: false
    cidrBlock: 10.170.0.0/16
    defaultNetworkAclId: acl-088974e473892c4dd
    defaultRouteTableId: rtb-058704faf9b2ac332
    defaultSecurityGroupId: sg-0f58169216bd6dd40
    dhcpOptionsId: dopt-03157eb7bc8b8a8ff
    enableDnsHostnames: true
    enableDnsSupport: true
    enableNetworkAddressUsageMetrics: false
    id: vpc-0fa13f9fb743fe950
    instanceTenancy: default
    ipv6AssociationId: ""
    ipv6CidrBlock: ""
    ipv6CidrBlockNetworkBorderGroup: ""
    ipv6IpamPoolId: ""
    ipv6NetmaskLength: 0
    mainRouteTableId: rtb-058704faf9b2ac332
    ownerId: <redacted>

How could Official AWS Provider help solve your problem?

I was expecting to see the additional CIDR blocks referenced in the output. This would be useful for making security groups or subnets after importing a VPC.

blakeromano commented 1 month ago

You are looking for https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.10.0/resources/ec2.aws.upbound.io/VPCIPv4CidrBlockAssociation/v1beta1

https://stackoverflow.com/questions/47164229/does-terraform-support-secondary-cidr-for-vpcs is a relevant article describing that in TF this is the model they use, and it would be the same thing to do in the Crossplane Upjet provider.
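A worked example, added here and not taken from the issue or from the provider's own example set, of what the model blakeromano points to looks like alongside the manifests above: each secondary range is a separate VPCIPv4CidrBlockAssociation observed in its own right, tied to the VPC by the same label selector the issue already uses, and a security group rule is then scoped to that range rather than to the whole VPC. The association ID, the secondary range 10.171.0.0/16, the SecurityGroupRule kind and the `vpcIdSelector` / `securityGroupIdSelector` field names are assumptions based on how upjet maps the corresponding Terraform resources; check them against the marketplace schema linked above.

```yaml
# Added example (not from the issue): observe one secondary CIDR association
# of the VPC imported above, then build a narrowly scoped SG rule from it.
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: VPCIPv4CidrBlockAssociation
metadata:
  name: observed-vpc-secondary-cidr
  annotations:
    # Assumed placeholder. The real ID is the AssociationId reported by
    # `aws ec2 describe-vpcs --vpc-ids vpc-0fa13f9fb743fe950`
    # under Vpcs[].CidrBlockAssociationSet[].
    crossplane.io/external-name: vpc-cidr-assoc-PLACEHOLDER
  labels:
    testing.upbound.io/example-name: infra-secondary
spec:
  providerConfigRef:
    name: default
  managementPolicies: ["Observe"]   # read-only: nothing is changed in AWS
  forProvider:
    region: us-east-1
    # Assumed secondary range. In Observe mode the authoritative value is
    # what AWS reports, surfaced in status.atProvider.cidrBlock.
    cidrBlock: 10.171.0.0/16
    vpcIdSelector:
      matchLabels:
        testing.upbound.io/example-name: infra   # same label as the VPC above
---
# Ingress rule limited to the secondary range only (no 0.0.0.0/0).
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroupRule
metadata:
  name: test-observe-allow-tls-from-secondary
spec:
  providerConfigRef:
    name: default
  forProvider:
    region: us-east-1
    type: ingress
    protocol: tcp
    fromPort: 443
    toPort: 443
    cidrBlocks:
      - 10.171.0.0/16   # keep equal to the observed association's status value
    securityGroupIdSelector:
      matchLabels:
        testing.upbound.io/example-name: test-observe   # the SG from the issue
```

After `kubectl apply`, `kubectl get vpcipv4cidrblockassociation observed-vpc-secondary-cidr -o yaml` should show the range under `status.atProvider.cidrBlock`; a mismatch between that value and the one in `cidrBlocks` of the rule means the rule was written for a range the VPC does not actually carry, which is the drift the Observe-only association is there to make visible.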