Merge pull request #45271 from tabito-hara/f-aws_vpn_connection-add_bgp_log

[Enhancement] aws_vpn_connection: Support Site-to-Site VPN BGP logging

Author: ewbankkit

.changelog/45271.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_vpn_connection: Add `bgp_log_enabled`, `bgp_log_group_arn`, and `bgp_log_stream_arn` arguments to `tunnel1_log_options.cloudwatch_log_options` and `tunnel2_log_options.cloudwatch_log_options` blocks
+```

internal/service/ec2/consts.go

@@ -163,6 +163,18 @@ func vpnTunnelCloudWatchLogOutputFormat_Values() []string {
 	}
 }
 
+const (
+	vpnTunnelCloudWatchLogBGPLogOutputFormatJSON = names.AttrJSON
+	vpnTunnelCloudWatchLogBGPLogOutputFormatText = "text"
+)
+
+func vpnTunnelCloudWatchLogBGPLogOutputFormat_Values() []string {
+	return []string{
+		vpnTunnelCloudWatchLogBGPLogOutputFormatJSON,
+		vpnTunnelCloudWatchLogBGPLogOutputFormatText,
+	}
+}
+
 const (
 	vpnTunnelOptionsPhase1EncryptionAlgorithmAES128        = "AES128"
 	vpnTunnelOptionsPhase1EncryptionAlgorithmAES256        = "AES256"

internal/service/ec2/vpnsite_connection.go

@@ -248,6 +248,19 @@ func resourceVPNConnection() *schema.Resource {
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
+									"bgp_log_enabled": {
+										Type:     schema.TypeBool,
+										Optional: true,
+									},
+									"bgp_log_group_arn": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
+									"bgp_log_output_format": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: validation.StringInSlice(vpnTunnelCloudWatchLogBGPLogOutputFormat_Values(), false),
+									},
 									"log_enabled": {
 										Type:     schema.TypeBool,
 										Optional: true,
@@ -464,6 +477,19 @@ func resourceVPNConnection() *schema.Resource {
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
+									"bgp_log_enabled": {
+										Type:     schema.TypeBool,
+										Optional: true,
+									},
+									"bgp_log_group_arn": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
+									"bgp_log_output_format": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: validation.StringInSlice(vpnTunnelCloudWatchLogBGPLogOutputFormat_Values(), false),
+									},
 									"log_enabled": {
 										Type:     schema.TypeBool,
 										Optional: true,
@@ -1177,6 +1203,21 @@ func expandCloudWatchLogOptionsSpecification(tfMap map[string]any) *awstypes.Clo
 
 	apiObject := &awstypes.CloudWatchLogOptionsSpecification{}
 
+	if v, ok := tfMap["bgp_log_enabled"].(bool); ok {
+		apiObject.BgpLogEnabled = aws.Bool(v)
+	}
+
+	// No ARN or format if not enabled.
+	if aws.ToBool(apiObject.BgpLogEnabled) {
+		if v, ok := tfMap["bgp_log_group_arn"].(string); ok && v != "" {
+			apiObject.BgpLogGroupArn = aws.String(v)
+		}
+
+		if v, ok := tfMap["bgp_log_output_format"].(string); ok && v != "" {
+			apiObject.BgpLogOutputFormat = aws.String(v)
+		}
+	}
+
 	if v, ok := tfMap["log_enabled"].(bool); ok {
 		apiObject.LogEnabled = aws.Bool(v)
 	}
@@ -1525,6 +1566,22 @@ func flattenCloudWatchLogOptions(apiObject *awstypes.CloudWatchLogOptions) map[s
 
 	tfMap := map[string]any{}
 
+	if v := apiObject.BgpLogEnabled; v != nil {
+		enabled := aws.ToBool(v)
+		tfMap["bgp_log_enabled"] = enabled
+
+		// No ARN or format if not enabled.
+		if enabled {
+			if v := apiObject.BgpLogGroupArn; v != nil {
+				tfMap["bgp_log_group_arn"] = aws.ToString(v)
+			}
+
+			if v := apiObject.BgpLogOutputFormat; v != nil {
+				tfMap["bgp_log_output_format"] = aws.ToString(v)
+			}
+		}
+	}
+
 	if v := apiObject.LogEnabled; v != nil {
 		enabled := aws.ToBool(v)
 		tfMap["log_enabled"] = enabled

internal/service/ec2/vpnsite_connection_test.go

@@ -400,6 +400,56 @@ func TestAccSiteVPNConnection_cloudWatchLogOptions(t *testing.T) {
 	})
 }
 
+func TestAccSiteVPNConnection_cloudWatchLogOptionsBGPLog(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	rBgpAsn := sdkacctest.RandIntRange(64512, 65534)
+	resourceName := "aws_vpn_connection.test"
+	var vpn awstypes.VpnConnection
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckVPNConnectionDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccVPNConnectionConfig_cloudWatchLogOptionsBGPLog(rName, rBgpAsn),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccVPNConnectionExists(ctx, resourceName, &vpn),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.0.bgp_log_enabled", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.0.bgp_log_group_arn", "aws_cloudwatch_log_group.test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.0.bgp_log_output_format", names.AttrJSON),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.0.cloudwatch_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.0.cloudwatch_log_options.0.bgp_log_enabled", acctest.CtFalse),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"vgw_telemetry"},
+			},
+			{
+				Config: testAccVPNConnectionConfig_cloudWatchLogOptionsBGPLogUpdated(rName, rBgpAsn),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccVPNConnectionExists(ctx, resourceName, &vpn),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel1_log_options.0.cloudwatch_log_options.0.bgp_log_enabled", acctest.CtFalse),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.0.cloudwatch_log_options.0.bgp_log_enabled", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, "tunnel2_log_options.0.cloudwatch_log_options.0.bgp_log_group_arn", "aws_cloudwatch_log_group.test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, "tunnel2_log_options.0.cloudwatch_log_options.0.bgp_log_output_format", "text"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccSiteVPNConnection_transitGatewayID(t *testing.T) {
 	ctx := acctest.Context(t)
 	var vpn awstypes.VpnConnection
@@ -2062,6 +2112,88 @@ resource "aws_vpn_connection" "test" {
 `, rName, rBgpAsn)
 }
 
+func testAccVPNConnectionConfig_cloudWatchLogOptionsBGPLog(rName string, rBgpAsn int) string {
+	return fmt.Sprintf(`
+resource "aws_vpn_gateway" "test" {
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_customer_gateway" "test" {
+  bgp_asn    = %[2]d
+  ip_address = "178.0.0.1"
+  type       = "ipsec.1"
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_cloudwatch_log_group" "test" {
+  name = %[1]q
+}
+
+resource "aws_vpn_connection" "test" {
+  vpn_gateway_id      = aws_vpn_gateway.test.id
+  customer_gateway_id = aws_customer_gateway.test.id
+  type                = "ipsec.1"
+
+  tunnel1_log_options {
+    cloudwatch_log_options {
+      bgp_log_enabled       = true
+      bgp_log_group_arn     = aws_cloudwatch_log_group.test.arn
+      bgp_log_output_format = "json"
+    }
+  }
+}
+`, rName, rBgpAsn)
+}
+
+func testAccVPNConnectionConfig_cloudWatchLogOptionsBGPLogUpdated(rName string, rBgpAsn int) string {
+	return fmt.Sprintf(`
+resource "aws_vpn_gateway" "test" {
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_customer_gateway" "test" {
+  bgp_asn    = %[2]d
+  ip_address = "178.0.0.1"
+  type       = "ipsec.1"
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_cloudwatch_log_group" "test" {
+  name = %[1]q
+}
+
+resource "aws_vpn_connection" "test" {
+  vpn_gateway_id      = aws_vpn_gateway.test.id
+  customer_gateway_id = aws_customer_gateway.test.id
+  type                = "ipsec.1"
+
+  tunnel1_log_options {
+    cloudwatch_log_options {
+      bgp_log_enabled = false
+    }
+  }
+
+  tunnel2_log_options {
+    cloudwatch_log_options {
+      bgp_log_enabled       = true
+      bgp_log_group_arn     = aws_cloudwatch_log_group.test.arn
+      bgp_log_output_format = "text"
+    }
+  }
+}
+`, rName, rBgpAsn)
+}
+
 func testAccVPNConnectionConfig_customerGatewayID(rName string, rBgpAsn1, rBgpAsn2 int) string {
 	return fmt.Sprintf(`
 resource "aws_vpn_gateway" "test" {

website/docs/r/vpn_connection.html.markdown

@@ -192,6 +192,9 @@ The `tunnel1_log_options` and `tunnel2_log_options` block supports the following
 
 The `cloudwatch_log_options` blocks supports the following arguments:
 
+* `bgp_log_enabled` - (Optional) Enable or disable BGP logging feature. The default is `false`.
+* `bgp_log_group_arn` - (Optional) The Amazon Resource Name (ARN) of the CloudWatch log group to send BGP logs to.
+* `bgp_log_output_format` - (Optional) Set BGP log format. Default format is json. Possible values are: `json` and `text`. The default is `json`.
 * `log_enabled` - (Optional) Enable or disable VPN tunnel logging feature. The default is `false`.
 * `log_group_arn` - (Optional) The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
 * `log_output_format` - (Optional) Set log format. Default format is json. Possible values are: `json` and `text`. The default is `json`.