resource/aws_lb: Disable access_logs for network load balancers

[gmccue]

Fixes #2145

[Ninir]

Hi @gmccue

This seems rather good!
Just left a question to discuss before I test & merge.

Thanks for the work! 👍

[Ninir]

This should be removed as it is made post-merge :)

[Ninir]

I'm not feeling comfortable in allowing a terraform apply when the code will just ignore it. I do think we should add a guard when planning/applying, saying that this is not allowed rather than ignoring it, which may people think that logs are configured whereas it is not.

Thoughts? 😄

[gmccue]

I do agree, but preventing apply entirely might cause some issues as well. For my use case, see: https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/main.tf#L15. In certain modules it wouldn't be possible to create network load balancers this way.
But I'm a bit of a TF noob. Is there a way to do a check within the module?

Otherwise we could check against the access_logs.enabled parameter.

What do you think?

[gmccue]

We could also add a log.Printf("[WARN]"), but I'm not sure what the preferred method is for handling these cases.

[gmccue]

@Ninir Any thoughts?

[Ninir]

Let's go for an INFO notice here :)

[gmccue]

@Ninir Done!

[Ninir]

This line and the one after will trigger issues:

• no such var.bucket_prefix variable
• no such logs bucket

Could you have a look? otherwise looks good to me!

[gmccue]

@Ninir I'm a bit stuck here. The problem is that the new acceptance test to check that access logs are disabled fails:

=== RUN   TestAccAWSLB_networkLoadbalancerAccessLogsDisabled
--- FAIL: TestAccAWSLB_networkLoadbalancerAccessLogsDisabled (233.30s)
	testing.go:503: Step 0 error: After applying this step, the plan was not empty:

		DIFF:

		UPDATE: aws_lb.lb_test
		  access_logs.0.enabled: "" => "true"
		  access_logs.0.prefix:  "" => "test_bucket"

As far as I can tell, this is because the test setup does a diff against two different states. Because we are passing an access_log attribute, one of the states attempts to create the access logs, while the other does not.
I guess the simple fix for this would just be not to create a new acceptance test for this case, like is currently done for the idle_timeout parameter (doesn't have a unique acceptance test, but does skip creation if the load balancer type is network). Any thoughts?

[gmccue]

@Ninir any thoughts?

[gmccue]

@Ninir @radeksimko Sorry to bother again with this, but do you have any more guidance or input for this PR? Or should I just close it?

[gmccue]

@bflad @radeksimko is this still relevant, or should I go ahead and close this PR?

[bflad]

Hi @gmccue! 👋 Sorry that we've been slow to re-review this PR. I can't speak for the other maintainers (and would prefer they continued their review unless they don't have time) but it might be beneficial to migrate some of the logic into the CustomizeDiff function that was recently updated to handle plan-time validation of stickiness for ALB vs NLB in #2746. Without diving too much into your actual code changes in this PR, I would imagine we'll need similar handling to allow the access_logs configuration for NLBs as long as its disabled to handle Terraform modules easier. If you're already doing that then you're probably already on the right track. 👍

Admittedly, the handling of ALB vs NLB in these resources has proven to be quite onerous and generated a ton of issues. To better remedy the situation, we have talked internally about potentially splitting the resources into aws_alb*/aws_nlb*, but there are currently no official plans or timelines for doing that.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!