Add logging configuration to firewall

[nnbu]

Issue (aws-controllers-k8s/community#1553)

Description of changes:
Adds support for logging configuration to firwall spec

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ack-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nnbu

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ack-prow]

Hi @nnbu. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[a-hilaly]

/ok-to-test

[nnbu]

/test networkfirewall-kind-e2e

[a-hilaly]

Hi @nnbu , looks like you need to update the commit hash in tests/e2e/requirements.txt it's the reason it's causing tests to fail

[nnbu]

/retest

[nnbu]

I will check the errors further. These are related to my code. The e2e tests run fine when I run it though. Need to see what is different in upstream.

[nnbu]

/test networkfirewall-kind-e2e

[a-hilaly]

/test networkfirewall-kind-e2e

[a-hilaly]

@nnbu could you also add a recommended IAM policy? it will help with networkfirewall-recommended-policy-test

[nnbu]

yes. I have not gotten a chance to look into where and what to add regarding the policy. I will check that

[a-hilaly]

@nnbu we need a file like https://github.com/aws-controllers-k8s/route53resolver-controller/blob/main/config/iam/recommended-policy-arn

[a-hilaly]

/test networkfirewall-kind-e2e

[nnbu]

@nnbu we need a file like https://github.com/aws-controllers-k8s/route53resolver-controller/blob/main/config/iam/recommended-policy-arn

@a-hilaly Thank you. Tests are passing now.

[nnbu]

Gentle request to review when possible

[a-hilaly]

@nnbu Nice, thanks a lot!

I have few questions/comments bellow. Feel free to ping me for questions or discussing any point.

[a-hilaly]

/hold

[a-hilaly]

/test all

[a-hilaly]

nit suggestion:

Suggested change

	logDestinationConfigMap := make(map[string]*svcapitypes.LogDestinationConfig)
	for _, cfg := range logDestinationConfig {
	logDestinationConfigMap[makeLogDestinationConfigMapKey(cfg)] = cfg
	}
	// since we only want to use this map to check for object existance
	logDestinationConfigMap := make(map[string]*struct{})
	for _, cfg := range logDestinationConfig {
	logDestinationConfigMap[makeLogDestinationConfigMapKey(cfg)] = nil
	}

[nnbu]

I am using the map value 'cfg' in compareLoggingDestinationConfigs function, so we can not make value of the map as nil.

Let me explain the purpose of this map.

In compareLoggingDestinationConfigs() , we have to compare arrays of type []*svcapitypes.LogDestinationConfig. LogDestinationConfig in itself is complex type which has a map (LogDestination) as one of its fields. This makes comparison of these 2 arrays difficult.

So, to compare these arrays, I convert the array into a map, because map comparisons are easier to handle based on map keys. So, to convert each array object into a map entry, we need to have a key corresponding to that array object. makeLogDestinationConfigMapKey creates this key from each array object. The value associated with this key is the array object itself, so that it is easier to retrieve the array object.

So, in summary,

1. makeLogDestinationConfigMapKey gives unique key for each array entry of type *svcapitypes.LogDestinationConfig.
2. makeLogDestinationConfigMap creates map with its key provided by makeLogDestinationConfigMapKey and its value as the array entry of type svcapitypes.LogDestinationConfig
3. In compareLoggingDestinationConfigs , we create 2 maps. One that represents what is desired logging configuration and one that represents what is existing logging configuration.
   Now that, we have 2 maps, we iterate over desired map and check if the keys are present in latest map. If they are not present, we append the value of that map (which is *svcapitypes.LogDestinationConfig) into the list of configs to be added. Same case to determine list of configs to be deleted.

[a-hilaly]

I understand the problem, this is something we've seen with other APIs, but had to handle with some custom comparison/update functions. But in your case looks like it's a bit different.
I'm going to clone your branch and play a little bit with the implementation exploring the complexity of this case.

[nnbu]

Let me know if you got a chance to check more on this one.

[a-hilaly]

My two cents: to avoid building strings manually with hard coded stuff, we can use json.Marshal to transform the map in into a "sorted" map - checkout https://go.dev/src/encoding/json/encode.go#L344

[nnbu]

We dont really need to 'sort' the map here. So, I am not sure how I can make use of marshaling here. I explained the logic of compareLoggingDestinationConfigs and associated functions below. Please let me know if you have suggestions.

[a-hilaly]

But i believe that you're calling sort.Strings(keys) to have deterministic output.. because of the hash map random access pattern... right? the idea was instead of manually building your "string" that is just a way of representating of the object, how about:

b1, err := json.Marshall(cfg1)
b2, err := json.Marshall(cfg2)

then you case use string(b1), string(b2) as a key for the map discussed below

[nnbu]

Thank you for the suggestion. I made a change to use json.Marshall

[nnbu]

@a-hilaly Please let me know if any additional information is needed from my end.

[nnbu]

gentle reminder to review this one

[a-hilaly]

But i believe that you're calling sort.Strings(keys) to have deterministic output.. because of the hash map random access pattern... right? the idea was instead of manually building your "string" that is just a way of representating of the object, how about:

b1, err := json.Marshall(cfg1)
b2, err := json.Marshall(cfg2)

then you case use string(b1), string(b2) as a key for the map discussed below

[a-hilaly]

I understand the problem, this is something we've seen with other APIs, but had to handle with some custom comparison/update functions. But in your case looks like it's a bit different.
I'm going to clone your branch and play a little bit with the implementation exploring the complexity of this case.

[a-hilaly]

@nnbu I didn't forget about this PR, i will experiment few things and get back to you..

[nnbu]

@a-hilaly I made the change to use b1, err := json.Marshall(cfg1).
Do you mind reviewing this one please?

[ack-bot]

Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale

[ack-prow]

@nnbu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
networkfirewall-verify-attribution	6257eeb	link	true	/test networkfirewall-verify-attribution

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.