Added Support for Updating Access Log Policies

[xWink]

What type of PR is this?

feature

Which issue does this PR fix:
#200 partially

What does this PR do / Why do we need it:

• Enables support for updating Access Log Policies (ALPs)
  • When an ALP is updated to have a different destinationArn of the same destination type (i.e. S3 Bucket, CloudWatch Log Group, or Firehose Delivery Stream), the underlying Access Log Subscription (ALS) is updated
  • When an ALP is updated to have a different destinationArn of a different destination type, a new ALS is created to replace it, then the previous one is deleted
    • When an ALS is replaced, the ALP's VpcLatticeAccessLogSubscription annotation is updated with the new ARN
  • When an ALP is updated to have a different targetRef, a new ALS is created to replace the existing one, then the old one is deleted and the ALP's VpcLatticeAccessLogSubscription annotation is updated
  • When an ALP is updated to have a destinationArn for a destination that does not exist, the status of the ALP is set to Invalid
  • When an ALP is updated to have a targetRef for a non-existent target, the status of the ALP is set to TargetNotFound
  • When an ALP is updated to have a destinationArn for a destination type that is already in use for that target, the status of the ALP is set to Conflicted
  • Whenever an ALP update fails, the underlying ALS is not modified
    • This decision was made to reduce blast radius of mistaken updates, users should not lose their monitoring because of a typo in ALP spec
    • Status will still indicate the state of the current ALP configuration, regardless of underlying ALS
    • User can update the ALP again to fix it, or delete/recreate if they prefer

If an issue # is not available please add repro steps and logs from aws-gateway-controller showing the issue:

Testing done on this change:

Ran 47 of 47 Specs in 3079.116 seconds
SUCCESS! -- 47 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestIntegration (3080.10s)
PASS
ok      github.com/aws/aws-application-networking-k8s/test/suites/integration   3081.006s

Automation added to e2e:

New test: update properly changes or replaces Access Log Subscription and sets Access Log Policy status

• This runs all the documented update scenarios and verifies that the controller behaves as expected for each of them (as described above)

Will this PR introduce any new dependencies?:

No new dependencies, but one new CloudWatch Log Group is created/deleted as part of the e2e test. This is needed since we need two different destinations of the same type to verify the conflict scenario.

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No.

Does this PR introduce any user-facing change?:

Yes, but release note will be added in the final PR, which will include the API spec

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[coveralls]

Pull Request Test Coverage Report for Build 6593477191

• 123 of 147 (83.67%) changed or added relevant lines in 4 files are covered.
• 2 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.4%) to 45.779%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
controllers/accesslogpolicy_controller.go	0	6	0.0%
pkg/deploy/lattice/access_log_subscription_manager.go	105	123	85.37%

Files with Coverage Reduction	New Missed Lines	%
pkg/deploy/lattice/access_log_subscription_manager.go	2	86.34%

Totals
Change from base Build 6569460474:	0.4%
Covered Lines:	4100
Relevant Lines:	8956

---

💛 - Coveralls

[mikhail-aws]

Since you are getting into de-nesting code. You can change this one too.

if err == nil {
     return &lattice.AccessLogSubscriptionStatus{
         Arn: *updateALSOutput.Arn,
     }, nil
}
swtich ...

[xWink]

Good point, will do

[xWink]

Had to fixed some git issues, but commit history should be cleaner now. Addressed above comments.

[mikhail-aws]

Just a thought, which can reduce code for unit tests, makes it easier to read and change in future.

In this mock we do 2 things, 1. assert input into lattice client is correct and 2. it produces output which use later in manager.

And every test here asserts that input to lattice is correct. I dont think we need that, we can create a single test that makes sure we call Lattice with expected fields populated. For remaining tests we use any() in place of input. For example:

		mockLattice.EXPECT().
			FindService(gomock.Any(), gomock.Any()).
			Return(&vpclattice.ServiceSummary{
				Arn:  aws.String("svc-arn"),
				Id:   aws.String("svc-id"),
				Name: aws.String(svc.LatticeServiceName()),
			}, nil)

[mikhail-aws]

it was a minor comment, I'm ok with current version

[xWink]

I think I prefer the more explicit nature of the existing code

[mikhail-aws]

Looks like we create and delete same accessLogSubscription, not "new" and "old" ones.

[xWink]

Create uses the ALS Spec to call VPC Lattice Create API

Delete uses the ARN of the ALS to call VPC Lattice Delete API

I could change Delete function to simply accept an ARN, I think that would make more sense anyways

[xWink]

New functionality:

• For create/update, if namespace of the policy does not match namespace of the targetRef, policy status is set to Invalid

• For update, previously, targetRef changes were ignored, this was a bug and is now fixed

  • Changing targetRef results in creating a new ALS and deleting the old one

  e2e tests were added for both new behaviours and pass:

Ran 47 of 47 Specs in 3026.234 seconds
SUCCESS! -- 47 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestIntegration (3027.48s)
PASS
ok      github.com/aws/aws-application-networking-k8s/test/suites/integration   3028.331s