Make State a read-only property for Server

Alex-Vol-Amz · Alex-Vol-Amz · commit b0019f0b3c94 · 2025-03-05T11:00:24.000-05:00
Cloud Control needs this to be visible as a read-only property.

Also, fixed contract tests issues with tagging. The tagging test is
failing in the pipeline without the changes added here.
diff --git a/aws-transfer-server/aws-transfer-server.json b/aws-transfer-server/aws-transfer-server.json
@@ -171,6 +171,17 @@
         "PUBLIC_KEY_AND_PASSWORD"
       ]
     },
+    "State": {
+      "type": "string",
+      "enum": [
+        "OFFLINE",
+        "ONLINE",
+        "STARTING",
+        "STOPPING",
+        "START_FAILED",
+        "STOP_FAILED"
+      ]
+    },
     "Tag": {
       "type": "object",
       "properties": {
@@ -327,6 +338,9 @@
       "minLength": 19,
       "pattern": "^s-([0-9a-f]{17})$"
     },
+    "State": {
+      "$ref": "#/definitions/State"
+    },
     "StructuredLogDestinations": {
       "type": "array",
       "insertionOrder": false,
@@ -355,7 +369,8 @@
   "readOnlyProperties": [
     "/properties/Arn",
     "/properties/As2ServiceManagedEgressIpAddresses",
-    "/properties/ServerId"
+    "/properties/ServerId",
+    "/properties/State"
   ],
   "writeOnlyProperties": [
     "/properties/IdentityProviderType"
diff --git a/aws-transfer-server/docs/README.md b/aws-transfer-server/docs/README.md
@@ -236,3 +236,7 @@ The list of egress IP addresses of this server. These IP addresses are only rele
 
 Returns the <code>ServerId</code> value.
 
+#### State
+
+Returns the <code>State</code> value.
+
diff --git a/aws-transfer-server/src/main/java/software/amazon/transfer/server/BaseHandlerStd.java b/aws-transfer-server/src/main/java/software/amazon/transfer/server/BaseHandlerStd.java
@@ -232,7 +232,7 @@ private static int getDelaySeconds(Exception e) {
         return THROTTLE_CALLBACK_DELAY_SECONDS;
     }
 
-    private String getErrorCode(Exception e) {
+    protected String getErrorCode(Exception e) {
         if (e instanceof AwsServiceException && ((AwsServiceException) e).awsErrorDetails() != null) {
             return ((AwsServiceException) e).awsErrorDetails().errorCode();
         }
diff --git a/aws-transfer-server/src/main/java/software/amazon/transfer/server/ReadHandler.java b/aws-transfer-server/src/main/java/software/amazon/transfer/server/ReadHandler.java
@@ -70,6 +70,7 @@ private ResourceModel translateFromReadResponse(final DescribeServerResponse res
                 .protocols(server.protocolsAsStrings())
                 .protocolDetails(ProtocolDetailsTranslator.fromSdk(server.protocolDetails()))
                 .securityPolicyName(server.securityPolicyName())
+                .state(server.stateAsString())
                 .tags(translateFromSdkTags(server.tags()))
                 .workflowDetails(WorkflowDetailsTranslator.fromSdk(server.workflowDetails()))
                 .structuredLogDestinations(server.structuredLogDestinations())
diff --git a/aws-transfer-server/src/main/java/software/amazon/transfer/server/UpdateHandler.java b/aws-transfer-server/src/main/java/software/amazon/transfer/server/UpdateHandler.java
@@ -29,6 +29,7 @@
 import software.amazon.awssdk.services.transfer.model.UpdateServerResponse;
 import software.amazon.awssdk.utils.CollectionUtils;
 import software.amazon.cloudformation.proxy.AmazonWebServicesClientProxy;
+import software.amazon.cloudformation.proxy.HandlerErrorCode;
 import software.amazon.cloudformation.proxy.Logger;
 import software.amazon.cloudformation.proxy.ProgressEvent;
 import software.amazon.cloudformation.proxy.ProxyClient;
@@ -43,6 +44,8 @@
 
 public class UpdateHandler extends BaseHandlerStd {
 
+    private static final String ACCESS_DENIED_ERROR_CODE = "AccessDenied";
+
     protected ProgressEvent<ResourceModel, CallbackContext> handleRequest(
             final AmazonWebServicesClientProxy proxy,
             final ResourceHandlerRequest<ResourceModel> request,
@@ -395,8 +398,13 @@ private ProgressEvent<ResourceModel, CallbackContext> tagResource(
                         return client.injectCredentialsAndInvokeV2(tagRequest, transferClient::tagResource);
                     }
                 })
-                .handleError((ignored, exception, proxyClient, model, context) ->
-                        handleError(UPDATE, exception, model, context, clientRequestToken))
+                .handleError((ignored, exception, proxyClient, model, context) -> {
+                    if (isEnvironmentTaggingException(exception)) {
+                        return ProgressEvent.failed(
+                                model, context, HandlerErrorCode.UnauthorizedTaggingOperation, exception.getMessage());
+                    }
+                    return handleError(UPDATE, exception, model, context, clientRequestToken);
+                })
                 .progress();
     }
 
@@ -439,8 +447,17 @@ private ProgressEvent<ResourceModel, CallbackContext> untagResource(
                         return client.injectCredentialsAndInvokeV2(untagRequest, transferClient::untagResource);
                     }
                 })
-                .handleError((ignored, exception, proxyClient, model, context) ->
-                        handleError(UPDATE, exception, model, context, clientRequestToken))
+                .handleError((ignored, exception, proxyClient, model, context) -> {
+                    if (isEnvironmentTaggingException(exception)) {
+                        return ProgressEvent.failed(
+                                model, context, HandlerErrorCode.UnauthorizedTaggingOperation, exception.getMessage());
+                    }
+                    return handleError(UPDATE, exception, model, context, clientRequestToken);
+                })
                 .progress();
     }
+
+    private boolean isEnvironmentTaggingException(Exception e) {
+        return StringUtils.equals(ACCESS_DENIED_ERROR_CODE, getErrorCode(e));
+    }
 }
diff --git a/aws-transfer-server/src/test/java/software/amazon/transfer/server/AbstractTestBase.java b/aws-transfer-server/src/test/java/software/amazon/transfer/server/AbstractTestBase.java
@@ -151,6 +151,7 @@ public T client() {
 
     protected static DescribeServerResponse describeServerFromModel(
             String serverId, String state, ResourceModel model) {
+        model.setState(state);
         return DescribeServerResponse.builder()
                 .server(DescribedServer.builder()
                         .arn(getTestServerArn(serverId))
@@ -193,6 +194,7 @@ protected static ResourceModel setupSimpleServerModel(String endpointType) {
                 .identityProviderType(DEFAULT_IDENTITY_PROVIDER_TYPE)
                 .securityPolicyName(DEFAULT_SECURITY_POLICY)
                 .protocols(DEFAULT_PROTOCOLS)
+                .state(software.amazon.awssdk.services.transfer.model.State.ONLINE.name())
                 .structuredLogDestinations(Collections.emptyList())
                 .tags(Collections.emptyList())
                 .build();
@@ -240,6 +242,7 @@ protected static ResourceModel fullyLoadedServerModel() {
                 .securityPolicyName(DEFAULT_SECURITY_POLICY)
                 .protocols(DEFAULT_PROTOCOLS)
                 .tags(MODEL_TAGS)
+                .state(software.amazon.awssdk.services.transfer.model.State.ONLINE.name())
                 .structuredLogDestinations(Collections.singletonList("FooLog"))
                 .loggingRole("loggingRole")
                 .preAuthenticationLoginBanner("pre")
diff --git a/aws-transfer-server/src/test/java/software/amazon/transfer/server/UpdateHandlerTest.java b/aws-transfer-server/src/test/java/software/amazon/transfer/server/UpdateHandlerTest.java
@@ -27,6 +27,8 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.mockito.stubbing.Stubber;
 
+import software.amazon.awssdk.awscore.exception.AwsErrorDetails;
+import software.amazon.awssdk.awscore.exception.AwsServiceException;
 import software.amazon.awssdk.services.transfer.model.DescribeServerRequest;
 import software.amazon.awssdk.services.transfer.model.DescribeServerResponse;
 import software.amazon.awssdk.services.transfer.model.EndpointType;
@@ -73,6 +75,45 @@ public void handleRequest_SimpleUpdate() {
         verify(sdkClient, atLeastOnce()).updateServer(any(UpdateServerRequest.class));
     }
 
+    @Test
+    public void handleRequest_SimpleUpdate_Tagging_Failed() {
+        ResourceModel model = setupSimpleServerModel(DEFAULT_ENDPOINT_TYPE);
+        setServerId(model, "testServer");
+        ResourceModel newModel = setupSimpleServerModel(DEFAULT_ENDPOINT_TYPE);
+        setServerId(newModel, "testServer");
+        newModel.setTags(Translator.translateTagMapToTagList(EXTRA_MODEL_TAGS));
+
+        ResourceHandlerRequest<ResourceModel> request = getResourceHandlerRequestBuilder()
+                .previousResourceState(model)
+                .desiredResourceState(newModel)
+                .desiredResourceTags(EXTRA_MODEL_TAGS)
+                .build();
+
+        AwsServiceException ex = AwsServiceException.builder()
+                .awsErrorDetails(
+                        AwsErrorDetails.builder().errorCode("AccessDenied").build())
+                .build();
+        doThrow(ex).when(sdkClient).tagResource(any(TagResourceRequest.class));
+
+        updateServerAndAssertStatus(request, "ONLINE", OperationStatus.FAILED);
+
+        verify(sdkClient, atLeastOnce()).updateServer(any(UpdateServerRequest.class));
+        verify(sdkClient, atLeastOnce()).tagResource(any(TagResourceRequest.class));
+
+        // Do untag now
+        request = getResourceHandlerRequestBuilder()
+                .previousResourceState(newModel)
+                .desiredResourceState(model)
+                .previousResourceTags(EXTRA_MODEL_TAGS)
+                .build();
+        doThrow(ex).when(sdkClient).untagResource(any(UntagResourceRequest.class));
+
+        updateServerAndAssertStatus(request, "ONLINE", OperationStatus.FAILED);
+
+        verify(sdkClient, atLeastOnce()).updateServer(any(UpdateServerRequest.class));
+        verify(sdkClient, atLeastOnce()).untagResource(any(UntagResourceRequest.class));
+    }
+
     private static void setServerId(ResourceModel model, String serverId) {
         Region region = Region.getRegion(Regions.US_EAST_1);
         ServerArn serverArn = new ServerArn(region, "123456789012", serverId);
diff --git a/aws-transfer-user/src/main/java/software/amazon/transfer/user/BaseHandlerStd.java b/aws-transfer-user/src/main/java/software/amazon/transfer/user/BaseHandlerStd.java
@@ -51,6 +51,8 @@ public abstract class BaseHandlerStd extends BaseHandler<CallbackContext> {
     private static final String FAILURE_LOG_MESSAGE =
             "[ClientRequestToken: %s] Resource %s failed in %s operation, Error: %s%n";
     private static final String THROTTLING_EXCEPTION_ERR_CODE = "ThrottlingException";
+    private static final String ACCESS_DENIED_ERROR_CODE = "AccessDenied";
+
     protected Logger logger;
 
     @Override
@@ -334,8 +336,13 @@ private ProgressEvent<ResourceModel, CallbackContext> tagResource(
                         return client.injectCredentialsAndInvokeV2(tagRequest, transferClient::tagResource);
                     }
                 })
-                .handleError((ignored, exception, proxyClient, model, context) ->
-                        handleError(UPDATE, exception, model, context, clientRequestToken))
+                .handleError((ignored, exception, proxyClient, model, context) -> {
+                    if (isEnvironmentTaggingException(exception)) {
+                        return ProgressEvent.failed(
+                                model, context, HandlerErrorCode.UnauthorizedTaggingOperation, exception.getMessage());
+                    }
+                    return handleError(UPDATE, exception, model, context, clientRequestToken);
+                })
                 .progress();
     }
 
@@ -378,11 +385,20 @@ private ProgressEvent<ResourceModel, CallbackContext> untagResource(
                         return client.injectCredentialsAndInvokeV2(untagRequest, transferClient::untagResource);
                     }
                 })
-                .handleError((ignored, exception, proxyClient, model, context) ->
-                        handleError(UPDATE, exception, model, context, clientRequestToken))
+                .handleError((ignored, exception, proxyClient, model, context) -> {
+                    if (isEnvironmentTaggingException(exception)) {
+                        return ProgressEvent.failed(
+                                model, context, HandlerErrorCode.UnauthorizedTaggingOperation, exception.getMessage());
+                    }
+                    return handleError(UPDATE, exception, model, context, clientRequestToken);
+                })
                 .progress();
     }
 
+    private boolean isEnvironmentTaggingException(Exception e) {
+        return StringUtils.equals(ACCESS_DENIED_ERROR_CODE, getErrorCode(e));
+    }
+
     protected DescribeUserRequest translateToReadRequest(final ResourceModel model) {
         return DescribeUserRequest.builder()
                 .serverId(model.getServerId())

Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ private static int getDelaySeconds(Exception e) {`
`232`	`232`	`return THROTTLE_CALLBACK_DELAY_SECONDS;`
`233`	`233`	`}`
`234`	`234`
`235`		`- private String getErrorCode(Exception e) {`
	`235`	`+ protected String getErrorCode(Exception e) {`
`236`	`236`	`if (e instanceof AwsServiceException && ((AwsServiceException) e).awsErrorDetails() != null) {`
`237`	`237`	`return ((AwsServiceException) e).awsErrorDetails().errorCode();`
`238`	`238`	`}`