in aws-networkfirewall-firewall/src/main/java/software/amazon/networkfirewall/firewall/UpdateHandler.java [292:331]
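/**
 * Checks whether the subnet change requested by {@code operation} has settled on the firewall.
 *
 * <p>Describes the firewall and collects the subnet id of every attachment listed in the
 * firewall's {@code syncStates}, then compares that set against the handler's pending change
 * ({@code subnetsToAdd} for {@code ASSOCIATE}, {@code subnetsToRemove} for {@code DISASSOCIATE}).
 * Once the requested subnets are (dis)associated, the firewall is only considered stable when its
 * status is {@code READY} and its configuration sync summary is {@code IN_SYNC}, because that
 * summary consolidates the state of all configs and attachments.
 *
 * @param client          proxy used to invoke {@code DescribeFirewall} with injected credentials
 * @param model           resource model the describe request is translated from
 * @param callbackContext handler callback context; not read by this method
 * @param operation       which pending subnet change is being awaited
 * @return {@code true} once the subnet change is visible and the firewall reports READY / IN_SYNC
 * @throws CfnGeneralServiceException if the describe call or response handling fails; the
 *                                    underlying exception is attached as the cause
 */
private boolean stabilizeSubnets(final ProxyClient<NetworkFirewallClient> client,
        final ResourceModel model, final CallbackContext callbackContext, final SubnetOperation operation) {
    try {
        final DescribeFirewallResponse response = client.injectCredentialsAndInvokeV2(
                Translator.translateToDescribeFirewallRequest(model),
                client.client()::describeFirewall);

        // Subnet ids of every attachment the firewall currently reports in its sync states.
        final Set<String> actualSubnets = new HashSet<>();
        for (final Map.Entry<String, SyncState> entry : response.firewallStatus().syncStates().entrySet()) {
            final Attachment attachment = entry.getValue().attachment();
            // NOTE(review): also guards against a missing attachment object, not only a missing
            // subnetId — confirm against the SDK whether attachment() can be null.
            if (attachment != null && attachment.subnetId() != null) {
                actualSubnets.add(attachment.subnetId());
            }
        }

        switch (operation) {
            case ASSOCIATE:
                // Every subnet we asked to add must already appear as an attachment.
                if (!actualSubnets.containsAll(subnetsToAdd)) {
                    return false;
                }
                break;
            case DISASSOCIATE:
                // None of the subnets we asked to remove may still be attached.
                if (subnetsToRemove.stream().anyMatch(actualSubnets::contains)) {
                    return false;
                }
                break;
            default:
                // Any other operation has no per-subnet precondition; only the status check applies.
                break;
        }

        // The per-subnet check only proves the attachment list has moved; the consolidated
        // status and configurationSyncStateSummary tell us whether the firewall as a whole
        // has finished applying the change.
        return response.firewallStatus().status() == FirewallStatusValue.READY
                && response.firewallStatus().configurationSyncStateSummary() == ConfigurationSyncState.IN_SYNC;
    } catch (final Exception e) {
        // Keep the original exception as the cause so the failure stays diagnosable, and name the
        // operation that was pending instead of always reporting "associate".
        throw new CfnGeneralServiceException("Subnets failed to stabilize for " + operation, e);
    }
}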