service/guardduty: Support GuardDuty Organizations (hashicorp#13034)

* service/guardduty: Support GuardDuty Organizations Reference: hashicorp#13005 Reference: hashicorp#13006 Changes: ``` FEATURES: * **New Resource:** `aws_guardduty_organization_admin_account` * **New Resource:** `aws_guardduty_organization_configuration` ``` Output from acceptance testing: ``` --- PASS: TestAccAWSGuardDuty (137.70s) --- PASS: TestAccAWSGuardDuty/Detector (58.97s) --- PASS: TestAccAWSGuardDuty/Detector/basic (41.45s) --- PASS: TestAccAWSGuardDuty/Detector/import (17.52s) --- PASS: TestAccAWSGuardDuty/OrganizationAdminAccount (31.74s) --- PASS: TestAccAWSGuardDuty/OrganizationAdminAccount/basic (31.74s) --- PASS: TestAccAWSGuardDuty/OrganizationConfiguration (46.99s) --- PASS: TestAccAWSGuardDuty/OrganizationConfiguration/basic (46.99s) ``` * resource/aws_guardduty_organization_admin_account: Adjust for review comments Reference: hashicorp#13034 (review) Output from acceptance testing: ``` --- PASS: TestAccAWSGuardDuty/OrganizationAdminAccount (44.91s) --- PASS: TestAccAWSGuardDuty/OrganizationAdminAccount/basic (44.91s) ```
adamdecaf · May 28, 2020 · 0480fa8 · 0480fa8
1 parent 518ec42
commit 0480fa8
Show file tree

Hide file tree

Showing 12 changed files with 642 additions and 4 deletions.
diff --git a/aws/internal/service/guardduty/waiter/status.go b/aws/internal/service/guardduty/waiter/status.go
@@ -0,0 +1,59 @@
+package waiter
+
+import (
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/guardduty"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+const (
+ // AdminStatus NotFound
+ AdminStatusNotFound = "NotFound"
+
+ // AdminStatus Unknown
+ AdminStatusUnknown = "Unknown"
+)
+
+// AdminAccountAdminStatus fetches the AdminAccount and its AdminStatus
+func AdminAccountAdminStatus(conn *guardduty.GuardDuty, adminAccountID string) resource.StateRefreshFunc {
+ return func() (interface{}, string, error) {
+ adminAccount, err := getOrganizationAdminAccount(conn, adminAccountID)
+
+ if err != nil {
+ return nil, AdminStatusUnknown, err
+ }
+
+ if adminAccount == nil {
+ return adminAccount, AdminStatusNotFound, nil
+ }
+
+ return adminAccount, aws.StringValue(adminAccount.AdminStatus), nil
+ }
+}
+
+// TODO: Migrate to shared internal package for aws package and this package
+func getOrganizationAdminAccount(conn *guardduty.GuardDuty, adminAccountID string) (*guardduty.AdminAccount, error) {
+ input := &guardduty.ListOrganizationAdminAccountsInput{}
+ var result *guardduty.AdminAccount
+
+ err := conn.ListOrganizationAdminAccountsPages(input, func(page *guardduty.ListOrganizationAdminAccountsOutput, lastPage bool) bool {
+ if page == nil {
+ return !lastPage
+ }
+
+ for _, adminAccount := range page.AdminAccounts {
+ if adminAccount == nil {
+ continue
+ }
+
+ if aws.StringValue(adminAccount.AdminAccountId) == adminAccountID {
+ result = adminAccount
+ return false
+ }
+ }
+
+ return !lastPage
+ })
+
+ return result, err
+}
diff --git a/aws/internal/service/guardduty/waiter/waiter.go b/aws/internal/service/guardduty/waiter/waiter.go
@@ -0,0 +1,59 @@
+package waiter
+
+import (
+ "time"
+
+ "github.com/aws/aws-sdk-go/service/guardduty"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+const (
+ // Maximum amount of time to wait for an AdminAccount to return Enabled
+ AdminAccountEnabledTimeout = 5 * time.Minute
+
+ // Maximum amount of time to wait for an AdminAccount to return NotFound
+ AdminAccountNotFoundTimeout = 5 * time.Minute
+
+ // Maximum amount of time to wait for membership to propagate
+ // When removing Organization Admin Accounts, there is eventual
+ // consistency even after the account is no longer listed.
+ // Reference error message:
+ // BadRequestException: The request is rejected because the current account cannot delete detector while it has invited or associated members.
+ MembershipPropagationTimeout = 2 * time.Minute
+)
+
+// AdminAccountEnabled waits for an AdminAccount to return Enabled
+func AdminAccountEnabled(conn *guardduty.GuardDuty, adminAccountID string) (*guardduty.AdminAccount, error) {
+ stateConf := &resource.StateChangeConf{
+ Pending: []string{AdminStatusNotFound},
+ Target: []string{guardduty.AdminStatusEnabled},
+ Refresh: AdminAccountAdminStatus(conn, adminAccountID),
+ Timeout: AdminAccountNotFoundTimeout,
+ }
+
+ outputRaw, err := stateConf.WaitForState()
+
+ if output, ok := outputRaw.(*guardduty.AdminAccount); ok {
+ return output, err
+ }
+
+ return nil, err
+}
+
+// AdminAccountNotFound waits for an AdminAccount to return NotFound
+func AdminAccountNotFound(conn *guardduty.GuardDuty, adminAccountID string) (*guardduty.AdminAccount, error) {
+ stateConf := &resource.StateChangeConf{
+ Pending: []string{guardduty.AdminStatusDisableInProgress},
+ Target: []string{AdminStatusNotFound},
+ Refresh: AdminAccountAdminStatus(conn, adminAccountID),
+ Timeout: AdminAccountNotFoundTimeout,
+ }
+
+ outputRaw, err := stateConf.WaitForState()
+
+ if output, ok := outputRaw.(*guardduty.AdminAccount); ok {
+ return output, err
+ }
+
+ return nil, err
+}
diff --git a/aws/provider.go b/aws/provider.go
@@ -589,6 +589,8 @@ func Provider() terraform.ResourceProvider {
  "aws_guardduty_invite_accepter": resourceAwsGuardDutyInviteAccepter(),
  "aws_guardduty_ipset": resourceAwsGuardDutyIpset(),
  "aws_guardduty_member": resourceAwsGuardDutyMember(),
+ "aws_guardduty_organization_admin_account": resourceAwsGuardDutyOrganizationAdminAccount(),
+ "aws_guardduty_organization_configuration": resourceAwsGuardDutyOrganizationConfiguration(),
  "aws_guardduty_threatintelset": resourceAwsGuardDutyThreatintelset(),
  "aws_iam_access_key": resourceAwsIamAccessKey(),
  "aws_iam_account_alias": resourceAwsIamAccountAlias(),

diff --git a/aws/resource_aws_guardduty_detector.go b/aws/resource_aws_guardduty_detector.go
@@ -6,7 +6,9 @@ import (
 
  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/service/guardduty"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
  "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/guardduty/waiter"
 )
 
 func resourceAwsGuardDutyDetector() *schema.Resource {
@@ -106,14 +108,32 @@ func resourceAwsGuardDutyDetectorUpdate(d *schema.ResourceData, meta interface{}
 
 func resourceAwsGuardDutyDetectorDelete(d *schema.ResourceData, meta interface{}) error {
  conn := meta.(*AWSClient).guarddutyconn
- input := guardduty.DeleteDetectorInput{
+
+ input := &guardduty.DeleteDetectorInput{
  DetectorId: aws.String(d.Id()),
  }
 
- log.Printf("[DEBUG] Delete GuardDuty Detector: %s", input)
- _, err := conn.DeleteDetector(&input)
+ err := resource.Retry(waiter.MembershipPropagationTimeout, func() *resource.RetryError {
+ _, err := conn.DeleteDetector(input)
+
+ if isAWSErr(err, guardduty.ErrCodeBadRequestException, "cannot delete detector while it has invited or associated members") {
+ return resource.RetryableError(err)
+ }
+
+ if err != nil {
+ return resource.NonRetryableError(err)
+ }
+
+ return nil
+ })
+
+ if isResourceTimeoutError(err) {
+ _, err = conn.DeleteDetector(input)
+ }
+
  if err != nil {
- return fmt.Errorf("Deleting GuardDuty Detector '%s' failed: %s", d.Id(), err.Error())
+ return fmt.Errorf("error deleting GuardDuty Detector (%s): %w", d.Id(), err)
  }
+
  return nil
 }
diff --git a/aws/resource_aws_guardduty_organization_admin_account.go b/aws/resource_aws_guardduty_organization_admin_account.go
@@ -0,0 +1,122 @@
+package aws
+
+import (
+ "fmt"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/guardduty"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/guardduty/waiter"
+)
+
+func resourceAwsGuardDutyOrganizationAdminAccount() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceAwsGuardDutyOrganizationAdminAccountCreate,
+ Read: resourceAwsGuardDutyOrganizationAdminAccountRead,
+ Delete: resourceAwsGuardDutyOrganizationAdminAccountDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: schema.ImportStatePassthrough,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "admin_account_id": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateAwsAccountId,
+ },
+ },
+ }
+}
+
+func resourceAwsGuardDutyOrganizationAdminAccountCreate(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).guarddutyconn
+
+ adminAccountID := d.Get("admin_account_id").(string)
+
+ input := &guardduty.EnableOrganizationAdminAccountInput{
+ AdminAccountId: aws.String(adminAccountID),
+ }
+
+ _, err := conn.EnableOrganizationAdminAccount(input)
+
+ if err != nil {
+ return fmt.Errorf("error enabling GuardDuty Organization Admin Account (%s): %w", adminAccountID, err)
+ }
+
+ d.SetId(adminAccountID)
+
+ if _, err := waiter.AdminAccountEnabled(conn, d.Id()); err != nil {
+ return fmt.Errorf("error waiting for GuardDuty Organization Admin Account (%s) to enable: %w", d.Id(), err)
+ }
+
+ return resourceAwsGuardDutyOrganizationAdminAccountRead(d, meta)
+}
+
+func resourceAwsGuardDutyOrganizationAdminAccountRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).guarddutyconn
+
+ adminAccount, err := getGuardDutyOrganizationAdminAccount(conn, d.Id())
+
+ if err != nil {
+ return fmt.Errorf("error reading GuardDuty Organization Admin Account (%s): %w", d.Id(), err)
+ }
+
+ if adminAccount == nil {
+ log.Printf("[WARN] GuardDuty Organization Admin Account (%s) not found, removing from state", d.Id())
+ d.SetId("")
+ return nil
+ }
+
+ d.Set("admin_account_id", adminAccount.AdminAccountId)
+
+ return nil
+}
+
+func resourceAwsGuardDutyOrganizationAdminAccountDelete(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).guarddutyconn
+
+ input := &guardduty.DisableOrganizationAdminAccountInput{
+ AdminAccountId: aws.String(d.Id()),
+ }
+
+ _, err := conn.DisableOrganizationAdminAccount(input)
+
+ if err != nil {
+ return fmt.Errorf("error disabling GuardDuty Organization Admin Account (%s): %w", d.Id(), err)
+ }
+
+ if _, err := waiter.AdminAccountNotFound(conn, d.Id()); err != nil {
+ return fmt.Errorf("error waiting for GuardDuty Organization Admin Account (%s) to disable: %w", d.Id(), err)
+ }
+
+ return nil
+}
+
+func getGuardDutyOrganizationAdminAccount(conn *guardduty.GuardDuty, adminAccountID string) (*guardduty.AdminAccount, error) {
+ input := &guardduty.ListOrganizationAdminAccountsInput{}
+ var result *guardduty.AdminAccount
+
+ err := conn.ListOrganizationAdminAccountsPages(input, func(page *guardduty.ListOrganizationAdminAccountsOutput, lastPage bool) bool {
+ if page == nil {
+ return !lastPage
+ }
+
+ for _, adminAccount := range page.AdminAccounts {
+ if adminAccount == nil {
+ continue
+ }
+
+ if aws.StringValue(adminAccount.AdminAccountId) == adminAccountID {
+ result = adminAccount
+ return false
+ }
+ }
+
+ return !lastPage
+ })
+
+ return result, err
+}