r/aws_detective_organization_configuration - new resource

Signed-off-by: Owen Farrell <owen.farrell@gmail.com>

internal/service/detective/detective_test.go

@@ -29,6 +29,9 @@ func TestAccDetective_serial(t *testing.T) {
  "disappears": testAccOrganizationAdminAccount_disappears,
  "MultiRegion": testAccOrganizationAdminAccount_MultiRegion,
  },
+ "OrganizationConfiguration": {
+ "basic": testAccOrganizationConfiguration_basic,
+ },
  }
 
  acctest.RunSerialTests2Levels(t, testCases, 0)

internal/service/detective/organization_configuration.go

@@ -0,0 +1,84 @@
+package detective
+
+import (
+ "context"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/detective"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-provider-aws/internal/conns"
+ "github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+// @SDKResource("aws_detective_organization_configuration")
+func ResourceOrganizationConfiguration() *schema.Resource {
+ return &schema.Resource{
+ CreateWithoutTimeout: resourceOrganizationConfigurationUpdate,
+ ReadWithoutTimeout: resourceOrganizationConfigurationRead,
+ UpdateWithoutTimeout: resourceOrganizationConfigurationUpdate,
+ DeleteWithoutTimeout: schema.NoopContext,
+
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "auto_enable": {
+ Type: schema.TypeBool,
+ Required: true,
+ },
+
+ "graph_arn": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: verify.ValidARN,
+ },
+ },
+ }
+}
+
+func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*conns.AWSClient).DetectiveConn()
+
+ graphARN := d.Get("graph_arn").(string)
+
+ input := &detective.UpdateOrganizationConfigurationInput{
+ AutoEnable: aws.Bool(d.Get("auto_enable").(bool)),
+ GraphArn: aws.String(graphARN),
+ }
+
+ _, err := conn.UpdateOrganizationConfigurationWithContext(ctx, input)
+
+ if err != nil {
+ return diag.Errorf("error updating Detective Organization Configuration (%s): %s", graphARN, err)
+ }
+
+ d.SetId(graphARN)
+
+ return resourceOrganizationConfigurationRead(ctx, d, meta)
+}
+
+func resourceOrganizationConfigurationRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ conn := meta.(*conns.AWSClient).DetectiveConn()
+
+ input := &detective.DescribeOrganizationConfigurationInput{
+ GraphArn: aws.String(d.Id()),
+ }
+
+ output, err := conn.DescribeOrganizationConfigurationWithContext(ctx, input)
+
+ if err != nil {
+ return diag.Errorf("error reading Detective Organization Configuration (%s): %s", d.Id(), err)
+ }
+
+ if output == nil {
+ return diag.Errorf("error reading Detective Organization Configuration (%s): empty response", d.Id())
+ }
+
+ d.Set("auto_enable", output.AutoEnable)
+ d.Set("graph_arn", d.Id())
+
+ return nil
+}

internal/service/detective/organization_configuration_test.go

@@ -0,0 +1,77 @@
+package detective_test
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/service/detective"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func testAccOrganizationConfiguration_basic(t *testing.T) {
+ ctx := acctest.Context(t)
+ graphResourceName := "aws_detective_graph.test"
+ resourceName := "aws_detective_organization_configuration.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ acctest.PreCheck(ctx, t)
+ acctest.PreCheckOrganizationsAccount(ctx, t)
+ },
+ ErrorCheck: acctest.ErrorCheck(t, detective.EndpointsID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ // Detective Organization Configuration cannot be deleted separately.
+ // Ensure parent resource is destroyed instead.
+ CheckDestroy: testAccCheckGraphDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccOrganizationConfigurationConfig_autoEnable(true),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+ resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccOrganizationConfigurationConfig_autoEnable(false),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"),
+ resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccOrganizationConfigurationConfig_autoEnable(autoEnable bool) string {
+ return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_organizations_organization" "test" {
+ aws_service_access_principals = ["detective.${data.aws_partition.current.dns_suffix}"]
+ feature_set = "ALL"
+}
+
+resource "aws_detective_graph" "test" {}
+
+resource "aws_detective_organization_admin_account" "test" {
+ depends_on = [aws_organizations_organization.test]
+
+ account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_detective_organization_configuration" "test" {
+ depends_on = [aws_detective_organization_admin_account.test]
+
+ auto_enable = %[1]t
+ graph_arn = aws_detective_graph.test.id
+}
+`, autoEnable)
+}

website/docs/r/detective_organization_configuration.html.markdown

@@ -0,0 +1,47 @@
+---
+subcategory: "Detective"
+layout: "aws"
+page_title: "AWS: aws_detective_organization_configuration"
+description: |-
+ Manages the Detective Organization Configuration
+---
+
+# Resource: aws_detective_organization_configuration
+
+Manages the Detective Organization Configuration in the current AWS Region. The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the [`aws_detective_organization_admin_account` resource](/docs/providers/aws/r/detective_organization_admin_account.html). More information about Organizations support in Detective can be found in the [Detective User Guide](https://docs.aws.amazon.com/detective/latest/adminguide/accounts-orgs-transition.html).
+
+~> **NOTE:** This is an advanced Terraform resource. Terraform will automatically assume management of the Detective Organization Configuration without import and perform no actions on removal from the Terraform configuration.
+
+## Example Usage
+
+```terraform
+resource "aws_detective_graph" "example" {
+ enable = true
+}
+
+resource "aws_detective_organization_configuration" "example" {
+ auto_enable = true
+ graph_arn = aws_detective_graph.example.id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `auto_enable` - (Required) When this setting is enabled, all new accounts that are created in, or added to, the organization are added as a member accounts of the organization’s Detective delegated administrator and Detective is enabled in that AWS Region.
+* `graph_arn` - (Required) ARN of the behavior graph.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - Identifier of the Detective Graph.
+
+## Import
+
+Detective Organization Configurations can be imported using the Detective Graph ID, e.g.,
+
+```
+$ terraform import aws_detective_organization_configuration.example 00b00fd5aecc0ab60a708659477e9617
+```