
Merge pull request #28961 from srgustafson8/e-aws_inspector2_organization_configuration-lambda

[Enhancement]: Add support for auto-enabling lambda scanning on aws_inspector2_organization_configuration
ewbankkit authored Mar 13, 2023
2 parents 3dd238f + 2fb8461 commit ef116f6
Showing 4 changed files with 84 additions and 15 deletions.
3 changes: 3 additions & 0 deletions .changelog/28961.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/aws_inspector2_organization_configuration: Add `lambda` attribute to `auto_enable` configuration block
```
40 changes: 29 additions & 11 deletions internal/service/inspector2/organization_configuration.go
Expand Up @@ -48,6 +48,11 @@ func ResourceOrganizationConfiguration() *schema.Resource {
Type: schema.TypeBool,
Required: true,
},
"lambda": {
Type: schema.TypeBool,
Optional: true,
Default: false,
},
},
},
},
Expand Down Expand Up @@ -118,7 +123,7 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso
return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
}

if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
}

Expand All @@ -133,8 +138,9 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso

in := &inspector2.UpdateOrganizationConfigurationInput{
AutoEnable: &types.AutoEnable{
Ec2: aws.Bool(false),
Ecr: aws.Bool(false),
Ec2: aws.Bool(false),
Ecr: aws.Bool(false),
Lambda: aws.Bool(false),
},
}

Expand All @@ -144,21 +150,25 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso
return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
}

if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
}

return nil
}

func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr bool, timeout time.Duration) error {
needle := fmt.Sprintf("%t:%t", ec2, ecr)
func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda bool, timeout time.Duration) error {
needle := fmt.Sprintf("%t:%t:%t", ec2, ecr, lambda)

all := []string{
fmt.Sprintf("%t:%t", false, false),
fmt.Sprintf("%t:%t", false, true),
fmt.Sprintf("%t:%t", true, false),
fmt.Sprintf("%t:%t", true, true),
fmt.Sprintf("%t:%t:%t", false, false, false),
fmt.Sprintf("%t:%t:%t", false, true, false),
fmt.Sprintf("%t:%t:%t", false, false, true),
fmt.Sprintf("%t:%t:%t", false, true, true),
fmt.Sprintf("%t:%t:%t", true, false, false),
fmt.Sprintf("%t:%t:%t", true, false, true),
fmt.Sprintf("%t:%t:%t", true, true, false),
fmt.Sprintf("%t:%t:%t", true, true, true),
}

for i, v := range all {
Expand Down Expand Up @@ -194,7 +204,7 @@ func statusOrganizationConfiguration(ctx context.Context, conn *inspector2.Clien
return nil, "", err
}

return out, fmt.Sprintf("%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr)), nil
return out, fmt.Sprintf("%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda)), nil
}
}

Expand All @@ -213,6 +223,10 @@ func flattenAutoEnable(apiObject *types.AutoEnable) map[string]interface{} {
m["ecr"] = aws.ToBool(v)
}

if v := apiObject.Lambda; v != nil {
m["lambda"] = aws.ToBool(v)
}

return m
}

Expand All @@ -231,5 +245,9 @@ func expandAutoEnable(tfMap map[string]interface{}) *types.AutoEnable {
a.Ecr = aws.Bool(v)
}

if v, ok := tfMap["lambda"].(bool); ok {
a.Lambda = aws.Bool(v)
}

return a
}
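Review bot: The new `lambda` schema entry at the top of the section is `Optional: true, Default: false` while `ec2`/`ecr` stay required, and `expandAutoEnable` copies the key into `a.Lambda` whenever it is present; since the SDK fills defaults into the block, a configuration that merely omits `lambda` is expected to send `Lambda: false` on its next apply and switch off Lambda auto-enable for an organization that had enabled it out of band — a quiet reduction in scanning coverage that the resource docs in this commit, which say only "(Optional)", do not warn about. The doc line should state the default and its effect, e.g. `* lambda - (Optional) Whether Lambda Function scans are automatically enabled for new members of your Amazon Inspector organization. Defaults to false; omitting it explicitly disables Lambda auto-enable.` If preserving an out-of-band value is preferred, dropping `Default` in favour of `Optional: true, Computed: true` would do that at the cost of drift detection; which way to go is a provider-convention question outside this hunk. Separately, `waitOrganizationConfigurationUpdated` now hand-enumerates all eight ec2/ecr/lambda combinations in `all`; deriving that slice from the three booleans (or computing the pending set as every state except `needle`, if that is what the loop beginning on the hunk's last line does) would keep it correct when a further scan type is added — that loop's body lies outside the hunk.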
48 changes: 47 additions & 1 deletion internal/service/inspector2/organization_configuration_test.go
Expand Up @@ -26,6 +26,7 @@ func TestAccInspector2OrganizationConfiguration_serial(t *testing.T) {
"basic": testAccOrganizationConfiguration_basic,
"disappears": testAccOrganizationConfiguration_disappears,
"ec2ECR": testAccOrganizationConfiguration_ec2ECR,
"lambda": testAccOrganizationConfiguration_lambda,
}

acctest.RunSerialTests1Level(t, testCases, 0)
Expand Down Expand Up @@ -112,6 +113,34 @@ func testAccOrganizationConfiguration_ec2ECR(t *testing.T) {
})
}

func testAccOrganizationConfiguration_lambda(t *testing.T) {
ctx := acctest.Context(t)
resourceName := "aws_inspector2_organization_configuration.test"

resource.Test(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID)
testAccPreCheck(ctx, t)
acctest.PreCheckOrganizationManagementAccount(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckOrganizationConfigurationDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccOrganizationConfigurationConfig_lambda(false, false, true),
Check: resource.ComposeTestCheckFunc(
testAccCheckOrganizationConfigurationExists(ctx, resourceName),
resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"),
resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"),
resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"),
),
},
},
})
}

func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource.TestCheckFunc {
return func(s *terraform.State) error {
conn := acctest.Provider.Meta().(*conns.AWSClient).Inspector2Client()
Expand Down Expand Up @@ -145,7 +174,7 @@ func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource.
return create.Error(names.Inspector2, create.ErrActionCheckingDestroyed, tfinspector2.ResNameOrganizationConfiguration, rs.Primary.ID, err)
}

if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) {
if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) {
if enabledDelAdAcct {
if err := testDisableDelegatedAdminAccount(ctx, conn, acctest.AccountID()); err != nil {
return err
Expand Down Expand Up @@ -239,3 +268,20 @@ resource "aws_inspector2_organization_configuration" "test" {
}
`, ec2, ecr)
}

func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda bool) string {
return fmt.Sprintf(`
data "aws_caller_identity" "current" {}
resource "aws_inspector2_delegated_admin_account" "test" {
account_id = data.aws_caller_identity.current.account_id
}
resource "aws_inspector2_organization_configuration" "test" {
auto_enable {
ec2 = %[1]t
ecr = %[2]t
lambda = %[3]t
}
depends_on = [aws_inspector2_delegated_admin_account.test]
}
`, ec2, ecr, lambda)
}
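Review bot: `testAccOrganizationConfiguration_lambda` has a single step that enables Lambda auto-enable and checks the three flags, so the update path that flips `lambda` back to `false` — the transition that the waiter's new three-field needle and the `CheckDestroy` change depend on — is never exercised; a second `resource.TestStep` using `testAccOrganizationConfigurationConfig_lambda(false, false, false)` with `resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "false")` would cover it at no extra cost. A step that sets `lambda` together with `ec2`/`ecr` would also be worthwhile, since a mismatch between requested and reported state is most likely when several flags change at once. If the existing `ec2ECR` test toggles flags across steps (its body is outside this hunk), mirroring that shape here keeps the cases consistent.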
Expand Up @@ -12,7 +12,7 @@ Terraform resource for managing an AWS Inspector V2 Organization Configuration.

~> **NOTE:** In order for this resource to work, the account you use must be an Inspector V2 Delegated Admin Account.

~> **NOTE:** When this resource is deleted, EC2 and ECR scans will no longer be automatically enabled for new members of your Amazon Inspector organization.
~> **NOTE:** When this resource is deleted, EC2, ECR and Lambda scans will no longer be automatically enabled for new members of your Amazon Inspector organization.

## Example Usage

Expand All @@ -21,8 +21,9 @@ Terraform resource for managing an AWS Inspector V2 Organization Configuration.
```terraform
resource "aws_inspector2_organization_configuration" "example" {
auto_enable {
ec2 = true
ecr = false
ec2 = true
ecr = false
lambda = true
}
}
```
Expand All @@ -37,6 +38,7 @@ The following arguments are required:

* `ec2` - (Required) Whether Amazon EC2 scans are automatically enabled for new members of your Amazon Inspector organization.
* `ecr` - (Required) Whether Amazon ECR scans are automatically enabled for new members of your Amazon Inspector organization.
* `lambda` - (Optional) Whether Lambda Function scans are automatically enabled for new members of your Amazon Inspector organization.

## Attributes Reference


