From 1ed40dad47e6cda3ac1de6a5eb94256472533732 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Sat, 11 Jun 2022 17:28:20 +0300
Subject: [PATCH 01/10] risk config resource

---
 internal/provider/provider.go | 1 +
 internal/service/cognitoidp/consts.go | 15 +-
 internal/service/cognitoidp/find.go | 34 +
 .../service/cognitoidp/risk_configuration.go | 590 ++++++++++++++++++
 .../cognitoidp/risk_configuration_test.go | 271 ++++++++
 5 files changed, 904 insertions(+), 7 deletions(-)
 create mode 100644 internal/service/cognitoidp/risk_configuration.go
 create mode 100644 internal/service/cognitoidp/risk_configuration_test.go

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index 07f6e19c20e6..6493bf735715 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -1147,6 +1147,7 @@ func Provider() *schema.Provider {
 "aws_cognito_identity_provider": cognitoidp.ResourceIdentityProvider(),
 "aws_cognito_resource_server": cognitoidp.ResourceResourceServer(),
+ "aws_cognito_risk_configuration": cognitoidp.ResourceRiskConfiguration(),
 "aws_cognito_user": cognitoidp.ResourceUser(),
 "aws_cognito_user_group": cognitoidp.ResourceUserGroup(),
 "aws_cognito_user_in_group": cognitoidp.ResourceUserInGroup(),
diff --git a/internal/service/cognitoidp/consts.go b/internal/service/cognitoidp/consts.go
index ab95f2a57c5e..0292cd38217b 100644
--- a/internal/service/cognitoidp/consts.go
+++ b/internal/service/cognitoidp/consts.go
@@ -3,13 +3,14 @@ package cognitoidp
 import "time"
 
 const (
- ResIdentityProvider = "Identity Provider"
- ResResourceServer = "Resource Server"
- ResUserGroup = "User Group"
- ResUserPoolClient = "User Pool Client"
- ResUserPoolDomain = "User Pool Domain"
- ResUserPool = "User Pool"
- ResUser = "User"
+ ResIdentityProvider = "Identity Provider"
+ ResResourceServer = "Resource Server"
+ ResRiskConfiguration = "Risk Configuration"
+ ResUserGroup = "User Group"
+ ResUserPoolClient = "User Pool Client"
+ ResUserPoolDomain = "User Pool Domain"
+ ResUserPool = "User Pool"
+ ResUser = "User"
 )
 
 const (
diff --git a/internal/service/cognitoidp/find.go b/internal/service/cognitoidp/find.go
index 691d5151ed24..b1f8672ed6e6 100644
--- a/internal/service/cognitoidp/find.go
+++ b/internal/service/cognitoidp/find.go
@@ -102,3 +102,37 @@ func FindCognitoUserPoolClient(conn *cognitoidentityprovider.CognitoIdentityProv
 
 return output.UserPoolClient, nil
 }
+
+func FindRiskConfigurationById(conn *cognitoidentityprovider.CognitoIdentityProvider, id string) (*cognitoidentityprovider.RiskConfigurationType, error) {
+ userPoolId, clientId, err := RiskConfigurationParseID(id)
+ if err != nil {
+ return nil, err
+ }
+
+ input := &cognitoidentityprovider.DescribeRiskConfigurationInput{
+ UserPoolId: aws.String(userPoolId),
+ }
+
+ if clientId != "" {
+ input.ClientId = aws.String(clientId)
+ }
+
+ output, err := conn.DescribeRiskConfiguration(input)
+
+ if tfawserr.ErrCodeEquals(err, cognitoidentityprovider.ErrCodeResourceNotFoundException) {
+ return nil, &resource.NotFoundError{
+ LastError: err,
+ LastRequest: input,
+ }
+ }
+
+ if err != nil {
+ return nil, err
+ }
+
+ if output == nil || output.RiskConfiguration == nil {
+ return nil, tfresource.NewEmptyResultError(input)
+ }
+
+ return output.RiskConfiguration, nil
+}
diff --git a/internal/service/cognitoidp/risk_configuration.go b/internal/service/cognitoidp/risk_configuration.go
new file mode 100644
index 000000000000..f6200f45787f
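Review bot: `FindRiskConfigurationById` and its locals `userPoolId`/`clientId` spell the initialism as `Id`, while the parser it calls on the next line is already `RiskConfigurationParseID`; Go style is `ID` throughout, so `FindRiskConfigurationByID`, `userPoolID`, `clientID` (the callers in risk_configuration.go and the test file would follow). The finder converts `ResourceNotFoundException` into `*resource.NotFoundError`, which is what `tfresource.NotFound` recognises, so callers should test its result with that helper rather than with `tfawserr.ErrCodeEquals` against the raw code, as the Read function in this patch currently does. Because `RiskConfigurationParseID` accepts `""` as a pool ID, an empty resource ID reaches `DescribeRiskConfiguration` with an empty `UserPoolId`; a guard rejecting an empty `userPoolId` right after the parse would fail fast with a clear error instead of an API validation error. The enclosing `FindCognitoUserPoolClient` shown as context starts outside the hunk.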
--- /dev/null
+++ b/internal/service/cognitoidp/risk_configuration.go
@@ -0,0 +1,590 @@ +package cognitoidp + +import ( + "fmt" + "strings" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/cognitoidentityprovider" + "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/flex" + "github.com/hashicorp/terraform-provider-aws/internal/verify" + "github.com/hashicorp/terraform-provider-aws/names" +) + +func ResourceRiskConfiguration() *schema.Resource { + return &schema.Resource{ + Create: resourceRiskConfigurationPut, + Read: resourceRiskConfigurationRead, + Delete: resourceRiskConfigurationDelete, + Update: resourceRiskConfigurationPut, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: map[string]*schema.Schema{ + "user_pool_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validUserPoolID, + }, + "client_id": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, + "account_takeover_risk_configuration": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "actions": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "high_action": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "event_action": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(cognitoidentityprovider.AccountTakeoverEventActionType_Values(), false), + }, + "notify": { + Type: schema.TypeBool, + Required: true, + }, + }, + }, + }, + "low_action": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: 
map[string]*schema.Schema{ + "event_action": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(cognitoidentityprovider.AccountTakeoverEventActionType_Values(), false), + }, + "notify": { + Type: schema.TypeBool, + Required: true, + }, + }, + }, + }, + "medium_action": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "event_action": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(cognitoidentityprovider.AccountTakeoverEventActionType_Values(), false), + }, + "notify": { + Type: schema.TypeBool, + Required: true, + }, + }, + }, + }, + }, + }, + }, + "notify_configuration": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "block_email": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "html_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + "subject": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(1, 140), + }, + "text_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + }, + }, + }, + "from": { + Type: schema.TypeString, + Optional: true, + }, + "mfa_email": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "html_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + "subject": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(1, 140), + }, + "text_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + }, + }, + }, + "no_action_email": { + Type: schema.TypeList, + 
Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "html_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + "subject": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(1, 140), + }, + "text_body": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(6, 2000), + }, + }, + }, + }, + "reply_to": { + Type: schema.TypeString, + Optional: true, + }, + "source_arn": { + Type: schema.TypeString, + Required: true, + ValidateFunc: verify.ValidARN, + }, + }, + }, + }, + }, + }, + }, + "compromised_credentials_risk_configuration": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "event_filter": { + Type: schema.TypeSet, + Optional: true, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validation.StringInSlice(cognitoidentityprovider.EventFilterType_Values(), false), + }, + }, + "actions": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "event_action": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(cognitoidentityprovider.CompromisedCredentialsEventActionType_Values(), false), + }, + }, + }, + }, + }, + }, + }, + "risk_exception_configuration": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "blocked_ip_range_list": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validation.All( + validation.StringLenBetween(0, 200), + validation.IsCIDR, + ), + }, + }, + "skipped_ip_range_list": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validation.All( + 
validation.StringLenBetween(0, 200), + validation.IsCIDR, + )}, + }, + }, + }, + }, + }, + } +} + +func resourceRiskConfigurationPut(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*conns.AWSClient).CognitoIDPConn + + userPoolId := d.Get("user_pool_id").(string) + id := userPoolId + input := &cognitoidentityprovider.SetRiskConfigurationInput{ + UserPoolId: aws.String(userPoolId), + } + + if v, ok := d.GetOk("client_id"); ok { + input.ClientId = aws.String(v.(string)) + id = fmt.Sprintf("%s:%s", userPoolId, v.(string)) + } + + if v, ok := d.GetOk("risk_exception_configuration"); ok && len(v.([]interface{})) > 0 { + input.RiskExceptionConfiguration = expandRiskExceptionConfiguration(v.([]interface{})) + } + + if v, ok := d.GetOk("compromised_credentials_risk_configuration"); ok && len(v.([]interface{})) > 0 { + input.CompromisedCredentialsRiskConfiguration = expandCompromisedCredentialsRiskConfiguration(v.([]interface{})) + } + + _, err := conn.SetRiskConfiguration(input) + + if err != nil { + return fmt.Errorf("error setting risk configuration: %w", err) + } + + d.SetId(id) + + return resourceRiskConfigurationRead(d, meta) +} + +func resourceRiskConfigurationRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*conns.AWSClient).CognitoIDPConn + + riskConfig, err := FindRiskConfigurationById(conn, d.Id()) + + if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, cognitoidentityprovider.ErrCodeResourceNotFoundException) { + names.LogNotFoundRemoveState(names.CognitoIDP, names.ErrActionReading, ResRiskConfiguration, d.Id()) + d.SetId("") + return nil + } + + userPoolId, clientId, err := RiskConfigurationParseID(d.Id()) + if err != nil { + return err + } + + d.Set("user_pool_id", userPoolId) + + if clientId != "" { + d.Set("client_id", clientId) + } + + if riskConfig.RiskExceptionConfiguration != nil { + if err := d.Set("risk_exception_configuration", flattenRiskExceptionConfiguration(riskConfig.RiskExceptionConfiguration)); err != nil 
{ + return fmt.Errorf("error setting risk_exception_configuration: %w", err) + } + } + + if err := d.Set("compromised_credentials_risk_configuration", flattenCompromisedCredentialsRiskConfiguration(riskConfig.CompromisedCredentialsRiskConfiguration)); err != nil { + return fmt.Errorf("error setting compromised_credentials_risk_configuration: %w", err) + } + + if err := d.Set("account_takeover_risk_configuration", flattenAccountTakeoverRiskConfiguration(riskConfig.AccountTakeoverRiskConfiguration)); err != nil { + return fmt.Errorf("error setting account_takeover_risk_configuration: %w", err) + } + + return nil +} + +func resourceRiskConfigurationDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*conns.AWSClient).CognitoIDPConn + + userPoolId, clientId, err := RiskConfigurationParseID(d.Id()) + if err != nil { + return err + } + + input := &cognitoidentityprovider.SetRiskConfigurationInput{ + UserPoolId: aws.String(userPoolId), + } + + if clientId != "" { + input.ClientId = aws.String(clientId) + } + + _, err = conn.SetRiskConfiguration(input) + + if err != nil { + return fmt.Errorf("error removing risk configuration: %w", err) + } + + return nil +} + +func expandRiskExceptionConfiguration(riskConfig []interface{}) *cognitoidentityprovider.RiskExceptionConfigurationType { + config := riskConfig[0].(map[string]interface{}) + + riskExceptionConfigurationType := &cognitoidentityprovider.RiskExceptionConfigurationType{} + + if v, ok := config["blocked_ip_range_list"].(*schema.Set); ok && v.Len() > 0 { + riskExceptionConfigurationType.BlockedIPRangeList = flex.ExpandStringSet(v) + } + + if v, ok := config["skipped_ip_range_list"].(*schema.Set); ok && v.Len() > 0 { + riskExceptionConfigurationType.SkippedIPRangeList = flex.ExpandStringSet(v) + } + + return riskExceptionConfigurationType +} + +func flattenRiskExceptionConfiguration(apiObject *cognitoidentityprovider.RiskExceptionConfigurationType) []interface{} { + if apiObject == nil { + return nil 
+ } + + tfMap := map[string]interface{}{} + + if v := apiObject.BlockedIPRangeList; v != nil { + tfMap["blocked_ip_range_list"] = flex.FlattenStringSet(v) + } + + if v := apiObject.SkippedIPRangeList; v != nil { + tfMap["skipped_ip_range_list"] = flex.FlattenStringSet(v) + } + + return []interface{}{tfMap} +} + +func expandCompromisedCredentialsRiskConfiguration(riskConfig []interface{}) *cognitoidentityprovider.CompromisedCredentialsRiskConfigurationType { + config := riskConfig[0].(map[string]interface{}) + + riskExceptionConfigurationType := &cognitoidentityprovider.CompromisedCredentialsRiskConfigurationType{} + + if v, ok := config["event_filter"].(*schema.Set); ok && v.Len() > 0 { + riskExceptionConfigurationType.EventFilter = flex.ExpandStringSet(v) + } + + if v, ok := config["actions"].([]interface{}); ok && len(v) > 0 { + riskExceptionConfigurationType.Actions = expandCompromisedCredentialsActions(v) + } + + return riskExceptionConfigurationType +} + +func flattenCompromisedCredentialsRiskConfiguration(apiObject *cognitoidentityprovider.CompromisedCredentialsRiskConfigurationType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.EventFilter; v != nil { + tfMap["event_filter"] = flex.FlattenStringSet(v) + } + + if v := apiObject.Actions; v != nil { + tfMap["actions"] = flattenCompromisedCredentialsActions(v) + } + + return []interface{}{tfMap} +} + +func expandCompromisedCredentialsActions(riskConfig []interface{}) *cognitoidentityprovider.CompromisedCredentialsActionsType { + config := riskConfig[0].(map[string]interface{}) + + compromisedCredentialsAction := &cognitoidentityprovider.CompromisedCredentialsActionsType{} + + if v, ok := config["event_action"].(string); ok && v != "" { + compromisedCredentialsAction.EventAction = aws.String(v) + } + + return compromisedCredentialsAction +} + +func flattenCompromisedCredentialsActions(apiObject 
*cognitoidentityprovider.CompromisedCredentialsActionsType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.EventAction; v != nil { + tfMap["event_action"] = aws.StringValue(v) + } + + return []interface{}{tfMap} +} + +func flattenAccountTakeoverRiskConfiguration(apiObject *cognitoidentityprovider.AccountTakeoverRiskConfigurationType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.Actions; v != nil { + tfMap["actions"] = flattenAccountTakeoverActions(v) + } + + if v := apiObject.NotifyConfiguration; v != nil { + tfMap["notify_configuration"] = flattenNotifyConfiguration(v) + } + + return []interface{}{tfMap} +} + +func flattenAccountTakeoverActions(apiObject *cognitoidentityprovider.AccountTakeoverActionsType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.HighAction; v != nil { + tfMap["high_action"] = flattenAccountTakeoverAction(v) + } + + if v := apiObject.LowAction; v != nil { + tfMap["low_action"] = flattenAccountTakeoverAction(v) + } + + if v := apiObject.MediumAction; v != nil { + tfMap["medium_action"] = flattenAccountTakeoverAction(v) + } + + return []interface{}{tfMap} +} + +func flattenAccountTakeoverAction(apiObject *cognitoidentityprovider.AccountTakeoverActionType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.EventAction; v != nil { + tfMap["event_action"] = aws.StringValue(v) + } + + if v := apiObject.Notify; v != nil { + tfMap["notify"] = aws.BoolValue(v) + } + + return []interface{}{tfMap} +} + +func flattenNotifyConfiguration(apiObject *cognitoidentityprovider.NotifyConfigurationType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.From; v != nil { + tfMap["from"] = aws.StringValue(v) + } + + if v := 
apiObject.ReplyTo; v != nil { + tfMap["reply_to"] = aws.StringValue(v) + } + + if v := apiObject.SourceArn; v != nil { + tfMap["source_arn"] = aws.StringValue(v) + } + + if v := apiObject.BlockEmail; v != nil { + tfMap["block_email"] = flattenNotifyEmail(v) + } + + if v := apiObject.MfaEmail; v != nil { + tfMap["mfa_email"] = flattenNotifyEmail(v) + } + + if v := apiObject.NoActionEmail; v != nil { + tfMap["no_action_email"] = flattenNotifyEmail(v) + } + + return []interface{}{tfMap} +} + +func flattenNotifyEmail(apiObject *cognitoidentityprovider.NotifyEmailType) []interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.HtmlBody; v != nil { + tfMap["html_body"] = aws.StringValue(v) + } + + if v := apiObject.Subject; v != nil { + tfMap["subject"] = aws.StringValue(v) + } + + if v := apiObject.TextBody; v != nil { + tfMap["text_body"] = aws.StringValue(v) + } + + return []interface{}{tfMap} +} + +func RiskConfigurationParseID(id string) (string, string, error) { + parts := strings.Split(id, ":") + + if len(parts) > 2 || len(parts) < 1 { + return "", "", fmt.Errorf("Wrong format of resource: %s. Please follow 'userpool-id/client-id' or 'userpool-id'", id) + } + + if len(parts) == 2 { + return parts[0], parts[1], nil + } else { + return parts[0], "", nil + + } +} diff --git a/internal/service/cognitoidp/risk_configuration_test.go b/internal/service/cognitoidp/risk_configuration_test.go new file mode 100644 index 000000000000..c64a5ebed9b4 --- /dev/null +++ b/internal/service/cognitoidp/risk_configuration_test.go 
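Review bot: `resourceRiskConfigurationPut` never populates `input.AccountTakeoverRiskConfiguration` — the schema declares `account_takeover_risk_configuration` and Read flattens it, but no expand helper exists and the block is silently dropped on every apply, so the block/MFA actions and notification settings a user configures against account takeover are never sent to Cognito while the apply reports success (the following Read, which sets the attribute from the API, then shows the block missing). In `resourceRiskConfigurationRead` the error from `FindRiskConfigurationById` is only inspected for the not-found case and is then overwritten by `RiskConfigurationParseID`, so any other failure (or a not-found on a new resource) leaves `riskConfig` nil and `riskConfig.RiskExceptionConfiguration` panics; that branch should also use `tfresource.NotFound(err)` since the finder returns `*resource.NotFoundError`, which needs the `tfresource` import adding to this file. `RiskConfigurationParseID` splits on `:` but its error text tells the user to use `userpool-id/client-id`, and `len(parts) < 1` can never be true for `strings.Split`, so an empty ID currently parses successfully as an empty pool ID. The missing expand helpers and the two guard lines are sketched below.
```go
func resourceRiskConfigurationPut(d *schema.ResourceData, meta interface{}) error {
	// … unchanged: conn, id, client_id, risk_exception / compromised_credentials handling …

	if v, ok := d.GetOk("account_takeover_risk_configuration"); ok && len(v.([]interface{})) > 0 {
		input.AccountTakeoverRiskConfiguration = expandAccountTakeoverRiskConfiguration(v.([]interface{}))
	}

	// … unchanged: SetRiskConfiguration call, SetId, Read …
}

func resourceRiskConfigurationRead(d *schema.ResourceData, meta interface{}) error {
	// … unchanged: conn, finder call, not-found branch …

	if err != nil {
		return fmt.Errorf("error reading Cognito Risk Configuration (%s): %w", d.Id(), err)
	}

	// … unchanged: parse ID and d.Set calls …
}

// expandAccountTakeoverRiskConfiguration mirrors flattenAccountTakeoverRiskConfiguration.
func expandAccountTakeoverRiskConfiguration(tfList []interface{}) *cognitoidentityprovider.AccountTakeoverRiskConfigurationType {
	tfMap := tfList[0].(map[string]interface{})
	apiObject := &cognitoidentityprovider.AccountTakeoverRiskConfigurationType{}

	if v, ok := tfMap["actions"].([]interface{}); ok && len(v) > 0 {
		apiObject.Actions = expandAccountTakeoverActions(v)
	}

	if v, ok := tfMap["notify_configuration"].([]interface{}); ok && len(v) > 0 {
		apiObject.NotifyConfiguration = expandNotifyConfiguration(v)
	}

	return apiObject
}

func expandAccountTakeoverActions(tfList []interface{}) *cognitoidentityprovider.AccountTakeoverActionsType {
	tfMap := tfList[0].(map[string]interface{})
	apiObject := &cognitoidentityprovider.AccountTakeoverActionsType{}

	if v, ok := tfMap["high_action"].([]interface{}); ok && len(v) > 0 {
		apiObject.HighAction = expandAccountTakeoverAction(v)
	}
	if v, ok := tfMap["low_action"].([]interface{}); ok && len(v) > 0 {
		apiObject.LowAction = expandAccountTakeoverAction(v)
	}
	if v, ok := tfMap["medium_action"].([]interface{}); ok && len(v) > 0 {
		apiObject.MediumAction = expandAccountTakeoverAction(v)
	}

	return apiObject
}

func expandAccountTakeoverAction(tfList []interface{}) *cognitoidentityprovider.AccountTakeoverActionType {
	tfMap := tfList[0].(map[string]interface{})
	apiObject := &cognitoidentityprovider.AccountTakeoverActionType{}

	if v, ok := tfMap["event_action"].(string); ok && v != "" {
		apiObject.EventAction = aws.String(v)
	}
	// notify is Required in the schema, so a false value must still be sent.
	if v, ok := tfMap["notify"].(bool); ok {
		apiObject.Notify = aws.Bool(v)
	}

	return apiObject
}

func expandNotifyConfiguration(tfList []interface{}) *cognitoidentityprovider.NotifyConfigurationType {
	tfMap := tfList[0].(map[string]interface{})
	apiObject := &cognitoidentityprovider.NotifyConfigurationType{}

	if v, ok := tfMap["from"].(string); ok && v != "" {
		apiObject.From = aws.String(v)
	}
	if v, ok := tfMap["reply_to"].(string); ok && v != "" {
		apiObject.ReplyTo = aws.String(v)
	}
	if v, ok := tfMap["source_arn"].(string); ok && v != "" {
		apiObject.SourceArn = aws.String(v)
	}
	if v, ok := tfMap["block_email"].([]interface{}); ok && len(v) > 0 {
		apiObject.BlockEmail = expandNotifyEmail(v)
	}
	if v, ok := tfMap["mfa_email"].([]interface{}); ok && len(v) > 0 {
		apiObject.MfaEmail = expandNotifyEmail(v)
	}
	if v, ok := tfMap["no_action_email"].([]interface{}); ok && len(v) > 0 {
		apiObject.NoActionEmail = expandNotifyEmail(v)
	}

	return apiObject
}

func expandNotifyEmail(tfList []interface{}) *cognitoidentityprovider.NotifyEmailType {
	tfMap := tfList[0].(map[string]interface{})
	apiObject := &cognitoidentityprovider.NotifyEmailType{}

	if v, ok := tfMap["html_body"].(string); ok && v != "" {
		apiObject.HtmlBody = aws.String(v)
	}
	if v, ok := tfMap["subject"].(string); ok && v != "" {
		apiObject.Subject = aws.String(v)
	}
	if v, ok := tfMap["text_body"].(string); ok && v != "" {
		apiObject.TextBody = aws.String(v)
	}

	return apiObject
}
```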
@@ -0,0 +1,271 @@ +package cognitoidp_test + +import ( + "errors" + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/service/cognitoidentityprovider" + sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/hashicorp/terraform-provider-aws/internal/acctest" + "github.com/hashicorp/terraform-provider-aws/internal/conns" + tfcognitoidp "github.com/hashicorp/terraform-provider-aws/internal/service/cognitoidp" + "github.com/hashicorp/terraform-provider-aws/internal/tfresource" +) + +func TestAccCognitoIDPRiskConfiguration_exception(t *testing.T) { + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_cognito_risk_configuration.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); testAccPreCheckIdentityProvider(t) }, + ErrorCheck: acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID), + ProviderFactories: acctest.ProviderFactories, + CheckDestroy: testAccCheckRiskConfigurationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRiskConfigurationConfigRiskException(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckRiskConfigurationExists(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.#", "1"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.#", "1"), + resource.TestCheckTypeSetElemAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.*", "10.10.10.10/32"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.skipped_ip_range_list.#", "0"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.#", "0"), + 
resource.TestCheckResourceAttr(resourceName, "account_takeover_risk_configuration.#", "0"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccRiskConfigurationConfigRiskExceptionUpdated(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckRiskConfigurationExists(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.#", "1"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.#", "2"), + resource.TestCheckTypeSetElemAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.*", "10.10.10.10/32"), + resource.TestCheckTypeSetElemAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.*", "10.10.10.11/32"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.skipped_ip_range_list.#", "1"), + resource.TestCheckTypeSetElemAttr(resourceName, "risk_exception_configuration.0.skipped_ip_range_list.*", "10.10.10.12/32"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "account_takeover_risk_configuration.#", "0"), + ), + }, + }, + }) +} + +func TestAccCognitoIDPRiskConfiguration_client(t *testing.T) { + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_cognito_risk_configuration.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); testAccPreCheckIdentityProvider(t) }, + ErrorCheck: acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID), + ProviderFactories: acctest.ProviderFactories, + CheckDestroy: testAccCheckRiskConfigurationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRiskConfigurationConfigRiskExceptionClient(rName), + Check: 
resource.ComposeAggregateTestCheckFunc( + testAccCheckRiskConfigurationExists(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), + resource.TestCheckResourceAttrPair(resourceName, "client_id", "aws_cognito_user_pool_client.test", "id"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.#", "1"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.#", "1"), + resource.TestCheckTypeSetElemAttr(resourceName, "risk_exception_configuration.0.blocked_ip_range_list.*", "10.10.10.10/32"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.0.skipped_ip_range_list.#", "0"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "account_takeover_risk_configuration.#", "0"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccCognitoIDPRiskConfiguration_compromised(t *testing.T) { + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_cognito_risk_configuration.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); testAccPreCheckIdentityProvider(t) }, + ErrorCheck: acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID), + ProviderFactories: acctest.ProviderFactories, + CheckDestroy: testAccCheckRiskConfigurationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRiskConfigurationConfigCompromised(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckRiskConfigurationExists(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), + resource.TestCheckResourceAttr(resourceName, "risk_exception_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, 
"compromised_credentials_risk_configuration.#", "1"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.0.event_filter.#", "1"), + resource.TestCheckTypeSetElemAttr(resourceName, "compromised_credentials_risk_configuration.0.event_filter.*", "SIGN_IN"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.0.actions.#", "1"), + resource.TestCheckResourceAttr(resourceName, "compromised_credentials_risk_configuration.0.actions.0.event_action", "BLOCK"), + resource.TestCheckResourceAttr(resourceName, "account_takeover_risk_configuration.#", "0"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccCognitoIDPRiskConfiguration_disappears_userPool(t *testing.T) { + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_cognito_risk_configuration.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); testAccPreCheckIdentityProvider(t) }, + ErrorCheck: acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID), + ProviderFactories: acctest.ProviderFactories, + CheckDestroy: testAccCheckRiskConfigurationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccRiskConfigurationConfigRiskException(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckRiskConfigurationExists(resourceName), + acctest.CheckResourceDisappears(acctest.Provider, tfcognitoidp.ResourceUserPool(), "aws_cognito_user_pool.test"), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func testAccCheckRiskConfigurationDestroy(s *terraform.State) error { + conn := acctest.Provider.Meta().(*conns.AWSClient).CognitoIDPConn + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_cognito_risk_configuration" { + continue + } + + _, err := tfcognitoidp.FindRiskConfigurationById(conn, rs.Primary.ID) + + if tfresource.NotFound(err) { + continue + } + + if err != 
nil { + return err + } + } + + return nil +} + +func testAccCheckRiskConfigurationExists(name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[name] + if !ok { + return fmt.Errorf("Not found: %s", name) + } + + if rs.Primary.ID == "" { + return errors.New("No Cognito Risk Configuration ID set") + } + + conn := acctest.Provider.Meta().(*conns.AWSClient).CognitoIDPConn + + _, err := tfcognitoidp.FindRiskConfigurationById(conn, rs.Primary.ID) + + if err != nil { + return err + } + + return nil + } +} + +func testAccRiskConfigurationConfigRiskException(rName string) string { + return fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + +resource "aws_cognito_risk_configuration" "test" { + user_pool_id = aws_cognito_user_pool.test.id + + risk_exception_configuration { + blocked_ip_range_list = ["10.10.10.10/32"] + } +} +`, rName) +} + +func testAccRiskConfigurationConfigRiskExceptionUpdated(rName string) string { + return fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + +resource "aws_cognito_risk_configuration" "test" { + user_pool_id = aws_cognito_user_pool.test.id + + risk_exception_configuration { + blocked_ip_range_list = ["10.10.10.10/32", "10.10.10.11/32"] + skipped_ip_range_list = ["10.10.10.12/32"] + } +} +`, rName) +} + +func testAccRiskConfigurationConfigCompromised(rName string) string { + return fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + +resource "aws_cognito_risk_configuration" "test" { + user_pool_id = aws_cognito_user_pool.test.id + + compromised_credentials_risk_configuration { + event_filter = ["SIGN_IN"] + actions { + event_action = "BLOCK" + } + } +} +`, rName) +} + +func testAccRiskConfigurationConfigRiskExceptionClient(rName string) string { + return fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + +resource "aws_cognito_user_pool_client" "test" { + name = %[1]q + 
user_pool_id = aws_cognito_user_pool.test.id + explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"] +} + +resource "aws_cognito_risk_configuration" "test" { + user_pool_id = aws_cognito_user_pool.test.id + client_id = aws_cognito_user_pool_client.test.id + + risk_exception_configuration { + blocked_ip_range_list = ["10.10.10.10/32"] + } +} +`, rName) +} From 32edfc5d36edaa104b6d9137a952dbe6345d8d35 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sat, 11 Jun 2022 18:07:46 +0300 Subject: [PATCH 02/10] docs + fmt --- .../cognitoidp/risk_configuration_test.go | 6 +- .../r/cognito_risk_configuration.markdown | 92 +++++++++++++++++++ 2 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 website/docs/r/cognito_risk_configuration.markdown diff --git a/internal/service/cognitoidp/risk_configuration_test.go b/internal/service/cognitoidp/risk_configuration_test.go index c64a5ebed9b4..f7822093dafb 100644 --- a/internal/service/cognitoidp/risk_configuration_test.go +++ b/internal/service/cognitoidp/risk_configuration_test.go @@ -239,9 +239,9 @@ resource "aws_cognito_risk_configuration" "test" { compromised_credentials_risk_configuration { event_filter = ["SIGN_IN"] - actions { - event_action = "BLOCK" - } + actions { + event_action = "BLOCK" + } } } `, rName) diff --git a/website/docs/r/cognito_risk_configuration.markdown b/website/docs/r/cognito_risk_configuration.markdown new file mode 100644 index 000000000000..aff454c3cb7d --- /dev/null +++ b/website/docs/r/cognito_risk_configuration.markdown 
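Review bot: None of the acceptance configurations in this file sets `account_takeover_risk_configuration`, so the attribute that carries the block/MFA actions and notification templates is only ever asserted to be absent (`account_takeover_risk_configuration.#` = `0`) and a Put that drops the block would pass every step here; a step with `notify_configuration` and `actions` blocks followed by an `ImportStateVerify` step would exercise the full schema. `RiskConfigurationParseID` is exported and needs no AWS call, so a plain unit test would pin its ID format — for example one asserting that `"pool:client"` yields `("pool", "client")`, that `"pool"` yields an empty client ID, and that `"a:b:c"` is rejected. `testAccCheckRiskConfigurationDestroy` is presumably satisfied only because the user pool itself is gone by then; since Delete resets the configuration with an empty `SetRiskConfiguration` call, it likely does not verify that a pool that still exists has had its configuration cleared — worth a comment on the check, or a dedicated step, so the limitation is explicit.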
@@ -0,0 +1,92 @@ +--- +subcategory: "Cognito IDP (Identity Provider)" +layout: "aws" +page_title: "AWS: aws_cognito_risk_configuration" +description: |- + Provides a Cognito Risk Configuration resource. +--- + +# Resource: aws_cognito_risk_configuration + +Provides a Cognito Risk Configuration resource. + +## Example Usage + +```terraform +resource "aws_cognito_risk_configuration" "example" { + user_pool_id = aws_cognito_user_pool.example.id + + risk_exception_configuration { + blocked_ip_range_list = ["10.10.10.10/32"] + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `user_pool_id` - (Required) The user pool ID. +* `client_id` - (Optional) The app client ID. When the client ID is not provided, the same risk configuration is applied to all the clients in the User Pool. +* `account_takeover_risk_configuration` - (Optional) The account takeover risk configuration. See details below. +* `compromised_credentials_risk_configuration` - (Optional) The compromised credentials risk configuration. See details below. +* `risk_exception_configuration` - (Optional) The configuration to override the risk decision. See details below. + +### account_takeover_risk_configuration + +* `notify_configuration` - (Required) The notify configuration used to construct email notifications. See details below. +* `actions` - (Required) Account takeover risk configuration actions. See details below. + +#### notify_configuration + +* `block_email` - (Optional) Email template used when a detected risk event is blocked. See notify email type below. +* `mfa_email` - (Optional) The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk. See notify email type below. +* `no_action_email` - (Optional) The email template used when a detected risk event is allowed. See notify email type below. +* `from` - (Optional) The email address that is sending the email. 
The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES. +* `reply_to` - (Optional) The destination to which the receiver of an email should reply to. +* `source_arn` - (Required) The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the From parameter. + +##### notify email type + +* `html_body` - (Required) The email HTML body. +* `block_email` - (Required) The email subject. +* `block_email` - (Required) The email text body. + +#### actions + +* `high_action` - (Optional) Action to take for a high risk. See action block below. +* `low_action` - (Optional) Action to take for a low risk. See action block below. +* `medium_action` - (Optional) Action to take for a medium risk. See action block below. + +##### action + +* `event_action` - (Required) The action to take in response to the account takeover action. Valid values are `BLOCK`, `MFA_IF_CONFIGURED`, `MFA_REQUIRED` and `NO_ACTION`. +* `notify` - (Required) Whether to send a notification. + +### compromised_credentials_risk_configuration + +* `event_filter` - (Optional) Perform the action for these events. The default is to perform all events if no event filter is specified. Valid values are `SIGN_IN`, `PASSWORD_CHANGE`, and `SIGN_UP`. +* `actions` - (Required) The compromised credentials risk configuration actions. See details below. + +#### actions + +* `event_action` - (Optional) The event action. Valid values are `BLOCK` or `NO_ACTION`. + +### risk_exception_configuration + +* `blocked_ip_range_list` - (Optional) Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix. +* `skipped_ip_range_list` - (Optional) Risk detection isn't performed on the IP addresses in this range list. 
The IP range is in CIDR notation. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The AWS account ID for the user pool owner. + +## Import + +Cognito Risk Configurations can be imported using the `id`, e.g., + +``` +$ terraform import aws_cognito_risk_configuration.main example +``` From ab7a8b358df1adaaf1cd71b27cde1df40067a124 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sat, 11 Jun 2022 20:48:41 +0300 Subject: [PATCH 03/10] fmt --- internal/service/cognitoidp/risk_configuration_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/cognitoidp/risk_configuration_test.go b/internal/service/cognitoidp/risk_configuration_test.go index f7822093dafb..3870b21bc17f 100644 --- a/internal/service/cognitoidp/risk_configuration_test.go +++ b/internal/service/cognitoidp/risk_configuration_test.go @@ -222,7 +222,7 @@ resource "aws_cognito_risk_configuration" "test" { risk_exception_configuration { blocked_ip_range_list = ["10.10.10.10/32", "10.10.10.11/32"] - skipped_ip_range_list = ["10.10.10.12/32"] + skipped_ip_range_list = ["10.10.10.12/32"] } } `, rName) @@ -240,7 +240,7 @@ resource "aws_cognito_risk_configuration" "test" { compromised_credentials_risk_configuration { event_filter = ["SIGN_IN"] actions { - event_action = "BLOCK" + event_action = "BLOCK" } } } From 62178afdd1c651aaf8dd0a1597187e36d58c03eb Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sat, 11 Jun 2022 20:48:54 +0300 Subject: [PATCH 04/10] accounttakeover config --- .../service/cognitoidp/risk_configuration.go | 108 ++++++++++++++++++ 1 file changed, 108 insertions(+) diff --git a/internal/service/cognitoidp/risk_configuration.go b/internal/service/cognitoidp/risk_configuration.go index f6200f45787f..37dd28adda0b 100644 --- a/internal/service/cognitoidp/risk_configuration.go +++ b/internal/service/cognitoidp/risk_configuration.go 
@@ -291,6 +291,10 @@ func resourceRiskConfigurationPut(d *schema.ResourceData, meta interface{}) erro input.CompromisedCredentialsRiskConfiguration = expandCompromisedCredentialsRiskConfiguration(v.([]interface{})) } + if v, ok := d.GetOk("account_takeover_risk_configuration"); ok && len(v.([]interface{})) > 0 { + input.AccountTakeoverRiskConfiguration = expandAccountTakeoverRiskConfiguration(v.([]interface{})) + } + _, err := conn.SetRiskConfiguration(input) if err != nil { @@ -460,6 +464,22 @@ func flattenCompromisedCredentialsActions(apiObject *cognitoidentityprovider.Com return []interface{}{tfMap} } +func expandAccountTakeoverRiskConfiguration(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverRiskConfigurationType { + config := riskConfig[0].(map[string]interface{}) + + accountTakeoverRiskConfiguration := &cognitoidentityprovider.AccountTakeoverRiskConfigurationType{} + + if v, ok := config["notify_configuration"].([]interface{}); ok && len(v) > 0 { + accountTakeoverRiskConfiguration.NotifyConfiguration = expandNotifyConfiguration(v) + } + + if v, ok := config["actions"].([]interface{}); ok && len(v) > 0 { + accountTakeoverRiskConfiguration.Actions = expandAccountTakeoverActions(v) + } + + return accountTakeoverRiskConfiguration +} + func flattenAccountTakeoverRiskConfiguration(apiObject *cognitoidentityprovider.AccountTakeoverRiskConfigurationType) []interface{} { if apiObject == nil { return nil 
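Review bot: `config := riskConfig[0].(map[string]interface{})` in expandAccountTakeoverRiskConfiguration is an unchecked type assertion, so a first element that is not a map (which the SDK can hand over for an empty `account_takeover_risk_configuration {}` block) panics the provider instead of being handled; the caller only checks `len(v.([]interface{})) > 0`, which does not rule that out. The same unchecked assertion is repeated in expandAccountTakeoverActions, expandAccountTakeoverAction, expandNotifyConfiguration and expandNotifyEmail in the following hunks. The provider's usual shape is a checked assertion with an early return, `tfMap, ok := riskConfig[0].(map[string]interface{})` followed by `if !ok { return nil }`, and the enclosing Put function then omits the field as it already does when the block is absent. The flatten function whose header closes this hunk continues outside it.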
@@ -478,6 +498,26 @@ func flattenAccountTakeoverRiskConfiguration(apiObject *cognitoidentityprovider. return []interface{}{tfMap} } +func expandAccountTakeoverActions(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverActionsType { + config := riskConfig[0].(map[string]interface{}) + + actions := &cognitoidentityprovider.AccountTakeoverActionsType{} + + if v, ok := config["high_action"].([]interface{}); ok && len(v) > 0 { + actions.HighAction = expandAccountTakeoverAction(v) + } + + if v, ok := config["low_action"].([]interface{}); ok && len(v) > 0 { + actions.LowAction = expandAccountTakeoverAction(v) + } + + if v, ok := config["medium_action"].([]interface{}); ok && len(v) > 0 { + actions.MediumAction = expandAccountTakeoverAction(v) + } + + return actions +} + func flattenAccountTakeoverActions(apiObject *cognitoidentityprovider.AccountTakeoverActionsType) []interface{} { if apiObject == nil { return nil @@ -500,6 +540,22 @@ func flattenAccountTakeoverActions(apiObject *cognitoidentityprovider.AccountTak return []interface{}{tfMap} } +func expandAccountTakeoverAction(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverActionType { + config := riskConfig[0].(map[string]interface{}) + + action := &cognitoidentityprovider.AccountTakeoverActionType{} + + if v, ok := config["event_action"].(string); ok && v != "" { + action.EventAction = aws.String(v) + } + + if v, ok := config["notify"].(bool); ok { + action.Notify = aws.Bool(v) + } + + return action +} + func flattenAccountTakeoverAction(apiObject *cognitoidentityprovider.AccountTakeoverActionType) []interface{} { if apiObject == nil { return nil 
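Review bot: The parameter of expandAccountTakeoverActions is named `riskConfig` although it holds the one-element list of an `actions` block, and expandAccountTakeoverAction in the next hunk reuses the same name for an individual action block; expandNotifyConfiguration and expandNotifyEmail in the hunks after it repeat the misnomer. A neutral name such as `tfList`, as the provider's other expanders use for single-element block lists, would read correctly in all five functions, e.g. `func expandAccountTakeoverActions(tfList []interface{}) *cognitoidentityprovider.AccountTakeoverActionsType {`. A one-line comment on each expander stating that it converts the single-element list value of the corresponding schema block into the API type would also help readers who land here from resourceRiskConfigurationPut.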
@@ -518,6 +574,38 @@ func flattenAccountTakeoverAction(apiObject *cognitoidentityprovider.AccountTake return []interface{}{tfMap} } +func expandNotifyConfiguration(riskConfig []interface{}) *cognitoidentityprovider.NotifyConfigurationType { + config := riskConfig[0].(map[string]interface{}) + + notifConfig := &cognitoidentityprovider.NotifyConfigurationType{} + + if v, ok := config["from"].(string); ok && v != "" { + notifConfig.From = aws.String(v) + } + + if v, ok := config["reply_to"].(string); ok && v != "" { + notifConfig.ReplyTo = aws.String(v) + } + + if v, ok := config["source_arn"].(string); ok && v != "" { + notifConfig.SourceArn = aws.String(v) + } + + if v, ok := config["block_email"].([]interface{}); ok && len(v) > 0 { + notifConfig.BlockEmail = expandNotifyEmail(v) + } + + if v, ok := config["mfa_email"].([]interface{}); ok && len(v) > 0 { + notifConfig.MfaEmail = expandNotifyEmail(v) + } + + if v, ok := config["no_action_email"].([]interface{}); ok && len(v) > 0 { + notifConfig.NoActionEmail = expandNotifyEmail(v) + } + + return notifConfig +} + func flattenNotifyConfiguration(apiObject *cognitoidentityprovider.NotifyConfigurationType) []interface{} { if apiObject == nil { return nil 
@@ -552,6 +640,26 @@ func flattenNotifyConfiguration(apiObject *cognitoidentityprovider.NotifyConfigu return []interface{}{tfMap} } +func expandNotifyEmail(riskConfig []interface{}) *cognitoidentityprovider.NotifyEmailType { + config := riskConfig[0].(map[string]interface{}) + + notifyEmail := &cognitoidentityprovider.NotifyEmailType{} + + if v, ok := config["html_body"].(string); ok && v != "" { + notifyEmail.HtmlBody = aws.String(v) + } + + if v, ok := config["subject"].(string); ok && v != "" { + notifyEmail.Subject = aws.String(v) + } + + if v, ok := config["text_body"].(string); ok && v != "" { + notifyEmail.TextBody = aws.String(v) + } + + return notifyEmail +} + func flattenNotifyEmail(apiObject *cognitoidentityprovider.NotifyEmailType) []interface{} { if apiObject == nil { return nil From 1ade2ed7649f129bbe8bd39e8dbc33d03a628da3 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sat, 11 Jun 2022 20:50:53 +0300 Subject: [PATCH 05/10] docs --- ...guration.markdown => cognito_risk_configuration.html.markdown} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename website/docs/r/{cognito_risk_configuration.markdown => cognito_risk_configuration.html.markdown} (100%) diff --git a/website/docs/r/cognito_risk_configuration.markdown b/website/docs/r/cognito_risk_configuration.html.markdown similarity index 100% rename from website/docs/r/cognito_risk_configuration.markdown rename to website/docs/r/cognito_risk_configuration.html.markdown From 8423e1bee6354892a627e0ba092ec7b4abe0cfa0 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sat, 11 Jun 2022 21:07:02 +0300 Subject: [PATCH 06/10] docs --- names/names_data.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/names/names_data.csv b/names/names_data.csv index 0a4d683f8407..9057d4152683 100644 --- a/names/names_data.csv +++ b/names/names_data.csv 
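Review bot: expandNotifyEmail reads the keys `subject` and `text_body`, but the resource documentation added earlier in this series (patch 02, section "notify email type") lists both of those arguments under the name `block_email`, so a user following the docs has no way to discover the real argument names and the email templates used for block/MFA/no-action notifications end up without a subject or text body. The two doc entries should read `* \`subject\` - (Required) The email subject.` and `* \`text_body\` - (Required) The email text body.`, matching the keys this expander consumes. Beyond that, the function follows the same pattern as the other expanders in this commit and needs no code change of its own.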
@@ -78,7 +78,7 @@ codestar,codestar,codestar,codestar,,codestar,,,CodeStar,CodeStar,,1,,aws_codest codestar-connections,codestarconnections,codestarconnections,codestarconnections,,codestarconnections,,,CodeStarConnections,CodeStarConnections,,1,,aws_codestarconnections_,,codestarconnections_,CodeStar Connections,AWS,,,,, codestar-notifications,codestarnotifications,codestarnotifications,codestarnotifications,,codestarnotifications,,,CodeStarNotifications,CodeStarNotifications,,1,,aws_codestarnotifications_,,codestarnotifications_,CodeStar Notifications,AWS,,,,, cognito-identity,cognitoidentity,cognitoidentity,cognitoidentity,,cognitoidentity,,,CognitoIdentity,CognitoIdentity,,1,aws_cognito_identity_(?!provider),aws_cognitoidentity_,,cognito_identity_pool,Cognito Identity,Amazon,,,,, -cognito-idp,cognitoidp,cognitoidentityprovider,cognitoidentityprovider,,cognitoidp,,cognitoidentityprovider,CognitoIDP,CognitoIdentityProvider,,1,aws_cognito_(identity_provider|resource|user),aws_cognitoidp_,,cognito_identity_provider;cognito_resource_;cognito_user,Cognito IDP (Identity Provider),Amazon,,,,, +cognito-idp,cognitoidp,cognitoidentityprovider,cognitoidentityprovider,,cognitoidp,,cognitoidentityprovider,CognitoIDP,CognitoIdentityProvider,,1,aws_cognito_(identity_provider|resource|user|risk),aws_cognitoidp_,,cognito_identity_provider;cognito_resource_;cognito_user,Cognito IDP (Identity Provider),Amazon,,,,, cognito-sync,cognitosync,cognitosync,cognitosync,,cognitosync,,,CognitoSync,CognitoSync,,1,,aws_cognitosync_,,cognitosync_,Cognito Sync,Amazon,,,,, comprehend,comprehend,comprehend,comprehend,,comprehend,,,Comprehend,Comprehend,,1,,aws_comprehend_,,comprehend_,Comprehend,Amazon,,,,, comprehendmedical,comprehendmedical,comprehendmedical,comprehendmedical,,comprehendmedical,,,ComprehendMedical,ComprehendMedical,,1,,aws_comprehendmedical_,,comprehendmedical_,Comprehend Medical,Amazon,,,,, From 104ca3ee4eac88006cc85e994049ddfd71ccb360 Mon Sep 17 00:00:00 2001 
From: drfaust92 Date: Sun, 12 Jun 2022 10:43:29 +0300 Subject: [PATCH 07/10] docs --- website/docs/r/cognito_risk_configuration.html.markdown | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/website/docs/r/cognito_risk_configuration.html.markdown b/website/docs/r/cognito_risk_configuration.html.markdown index aff454c3cb7d..82ba6bd77fd3 100644 --- a/website/docs/r/cognito_risk_configuration.html.markdown +++ b/website/docs/r/cognito_risk_configuration.html.markdown @@ -81,7 +81,7 @@ The following arguments are supported: In addition to all arguments above, the following attributes are exported: -* `id` - The AWS account ID for the user pool owner. +* `id` - The user pool ID. or The user pool ID and Client Id separated by a `:` if the configuration is client specific. ## Import @@ -90,3 +90,7 @@ Cognito Risk Configurations can be imported using the `id`, e.g., ``` $ terraform import aws_cognito_risk_configuration.main example ``` + +``` +$ terraform import aws_cognito_risk_configuration.main example:example +``` From 977758ae07d26a2234ce637294a60626ebdc8883 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Sun, 12 Jun 2022 16:28:39 +0300 Subject: [PATCH 08/10] names --- .github/labeler-issue-triage.yml | 2 +- .github/labeler-pr-triage.yml | 1 + names/names_data.csv | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/labeler-issue-triage.yml b/.github/labeler-issue-triage.yml index 72ebbdf771fe..18f38c7c4d4e 100644 --- a/.github/labeler-issue-triage.yml +++ b/.github/labeler-issue-triage.yml @@ -142,7 +142,7 @@ service/codestarnotifications: service/cognitoidentity: - '((\*|-)\s*`?|(data|resource)\s+"?)aws_cognito_identity_(?!provider)' service/cognitoidp: - - '((\*|-)\s*`?|(data|resource)\s+"?)aws_cognito_(identity_provider|resource|user)' + - '((\*|-)\s*`?|(data|resource)\s+"?)aws_cognito_(identity_provider|resource|user|risk)' service/cognitosync: - '((\*|-)\s*`?|(data|resource)\s+"?)aws_cognitosync_' service/comprehend: 
diff --git a/.github/labeler-pr-triage.yml b/.github/labeler-pr-triage.yml index d9ed49f13727..643a873c82e3 100644 --- a/.github/labeler-pr-triage.yml +++ b/.github/labeler-pr-triage.yml @@ -249,6 +249,7 @@ service/cognitoidp: - 'website/**/cognito_identity_provider*' - 'website/**/cognito_resource_*' - 'website/**/cognito_user*' + - 'website/**/cognito_risk*' service/cognitosync: - 'internal/service/cognitosync/**/*' - 'website/**/cognitosync_*' diff --git a/names/names_data.csv b/names/names_data.csv index 9057d4152683..7b939310dc07 100644 --- a/names/names_data.csv +++ b/names/names_data.csv 
@@ -78,7 +78,7 @@ codestar,codestar,codestar,codestar,,codestar,,,CodeStar,CodeStar,,1,,aws_codest codestar-connections,codestarconnections,codestarconnections,codestarconnections,,codestarconnections,,,CodeStarConnections,CodeStarConnections,,1,,aws_codestarconnections_,,codestarconnections_,CodeStar Connections,AWS,,,,, codestar-notifications,codestarnotifications,codestarnotifications,codestarnotifications,,codestarnotifications,,,CodeStarNotifications,CodeStarNotifications,,1,,aws_codestarnotifications_,,codestarnotifications_,CodeStar Notifications,AWS,,,,, cognito-identity,cognitoidentity,cognitoidentity,cognitoidentity,,cognitoidentity,,,CognitoIdentity,CognitoIdentity,,1,aws_cognito_identity_(?!provider),aws_cognitoidentity_,,cognito_identity_pool,Cognito Identity,Amazon,,,,, -cognito-idp,cognitoidp,cognitoidentityprovider,cognitoidentityprovider,,cognitoidp,,cognitoidentityprovider,CognitoIDP,CognitoIdentityProvider,,1,aws_cognito_(identity_provider|resource|user|risk),aws_cognitoidp_,,cognito_identity_provider;cognito_resource_;cognito_user,Cognito IDP (Identity Provider),Amazon,,,,, +cognito-idp,cognitoidp,cognitoidentityprovider,cognitoidentityprovider,,cognitoidp,,cognitoidentityprovider,CognitoIDP,CognitoIdentityProvider,,1,aws_cognito_(identity_provider|resource|user|risk),aws_cognitoidp_,,cognito_identity_provider;cognito_resource_;cognito_user;cognito_risk,Cognito IDP (Identity Provider),Amazon,,,,, cognito-sync,cognitosync,cognitosync,cognitosync,,cognitosync,,,CognitoSync,CognitoSync,,1,,aws_cognitosync_,,cognitosync_,Cognito Sync,Amazon,,,,, comprehend,comprehend,comprehend,comprehend,,comprehend,,,Comprehend,Comprehend,,1,,aws_comprehend_,,comprehend_,Comprehend,Amazon,,,,, comprehendmedical,comprehendmedical,comprehendmedical,comprehendmedical,,comprehendmedical,,,ComprehendMedical,ComprehendMedical,,1,,aws_comprehendmedical_,,comprehendmedical_,Comprehend Medical,Amazon,,,,, 
From f33943c54d38dd84bdd8a66dc15c419e31f9338b Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Wed, 22 Jun 2022 23:56:26 +0300 Subject: [PATCH 09/10] semgrep --- .../cognitoidp/risk_configuration_test.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/service/cognitoidp/risk_configuration_test.go b/internal/service/cognitoidp/risk_configuration_test.go index 3870b21bc17f..66b8cee18b53 100644 --- a/internal/service/cognitoidp/risk_configuration_test.go +++ b/internal/service/cognitoidp/risk_configuration_test.go @@ -26,7 +26,7 @@ func TestAccCognitoIDPRiskConfiguration_exception(t *testing.T) { CheckDestroy: testAccCheckRiskConfigurationDestroy, Steps: []resource.TestStep{ { - Config: testAccRiskConfigurationConfigRiskException(rName), + Config: testAccRiskConfigurationConfig_riskException(rName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckRiskConfigurationExists(resourceName), resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), @@ -44,7 +44,7 @@ func TestAccCognitoIDPRiskConfiguration_exception(t *testing.T) { ImportStateVerify: true, }, { - Config: testAccRiskConfigurationConfigRiskExceptionUpdated(rName), + Config: testAccRiskConfigurationConfig_riskExceptionUpdated(rName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckRiskConfigurationExists(resourceName), resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), 
@@ -73,7 +73,7 @@ func TestAccCognitoIDPRiskConfiguration_client(t *testing.T) { CheckDestroy: testAccCheckRiskConfigurationDestroy, Steps: []resource.TestStep{ { - Config: testAccRiskConfigurationConfigRiskExceptionClient(rName), + Config: testAccRiskConfigurationConfig_riskExceptionClient(rName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckRiskConfigurationExists(resourceName), resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), @@ -106,7 +106,7 @@ func TestAccCognitoIDPRiskConfiguration_compromised(t *testing.T) { CheckDestroy: testAccCheckRiskConfigurationDestroy, Steps: []resource.TestStep{ { - Config: testAccRiskConfigurationConfigCompromised(rName), + Config: testAccRiskConfigurationConfig_compromised(rName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckRiskConfigurationExists(resourceName), resource.TestCheckResourceAttrPair(resourceName, "user_pool_id", "aws_cognito_user_pool.test", "id"), @@ -139,7 +139,7 @@ func TestAccCognitoIDPRiskConfiguration_disappears_userPool(t *testing.T) { CheckDestroy: testAccCheckRiskConfigurationDestroy, Steps: []resource.TestStep{ { - Config: testAccRiskConfigurationConfigRiskException(rName), + Config: testAccRiskConfigurationConfig_riskException(rName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckRiskConfigurationExists(resourceName), acctest.CheckResourceDisappears(acctest.Provider, tfcognitoidp.ResourceUserPool(), "aws_cognito_user_pool.test"), @@ -195,7 +195,7 @@ func testAccCheckRiskConfigurationExists(name string) resource.TestCheckFunc { } } -func testAccRiskConfigurationConfigRiskException(rName string) string { +func testAccRiskConfigurationConfig_riskException(rName string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { name = %[1]q 
@@ -211,7 +211,7 @@ resource "aws_cognito_risk_configuration" "test" { `, rName) } -func testAccRiskConfigurationConfigRiskExceptionUpdated(rName string) string { +func testAccRiskConfigurationConfig_riskExceptionUpdated(rName string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { name = %[1]q @@ -228,7 +228,7 @@ resource "aws_cognito_risk_configuration" "test" { `, rName) } -func testAccRiskConfigurationConfigCompromised(rName string) string { +func testAccRiskConfigurationConfig_compromised(rName string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { name = %[1]q @@ -247,7 +247,7 @@ resource "aws_cognito_risk_configuration" "test" { `, rName) } -func testAccRiskConfigurationConfigRiskExceptionClient(rName string) string { +func testAccRiskConfigurationConfig_riskExceptionClient(rName string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { name = %[1]q From 58f40ad14ead253b3c7a896dbf523f31217cbd28 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 23 Jun 2022 07:52:05 -0400 Subject: [PATCH 10/10] Add CHANGELOG entry. --- .changelog/25282.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/25282.txt diff --git a/.changelog/25282.txt b/.changelog/25282.txt new file mode 100644 index 000000000000..eca1d4ba480a --- /dev/null +++ b/.changelog/25282.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +aws_cognito_risk_configuration +``` \ No newline at end of file