diff --git a/.changelog/28961.txt b/.changelog/28961.txt
new file mode 100644
index 00000000000..6a074f5551a
--- /dev/null
+++ b/.changelog/28961.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_inspector2_organization_configuration: Add `lambda` attribute to `auto_enable` configuration block
+```
\ No newline at end of file
diff --git a/internal/service/inspector2/organization_configuration.go b/internal/service/inspector2/organization_configuration.go
index b04955ca99c..cd6a6a5ccdb 100644
--- a/internal/service/inspector2/organization_configuration.go
+++ b/internal/service/inspector2/organization_configuration.go
@@ -48,6 +48,11 @@ func ResourceOrganizationConfiguration() *schema.Resource {
 Type: schema.TypeBool,
 Required: true,
 },
+ "lambda": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
 },
 },
 },
@@ -118,7 +123,7 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso
 return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
 }
- if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
+ if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
 return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
 }
@@ -133,8 +138,9 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso
 in := &inspector2.UpdateOrganizationConfigurationInput{
 AutoEnable: &types.AutoEnable{
- Ec2: aws.Bool(false),
- Ecr: aws.Bool(false),
+ Ec2: aws.Bool(false),
+ Ecr: aws.Bool(false),
+ Lambda: aws.Bool(false),
 },
 }
@@ -144,21 +150,25 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso
 return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
 }
- if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
+ if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
 return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
 }
 return nil
 }
-func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr bool, timeout time.Duration) error {
- needle := fmt.Sprintf("%t:%t", ec2, ecr)
+func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda bool, timeout time.Duration) error {
+ needle := fmt.Sprintf("%t:%t:%t", ec2, ecr, lambda)
 all := []string{
- fmt.Sprintf("%t:%t", false, false),
- fmt.Sprintf("%t:%t", false, true),
- fmt.Sprintf("%t:%t", true, false),
- fmt.Sprintf("%t:%t", true, true),
+ fmt.Sprintf("%t:%t:%t", false, false, false),
+ fmt.Sprintf("%t:%t:%t", false, true, false),
+ fmt.Sprintf("%t:%t:%t", false, false, true),
+ fmt.Sprintf("%t:%t:%t", false, true, true),
+ fmt.Sprintf("%t:%t:%t", true, false, false),
+ fmt.Sprintf("%t:%t:%t", true, false, true),
+ fmt.Sprintf("%t:%t:%t", true, true, false),
+ fmt.Sprintf("%t:%t:%t", true, true, true),
 }
 for i, v := range all {
@@ -194,7 +204,7 @@ func statusOrganizationConfiguration(ctx context.Context, conn *inspector2.Clien
 return nil, "", err
 }
- return out, fmt.Sprintf("%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr)), nil
+ return out, fmt.Sprintf("%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda)), nil
 }
 }
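Review bot: The `all` list in waitOrganizationConfigurationUpdated hand-enumerates every combination of the three flags, and the `"%t:%t:%t"` state format is now repeated here and in statusOrganizationConfiguration further down; a fourth flag doubles the list again and a format change in one place silently desynchronises the other, so the waiter would never reach its target. Generating the combinations from one shared formatter keeps the two call sites in lock-step; the helper is `func autoEnableStatus(ec2, ecr, lambda bool) string { return fmt.Sprintf("%t:%t:%t", ec2, ecr, lambda) }`, and the status function's return line becomes `return out, autoEnableStatus(aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda)), nil`. The loop `for i, v := range all {` and the rest of the waiter continue outside the hunk, so the fence replaces only the `needle`/`all` construction.
```go
	needle := autoEnableStatus(ec2, ecr, lambda)
	var all []string
	for _, e := range []bool{false, true} {
		for _, r := range []bool{false, true} {
			for _, l := range []bool{false, true} {
				all = append(all, autoEnableStatus(e, r, l))
			}
		}
	}
	// … unchanged: for i, v := range all { … } and the remainder of the waiter …
```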
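Review bot: The new return line in statusOrganizationConfiguration dereferences `out.AutoEnable` with no nil guard visible in the hunk, while the acceptance test's destroy check tests `out.AutoEnable != nil`, which suggests the API response can omit that block; a nil there would panic inside the waiter's refresh rather than surface as an error or a retry. If there is no guard above the hunk (the function begins outside it), add `if out.AutoEnable == nil { return nil, "", nil }` before the return so the SDK's state-change loop presumably treats it as not-found, or return an explicit error — whichever matches the other Inspector2 waiters in this package. `aws.ToBool` on a nil `Lambda` field is fine and yields false, so only the enclosing pointer needs the check.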
@@ -213,6 +223,10 @@ func flattenAutoEnable(apiObject *types.AutoEnable) map[string]interface{} {
 m["ecr"] = aws.ToBool(v)
 }
+ if v := apiObject.Lambda; v != nil {
+ m["lambda"] = aws.ToBool(v)
+ }
+
 return m
 }
@@ -231,5 +245,9 @@ func expandAutoEnable(tfMap map[string]interface{}) *types.AutoEnable {
 a.Ecr = aws.Bool(v)
 }
+ if v, ok := tfMap["lambda"].(bool); ok {
+ a.Lambda = aws.Bool(v)
+ }
+
 return a
 }
diff --git a/internal/service/inspector2/organization_configuration_test.go b/internal/service/inspector2/organization_configuration_test.go
index f0e6a24c9fc..e5d77c5e4e9 100644
--- a/internal/service/inspector2/organization_configuration_test.go
+++ b/internal/service/inspector2/organization_configuration_test.go
@@ -26,6 +26,7 @@ func TestAccInspector2OrganizationConfiguration_serial(t *testing.T) {
 "basic": testAccOrganizationConfiguration_basic,
 "disappears": testAccOrganizationConfiguration_disappears,
 "ec2ECR": testAccOrganizationConfiguration_ec2ECR,
+ "lambda": testAccOrganizationConfiguration_lambda,
 }
 acctest.RunSerialTests1Level(t, testCases, 0)
@@ -112,6 +113,34 @@ func testAccOrganizationConfiguration_ec2ECR(t *testing.T) {
 })
 }
+func testAccOrganizationConfiguration_lambda(t *testing.T) {
+ ctx := acctest.Context(t)
+ resourceName := "aws_inspector2_organization_configuration.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ acctest.PreCheck(ctx, t)
+ acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID)
+ testAccPreCheck(ctx, t)
+ acctest.PreCheckOrganizationManagementAccount(ctx, t)
+ },
+ ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckOrganizationConfigurationDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccOrganizationConfigurationConfig_lambda(false, false, true),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckOrganizationConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"),
+ resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"),
+ resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 conn := acctest.Provider.Meta().(*conns.AWSClient).Inspector2Client()
@@ -145,7 +174,7 @@ func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource.
 return create.Error(names.Inspector2, create.ErrActionCheckingDestroyed, tfinspector2.ResNameOrganizationConfiguration, rs.Primary.ID, err)
 }
- if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) {
+ if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) {
 if enabledDelAdAcct {
 if err := testDisableDelegatedAdminAccount(ctx, conn, acctest.AccountID()); err != nil {
 return err
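Review bot: testAccOrganizationConfiguration_lambda has a single step that creates with `lambda = true`, so the new argument on the Update path (`d.Get("auto_enable.0.lambda")` feeding waitOrganizationConfigurationUpdated) is never exercised by an in-place change; only Delete resets it. A second step using `testAccOrganizationConfigurationConfig_lambda(false, false, false)` with `resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "false")` would cover the update-and-wait round-trip with the new flag, which is where a mismatch between the waiter's state strings would first show up. If the sibling tests above carry an ImportState step (their bodies are outside the hunk), this one should match them.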
@@ -239,3 +268,20 @@ resource "aws_inspector2_organization_configuration" "test" {
 }
 `, ec2, ecr)
 }
+
+func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda bool) string {
+ return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+resource "aws_inspector2_delegated_admin_account" "test" {
+ account_id = data.aws_caller_identity.current.account_id
+}
+resource "aws_inspector2_organization_configuration" "test" {
+ auto_enable {
+ ec2 = %[1]t
+ ecr = %[2]t
+ lambda = %[3]t
+ }
+ depends_on = [aws_inspector2_delegated_admin_account.test]
+}
+`, ec2, ecr, lambda)
+}
diff --git a/website/docs/r/inspector2_organization_configuration.html.markdown b/website/docs/r/inspector2_organization_configuration.html.markdown
index dbaf5187554..772977747b1 100644
--- a/website/docs/r/inspector2_organization_configuration.html.markdown
+++ b/website/docs/r/inspector2_organization_configuration.html.markdown
@@ -12,7 +12,7 @@ Terraform resource for managing an AWS Inspector V2 Organization Configuration.
 ~> **NOTE:** In order for this resource to work, the account you use must be an Inspector V2 Delegated Admin Account.
-~> **NOTE:** When this resource is deleted, EC2 and ECR scans will no longer be automatically enabled for new members of your Amazon Inspector organization.
+~> **NOTE:** When this resource is deleted, EC2, ECR and Lambda scans will no longer be automatically enabled for new members of your Amazon Inspector organization.
 ## Example Usage
@@ -21,8 +21,9 @@ Terraform resource for managing an AWS Inspector V2 Organization Configuration.
 ```terraform
 resource "aws_inspector2_organization_configuration" "example" {
 auto_enable {
- ec2 = true
- ecr = false
+ ec2 = true
+ ecr = false
+ lambda = true
 }
 }
 ```
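Review bot: testAccOrganizationConfigurationConfig_lambda repeats the entire HCL of the config helper that ends just above it (`, ec2, ecr)`) in order to add one `lambda` line, so the delegated-admin and depends_on wiring now lives in two places that will drift apart. Either give the existing helper the third parameter and have the ec2ECR test pass `false`, or keep the new helper and make the old one delegate with `return testAccOrganizationConfigurationConfig_lambda(ec2, ecr, false)`. The earlier helper's body starts outside the hunk, so its exact signature is inferred from the trailing `, ec2, ecr)` line.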
@@ -37,6 +38,7 @@ The following arguments are required:
 * `ec2` - (Required) Whether Amazon EC2 scans are automatically enabled for new members of your Amazon Inspector organization.
 * `ecr` - (Required) Whether Amazon ECR scans are automatically enabled for new members of your Amazon Inspector organization.
+* `lambda` - (Optional) Whether Lambda Function scans are automatically enabled for new members of your Amazon Inspector organization.
 ## Attributes Reference