From 922e2ba68cb60b464f7cb4566f9df7850a5a0e6f Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Fri, 3 Mar 2023 11:47:15 +0800 Subject: [PATCH 1/5] Add `auto_enable_standards` to `aws_securityhub_organization_configuration` --- .../securityhub/organization_configuration.go | 11 ++++ .../organization_configuration_test.go | 65 +++++++++++++++++++ ...ityhub_organization_configuration.markdown | 2 +- 3 files changed, 77 insertions(+), 1 deletion(-) diff --git a/internal/service/securityhub/organization_configuration.go b/internal/service/securityhub/organization_configuration.go index 8c47ebd9337..46bb1bd4dfa 100644 --- a/internal/service/securityhub/organization_configuration.go +++ b/internal/service/securityhub/organization_configuration.go @@ -7,6 +7,7 @@ import ( "github.com/aws/aws-sdk-go/service/securityhub" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" ) @@ -28,6 +29,12 @@ func ResourceOrganizationConfiguration() *schema.Resource { Type: schema.TypeBool, Required: true, }, + "auto_enable_standards": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ValidateFunc: validation.StringInSlice([]string{"NONE", "DEFAULT"}, false), + }, }, } } @@ -39,6 +46,9 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso input := &securityhub.UpdateOrganizationConfigurationInput{ AutoEnable: aws.Bool(d.Get("auto_enable").(bool)), } + if v, ok := d.GetOk("auto_enable_standards"); ok { + input.AutoEnableStandards = aws.String(v.(string)) + } _, err := conn.UpdateOrganizationConfigurationWithContext(ctx, input) 
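Review bot: The `ValidateFunc` on `auto_enable_standards` in the second hunk spells the enum as literals, `[]string{"NONE", "DEFAULT"}`, while the rest of the resource goes through the `securityhub` SDK package; if the vendored SDK version exposes the generated `securityhub.AutoEnableStandards_Values()` (and the `AutoEnableStandardsNone`/`AutoEnableStandardsDefault` constants), prefer `ValidateFunc: validation.StringInSlice(securityhub.AutoEnableStandards_Values(), false),` so new enum values arrive with the SDK bump instead of a hand-maintained list. The attribute is also `Optional` + `Computed`, so once a user has applied `NONE` and later removes the argument, the plan presumably keeps `NONE` rather than reverting to the service default; a schema comment such as `// Optional+Computed: dropping the argument keeps the last applied value, it does not reset to DEFAULT` would spare the next maintainer that surprise, and the docs hunk in this patch could state the same. `ResourceOrganizationConfiguration` itself starts before the hunk.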
@@ -62,6 +72,7 @@ func resourceOrganizationConfigurationRead(ctx context.Context, d *schema.Resour } d.Set("auto_enable", output.AutoEnable) + d.Set("auto_enable_standards", output.AutoEnableStandards) return diags } diff --git a/internal/service/securityhub/organization_configuration_test.go b/internal/service/securityhub/organization_configuration_test.go index 39dee17236d..cb747f8da8f 100644 --- a/internal/service/securityhub/organization_configuration_test.go +++ b/internal/service/securityhub/organization_configuration_test.go @@ -27,6 +27,7 @@ func testAccOrganizationConfiguration_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccOrganizationConfigurationExists(ctx, resourceName), resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"), + resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"), ), }, { 
@@ -39,6 +40,42 @@ func testAccOrganizationConfiguration_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccOrganizationConfigurationExists(ctx, resourceName), resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"), + resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"), + ), + }, + }, + }) +} + +func testAccOrganizationConfiguration_autoEnableStandards(t *testing.T) { + ctx := acctest.Context(t) + resourceName := "aws_securityhub_organization_configuration.test" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); acctest.PreCheckOrganizationsAccount(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, securityhub.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: nil, //lintignore:AT001 + Steps: []resource.TestStep{ + { + Config: testAccOrganizationConfigurationConfig_autoEnableStandards("DEFAULT"), + Check: resource.ComposeTestCheckFunc( + testAccOrganizationConfigurationExists(ctx, resourceName), + resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"), + resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccOrganizationConfigurationConfig_autoEnableStandards("NONE"), + Check: resource.ComposeTestCheckFunc( + testAccOrganizationConfigurationExists(ctx, resourceName), + resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"), + resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "NONE"), ), }, }, 
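Review bot: `testAccOrganizationConfiguration_autoEnableStandards` steps through `DEFAULT` and then `NONE` but never a step that omits `auto_enable_standards`, so the Optional+Computed behaviour of the attribute (whether the previously applied `NONE` survives when the argument is removed, or drifts back to `DEFAULT`) is left unverified; a final step with `Config: testAccOrganizationConfigurationConfig_basic(true)` and an explicit `resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", ...)` would pin it. `CheckDestroy: nil, //lintignore:AT001` suppresses the linter where the fifth patch's context lines show `acctest.CheckDestroyNoop` already in use for this same test case, so the suppression can go in favour of that helper. The hunk's leading lines belong to `testAccOrganizationConfiguration_basic`, whose signature sits outside the hunk.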
@@ -86,3 +123,31 @@ resource "aws_securityhub_organization_configuration" "test" { } `, autoEnable) } + +func testAccOrganizationConfigurationConfig_autoEnableStandards(autoEnableStandards string) string { + return fmt.Sprintf(` +data "aws_partition" "current" {} + +resource "aws_organizations_organization" "test" { + aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"] + feature_set = "ALL" +} + +resource "aws_securityhub_account" "test" {} + +data "aws_caller_identity" "current" {} + +resource "aws_securityhub_organization_admin_account" "test" { + admin_account_id = data.aws_caller_identity.current.account_id + + depends_on = [aws_organizations_organization.test, aws_securityhub_account.test] +} + +resource "aws_securityhub_organization_configuration" "test" { + auto_enable = true + auto_enable_standards = "%[1]s" + + depends_on = [aws_securityhub_organization_admin_account.test] +} +`, autoEnableStandards) +} diff --git a/website/docs/r/securityhub_organization_configuration.markdown b/website/docs/r/securityhub_organization_configuration.markdown index 2a647c10c9d..4228a8ad981 100644 --- a/website/docs/r/securityhub_organization_configuration.markdown +++ b/website/docs/r/securityhub_organization_configuration.markdown 
@@ -38,7 +38,7 @@ resource "aws_securityhub_organization_configuration" "example" { The following arguments are supported: * `auto_enable` - (Required) Whether to automatically enable Security Hub for new accounts in the organization. - +* `auto_enable_standards` - (Optional) Whether to automatically enable Security Hub default standards for new member accounts in the organization. By default, this parameter is equal to `DEFAULT`, and new member accounts are automatically enabled with default Security Hub standards. To opt out of enabling default standards for new member accounts, set this parameter equal to `NONE`. ## Attributes Reference In addition to all arguments above, the following attributes are exported: From 70669fcf2f2344fc8db86dfc5064e438d6768177 Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Fri, 3 Mar 2023 11:52:34 +0800 Subject: [PATCH 2/5] Add changelog entry --- .changelog/29773.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/29773.txt diff --git a/.changelog/29773.txt b/.changelog/29773.txt new file mode 100644 index 00000000000..a3b6847cb3c --- /dev/null +++ b/.changelog/29773.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_securityhub_organization_configuration: Add `auto_enable_standards` attribute +``` From e38ad90f7185bf9a4fc7249105db53411ae546e7 Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Wed, 8 Mar 2023 07:38:44 +0800 Subject: [PATCH 3/5] Fix lint --- .../service/securityhub/organization_configuration_test.go | 4 ++-- internal/service/securityhub/securityhub_test.go | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/internal/service/securityhub/organization_configuration_test.go b/internal/service/securityhub/organization_configuration_test.go index cb747f8da8f..684f1b051bb 100644 --- a/internal/service/securityhub/organization_configuration_test.go +++ b/internal/service/securityhub/organization_configuration_test.go 
@@ -144,8 +144,8 @@ resource "aws_securityhub_organization_admin_account" "test" { } resource "aws_securityhub_organization_configuration" "test" { - auto_enable = true - auto_enable_standards = "%[1]s" + auto_enable = true + auto_enable_standards = "%[1]s" depends_on = [aws_securityhub_organization_admin_account.test] } diff --git a/internal/service/securityhub/securityhub_test.go b/internal/service/securityhub/securityhub_test.go index cd00db27352..54f7f7e0d67 100644 --- a/internal/service/securityhub/securityhub_test.go +++ b/internal/service/securityhub/securityhub_test.go @@ -45,7 +45,8 @@ func TestAccSecurityHub_serial(t *testing.T) { "MultiRegion": testAccOrganizationAdminAccount_MultiRegion, }, "OrganizationConfiguration": { - "basic": testAccOrganizationConfiguration_basic, + "basic": testAccOrganizationConfiguration_basic, + "AutoEnableStandards": testAccOrganizationConfiguration_autoEnableStandards, }, "ProductSubscription": { "basic": testAccProductSubscription_basic, From 7d7f949dbad2d36d6105a266be79c77cce52aff5 Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Wed, 8 Mar 2023 09:38:47 +0800 Subject: [PATCH 4/5] Fix Markdown lint `website/docs/r/securityhub_organization_configuration.markdown:41 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* `auto_enable_standards` - (O..."]`` --- website/docs/r/securityhub_organization_configuration.markdown | 1 + 1 file changed, 1 insertion(+) diff --git a/website/docs/r/securityhub_organization_configuration.markdown b/website/docs/r/securityhub_organization_configuration.markdown index 4228a8ad981..936fa055e4e 100644 --- a/website/docs/r/securityhub_organization_configuration.markdown +++ b/website/docs/r/securityhub_organization_configuration.markdown 
@@ -39,6 +39,7 @@ The following arguments are supported: * `auto_enable` - (Required) Whether to automatically enable Security Hub for new accounts in the organization. * `auto_enable_standards` - (Optional) Whether to automatically enable Security Hub default standards for new member accounts in the organization. By default, this parameter is equal to `DEFAULT`, and new member accounts are automatically enabled with default Security Hub standards. To opt out of enabling default standards for new member accounts, set this parameter equal to `NONE`. + ## Attributes Reference In addition to all arguments above, the following attributes are exported: From f33673d3fa4e126b0052062b491998d1694af967 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 16 Mar 2023 14:05:12 -0400 Subject: [PATCH 5/5] r/aws_securityhub_organization_configuration: Change acceptance tests PreCheck so running in OrganizationManagementAccount. --- .../organization_configuration_test.go | 44 +++++-------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/internal/service/securityhub/organization_configuration_test.go b/internal/service/securityhub/organization_configuration_test.go index 8032d53c835..ebe1d1f503b 100644 --- a/internal/service/securityhub/organization_configuration_test.go +++ b/internal/service/securityhub/organization_configuration_test.go @@ -17,7 +17,7 @@ func testAccOrganizationConfiguration_basic(t *testing.T) { resourceName := "aws_securityhub_organization_configuration.test" resource.Test(t, resource.TestCase{ - PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationsAccount(ctx, t) }, + PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, securityhub.EndpointsID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, CheckDestroy: acctest.CheckDestroyNoop, 
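Review bot: Switching the PreCheck to `acctest.PreCheckOrganizationManagementAccount` (here and in the following hunk for `_autoEnableStandards`) means these tests now run with organization-management credentials and, through `aws_securityhub_organization_admin_account` and the `auto_enable` setting, change organization-wide Security Hub configuration rather than a single account's; nothing in the test file says so, and `CheckDestroy: acctest.CheckDestroyNoop` means teardown is not verified either. A comment on `testAccOrganizationConfiguration_basic` (whose signature sits outside the hunk) such as `// Runs in the Organizations management account and changes org-wide Security Hub settings (delegated admin, auto-enable); point it only at a dedicated test organization.` would make the blast radius explicit to whoever runs the serial suite. Why `PreCheckOrganizationsAccount` was replaced is not visible here, so the commit title's reason is taken as given.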
@@ -52,7 +52,7 @@ func testAccOrganizationConfiguration_autoEnableStandards(t *testing.T) { resourceName := "aws_securityhub_organization_configuration.test" resource.Test(t, resource.TestCase{ - PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationsAccount(ctx, t) }, + PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, securityhub.EndpointsID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, CheckDestroy: acctest.CheckDestroyNoop, @@ -97,15 +97,7 @@ func testAccOrganizationConfigurationExists(ctx context.Context, n string) resou } } -func testAccOrganizationConfigurationConfig_basic(autoEnable bool) string { - return fmt.Sprintf(` -data "aws_partition" "current" {} - -resource "aws_organizations_organization" "test" { - aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"] - feature_set = "ALL" -} - +const testAccOrganizationConfigurationConfig_base = ` resource "aws_securityhub_account" "test" {} data "aws_caller_identity" "current" {} 
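Review bot: The new `testAccOrganizationConfigurationConfig_base` constant (opened in the last hunk here, closed in the next) drops the `aws_organizations_organization` resource and with it the `aws_service_access_principals` entry for Security Hub, so the tests now presumably rely on the organization already existing in the management account with Security Hub trusted access enabled; the constant carries no doc comment stating that precondition. Suggest `// testAccOrganizationConfigurationConfig_base assumes the caller is the management account of an existing organization with Security Hub service access already enabled (see PreCheckOrganizationManagementAccount); it no longer creates the organization.` above the `const` line. The PreCheck change in the first hunk of this line is the same as the one in the preceding file hunk and needs no separate note.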
@@ -113,41 +105,27 @@ data "aws_caller_identity" "current" {} resource "aws_securityhub_organization_admin_account" "test" { admin_account_id = data.aws_caller_identity.current.account_id - depends_on = [aws_organizations_organization.test, aws_securityhub_account.test] + depends_on = [aws_securityhub_account.test] } +` +func testAccOrganizationConfigurationConfig_basic(autoEnable bool) string { + return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(` resource "aws_securityhub_organization_configuration" "test" { auto_enable = %[1]t depends_on = [aws_securityhub_organization_admin_account.test] } -`, autoEnable) +`, autoEnable)) } func testAccOrganizationConfigurationConfig_autoEnableStandards(autoEnableStandards string) string { - return fmt.Sprintf(` -data "aws_partition" "current" {} - -resource "aws_organizations_organization" "test" { - aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"] - feature_set = "ALL" -} - -resource "aws_securityhub_account" "test" {} - -data "aws_caller_identity" "current" {} - -resource "aws_securityhub_organization_admin_account" "test" { - admin_account_id = data.aws_caller_identity.current.account_id - - depends_on = [aws_organizations_organization.test, aws_securityhub_account.test] -} - + return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(` resource "aws_securityhub_organization_configuration" "test" { auto_enable = true - auto_enable_standards = "%[1]s" + auto_enable_standards = %[1]q depends_on = [aws_securityhub_organization_admin_account.test] } -`, autoEnableStandards) +`, autoEnableStandards)) }