Add auto_enable_standards to aws_securityhub_organization_configuration

.changelog/29773.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_securityhub_organization_configuration: Add `auto_enable_standards` attribute
+```

internal/service/securityhub/organization_configuration.go

@@ -7,6 +7,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/securityhub"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 )
@@ -28,6 +29,12 @@ func ResourceOrganizationConfiguration() *schema.Resource {
 				Type:     schema.TypeBool,
 				Required: true,
 			},
+			"auto_enable_standards": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: validation.StringInSlice(securityhub.AutoEnableStandards_Values(), false),
+			},
 		},
 	}
 }
@@ -40,13 +47,19 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso
 		AutoEnable: aws.Bool(d.Get("auto_enable").(bool)),
 	}
 
+	if v, ok := d.GetOk("auto_enable_standards"); ok {
+		input.AutoEnableStandards = aws.String(v.(string))
+	}
+
 	_, err := conn.UpdateOrganizationConfigurationWithContext(ctx, input)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "updating Security Hub Organization Configuration (%s): %s", d.Id(), err)
 	}
 
-	d.SetId(meta.(*conns.AWSClient).AccountID)
+	if d.IsNewResource() {
+		d.SetId(meta.(*conns.AWSClient).AccountID)
+	}
 
 	return append(diags, resourceOrganizationConfigurationRead(ctx, d, meta)...)
 }
@@ -62,6 +75,7 @@ func resourceOrganizationConfigurationRead(ctx context.Context, d *schema.Resour
 	}
 
 	d.Set("auto_enable", output.AutoEnable)
+	d.Set("auto_enable_standards", output.AutoEnableStandards)
 
 	return diags
 }

internal/service/securityhub/organization_configuration_test.go

@@ -17,16 +17,17 @@ func testAccOrganizationConfiguration_basic(t *testing.T) {
 	resourceName := "aws_securityhub_organization_configuration.test"
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationsAccount(ctx, t) },
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationManagementAccount(ctx, t) },
 		ErrorCheck:               acctest.ErrorCheck(t, securityhub.EndpointsID),
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
-		CheckDestroy:             nil, //lintignore:AT001
+		CheckDestroy:             acctest.CheckDestroyNoop,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccOrganizationConfigurationConfig_basic(true),
 				Check: resource.ComposeTestCheckFunc(
 					testAccOrganizationConfigurationExists(ctx, resourceName),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"),
 				),
 			},
 			{
@@ -39,6 +40,42 @@ func testAccOrganizationConfiguration_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccOrganizationConfigurationExists(ctx, resourceName),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"),
+				),
+			},
+		},
+	})
+}
+
+func testAccOrganizationConfiguration_autoEnableStandards(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_securityhub_organization_configuration.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckOrganizationManagementAccount(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, securityhub.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             acctest.CheckDestroyNoop,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrganizationConfigurationConfig_autoEnableStandards("DEFAULT"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccOrganizationConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "DEFAULT"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccOrganizationConfigurationConfig_autoEnableStandards("NONE"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccOrganizationConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_standards", "NONE"),
 				),
 			},
 		},
@@ -60,29 +97,35 @@ func testAccOrganizationConfigurationExists(ctx context.Context, n string) resou
 	}
 }
 
-func testAccOrganizationConfigurationConfig_basic(autoEnable bool) string {
-	return fmt.Sprintf(`
-data "aws_partition" "current" {}
-
-resource "aws_organizations_organization" "test" {
-  aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"]
-  feature_set                   = "ALL"
-}
-
+const testAccOrganizationConfigurationConfig_base = `
 resource "aws_securityhub_account" "test" {}
 
 data "aws_caller_identity" "current" {}
 
 resource "aws_securityhub_organization_admin_account" "test" {
   admin_account_id = data.aws_caller_identity.current.account_id
 
-  depends_on = [aws_organizations_organization.test, aws_securityhub_account.test]
+  depends_on = [aws_securityhub_account.test]
 }
+`
 
+func testAccOrganizationConfigurationConfig_basic(autoEnable bool) string {
+	return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
 resource "aws_securityhub_organization_configuration" "test" {
   auto_enable = %[1]t
 
   depends_on = [aws_securityhub_organization_admin_account.test]
 }
-`, autoEnable)
+`, autoEnable))
+}
+
+func testAccOrganizationConfigurationConfig_autoEnableStandards(autoEnableStandards string) string {
+	return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
+resource "aws_securityhub_organization_configuration" "test" {
+  auto_enable           = true
+  auto_enable_standards = %[1]q
+
+  depends_on = [aws_securityhub_organization_admin_account.test]
+}
+`, autoEnableStandards))
 }

internal/service/securityhub/securityhub_test.go

@@ -45,7 +45,8 @@ func TestAccSecurityHub_serial(t *testing.T) {
 			"MultiRegion": testAccOrganizationAdminAccount_MultiRegion,
 		},
 		"OrganizationConfiguration": {
-			"basic": testAccOrganizationConfiguration_basic,
+			"basic":               testAccOrganizationConfiguration_basic,
+			"AutoEnableStandards": testAccOrganizationConfiguration_autoEnableStandards,
 		},
 		"ProductSubscription": {
 			"basic": testAccProductSubscription_basic,

website/docs/r/securityhub_organization_configuration.markdown

@@ -38,6 +38,7 @@ resource "aws_securityhub_organization_configuration" "example" {
 The following arguments are supported:
 
 * `auto_enable` - (Required) Whether to automatically enable Security Hub for new accounts in the organization.
+* `auto_enable_standards` - (Optional) Whether to automatically enable Security Hub default standards for new member accounts in the organization. By default, this parameter is equal to `DEFAULT`, and new member accounts are automatically enabled with default Security Hub standards. To opt out of enabling default standards for new member accounts, set this parameter equal to `NONE`.
 
 ## Attributes Reference