r/aws_fms_policy - add description #29926

Merged
merged 8 commits into from
Mar 13, 2023
Merged
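--- a/.changelog/29926.txt
+++ b/.changelog/29926.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_fms_policy: Add `description` argument
+```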
79 changes: 38 additions & 41 deletions internal/service/fms/policy.go
Expand Up @@ -2,7 +2,6 @@ package fms

import (
"context"
"fmt"
"log"
"regexp"

Expand Down Expand Up @@ -50,6 +49,10 @@ func ResourcePolicy() *schema.Resource {
Optional: true,
Default: false,
},
"description": {
Type: schema.TypeString,
Optional: true,
},
"exclude_resource_tags": {
Type: schema.TypeBool,
Required: true,
Expand Down Expand Up @@ -196,14 +199,40 @@ func resourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interf
return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): %s", d.Id(), err)
}

if err := resourcePolicyFlattenPolicy(d, output); err != nil {
return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): %s", d.Id(), err)
arn := aws.StringValue(output.PolicyArn)
d.Set("arn", arn)
policy := output.Policy
d.Set("delete_unused_fm_managed_resources", policy.DeleteUnusedFMManagedResources)
d.Set("description", policy.PolicyDescription)
if err := d.Set("exclude_map", flattenPolicyMap(policy.ExcludeMap)); err != nil {
sdkdiag.AppendErrorf(diags, "setting exclude_map: %s", err)
}
d.Set("exclude_resource_tags", policy.ExcludeResourceTags)
if err := d.Set("include_map", flattenPolicyMap(policy.IncludeMap)); err != nil {
sdkdiag.AppendErrorf(diags, "setting include_map: %s", err)
}
d.Set("name", policy.PolicyName)
d.Set("policy_update_token", policy.PolicyUpdateToken)
d.Set("remediation_enabled", policy.RemediationEnabled)
if err := d.Set("resource_tags", flattenResourceTags(policy.ResourceTags)); err != nil {
sdkdiag.AppendErrorf(diags, "setting resource_tags: %s", err)
}
d.Set("resource_type", policy.ResourceType)
if err := d.Set("resource_type_list", policy.ResourceTypeList); err != nil {
sdkdiag.AppendErrorf(diags, "setting resource_type_list: %s", err)
}
securityServicePolicy := []map[string]string{{
"type": aws.StringValue(policy.SecurityServicePolicyData.Type),
"managed_service_data": aws.StringValue(policy.SecurityServicePolicyData.ManagedServiceData),
}}
if err := d.Set("security_service_policy_data", securityServicePolicy); err != nil {
sdkdiag.AppendErrorf(diags, "setting security_service_policy_data: %s", err)
}

tags, err := ListTags(ctx, conn, d.Get("arn").(string))
tags, err := ListTags(ctx, conn, arn)

if err != nil {
return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): listing tags: %s", d.Id(), err)
return sdkdiag.AppendErrorf(diags, "listing tags for FMS Policy (%s): %s", d.Id(), err)
}

tags = tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig)
Expand Down Expand Up @@ -285,46 +314,13 @@ func FindPolicyByID(ctx context.Context, conn *fms.FMS, id string) (*fms.GetPoli
return nil, err
}

if output == nil {
if output == nil || output.Policy == nil || output.Policy.SecurityServicePolicyData == nil {
return nil, tfresource.NewEmptyResultError(input)
}

return output, nil
}

func resourcePolicyFlattenPolicy(d *schema.ResourceData, resp *fms.GetPolicyOutput) error {
d.Set("arn", resp.PolicyArn)

d.Set("name", resp.Policy.PolicyName)
d.Set("exclude_resource_tags", resp.Policy.ExcludeResourceTags)
if err := d.Set("exclude_map", flattenPolicyMap(resp.Policy.ExcludeMap)); err != nil {
return fmt.Errorf("setting exclude_map: %w", err)
}
if err := d.Set("include_map", flattenPolicyMap(resp.Policy.IncludeMap)); err != nil {
return fmt.Errorf("setting include_map: %w", err)
}
d.Set("remediation_enabled", resp.Policy.RemediationEnabled)
if err := d.Set("resource_type_list", resp.Policy.ResourceTypeList); err != nil {
return fmt.Errorf("setting resource_type_list: %w", err)
}
d.Set("delete_unused_fm_managed_resources", resp.Policy.DeleteUnusedFMManagedResources)
d.Set("resource_type", resp.Policy.ResourceType)
d.Set("policy_update_token", resp.Policy.PolicyUpdateToken)
if err := d.Set("resource_tags", flattenResourceTags(resp.Policy.ResourceTags)); err != nil {
return fmt.Errorf("setting resource_tags: %w", err)
}

securityServicePolicy := []map[string]string{{
"type": *resp.Policy.SecurityServicePolicyData.Type,
"managed_service_data": *resp.Policy.SecurityServicePolicyData.ManagedServiceData,
}}
if err := d.Set("security_service_policy_data", securityServicePolicy); err != nil {
return fmt.Errorf("setting security_service_policy_data: %w", err)
}

return nil
}

func resourcePolicyExpandPolicy(d *schema.ResourceData) *fms.Policy {
resourceType := aws.String("ResourceTypeList")
resourceTypeList := flex.ExpandStringSet(d.Get("resource_type_list").(*schema.Set))
Expand All @@ -333,12 +329,13 @@ func resourcePolicyExpandPolicy(d *schema.ResourceData) *fms.Policy {
}

fmsPolicy := &fms.Policy{
DeleteUnusedFMManagedResources: aws.Bool(d.Get("delete_unused_fm_managed_resources").(bool)),
ExcludeResourceTags: aws.Bool(d.Get("exclude_resource_tags").(bool)),
PolicyDescription: aws.String(d.Get("description").(string)),
PolicyName: aws.String(d.Get("name").(string)),
RemediationEnabled: aws.Bool(d.Get("remediation_enabled").(bool)),
ResourceType: resourceType,
ResourceTypeList: resourceTypeList,
ExcludeResourceTags: aws.Bool(d.Get("exclude_resource_tags").(bool)),
DeleteUnusedFMManagedResources: aws.Bool(d.Get("delete_unused_fm_managed_resources").(bool)),
}

if d.Id() != "" {
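Review bot: The five `d.Set` error branches added to resourcePolicyRead (`exclude_map`, `include_map`, `resource_tags`, `resource_type_list` and `security_service_policy_data`) drop the value returned by `sdkdiag.AppendErrorf`; that helper is append-style and returns the extended diagnostics rather than mutating `diags`, so a failed Set is silently ignored and the read reports success with stale state. Each of those lines should take the same shape as the ListTags error later in the hunk, e.g. `return sdkdiag.AppendErrorf(diags, "setting exclude_map: %s", err)`, and likewise for the other four. The unchecked `d.Set` calls on scalar attributes follow the provider's usual convention and are fine. resourcePolicyRead begins before this hunk, and the new nil guards in FindPolicyByID (`output.Policy == nil || output.Policy.SecurityServicePolicyData == nil`) are what make the `policy.SecurityServicePolicyData.Type` dereference here safe, which is worth a one-line comment at that guard.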
24 changes: 12 additions & 12 deletions internal/service/fms/policy_test.go
Expand Up @@ -37,6 +37,7 @@ func testAccPolicy_basic(t *testing.T) {
testAccCheckPolicyExists(ctx, resourceName),
acctest.CheckResourceAttrRegionalARNIgnoreRegionAndAccount(resourceName, "arn", "fms", "policy/.+"),
resource.TestCheckResourceAttr(resourceName, "delete_unused_fm_managed_resources", "false"),
resource.TestCheckResourceAttr(resourceName, "description", "test description"),
resource.TestCheckResourceAttr(resourceName, "name", rName),
resource.TestCheckResourceAttr(resourceName, "security_service_policy_data.#", "1"),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
Expand Down Expand Up @@ -269,21 +270,20 @@ func testAccCheckPolicyExists(ctx context.Context, n string) resource.TestCheckF
}
}

func testAccPolicyConfigOrgMgmtAccountBase() string {
return acctest.ConfigCompose(testAccAdminRegionProviderConfig(), `
const testAccPolicyConfigOrgMgmtAccount_base = `
data "aws_caller_identity" "current" {}

resource "aws_fms_admin_account" "test" {
account_id = data.aws_caller_identity.current.account_id
}
`)
}
`

func testAccPolicyConfig_basic(policyName, ruleGroupName string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
description = "test description"
remediation_enabled = false
resource_type_list = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]

Expand All @@ -307,7 +307,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_cloudFrontDistribution(rName string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand Down Expand Up @@ -383,7 +383,7 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
}

func testAccPolicyConfig_updated(policyName, ruleGroupName string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand Down Expand Up @@ -414,7 +414,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_include(rName string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand All @@ -441,7 +441,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_resourceTags1(rName, tagKey1, tagValue1 string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand All @@ -468,7 +468,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_resourceTags2(rName, tagKey1, tagValue1, tagKey2, tagValue2 string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand Down Expand Up @@ -496,7 +496,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_tags1(rName, tagKey1, tagValue1 string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
Expand All @@ -523,7 +523,7 @@ resource "aws_wafregional_rule_group" "test" {
}

func testAccPolicyConfig_tags2(rName, tagKey1, tagValue1, tagKey2, tagValue2 string) string {
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccountBase(), fmt.Sprintf(`
return acctest.ConfigCompose(testAccPolicyConfigOrgMgmtAccount_base, fmt.Sprintf(`
resource "aws_fms_policy" "test" {
exclude_resource_tags = false
name = %[1]q
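Review bot: Replacing the `testAccPolicyConfigOrgMgmtAccountBase()` helper with the `testAccPolicyConfigOrgMgmtAccount_base` constant drops the `testAccAdminRegionProviderConfig()` block the old helper composed in, so every config that uses it (basic, cloudFrontDistribution, updated, include, resourceTags1/2, tags1/2) no longer carries that provider configuration. If `aws_fms_admin_account` still needs the admin-region provider, those tests now run against the default provider; if dropping it is intentional, a short comment above the constant (`// Admin account is created in the default provider region; no aliased provider needed.`) would keep the next reader from re-adding it. The new `description` assertion appears only in testAccPolicy_basic, and since the `_updated` config body is mostly outside this section it is not clear whether changing the description on update is exercised.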
6 changes: 5 additions & 1 deletion internal/service/wafregional/rule_group.go
Expand Up @@ -221,7 +221,11 @@ func resourceRuleGroupDelete(ctx context.Context, d *schema.ResourceData, meta i
oldRules := d.Get("activated_rule").(*schema.Set).List()
err := DeleteRuleGroup(ctx, d.Id(), oldRules, conn, region)

return sdkdiag.AppendErrorf(diags, "deleting WAF Regional Rule Group (%s): %s", d.Id(), err)
if err != nil {
return sdkdiag.AppendErrorf(diags, "deleting WAF Regional Rule Group (%s): %s", d.Id(), err)
}

return diags
}

func DeleteRuleGroup(ctx context.Context, id string, oldRules []interface{}, conn *wafregional.WAFRegional, region string) error {
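Review bot: The new `if err != nil` guard in resourceRuleGroupDelete changes user-visible behaviour (previously a "deleting WAF Regional Rule Group" diagnostic was returned even when DeleteRuleGroup succeeded), but the only changelog entry in this PR records the FMS `description` enhancement. A separate `release-note:bug` entry for resource/aws_wafregional_rule_group would make the fix discoverable to users who hit the spurious error. resourceRuleGroupDelete begins before this hunk.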
1 change: 1 addition & 0 deletions website/docs/r/fms_policy.html.markdown
Expand Up @@ -55,6 +55,7 @@ The following arguments are supported:
* `name` - (Required, Forces new resource) The friendly name of the AWS Firewall Manager Policy.
* `delete_all_policy_resources` - (Optional) If true, the request will also perform a clean-up process. Defaults to `true`. More information can be found here [AWS Firewall Manager delete policy](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_DeletePolicy.html)
* `delete_unused_fm_managed_resources` - (Optional) If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to `false`. More information can be found here [AWS Firewall Manager policy contents](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html)
* `description` - (Optional) The description of the AWS Network Firewall firewall policy.
* `exclude_map` - (Optional) A map of lists of accounts and OU's to exclude from the policy.
* `exclude_resource_tags` - (Required, Forces new resource) A boolean value, if true the tags that are specified in the `resource_tags` are not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy.
* `include_map` - (Optional) A map of lists of accounts and OU's to include in the policy.