New resource: aws_guardduty_organization_configuration_feature #33913

Merged
merged 12 commits into from
Oct 12, 2023
5 changes: 5 additions & 0 deletions internal/service/guardduty/guardduty_test.go
@@ -59,6 +59,11 @@ func TestAccGuardDuty_serial(t *testing.T) {
"kubernetes": testAccOrganizationConfiguration_kubernetes,
"malwareProtection": testAccOrganizationConfiguration_malwareprotection,
},
"OrganizationConfigurationFeature": {
"basic": testAccOrganizationConfigurationFeature_basic,
"additional_configuration": testAccOrganizationConfigurationFeature_additionalConfiguration,
"multiple": testAccOrganizationConfigurationFeature_multiple,
},
"ThreatIntelSet": {
"basic": testAccThreatIntelSet_basic,
"tags": testAccThreatIntelSet_tags,
@@ -73,7 +73,14 @@ func resourceOrganizationConfigurationFeaturePut(ctx context.Context, d *schema.
var diags diag.Diagnostics
conn := meta.(*conns.AWSClient).GuardDutyConn(ctx)

detectorID, name := d.Get("detector_id").(string), d.Get("name").(string)
detectorID := d.Get("detector_id").(string)
output, err := FindOrganizationConfigurationByID(ctx, conn, detectorID)

if err != nil {
return sdkdiag.AppendErrorf(diags, "reading GuardDuty Organization Configuration (%s): %s", detectorID, err)
}

name := d.Get("name").(string)
feature := &guardduty.OrganizationFeatureConfiguration{
AutoEnable: aws.String(d.Get("auto_enable").(string)),
Name: aws.String(name),
@@ -84,11 +91,12 @@ func resourceOrganizationConfigurationFeaturePut(ctx context.Context, d *schema.
}

input := &guardduty.UpdateOrganizationConfigurationInput{
DetectorId: aws.String(detectorID),
Features: []*guardduty.OrganizationFeatureConfiguration{feature},
AutoEnableOrganizationMembers: output.AutoEnableOrganizationMembers,
DetectorId: aws.String(detectorID),
Features: []*guardduty.OrganizationFeatureConfiguration{feature},
}

_, err := conn.UpdateOrganizationConfigurationWithContext(ctx, input)
_, err = conn.UpdateOrganizationConfigurationWithContext(ctx, input)

if err != nil {
return sdkdiag.AppendErrorf(diags, "updating GuardDuty Organization Configuration (%s) Feature (%s): %s", detectorID, name, err)
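Review bot: The new update path is a read-modify-write with no serialization: `FindOrganizationConfigurationByID` reads the current `AutoEnableOrganizationMembers` and the `UpdateOrganizationConfigurationInput` below writes that value back together with a single feature, so two feature resources for the same detector applied in parallel (the new `multiple` acceptance test creates three) or a concurrent change to the parent organization configuration may be overwritten with the stale value read here; whether UpdateOrganizationConfiguration replaces the whole feature set or only the named feature is not visible on this page and is worth confirming against the API before relying on the current shape. The echo of the org-level setting deserves a why-comment, e.g. `// Re-send the current AutoEnableOrganizationMembers value so this per-feature update does not alter the org-level setting (presumably required by UpdateOrganizationConfiguration — confirm).`. Consider serializing Put calls per detector ID so concurrent feature updates on one detector cannot race. resourceOrganizationConfigurationFeaturePut starts before the first hunk and continues past this one.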
@@ -0,0 +1,237 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package guardduty_test

import (
"context"
"fmt"
"testing"

"github.com/aws/aws-sdk-go/service/guardduty"
"github.com/hashicorp/terraform-plugin-testing/helper/resource"
"github.com/hashicorp/terraform-plugin-testing/terraform"
"github.com/hashicorp/terraform-provider-aws/internal/acctest"
"github.com/hashicorp/terraform-provider-aws/internal/conns"
tfguardduty "github.com/hashicorp/terraform-provider-aws/internal/service/guardduty"
)

func testAccOrganizationConfigurationFeature_basic(t *testing.T) {
ctx := acctest.Context(t)
resourceName := "aws_guardduty_organization_configuration_feature.test"

resource.Test(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
acctest.PreCheckOrganizationsAccount(ctx, t)
testAccPreCheckDetectorNotExists(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, guardduty.EndpointsID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: acctest.CheckDestroyNoop,
Steps: []resource.TestStep{
{
Config: testAccOrganizationConfigurationFeatureConfig_basic("RDS_LOGIN_EVENTS", "ALL"),
Check: resource.ComposeAggregateTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resourceName),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resourceName, "auto_enable", "ALL"),
resource.TestCheckResourceAttrSet(resourceName, "detector_id"),
resource.TestCheckResourceAttr(resourceName, "name", "RDS_LOGIN_EVENTS"),
),
},
},
})
}

func testAccOrganizationConfigurationFeature_additionalConfiguration(t *testing.T) {
ctx := acctest.Context(t)
resourceName := "aws_guardduty_organization_configuration_feature.test"

resource.Test(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
acctest.PreCheckOrganizationsAccount(ctx, t)
testAccPreCheckDetectorNotExists(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, guardduty.EndpointsID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: acctest.CheckDestroyNoop,
Steps: []resource.TestStep{
{
Config: testAccOrganizationConfigurationFeatureConfig_additionalConfiguration("NEW", "NONE"),
Check: resource.ComposeTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resourceName),
resource.TestCheckResourceAttr(resourceName, "auto_enable", "NEW"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.#", "1"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.0.auto_enable", "NONE"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.0.name", "EKS_ADDON_MANAGEMENT"),
resource.TestCheckResourceAttr(resourceName, "name", "EKS_RUNTIME_MONITORING"),
),
},
{
Config: testAccOrganizationConfigurationFeatureConfig_additionalConfiguration("ALL", "ALL"),
Check: resource.ComposeTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resourceName),
resource.TestCheckResourceAttr(resourceName, "auto_enable", "ALL"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.#", "1"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.0.auto_enable", "ALL"),
resource.TestCheckResourceAttr(resourceName, "additional_configuration.0.name", "EKS_ADDON_MANAGEMENT"),
resource.TestCheckResourceAttr(resourceName, "name", "EKS_RUNTIME_MONITORING"),
),
},
},
})
}

func testAccOrganizationConfigurationFeature_multiple(t *testing.T) {
ctx := acctest.Context(t)
resource1Name := "aws_guardduty_organization_configuration_feature.test1"
resource2Name := "aws_guardduty_organization_configuration_feature.test2"
resource3Name := "aws_guardduty_organization_configuration_feature.test3"

resource.Test(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
acctest.PreCheckOrganizationsAccount(ctx, t)
testAccPreCheckDetectorNotExists(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, guardduty.EndpointsID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: acctest.CheckDestroyNoop,
Steps: []resource.TestStep{
{
Config: testAccOrganizationConfigurationFeatureConfig_multiple("ALL", "NEW", "NONE"),
Check: resource.ComposeTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resource1Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource2Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource3Name),
resource.TestCheckResourceAttr(resource1Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource1Name, "auto_enable", "ALL"),
resource.TestCheckResourceAttr(resource1Name, "name", "EBS_MALWARE_PROTECTION"),
resource.TestCheckResourceAttr(resource2Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource2Name, "auto_enable", "NEW"),
resource.TestCheckResourceAttr(resource2Name, "name", "LAMBDA_NETWORK_LOGS"),
resource.TestCheckResourceAttr(resource3Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource3Name, "auto_enable", "NONE"),
resource.TestCheckResourceAttr(resource3Name, "name", "S3_DATA_EVENTS"),
),
},
{
Config: testAccOrganizationConfigurationFeatureConfig_multiple("NEW", "ALL", "ALL"),
Check: resource.ComposeTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resource1Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource2Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource3Name),
resource.TestCheckResourceAttr(resource1Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource1Name, "auto_enable", "NEW"),
resource.TestCheckResourceAttr(resource1Name, "name", "EBS_MALWARE_PROTECTION"),
resource.TestCheckResourceAttr(resource2Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource2Name, "auto_enable", "ALL"),
resource.TestCheckResourceAttr(resource2Name, "name", "LAMBDA_NETWORK_LOGS"),
resource.TestCheckResourceAttr(resource3Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource3Name, "auto_enable", "ALL"),
resource.TestCheckResourceAttr(resource3Name, "name", "S3_DATA_EVENTS"),
),
},
{
Config: testAccOrganizationConfigurationFeatureConfig_multiple("NONE", "NONE", "NONE"),
Check: resource.ComposeTestCheckFunc(
testAccOrganizationConfigurationFeatureExists(ctx, resource1Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource2Name),
testAccOrganizationConfigurationFeatureExists(ctx, resource3Name),
resource.TestCheckResourceAttr(resource1Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource1Name, "auto_enable", "NONE"),
resource.TestCheckResourceAttr(resource1Name, "name", "EBS_MALWARE_PROTECTION"),
resource.TestCheckResourceAttr(resource2Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource2Name, "auto_enable", "NONE"),
resource.TestCheckResourceAttr(resource2Name, "name", "LAMBDA_NETWORK_LOGS"),
resource.TestCheckResourceAttr(resource3Name, "additional_configuration.#", "0"),
resource.TestCheckResourceAttr(resource3Name, "auto_enable", "NONE"),
resource.TestCheckResourceAttr(resource3Name, "name", "S3_DATA_EVENTS"),
),
},
},
})
}

func testAccOrganizationConfigurationFeatureExists(ctx context.Context, n string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}

conn := acctest.Provider.Meta().(*conns.AWSClient).GuardDutyConn(ctx)

_, err := tfguardduty.FindOrganizationConfigurationFeatureByTwoPartKey(ctx, conn, rs.Primary.Attributes["detector_id"], rs.Primary.Attributes["name"])

return err
}
}

var testAccOrganizationConfigurationFeatureConfig_base = acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, `
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]
auto_enable_organization_members = "ALL"
detector_id = aws_guardduty_detector.test.id
}
`)

func testAccOrganizationConfigurationFeatureConfig_basic(name, autoEnable string) string {
return acctest.ConfigCompose(testAccOrganizationConfigurationFeatureConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration_feature" "test" {
depends_on = [aws_guardduty_organization_configuration.test]
detector_id = aws_guardduty_detector.test.id
name = %[1]q
auto_enable = %[2]q
}
`, name, autoEnable))
}

func testAccOrganizationConfigurationFeatureConfig_additionalConfiguration(featureAutoEnable, additionalConfigurationAutoEnable string) string {
return acctest.ConfigCompose(testAccOrganizationConfigurationFeatureConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration_feature" "test" {
depends_on = [aws_guardduty_organization_configuration.test]
detector_id = aws_guardduty_detector.test.id
name = "EKS_RUNTIME_MONITORING"
auto_enable = %[1]q
additional_configuration {
name = "EKS_ADDON_MANAGEMENT"
auto_enable = %[2]q
}
}
`, featureAutoEnable, additionalConfigurationAutoEnable))
}

func testAccOrganizationConfigurationFeatureConfig_multiple(autoEnable1, autoEnable2, autoEnable3 string) string {
return acctest.ConfigCompose(testAccOrganizationConfigurationFeatureConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration_feature" "test1" {
depends_on = [aws_guardduty_organization_configuration.test]
detector_id = aws_guardduty_detector.test.id
name = "EBS_MALWARE_PROTECTION"
auto_enable = %[1]q
}
resource "aws_guardduty_organization_configuration_feature" "test2" {
depends_on = [aws_guardduty_organization_configuration.test]
detector_id = aws_guardduty_detector.test.id
name = "LAMBDA_NETWORK_LOGS"
auto_enable = %[2]q
}
resource "aws_guardduty_organization_configuration_feature" "test3" {
depends_on = [aws_guardduty_organization_configuration.test]
detector_id = aws_guardduty_detector.test.id
name = "S3_DATA_EVENTS"
auto_enable = %[3]q
}
`, autoEnable1, autoEnable2, autoEnable3))
}
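Review bot: All three test cases set `CheckDestroy: acctest.CheckDestroyNoop` without saying why, so a reader cannot tell whether leaving the feature enabled after destroy is intended or an oversight; a short comment such as `// CheckDestroyNoop: destroying the resource presumably does not disable the feature on the organization — confirm against the resource's Delete` on each TestCase would make that explicit. In `testAccOrganizationConfigurationFeatureExists` the error string `fmt.Errorf("Not found: %s", n)` should be lowercase per Go convention, `fmt.Errorf("not found: %s", n)`. Note also that in `testAccOrganizationConfigurationFeatureConfig_multiple` the three feature resources depend only on the organization configuration and not on each other, so Terraform applies them concurrently; if the provider's update is not serialized per detector this test is the one most likely to surface intermittent failures.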
22 changes: 6 additions & 16 deletions internal/service/guardduty/organization_configuration_test.go
@@ -295,7 +295,7 @@ func testAccCheckOrganizationConfigurationExists(ctx context.Context, n string)
}
}

const testAccOrganizationConfigurationConfigBase = `
const testAccOrganizationConfigurationConfig_base = `
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
@@ -319,9 +319,7 @@ resource "aws_guardduty_organization_admin_account" "test" {
`

func testAccOrganizationConfigurationConfig_autoEnable(autoEnable bool) string {
return acctest.ConfigCompose(
testAccOrganizationConfigurationConfigBase,
fmt.Sprintf(`
return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]
@@ -332,9 +330,7 @@ resource "aws_guardduty_organization_configuration" "test" {
}

func testAccOrganizationConfigurationConfig_autoEnableOrganizationMembers(value string) string {
return acctest.ConfigCompose(
testAccOrganizationConfigurationConfigBase,
fmt.Sprintf(`
return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]
@@ -345,9 +341,7 @@ resource "aws_guardduty_organization_configuration" "test" {
}

func testAccOrganizationConfigurationConfig_s3Logs(autoEnable bool) string {
return acctest.ConfigCompose(
testAccOrganizationConfigurationConfigBase,
fmt.Sprintf(`
return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]
@@ -364,9 +358,7 @@ resource "aws_guardduty_organization_configuration" "test" {
}

func testAccOrganizationConfigurationConfig_kubernetes(autoEnable bool) string {
return acctest.ConfigCompose(
testAccOrganizationConfigurationConfigBase,
fmt.Sprintf(`
return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]
@@ -385,9 +377,7 @@ resource "aws_guardduty_organization_configuration" "test" {
}

func testAccOrganizationConfigurationConfig_malwareprotection(autoEnable bool) string {
return acctest.ConfigCompose(
testAccOrganizationConfigurationConfigBase,
fmt.Sprintf(`
return acctest.ConfigCompose(testAccOrganizationConfigurationConfig_base, fmt.Sprintf(`
resource "aws_guardduty_organization_configuration" "test" {
depends_on = [aws_guardduty_organization_admin_account.test]