hashicorp · jar-b · Apr 18, 2024 · Apr 12, 2024 · Apr 12, 2024 · Apr 12, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_transfer_connector: Add `security_policy_name` argument
+```
@@ -7,6 +7,7 @@ import (
 	"context"
 	"log"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/transfer"
 	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
@@ -98,6 +99,15 @@ func ResourceConnector() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"security_policy_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ValidateFunc: validation.All(
+					validation.StringLenBetween(0, 100),
+					validation.StringMatch(regexache.MustCompile(`^TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+$`), "must be in the format matching TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+"),
+				),
+			},
 			"sftp_config": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -152,6 +162,10 @@ func resourceConnectorCreate(ctx context.Context, d *schema.ResourceData, meta i
 		input.LoggingRole = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("security_policy_name"); ok {
+		input.SecurityPolicyName = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("sftp_config"); ok {
 		input.SftpConfig = expandSftpConfig(v.([]interface{}))
 	}
@@ -190,6 +204,7 @@ func resourceConnectorRead(ctx context.Context, d *schema.ResourceData, meta int
 	}
 	d.Set("connector_id", output.ConnectorId)
 	d.Set("logging_role", output.LoggingRole)
+	d.Set("security_policy_name", output.SecurityPolicyName)
 	if err := d.Set("sftp_config", flattenSftpConfig(output.SftpConfig)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting sftp_config: %s", err)
 	}
@@ -220,6 +235,10 @@ func resourceConnectorUpdate(ctx context.Context, d *schema.ResourceData, meta i
 			input.LoggingRole = aws.String(d.Get("logging_role").(string))
 		}
 
+		if d.HasChange("security_policy_name") {
+			input.SecurityPolicyName = aws.String(d.Get("security_policy_name").(string))
+		}
+
 		if d.HasChange("sftp_config") {
 			input.SftpConfig = expandSftpConfig(d.Get("sftp_config").([]interface{}))
 		}

@@ -96,6 +96,41 @@ func TestAccTransferConnector_sftpConfig(t *testing.T) {
 	})
 }
 
+func TestAccTransferConnector_securityPolicyName(t *testing.T) {
+	ctx := acctest.Context(t)
+	var conf transfer.DescribedConnector
+	resourceName := "aws_transfer_connector.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNt3kA/dBkS6ZyU/sVDiGMuWJQaRPmLNbs/25K/e/fIl07ZWUgqqsFkcycLLMNFGD30Cmgp6XCXfNlIjzFWhNam+4cBb4DPpvieUw44VgsHK5JQy3JKlUfglmH5rs4G5pLiVfZpFU6jqvTsu4mE1CHCP0sXJlJhGxMG3QbsqYWNKiqGFEhuzGMs6fQlMkNiXsFoDmh33HAcXCbaFSC7V7xIqT1hlKu0iOL+GNjMj4R3xy0o3jafhO4MG2s3TwCQQCyaa5oyjL8iP8p3L9yp6cbIcXaS72SIgbCSGCyrcQPIKP2lJJHvE1oVWzLVBhR4eSzrlFDv7K4IErzaJmHqdiz" // nosemgrep:ci.ssh-key
+	url := "sftp://s-fakeserver.server.transfer.test.amazonaws.com"
+	securityPolicyName := "TransferSFTPConnectorSecurityPolicy-2024-03"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckPartitionHasService(t, transfer.EndpointsID)
+			testAccPreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.TransferServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckConnectorDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConnectorConfig_securityPolicyName(rName, url, publicKey, securityPolicyName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckConnectorExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", securityPolicyName),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccTransferConnector_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
 	var conf transfer.DescribedConnector
@@ -295,6 +330,26 @@ resource "aws_transfer_connector" "test" {
 `, rName, url))
 }
 
+func testAccConnectorConfig_securityPolicyName(rName, url, publickey, securityPolicyName string) string {
+	return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(`
+resource "aws_transfer_connector" "test" {
+  access_role = aws_iam_role.test.arn
+
+  sftp_config {
+    trusted_host_keys = [%[3]q]
+    user_secret_id    = aws_secretsmanager_secret.test.id
+  }
+
+  url                  = %[2]q
+  security_policy_name = %[4]q
+}
+
+resource "aws_secretsmanager_secret" "test" {
+  name = %[1]q
+}
+`, rName, url, publickey, securityPolicyName))
+}
+
 func testAccConnectorConfig_sftpConfig(rName, url, publickey string) string {
 	return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(`
 resource "aws_transfer_connector" "test" {

@@ -51,6 +51,7 @@ This resource supports the following arguments:
 * `access_role` - (Required) The IAM Role which provides read and write access to the parent directory of the file location mentioned in the StartFileTransfer request.
 * `as2_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `logging_role` - (Optional) The IAM Role which is required for allowing the connector to turn on CloudWatch logging for Amazon S3 events.
+* `security_policy_name` - (Optional) Name of the security policy for the connector.
 * `sftp_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `url` - (Required) The URL of the partners AS2 endpoint or SFTP endpoint.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.