New resource: aws_macie_s3_bucket_association

[ewbankkit]

Fixes #4992.
This is the initial Amazon Macie resource, associating S3 resources with Amazon Macie for monitoring and data classification.

Acceptance tests:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSMacieS3BucketAssociation_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -run=TestAccAWSMacieS3BucketAssociation_ -timeout 120m
=== RUN   TestAccAWSMacieS3BucketAssociation_basic
--- PASS: TestAccAWSMacieS3BucketAssociation_basic (67.79s)
=== RUN   TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix
--- PASS: TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix (71.10s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	152.742s

[bflad]

Hi @ewbankkit 👋 Thanks for submitting this! I left some initial feedback below. Can you please take a look or let us know if you do not have time to implement it?

[bflad]

Nitpick: This indirection is unnecessary as its only used once for a one-liner. It seems like we should also include the member account ID so we can easily support passthrough import.

[ewbankkit]

OK, I'll fix.

[bflad]

Nitpick: The else nesting here is extraneous as the if has a return statement.

[ewbankkit]

👍

[bflad]

We should prefer to use the available SDK paginated function: https://docs.aws.amazon.com/sdk-for-go/api/service/macie/#Macie.ListS3ResourcesPages

[ewbankkit]

👍

[bflad]

To prevent potential panics, we should perform a nil check for res.ClassificationType before dereferencing.

We also generally prefer to move this type of logic into a "flatten" function, e.g.

func flattenMacieClassificationType(classificationType *macie.ClassificationType) []map[string]interface{} {
  if classificationType == nil {
    return []map[string]interface{}{}
  }
  m := map[string]interface{}{
    "one_time": false,
  }
  if aws.StringValue(res.ClassificationType.OneTime) == macie.S3OneTimeClassificationTypeFull {
    m["one_time"] = true
  }
  return []map[string]interface{}{m}
}

We should also provide a helpful error message when d.Set() fails, e.g.

if err := d.Set("classification_type", flattenMacieClassificationType(res.ClassificationType)); err != nil {
  return fmt.Errorf("error setting classification_type: %s", err)
}

[ewbankkit]

👍

[bflad]

We might want to consider following the SDK and using a TypeString with the constant values in case they introduce additional types. This will also simplify the logic to remove the conditional handling.

[ewbankkit]

Agreed, trying to second guess what might come in the future is guaranteed compatibility pain.
I'll also add in the continuous attribute of TypeString.

[bflad]

Is there a way to programatically enable/disable Macie?

=== RUN   TestAccAWSMacieS3BucketAssociation_basic
--- FAIL: TestAccAWSMacieS3BucketAssociation_basic (6.07s)
	testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:
		
		* aws_macie_s3_bucket_association.test: 1 error(s) occurred:
		
		* aws_macie_s3_bucket_association.test: Error creating Macie S3 bucket association: InvalidInputException: The request was rejected. Macie is not enabled for this AWS account *******.

[ewbankkit]

I'll see if AssociateMemberAccount with the current account ID does that.
I just manually enabled Macie via the console.

[ewbankkit]

No, it looks like Macie cannot programatically be enabled:

$ aws --region us-east-1 macie list-member-accounts

An error occurred (InvalidInputException) when calling the ListMemberAccounts operation: The request was rejected. Macie is not enabled for this AWS account 999999999999.
$ aws --region us-east-1 macie associate-member-account --member-account-id 999999999999

An error occurred (InvalidInputException) when calling the AssociateMemberAccount operation: The request was rejected. Macie is not enabled for this AWS account 999999999999.

I'll add a link to the manual setup instructions to the documentation.

[bflad]

We should prefer to also use the paginated method here 👍

[ewbankkit]

👍

[bflad]

This function should perform similar logic as the destroy check above to ensure the S3 resources are appropriately allocated in Macie.

[ewbankkit]

👍

[ewbankkit]

Yes, should get time to address these today.

[ewbankkit]

Acceptance tests after code review changes:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSMacieS3BucketAssociation_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -run=TestAccAWSMacieS3BucketAssociation_ -timeout 120m
=== RUN   TestAccAWSMacieS3BucketAssociation_basic
--- PASS: TestAccAWSMacieS3BucketAssociation_basic (65.16s)
=== RUN   TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix
--- PASS: TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix (72.33s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	138.118s

[bflad]

Looks great, thanks @ewbankkit! 🚀

2 tests passed (all tests)
=== RUN   TestAccAWSMacieS3BucketAssociation_basic
--- PASS: TestAccAWSMacieS3BucketAssociation_basic (23.34s)
=== RUN   TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix
--- PASS: TestAccAWSMacieS3BucketAssociation_accountIdAndPrefix (28.21s)

[bflad]

This has been released in version 1.28.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!