New Resource: aws_guardduty_member #2911
Conversation
Ninir
added
enhancement
bflad
added
the
service/guardduty
| log.Printf("[DEBUG] Reading GuardDuty Member: %s", input) | ||
| gmo, err := conn.GetMembers(&input) | ||
| if err != nil { | ||
| if isAWSErr(err, guardduty.ErrCodeBadRequestException, "The request is rejected because the input detectorId is not owned by the current account.") { |
There was a problem hiding this comment.
Yeah its like S3 NoSuchBucket in this regard. 😢
aws/resource_aws_guardduty_member.go
Outdated
| member := gmo.Members[0] | ||
| d.Set("account_id", *member.AccountId) | ||
| d.Set("detector_id", detectorID) | ||
| d.Set("email", *member.Email) |
There was a problem hiding this comment.
Dereferencing here is not necessary, or in fact undesired. Set() will perform safe dereferencing - meaning that it won't crash on nil. We had many crash reports caused by this in the past which led us to this thought.
Do you mind changing it accordingly? 😉
There was a problem hiding this comment.
💯 I'll update this code and personally file this under "leave the stars to the night sky"!
aws/resource_aws_guardduty_member.go
Outdated
|
|
||
| idParts := strings.Split(d.Id(), ":") | ||
| accountID := idParts[1] | ||
| detectorID := idParts[0] |
There was a problem hiding this comment.
Q: What happens if the user passes only one ID? Isn't it going to crash here because Split() won't return [1]?
I think it would be nice to have a helper function for this, e.g. accId, detectorId, err := decodeGuardDutyMemberId(d.Id()) and keep the error message there.
There was a problem hiding this comment.
Oi! This is a very good catch! I totally forgot to split it out into a decode function with the error checking after initially writing it.
| "Member": { | ||
| "basic": testAccAwsGuardDutyMember_basic, | ||
| "import": testAccAwsGuardDutyMember_import, | ||
| }, |
There was a problem hiding this comment.
I assume there can be more than 1 member per AWS account, so we don't need to make these tests synchronous? Unless I'm mistaken...
There was a problem hiding this comment.
This needs to be like this because its like AWS Config, where it can only be activated once in a region, so we're left with serially doing one test at a time since we turn the GuardDuty detector on and off each test.
radeksimko
added
the
waiting-response
* Do not unsafely dereference member attributes for d.Set() * Separate ID parsing into decodeGuardDutyMemberID with error checking
|
Updated and verified locally! Thanks for those very important catches. 🚀 |
bflad
removed
the
waiting-response
aws/resource_aws_guardduty_member.go
Outdated
| func decodeGuardDutyMemberID(id string) (accountID, detectorID string, err error) { | ||
| parts := strings.Split(id, ":") | ||
| if len(parts) != 2 { | ||
| err = fmt.Errorf("GuardDuty Member ID must be of the form <Detector ID>:<Member AWS Account ID>") |
There was a problem hiding this comment.
Nitpick: We could include the real ID in the error message here.
| "Member": { | ||
| "basic": testAccAwsGuardDutyMember_basic, | ||
| "import": testAccAwsGuardDutyMember_import, | ||
| }, |
|
This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
* commit 'b9284490eff637460fef663794a496d363e19f10': (190 commits) v1.7.0 Update CHANGELOG.md d/aws_ssm_parameter: Support returning raw encrypted SecureString value. (hashicorp#2777) Bump aws-sdk-go to v1.12.60 Update CHANGELOG.md Add acceptance test for import + randomization Removed reference to Core fixes Add instructions for vendor updates Use AWS example instead of Azure Update CHANGELOG for hashicorp#2833 Update CHANGELOG.md r/lb_target_group: Fix validation rules for LB's healthcheck Update CHANGELOG for hashicorp#2911 r/aws_guardduty_member: Provide given ID in error message when incorrect format Update CHANGELOG.md Update CHANGELOG with hashicorp#2888 r/aws_guardduty_member: hashicorp#2911 PR review r/aws_cloudwatch_event_permission: hashicorp#2888 PR review Makefile: Fixed test outputs resource/aws_lb+aws_elb: Fix regression with undefined 'name' ... # Conflicts: # .gitignore # aws/data_source_aws_s3_bucket_object.go # aws/resource_aws_elasticsearch_domain.go
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
References: