New Resource: aws_guardduty_publishing_destination (#13894)

* Implementation of resource new resource type for GuardDuty S3 Export (#10920) * Added tests and documentation * Fixed test namings * Fixed linter issues and removed explicit import test case * Fixed HCL formatting in documentation * Fixed some namings and sidebar link * Update/refactor publishing destination (#1) * Merged latest master changes and resolved conflicts * Merged from Upstream master and squashed commits * Delete defaults.go * Removed changes from vendor subdirectory and synched with master. * Refactor GuardDuty to waiter pattern * Remove unused constant * Small refactor based on PR review * Add disappears test and refactor based on PR review * Refactor based on PR review * Refactor according to PR review * Additional fix wrt tf 0.12 Co-authored-by: Sebastian Häpe <[email protected]> Co-authored-by: shaepe <[email protected]>
hashicorp · Aug 25, 2020 · 3096084 · 3096084
1 parent ad72a4d
commit 3096084
Show file tree

Hide file tree

Showing 7 changed files with 667 additions and 2 deletions.
diff --git a/aws/internal/service/guardduty/waiter/waiter.go b/aws/internal/service/guardduty/waiter/waiter.go
@@ -3,6 +3,7 @@ package waiter
 import (
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/guardduty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
@@ -14,12 +15,19 @@ const (
 	// Maximum amount of time to wait for an AdminAccount to return NotFound
 	AdminAccountNotFoundTimeout = 5 * time.Minute
 
+	// Maximum amount of time to wait for a PublishingDestination to return Publishing
+	PublishingDestinationCreatedTimeout    = 5 * time.Minute
+	PublishingDestinationCreatedMinTimeout = 3 * time.Second
+
 	// Maximum amount of time to wait for membership to propagate
 	// When removing Organization Admin Accounts, there is eventual
 	// consistency even after the account is no longer listed.
 	// Reference error message:
 	// BadRequestException: The request is rejected because the current account cannot delete detector while it has invited or associated members.
 	MembershipPropagationTimeout = 2 * time.Minute
+
+	// Constants not currently provided by the AWS Go SDK
+	guardDutyPublishingStatusFailed = "FAILED"
 )
 
 // AdminAccountEnabled waits for an AdminAccount to return Enabled
@@ -57,3 +65,35 @@ func AdminAccountNotFound(conn *guardduty.GuardDuty, adminAccountID string) (*gu
 
 	return nil, err
 }
+
+// PublishingDestinationCreated waits for GuardDuty to return Publishing
+func PublishingDestinationCreated(conn *guardduty.GuardDuty, destinationID, detectorID string) (*guardduty.CreatePublishingDestinationOutput, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{guardduty.PublishingStatusPendingVerification},
+		Target:  []string{guardduty.PublishingStatusPublishing},
+		Refresh: guardDutyPublishingDestinationRefreshStatusFunc(conn, destinationID, detectorID),
+		Timeout: PublishingDestinationCreatedTimeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
+	if v, ok := outputRaw.(*guardduty.CreatePublishingDestinationOutput); ok {
+		return v, err
+	}
+
+	return nil, err
+}
+
+func guardDutyPublishingDestinationRefreshStatusFunc(conn *guardduty.GuardDuty, destinationID, detectorID string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		input := &guardduty.DescribePublishingDestinationInput{
+			DetectorId:    aws.String(detectorID),
+			DestinationId: aws.String(destinationID),
+		}
+		resp, err := conn.DescribePublishingDestination(input)
+		if err != nil {
+			return nil, guardDutyPublishingStatusFailed, err
+		}
+		return resp, aws.StringValue(resp.Status), nil
+	}
+}
diff --git a/aws/provider.go b/aws/provider.go
@@ -626,6 +626,7 @@ func Provider() *schema.Provider {
 			"aws_glue_trigger":                                        resourceAwsGlueTrigger(),
 			"aws_glue_workflow":                                       resourceAwsGlueWorkflow(),
 			"aws_guardduty_detector":                                  resourceAwsGuardDutyDetector(),
+			"aws_guardduty_publishing_destination":                    resourceAwsGuardDutyPublishingDestination(),
 			"aws_guardduty_invite_accepter":                           resourceAwsGuardDutyInviteAccepter(),
 			"aws_guardduty_ipset":                                     resourceAwsGuardDutyIpset(),
 			"aws_guardduty_member":                                    resourceAwsGuardDutyMember(),

diff --git a/aws/resource_aws_guardduty_detector_test.go b/aws/resource_aws_guardduty_detector_test.go
@@ -15,8 +15,9 @@ import (
 
 func init() {
 	resource.AddTestSweepers("aws_guardduty_detector", &resource.Sweeper{
-		Name: "aws_guardduty_detector",
-		F:    testSweepGuarddutyDetectors,
+		Name:         "aws_guardduty_detector",
+		F:            testSweepGuarddutyDetectors,
+		Dependencies: []string{"aws_guardduty_publishing_destination"},
 	})
 }
 

diff --git a/aws/resource_aws_guardduty_publishing_destination.go b/aws/resource_aws_guardduty_publishing_destination.go
@@ -0,0 +1,181 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/guardduty"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/guardduty/waiter"
+)
+
+func resourceAwsGuardDutyPublishingDestination() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsGuardDutyPublishingDestinationCreate,
+		Read:   resourceAwsGuardDutyPublishingDestinationRead,
+		Update: resourceAwsGuardDutyPublishingDestinationUpdate,
+		Delete: resourceAwsGuardDutyPublishingDestinationDelete,
+
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"detector_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"destination_type": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  guardduty.DestinationTypeS3,
+				ValidateFunc: validation.StringInSlice([]string{
+					guardduty.DestinationTypeS3,
+				}, false),
+			},
+			"destination_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateArn,
+			},
+			"kms_key_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateArn,
+			},
+		},
+	}
+}
+
+func resourceAwsGuardDutyPublishingDestinationCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).guarddutyconn
+
+	detectorID := d.Get("detector_id").(string)
+	input := guardduty.CreatePublishingDestinationInput{
+		DetectorId: aws.String(detectorID),
+		DestinationProperties: &guardduty.DestinationProperties{
+			DestinationArn: aws.String(d.Get("destination_arn").(string)),
+			KmsKeyArn:      aws.String(d.Get("kms_key_arn").(string)),
+		},
+		DestinationType: aws.String(d.Get("destination_type").(string)),
+	}
+
+	log.Printf("[DEBUG] Creating GuardDuty publishing destination: %s", input)
+	output, err := conn.CreatePublishingDestination(&input)
+	if err != nil {
+		return fmt.Errorf("Creating GuardDuty publishing destination failed: %w", err)
+	}
+
+	_, err = waiter.PublishingDestinationCreated(conn, *output.DestinationId, detectorID)
+
+	if err != nil {
+		return fmt.Errorf("Error waiting for GuardDuty PublishingDestination status to be \"%s\": %w",
+			guardduty.PublishingStatusPublishing, err)
+	}
+
+	d.SetId(fmt.Sprintf("%s:%s", d.Get("detector_id"), aws.StringValue(output.DestinationId)))
+
+	return resourceAwsGuardDutyPublishingDestinationRead(d, meta)
+}
+
+func resourceAwsGuardDutyPublishingDestinationRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).guarddutyconn
+
+	destinationId, detectorId, errStateRead := decodeGuardDutyPublishDestinationID(d.Id())
+
+	if errStateRead != nil {
+		return errStateRead
+	}
+
+	input := &guardduty.DescribePublishingDestinationInput{
+		DetectorId:    aws.String(detectorId),
+		DestinationId: aws.String(destinationId),
+	}
+
+	log.Printf("[DEBUG] Reading GuardDuty publishing destination: %s", input)
+	gdo, err := conn.DescribePublishingDestination(input)
+	if err != nil {
+		if isAWSErr(err, guardduty.ErrCodeBadRequestException, "The request is rejected because the one or more input parameters have invalid values.") {
+			log.Printf("[WARN] GuardDuty publishing destination: %q not found, removing from state", d.Id())
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Reading GuardDuty publishing destination: '%s' failed: %w", d.Id(), err)
+	}
+
+	d.Set("detector_id", detectorId)
+	d.Set("destination_type", gdo.DestinationType)
+	d.Set("kms_key_arn", gdo.DestinationProperties.KmsKeyArn)
+	d.Set("destination_arn", gdo.DestinationProperties.DestinationArn)
+	return nil
+}
+
+func resourceAwsGuardDutyPublishingDestinationUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).guarddutyconn
+
+	destinationId, detectorId, errStateRead := decodeGuardDutyPublishDestinationID(d.Id())
+
+	if errStateRead != nil {
+		return errStateRead
+	}
+
+	input := guardduty.UpdatePublishingDestinationInput{
+		DestinationId: aws.String(destinationId),
+		DetectorId:    aws.String(detectorId),
+		DestinationProperties: &guardduty.DestinationProperties{
+			DestinationArn: aws.String(d.Get("destination_arn").(string)),
+			KmsKeyArn:      aws.String(d.Get("kms_key_arn").(string)),
+		},
+	}
+
+	log.Printf("[DEBUG] Update GuardDuty publishing destination: %s", input)
+	_, err := conn.UpdatePublishingDestination(&input)
+	if err != nil {
+		return fmt.Errorf("Updating GuardDuty publishing destination '%s' failed: %w", d.Id(), err)
+	}
+
+	return resourceAwsGuardDutyPublishingDestinationRead(d, meta)
+}
+
+func resourceAwsGuardDutyPublishingDestinationDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).guarddutyconn
+
+	destinationId, detectorId, errStateRead := decodeGuardDutyPublishDestinationID(d.Id())
+
+	if errStateRead != nil {
+		return errStateRead
+	}
+
+	input := guardduty.DeletePublishingDestinationInput{
+		DestinationId: aws.String(destinationId),
+		DetectorId:    aws.String(detectorId),
+	}
+
+	log.Printf("[DEBUG] Delete GuardDuty publishing destination: %s", input)
+	_, err := conn.DeletePublishingDestination(&input)
+
+	if isAWSErr(err, guardduty.ErrCodeBadRequestException, "") {
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("Deleting GuardDuty publishing destination '%s' failed: %w", d.Id(), err)
+	}
+
+	return nil
+}
+
+func decodeGuardDutyPublishDestinationID(id string) (destinationID, detectorID string, err error) {
+	parts := strings.Split(id, ":")
+	if len(parts) != 2 {
+		err = fmt.Errorf("GuardDuty Publishing Destination ID must be of the form <Detector ID>:<Publishing Destination ID>, was provided: %s", id)
+		return
+	}
+	destinationID = parts[1]
+	detectorID = parts[0]
+	return
+}