diff --git a/.changelog/34261.txt b/.changelog/34261.txt new file mode 100644 index 00000000000..6dabb2e3183 --- /dev/null +++ b/.changelog/34261.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_inspector2_organization_configuration: Add `lambda_code` argument to the `auto_enable` configuration block +``` diff --git a/internal/service/inspector2/inspector2_test.go b/internal/service/inspector2/inspector2_test.go index 272f4e044a9..22f10ed5c12 100644 --- a/internal/service/inspector2/inspector2_test.go +++ b/internal/service/inspector2/inspector2_test.go @@ -39,6 +39,7 @@ func TestAccInspector2_serial(t *testing.T) { "disappears": testAccOrganizationConfiguration_disappears, "ec2ECR": testAccOrganizationConfiguration_ec2ECR, "lambda": testAccOrganizationConfiguration_lambda, + "lambdaCode": testAccOrganizationConfiguration_lambdaCode, }, } diff --git a/internal/service/inspector2/organization_configuration.go b/internal/service/inspector2/organization_configuration.go index 9e67587d079..3f4d43e1f3a 100644 --- a/internal/service/inspector2/organization_configuration.go +++ b/internal/service/inspector2/organization_configuration.go @@ -56,6 +56,11 @@ func ResourceOrganizationConfiguration() *schema.Resource { Optional: true, Default: false, }, + "lambda_code": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, }, }, }, 
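Review bot: The new `lambda_code` schema entry accepts `lambda_code = true` together with `lambda = false` at plan time, although the documentation hunk in this same commit states that Lambda code scanning requires Lambda standard scanning to be active; as written, that combination is presumably only rejected by the API during apply, after the delegated-admin resource has already been created. Consider adding a `CustomizeDiff` on the resource that returns an error when `auto_enable.0.lambda_code` is `true` and `auto_enable.0.lambda` is `false`, so the misconfiguration surfaces in `terraform plan`. The enclosing `schema.Resource` literal starts and ends outside the hunk.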
@@ -126,7 +131,7 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err) } - if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil { + if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Get("auto_enable.0.lambda_code").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil { return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err) } @@ -141,9 +146,10 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso in := &inspector2.UpdateOrganizationConfigurationInput{ AutoEnable: &types.AutoEnable{ - Ec2: aws.Bool(false), - Ecr: aws.Bool(false), - Lambda: aws.Bool(false), + Ec2: aws.Bool(false), + Ecr: aws.Bool(false), + Lambda: aws.Bool(false), + LambdaCode: aws.Bool(false), }, } 
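Review bot: The wait call now takes four positional `bool`s, and the same shape appears in the Delete hunk at @@ -153 (`false, false, false, false`) and in the signature of `waitOrganizationConfigurationUpdated` in the next hunk; a transposed pair compiles silently and only shows up later as a wait timeout. Passing the `*types.AutoEnable` that is sent to the API would remove that risk and let the needle be formatted by the same code path `statusOrganizationConfiguration` uses, e.g. `if err := waitOrganizationConfigurationUpdated(ctx, conn, in.AutoEnable, d.Timeout(schema.TimeoutUpdate)); err != nil {` — assuming the request struct built earlier in `resourceOrganizationConfigurationUpdate` is named `in` as it is in Delete (that part of the function is outside the hunk).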
@@ -153,25 +159,33 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err) } - if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil { + if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil { return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err) } return nil } -func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda bool, timeout time.Duration) error { - needle := fmt.Sprintf("%t:%t:%t", ec2, ecr, lambda) +func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda, lambda_code bool, timeout time.Duration) error { + needle := fmt.Sprintf("%t:%t:%t:%t", ec2, ecr, lambda, lambda_code) all := []string{ - fmt.Sprintf("%t:%t:%t", false, false, false), - fmt.Sprintf("%t:%t:%t", false, true, false), - fmt.Sprintf("%t:%t:%t", false, false, true), - fmt.Sprintf("%t:%t:%t", false, true, true), - fmt.Sprintf("%t:%t:%t", true, false, false), - fmt.Sprintf("%t:%t:%t", true, false, true), - fmt.Sprintf("%t:%t:%t", true, true, false), - fmt.Sprintf("%t:%t:%t", true, true, true), + fmt.Sprintf("%t:%t:%t:%t", false, false, false, false), + fmt.Sprintf("%t:%t:%t:%t", false, false, false, true), + fmt.Sprintf("%t:%t:%t:%t", false, true, false, false), + fmt.Sprintf("%t:%t:%t:%t", false, true, false, true), + fmt.Sprintf("%t:%t:%t:%t", false, false, true, false), + fmt.Sprintf("%t:%t:%t:%t", false, false, true, true), + fmt.Sprintf("%t:%t:%t:%t", false, true, true, false), + fmt.Sprintf("%t:%t:%t:%t", false, true, true, true), + fmt.Sprintf("%t:%t:%t:%t", true, false, false, false), + fmt.Sprintf("%t:%t:%t:%t", true, false, false, true), + 
fmt.Sprintf("%t:%t:%t:%t", true, false, true, false), + fmt.Sprintf("%t:%t:%t:%t", true, false, true, true), + fmt.Sprintf("%t:%t:%t:%t", true, true, false, false), + fmt.Sprintf("%t:%t:%t:%t", true, true, false, true), + fmt.Sprintf("%t:%t:%t:%t", true, true, true, false), + fmt.Sprintf("%t:%t:%t:%t", true, true, true, true), } for i, v := range all { @@ -207,7 +221,7 @@ func statusOrganizationConfiguration(ctx context.Context, conn *inspector2.Clien return nil, "", err } - return out, fmt.Sprintf("%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda)), nil + return out, fmt.Sprintf("%t:%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda), aws.ToBool(out.AutoEnable.LambdaCode)), nil } } @@ -230,6 +244,10 @@ func flattenAutoEnable(apiObject *types.AutoEnable) map[string]interface{} { m["lambda"] = aws.ToBool(v) } + if v := apiObject.LambdaCode; v != nil { + m["lambda_code"] = aws.ToBool(v) + } + return m } @@ -252,5 +270,9 @@ func expandAutoEnable(tfMap map[string]interface{}) *types.AutoEnable { a.Lambda = aws.Bool(v) } + if v, ok := tfMap["lambda_code"].(bool); ok { + a.LambdaCode = aws.Bool(v) + } + return a } diff --git a/internal/service/inspector2/organization_configuration_test.go b/internal/service/inspector2/organization_configuration_test.go index ce25b150978..ccf26e03ee0 100644 --- a/internal/service/inspector2/organization_configuration_test.go +++ b/internal/service/inspector2/organization_configuration_test.go 
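Review bot: The new parameter is named `lambda_code` in the signature of `waitOrganizationConfigurationUpdated` and again in `testAccOrganizationConfigurationConfig_lambda` (hunk @@ -259 in the test file); Go identifiers use MixedCaps, so both should be `lambdaCode`, and `go vet`/`staticcheck` style checks will flag the underscore. The hand-written 16-entry `all` literal is also easy to get out of sync with the `"%t:%t:%t:%t"` needle format the next time a flag is added; it can be generated from a 4-bit counter in the same layout, assuming the loop that follows (the rest of the function is outside the hunk) treats `all` as a set rather than depending on the literal's order. The rewrite below keeps the format string in one place per function; a small shared helper that formats a `*types.AutoEnable` would additionally keep it aligned with `statusOrganizationConfiguration`.
```go
func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda, lambdaCode bool, timeout time.Duration) error {
	needle := fmt.Sprintf("%t:%t:%t:%t", ec2, ecr, lambda, lambdaCode)

	// Every combination of the four flags, in the same layout as needle.
	all := make([]string, 0, 16)
	for bits := 0; bits < 16; bits++ {
		all = append(all, fmt.Sprintf("%t:%t:%t:%t", bits&8 != 0, bits&4 != 0, bits&2 != 0, bits&1 != 0))
	}

	for i, v := range all {
	// … unchanged: remainder of the loop and function (outside the hunk) …
```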
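Review bot: The rewritten return in `statusOrganizationConfiguration` dereferences `out.AutoEnable` four times with no nil check visible in the hunk, while the destroy check in the test file (hunk @@ -164) guards `out.AutoEnable != nil` before reading the same fields, which suggests the API can leave it unset. Unless a guard exists above the hunk (the function starts outside it), a nil `AutoEnable` would panic inside the status poller rather than surface as a wait error; a guard such as `if out == nil || out.AutoEnable == nil { return nil, "", nil }` before the return would avoid that — whether a nil result is the right "not yet there" signal depends on the retry helper this status function is wired into, so verify against it.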
@@ -119,12 +119,42 @@ func testAccOrganizationConfiguration_lambda(t *testing.T) { CheckDestroy: testAccCheckOrganizationConfigurationDestroy(ctx), Steps: []resource.TestStep{ { - Config: testAccOrganizationConfigurationConfig_lambda(false, false, true), + Config: testAccOrganizationConfigurationConfig_lambda(false, false, true, false), Check: resource.ComposeTestCheckFunc( testAccCheckOrganizationConfigurationExists(ctx, resourceName), resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"), resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"), resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"), + resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda_code", "false"), + ), + }, + }, + }) +} + +func testAccOrganizationConfiguration_lambdaCode(t *testing.T) { + ctx := acctest.Context(t) + resourceName := "aws_inspector2_organization_configuration.test" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) + acctest.PreCheckInspector2(ctx, t) + acctest.PreCheckOrganizationManagementAccount(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckOrganizationConfigurationDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccOrganizationConfigurationConfig_lambda(false, false, true, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckOrganizationConfigurationExists(ctx, resourceName), + resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"), + resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"), + resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"), + resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda_code", "true"), ), }, }, 
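Review bot: `testAccOrganizationConfiguration_lambdaCode` has a single create step, so the Update path that now forwards `auto_enable.0.lambda_code` to the wait call (hunk @@ -126 in organization_configuration.go) is never exercised by the new test; a second `resource.TestStep` that re-applies `testAccOrganizationConfigurationConfig_lambda(false, false, true, false)` and checks `resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda_code", "false")` would cover the flag being turned off without destroying the resource. The new function is otherwise a line-for-line copy of `testAccOrganizationConfiguration_lambda` with one argument and one check changed; if further flags are expected, folding these into one table-driven test over the config arguments would keep the PreCheck/ErrorCheck boilerplate in one place.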
@@ -164,7 +194,7 @@ func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource. return create.Error(names.Inspector2, create.ErrActionCheckingDestroyed, tfinspector2.ResNameOrganizationConfiguration, rs.Primary.ID, err) } - if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) { + if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) && !aws.ToBool(out.AutoEnable.LambdaCode) { if enabledDelAdAcct { if err := testDisableDelegatedAdminAccount(ctx, conn, acctest.AccountID()); err != nil { return err @@ -259,7 +289,7 @@ resource "aws_inspector2_organization_configuration" "test" { `, ec2, ecr) } -func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda bool) string { +func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda, lambda_code bool) string { return fmt.Sprintf(` data "aws_caller_identity" "current" {} resource "aws_inspector2_delegated_admin_account" "test" { @@ -267,11 +297,12 @@ resource "aws_inspector2_delegated_admin_account" "test" { } resource "aws_inspector2_organization_configuration" "test" { auto_enable { - ec2 = %[1]t - ecr = %[2]t - lambda = %[3]t + ec2 = %[1]t + ecr = %[2]t + lambda = %[3]t + lambda_code = %[4]t } depends_on = [aws_inspector2_delegated_admin_account.test] } -`, ec2, ecr, lambda) +`, ec2, ecr, lambda, lambda_code) } diff --git a/website/docs/r/inspector2_organization_configuration.html.markdown b/website/docs/r/inspector2_organization_configuration.html.markdown index 9c321ccd193..316aac966a0 100644 --- a/website/docs/r/inspector2_organization_configuration.html.markdown +++ b/website/docs/r/inspector2_organization_configuration.html.markdown 
@@ -12,7 +12,7 @@ Terraform resource for managing an Amazon Inspector Organization Configuration. ~> **NOTE:** In order for this resource to work, the account you use must be an Inspector Delegated Admin Account. -~> **NOTE:** When this resource is deleted, EC2, ECR and Lambda scans will no longer be automatically enabled for new members of your Amazon Inspector organization. +~> **NOTE:** When this resource is deleted, EC2, ECR, Lambda, and Lambda code scans will no longer be automatically enabled for new members of your Amazon Inspector organization. ## Example Usage @@ -21,9 +21,10 @@ Terraform resource for managing an Amazon Inspector Organization Configuration. ```terraform resource "aws_inspector2_organization_configuration" "example" { auto_enable { - ec2 = true - ecr = false - lambda = true + ec2 = true + ecr = false + lambda = true + lambda_code = true } } ``` @@ -39,6 +40,7 @@ The following arguments are required: * `ec2` - (Required) Whether Amazon EC2 scans are automatically enabled for new members of your Amazon Inspector organization. * `ecr` - (Required) Whether Amazon ECR scans are automatically enabled for new members of your Amazon Inspector organization. * `lambda` - (Optional) Whether Lambda Function scans are automatically enabled for new members of your Amazon Inspector organization. +* `lambda_code` - (Optional) Whether AWS Lambda code scans are automatically enabled for new members of your Amazon Inspector organization. **Note:** Lambda code scanning requires Lambda standard scanning to be activated. Consequently, if you are setting this argument to `true`, you must also set the `lambda` argument to `true`. See [Scanning AWS Lambda functions with Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-code-scans) for more information. ## Attribute Reference