From 58eb1a9038f279507b439c02ffec2e336020d92e Mon Sep 17 00:00:00 2001 From: Daniel Rieske Date: Sat, 21 Oct 2023 22:06:20 +0200 Subject: [PATCH 1/8] feat: added image scanning configuration fields --- internal/service/imagebuilder/image.go | 46 ++++++++++++++++ .../service/imagebuilder/image_data_source.go | 37 +++++++++++++ .../imagebuilder/image_data_source_test.go | 11 ++++ internal/service/imagebuilder/image_test.go | 52 ++++++++++++++++++- .../docs/d/imagebuilder_image.html.markdown | 5 ++ .../docs/r/imagebuilder_image.html.markdown | 15 ++++++ 6 files changed, 164 insertions(+), 2 deletions(-) diff --git a/internal/service/imagebuilder/image.go b/internal/service/imagebuilder/image.go index 18e1e7fbd8ff..9d43f4c09a51 100644 --- a/internal/service/imagebuilder/image.go +++ b/internal/service/imagebuilder/image.go @@ -73,6 +73,42 @@ func ResourceImage() *schema.Resource { ValidateFunc: validation.StringMatch(regexache.MustCompile(`^arn:aws[^:]*:imagebuilder:[^:]+:(?:\d{12}|aws):image-recipe/[0-9a-z_-]+/\d+\.\d+\.\d+$`), "valid image recipe ARN must be provided"), ExactlyOneOf: []string{"container_recipe_arn", "image_recipe_arn"}, }, + "image_scanning_configuration": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "image_scanning_enabled": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "ecr_configuration": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "repository_name": { + Type: schema.TypeString, + Optional: true, + }, + "container_tags": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "image_tests_configuration": { Type: schema.TypeList, Optional: true, 
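Review bot: None of the new attributes under `image_scanning_configuration` — the block itself, `ecr_configuration`, `repository_name`, `container_tags` and `image_scanning_enabled` — is marked `ForceNew`, so a later edit to the scanning settings plans as an in-place update; as far as I know the service has no call that changes an existing image's scanning configuration, so unless `resourceImageUpdate` (not touched by this series) sends it, the edit would be written to state without reaching AWS and state would then claim scanning is enabled for an image that was built without it. The sibling `image_tests_configuration` block is cut off at the hunk edge so I cannot see whether it is `ForceNew`; if it is, add `ForceNew: true,` to each of the new attributes to match. `ResourceImage`'s body starts and ends outside the hunk.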
@@ -202,6 +238,10 @@ func resourceImageCreate(ctx context.Context, d *schema.ResourceData, meta inter
 input.ImageRecipeArn = aws.String(v.(string))
 }
+ if v, ok := d.GetOk("image_scanning_configuration"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+ input.ImageScanningConfiguration = expandImageScanningConfiguration(v.([]interface{})[0].(map[string]interface{}))
+ }
+
 if v, ok := d.GetOk("image_tests_configuration"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
 input.ImageTestsConfiguration = expandImageTestConfiguration(v.([]interface{})[0].(map[string]interface{}))
 }
@@ -272,6 +312,12 @@ func resourceImageRead(ctx context.Context, d *schema.ResourceData, meta interfa
 d.Set("image_recipe_arn", image.ImageRecipe.Arn)
 }
+ if image.ImageScanningConfiguration != nil {
+ d.Set("image_scanning_configuration", []interface{}{flattenImageScanningConfiguration(image.ImageScanningConfiguration)})
+ } else {
+ d.Set("image_scanning_configuration", nil)
+ }
+
 if image.ImageTestsConfiguration != nil {
 d.Set("image_tests_configuration", []interface{}{flattenImageTestsConfiguration(image.ImageTestsConfiguration)})
 } else {
diff --git a/internal/service/imagebuilder/image_data_source.go b/internal/service/imagebuilder/image_data_source.go
index e54fbfa494f6..aac2925941c5 100644
--- a/internal/service/imagebuilder/image_data_source.go
+++ b/internal/service/imagebuilder/image_data_source.go
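Review bot: `expandImageScanningConfiguration` and `flattenImageScanningConfiguration`, called from the new Create and Read lines, are not defined anywhere in this series (the image.go diffstat is fully accounted for by the schema, Create and Read hunks), so they presumably already exist in the package for another resource; worth confirming that the expand tolerates a `map[string]interface{}` whose `ecr_configuration` list is empty and that the flatten tolerates a nil `EcrConfiguration`, since Read now calls it for every image that reports any scanning configuration. The two `d.Set` calls in the Read hunk discard their error, which matches the surrounding `image_tests_configuration` code. `resourceImageCreate` and `resourceImageRead` both start and end outside these hunks.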
@@ -51,6 +51,37 @@ func DataSourceImage() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "image_scanning_configuration": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "image_scanning_enabled": { + Type: schema.TypeBool, + Computed: true, + }, + "ecr_configuration": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "repository_name": { + Type: schema.TypeString, + Computed: true, + }, + "container_tags": { + Type: schema.TypeSet, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, "image_tests_configuration": { Type: schema.TypeList, Computed: true, @@ -193,6 +224,12 @@ func dataSourceImageRead(ctx context.Context, d *schema.ResourceData, meta inter d.Set("image_recipe_arn", image.ImageRecipe.Arn) } + if image.ImageScanningConfiguration != nil { + d.Set("image_scanning_configuration", []interface{}{flattenImageScanningConfiguration(image.ImageScanningConfiguration)}) + } else { + d.Set("image_scanning_configuration", nil) + } + if image.ImageTestsConfiguration != nil { d.Set("image_tests_configuration", []interface{}{flattenImageTestsConfiguration(image.ImageTestsConfiguration)}) } else { diff --git a/internal/service/imagebuilder/image_data_source_test.go b/internal/service/imagebuilder/image_data_source_test.go index f4c2136cf6be..f294f9ea4b49 100644 --- a/internal/service/imagebuilder/image_data_source_test.go +++ b/internal/service/imagebuilder/image_data_source_test.go 
@@ -33,6 +33,7 @@ func TestAccImageBuilderImageDataSource_ARN_aws(t *testing.T) { // nosemgrep:ci. resource.TestCheckNoResourceAttr(dataSourceName, "distribution_configuration_arn"), resource.TestCheckResourceAttr(dataSourceName, "enhanced_image_metadata_enabled", "false"), resource.TestCheckNoResourceAttr(dataSourceName, "image_recipe_arn"), + resource.TestCheckResourceAttr(dataSourceName, "image_scanning_configuration.#", "0"), resource.TestCheckResourceAttr(dataSourceName, "image_tests_configuration.#", "0"), resource.TestCheckNoResourceAttr(dataSourceName, "infrastructure_configuration_arn"), resource.TestCheckResourceAttr(dataSourceName, "name", "Amazon Linux 2 x86"), @@ -69,6 +70,7 @@ func TestAccImageBuilderImageDataSource_ARN_self(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceName, "distribution_configuration_arn", resourceName, "distribution_configuration_arn"), resource.TestCheckResourceAttrPair(dataSourceName, "enhanced_image_metadata_enabled", resourceName, "enhanced_image_metadata_enabled"), resource.TestCheckResourceAttrPair(dataSourceName, "image_recipe_arn", resourceName, "image_recipe_arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "image_scanning_configuration.#", resourceName, "image_scanning_configuration.#"), resource.TestCheckResourceAttrPair(dataSourceName, "image_tests_configuration.#", resourceName, "image_tests_configuration.#"), resource.TestCheckResourceAttrPair(dataSourceName, "infrastructure_configuration_arn", resourceName, "infrastructure_configuration_arn"), resource.TestCheckResourceAttrPair(dataSourceName, "name", resourceName, "name"), 
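Review bot: Both new checks compare only `image_scanning_configuration.#`, so a flatten that returns the block with `image_scanning_enabled` or `ecr_configuration.0.repository_name` missing or wrong would still pass; the same holds for `TestAccImageBuilderImage_imageScanningConfiguration` in image_test.go, which asserts only `"image_scanning_configuration.#", "1"`. Pair the nested values as well, e.g. `resource.TestCheckResourceAttrPair(dataSourceName, "image_scanning_configuration.0.image_scanning_enabled", resourceName, "image_scanning_configuration.0.image_scanning_enabled"),`, and in the resource test check `"image_scanning_configuration.0.image_scanning_enabled", "true"` and `"image_scanning_configuration.0.ecr_configuration.0.container_tags.#", "2"`. The enclosing test functions start and end outside the hunks.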
@@ -362,6 +364,15 @@ resource "aws_imagebuilder_infrastructure_configuration" "test" { resource "aws_imagebuilder_image" "test" { container_recipe_arn = aws_imagebuilder_container_recipe.test.arn infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn + + image_scanning_configuration { + image_scanning_enabled = true + + ecr_configuration { + repository_name = aws_ecr_repository.test.name + container_tags = ["foo", "bar"] + } + } } data "aws_imagebuilder_image" "test" { diff --git a/internal/service/imagebuilder/image_test.go b/internal/service/imagebuilder/image_test.go index f7e9404a0796..e4a26abe5089 100644 --- a/internal/service/imagebuilder/image_test.go +++ b/internal/service/imagebuilder/image_test.go @@ -266,6 +266,28 @@ func TestAccImageBuilderImage_containerRecipeARN(t *testing.T) { }) } +func TestAccImageBuilderImage_imageScanningConfiguration(t *testing.T) { + ctx := acctest.Context(t) + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_imagebuilder_image.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, imagebuilder.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckImageDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccImageConfig_imageScanningConfigurationEnabled(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckImageExists(ctx, resourceName), + resource.TestCheckResourceAttr(resourceName, "image_scanning_configuration.#", "1"), + ), + }, + }, + }) +} + func TestAccImageBuilderImage_outputResources_containers(t *testing.T) { ctx := acctest.Context(t) rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) 
@@ -562,7 +584,7 @@ resource "aws_imagebuilder_image" "test" { `, tagKey1, tagValue1, tagKey2, tagValue2)) } -func testAccImageConfig_containerRecipe(rName string) string { +func testAccImageConfig_containerRecipeBase(rName string) string { return fmt.Sprintf(` data "aws_region" "current" {} @@ -682,10 +704,36 @@ resource "aws_imagebuilder_infrastructure_configuration" "test" { depends_on = [aws_default_route_table.test] } + `, rName) +} +func testAccImageConfig_containerRecipe(rName string) string { + return acctest.ConfigCompose( + testAccImageConfig_containerRecipeBase(rName), + fmt.Sprintf(` resource "aws_imagebuilder_image" "test" { container_recipe_arn = aws_imagebuilder_container_recipe.test.arn infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn } -`, rName) +`)) +} + +func testAccImageConfig_imageScanningConfigurationEnabled(rName string) string { + return acctest.ConfigCompose( + testAccImageConfig_containerRecipeBase(rName), + fmt.Sprintf(` +resource "aws_imagebuilder_image" "test" { + container_recipe_arn = aws_imagebuilder_container_recipe.test.arn + infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn + + image_scanning_configuration { + image_scanning_enabled = true + + ecr_configuration { + repository_name = aws_ecr_repository.test.name + container_tags = ["foo", "bar"] + } + } +} +`)) } diff --git a/website/docs/d/imagebuilder_image.html.markdown b/website/docs/d/imagebuilder_image.html.markdown index 0aa98afffe27..31ff08533fac 100644 --- a/website/docs/d/imagebuilder_image.html.markdown +++ b/website/docs/d/imagebuilder_image.html.markdown 
@@ -34,6 +34,11 @@ This data source exports the following attributes in addition to the arguments a * `distribution_configuration_arn` - ARN of the Image Builder Distribution Configuration. * `enhanced_image_metadata_enabled` - Whether additional information about the image being created is collected. * `image_recipe_arn` - ARN of the image recipe. +* `image_scanning_configuration` - List of an object with image scanning configuration fields. + * `image_scanning_enabled` - Indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image. + * `ecr_configuration` - Configuration block with ECR configuration. + * `repository_name` - The name of the container repository that Amazon Inspector scans to identify findings for your container images. + * `container_tags` - Set of tags for Image Builder to apply to the output container image that that Amazon Inspector scans. * `image_tests_configuration` - List of an object with image tests configuration. * `image_tests_enabled` - Whether image tests are enabled. * `timeout_minutes` - Number of minutes before image tests time out. diff --git a/website/docs/r/imagebuilder_image.html.markdown b/website/docs/r/imagebuilder_image.html.markdown index 2f7be685e76d..0314e4cc0429 100644 --- a/website/docs/r/imagebuilder_image.html.markdown +++ b/website/docs/r/imagebuilder_image.html.markdown 
@@ -33,6 +33,7 @@ The following arguments are optional: * `enhanced_image_metadata_enabled` - (Optional) Whether additional information about the image being created is collected. Defaults to `true`. * `image_recipe_arn` - (Optional) Amazon Resource Name (ARN) of the image recipe. * `image_tests_configuration` - (Optional) Configuration block with image tests configuration. Detailed below. +* `image_scanning_configuration` - (Optional) Configuration block with image scanning configuration. Detailed below. * `tags` - (Optional) Key-value map of resource tags for the Image Builder Image. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. ### image_tests_configuration 
@@ -42,6 +43,20 @@ The following arguments are optional: * `image_tests_enabled` - (Optional) Whether image tests are enabled. Defaults to `true`. * `timeout_minutes` - (Optional) Number of minutes before image tests time out. Valid values are between `60` and `1440`. Defaults to `720`. +### image_scanning_configuration + +The following arguments are optional: + +* `image_scanning_enabled` - (Optional) Indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image. Defaults to `false`. +* `ecr_configuration` - (Optional) Configuration block with ECR configuration. Detailed below. + +### ecr_configuration + +The following arguments are optional: + +* `repository_name` - (Optional) The name of the container repository that Amazon Inspector scans to identify findings for your container images. +* `container_tags` - (Optional) Set of tags for Image Builder to apply to the output container image that that Amazon Inspector scans. + ## Attribute Reference This resource exports the following attributes in addition to the arguments above: From c84a68e714db9b23d87d158e74d214e63e4d5027 Mon Sep 17 00:00:00 2001 From: Daniel Rieske Date: Sat, 21 Oct 2023 22:43:43 +0200 Subject: [PATCH 2/8] chore: semgrep findings --- internal/service/imagebuilder/image_data_source_test.go | 1 + internal/service/imagebuilder/image_test.go | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/internal/service/imagebuilder/image_data_source_test.go b/internal/service/imagebuilder/image_data_source_test.go index f294f9ea4b49..bc2aa2270582 100644 --- a/internal/service/imagebuilder/image_data_source_test.go +++ b/internal/service/imagebuilder/image_data_source_test.go 
@@ -102,6 +102,7 @@ func TestAccImageBuilderImageDataSource_ARN_containerRecipe(t *testing.T) { Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"), resource.TestCheckResourceAttrPair(dataSourceName, "container_recipe_arn", resourceName, "container_recipe_arn"), + resource.TestCheckResourceAttrPair(dataSourceName, "image_scanning_configuration.#", resourceName, "image_scanning_configuration.#"), resource.TestCheckResourceAttrPair(dataSourceName, "output_resources.#", resourceName, "output_resources.#"), resource.TestCheckResourceAttrPair(dataSourceName, "output_resources.0.containers.#", resourceName, "output_resources.0.containers.#"), resource.TestCheckResourceAttrPair(dataSourceName, "output_resources.0.containers.0.image_uris.#", resourceName, "output_resources.0.containers.0.image_uris.#"), diff --git a/internal/service/imagebuilder/image_test.go b/internal/service/imagebuilder/image_test.go index e4a26abe5089..53583028e098 100644 --- a/internal/service/imagebuilder/image_test.go +++ b/internal/service/imagebuilder/image_test.go @@ -710,18 +710,18 @@ resource "aws_imagebuilder_infrastructure_configuration" "test" { func testAccImageConfig_containerRecipe(rName string) string { return acctest.ConfigCompose( testAccImageConfig_containerRecipeBase(rName), - fmt.Sprintf(` + ` resource "aws_imagebuilder_image" "test" { container_recipe_arn = aws_imagebuilder_container_recipe.test.arn infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn } -`)) +`) } func testAccImageConfig_imageScanningConfigurationEnabled(rName string) string { return acctest.ConfigCompose( testAccImageConfig_containerRecipeBase(rName), - fmt.Sprintf(` + ` resource "aws_imagebuilder_image" "test" { container_recipe_arn = aws_imagebuilder_container_recipe.test.arn infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn 
@@ -735,5 +735,5 @@ resource "aws_imagebuilder_image" "test" { } } } -`)) +`) } From e12f82d3d7527f3c96b124395b19e60a8aa9510f Mon Sep 17 00:00:00 2001 From: Daniel Rieske Date: Sat, 21 Oct 2023 23:04:16 +0200 Subject: [PATCH 3/8] chore: added changelog --- .changelog/34049.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .changelog/34049.txt diff --git a/.changelog/34049.txt b/.changelog/34049.txt new file mode 100644 index 000000000000..2839439d7af3 --- /dev/null +++ b/.changelog/34049.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +resource/aws_imagebuilder_image: Added `image_scanning_configuration` argument +``` + +```release-note:enhancement +data-source/aws_imagebuilder_image: Added `image_scanning_configuration` argument +``` From 02888ae1250e7a3b72294220b54843f873f90db1 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 23 Oct 2023 08:35:58 -0400 Subject: [PATCH 4/8] Tweak CHANGELOG entries. --- .changelog/34049.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.changelog/34049.txt b/.changelog/34049.txt index 2839439d7af3..66f8750f9098 100644 --- a/.changelog/34049.txt +++ b/.changelog/34049.txt @@ -1,7 +1,7 @@ ```release-note:enhancement -resource/aws_imagebuilder_image: Added `image_scanning_configuration` argument +resource/aws_imagebuilder_image: Add `image_scanning_configuration` configuration block ``` ```release-note:enhancement -data-source/aws_imagebuilder_image: Added `image_scanning_configuration` argument +data-source/aws_imagebuilder_image: Add `image_scanning_configuration` attribute ``` From 2146374714aec09787e9702c9cef5f1576cf3848 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 23 Oct 2023 08:37:16 -0400 Subject: [PATCH 5/8] r/aws_imagebuilder_image: Alphabetize attributes. --- internal/service/imagebuilder/image.go | 28 ++++++++++++++------------ 1 file changed, 15 insertions(+), 13 deletions(-) 
diff --git a/internal/service/imagebuilder/image.go b/internal/service/imagebuilder/image.go index 9d43f4c09a51..51a3d98b7e6d 100644 --- a/internal/service/imagebuilder/image.go +++ b/internal/service/imagebuilder/image.go @@ -31,9 +31,11 @@ func ResourceImage() *schema.Resource { ReadWithoutTimeout: resourceImageRead, UpdateWithoutTimeout: resourceImageUpdate, DeleteWithoutTimeout: resourceImageDelete, + Importer: &schema.ResourceImporter{ StateContext: schema.ImportStatePassthroughContext, }, + Timeouts: &schema.ResourceTimeout{ Create: schema.DefaultTimeout(60 * time.Minute), }, @@ -43,10 +45,6 @@ func ResourceImage() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "date_created": { - Type: schema.TypeString, - Computed: true, - }, "container_recipe_arn": { Type: schema.TypeString, Optional: true, @@ -54,6 +52,10 @@ func ResourceImage() *schema.Resource { ValidateFunc: validation.StringMatch(regexache.MustCompile(`^arn:aws[^:]*:imagebuilder:[^:]+:(?:\d{12}|aws):container-recipe/[0-9a-z_-]+/\d+\.\d+\.\d+$`), "valid container recipe ARN must be provided"), ExactlyOneOf: []string{"container_recipe_arn", "image_recipe_arn"}, }, + "date_created": { + Type: schema.TypeString, + Computed: true, + }, "distribution_configuration_arn": { Type: schema.TypeString, Optional: true, @@ -80,11 +82,6 @@ func ResourceImage() *schema.Resource { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "image_scanning_enabled": { - Type: schema.TypeBool, - Optional: true, - Default: false, - }, "ecr_configuration": { Type: schema.TypeList, MaxItems: 1, @@ -92,10 +89,6 @@ func ResourceImage() *schema.Resource { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "repository_name": { - Type: schema.TypeString, - Optional: true, - }, "container_tags": { Type: schema.TypeSet, Optional: true, 
@@ -103,9 +96,18 @@ func ResourceImage() *schema.Resource { Type: schema.TypeString, }, }, + "repository_name": { + Type: schema.TypeString, + Optional: true, + }, }, }, }, + "image_scanning_enabled": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, }, }, }, From a5af669f3423e7ce8f55cc0c26bc3bfec7475527 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 23 Oct 2023 08:38:08 -0400 Subject: [PATCH 6/8] d/aws_imagebuilder_image: Alphabetize attributes. --- .../service/imagebuilder/image_data_source.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/internal/service/imagebuilder/image_data_source.go b/internal/service/imagebuilder/image_data_source.go index aac2925941c5..c9118fe1471a 100644 --- a/internal/service/imagebuilder/image_data_source.go +++ b/internal/service/imagebuilder/image_data_source.go @@ -56,19 +56,11 @@ func DataSourceImage() *schema.Resource { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "image_scanning_enabled": { - Type: schema.TypeBool, - Computed: true, - }, "ecr_configuration": { Type: schema.TypeList, Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "repository_name": { - Type: schema.TypeString, - Computed: true, - }, "container_tags": { Type: schema.TypeSet, Computed: true, @@ -76,9 +68,17 @@ func DataSourceImage() *schema.Resource { Type: schema.TypeString, }, }, + "repository_name": { + Type: schema.TypeString, + Computed: true, + }, }, }, }, + "image_scanning_enabled": { + Type: schema.TypeBool, + Computed: true, + }, }, }, }, From 1547c5087e13eeed7f656c93ce546da3d3107c07 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Mon, 23 Oct 2023 11:22:37 -0400 Subject: [PATCH 7/8] Add 'acctest.PreCheckInspector2'. --- internal/acctest/acctest.go | 17 +++++++++++ internal/service/inspector2/acc_test.go | 29 ------------------- .../delegated_admin_account_test.go | 4 +-- internal/service/inspector2/enabler_test.go | 22 +++++++------- .../inspector2/member_association_test.go | 4 +-- .../organization_configuration_test.go | 8 ++--- 6 files changed, 36 insertions(+), 48 deletions(-) delete mode 100644 internal/service/inspector2/acc_test.go diff --git a/internal/acctest/acctest.go b/internal/acctest/acctest.go index 9f151c73a12b..77b29874192a 100644 --- a/internal/acctest/acctest.go +++ b/internal/acctest/acctest.go @@ -19,6 +19,8 @@ import ( "github.com/YakDriver/regexache" ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types" + "github.com/aws/aws-sdk-go-v2/service/inspector2" + inspector2types "github.com/aws/aws-sdk-go-v2/service/inspector2/types" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/endpoints" @@ -41,6 +43,7 @@ import ( "github.com/hashicorp/terraform-plugin-testing/terraform" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/envvar" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/provider" tfacmpca "github.com/hashicorp/terraform-provider-aws/internal/service/acmpca" 
@@ -919,6 +922,20 @@ func PreCheckPartitionNot(t *testing.T, partitions ...string) {
 }
 }
+func PreCheckInspector2(ctx context.Context, t *testing.T) {
+ conn := Provider.Meta().(*conns.AWSClient).Inspector2Client(ctx)
+
+ _, err := conn.ListDelegatedAdminAccounts(ctx, &inspector2.ListDelegatedAdminAccountsInput{})
+
+ if errs.IsA[*inspector2types.AccessDeniedException](err) {
+ t.Skipf("Amazon Inspector not available: %s", err)
+ }
+
+ if err != nil {
+ t.Fatalf("listing Inspector2 delegated administrators: %s", err)
+ }
+}
+
 func PreCheckOrganizationsAccount(ctx context.Context, t *testing.T) {
 _, err := tforganizations.FindOrganization(ctx, Provider.Meta().(*conns.AWSClient).OrganizationsConn(ctx))
diff --git a/internal/service/inspector2/acc_test.go b/internal/service/inspector2/acc_test.go
deleted file mode 100644
index 62ceafe4f96a..000000000000
--- a/internal/service/inspector2/acc_test.go
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package inspector2_test
-
-import (
- "context"
- "testing"
-
- "github.com/aws/aws-sdk-go-v2/service/inspector2"
- "github.com/aws/aws-sdk-go-v2/service/inspector2/types"
- "github.com/hashicorp/terraform-provider-aws/internal/acctest"
- "github.com/hashicorp/terraform-provider-aws/internal/conns"
- "github.com/hashicorp/terraform-provider-aws/internal/errs"
-)
-
-func testAccPreCheck(ctx context.Context, t *testing.T) {
- conn := acctest.Provider.Meta().(*conns.AWSClient).Inspector2Client(ctx)
-
- _, err := conn.ListDelegatedAdminAccounts(ctx, &inspector2.ListDelegatedAdminAccountsInput{})
-
- if errs.IsA[*types.AccessDeniedException](err) {
- t.Skipf("skipping acceptance testing: %s", err)
- }
-
- if err != nil {
- t.Fatalf("unexpected PreCheck error: %s", err)
- }
-}
diff --git a/internal/service/inspector2/delegated_admin_account_test.go b/internal/service/inspector2/delegated_admin_account_test.go
index adf3ad3dd03a..9cfdb5f905ba 100644
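Review bot: `PreCheckInspector2` treats `AccessDeniedException` as "Amazon Inspector not available" and skips, which also swallows the case where the test principal simply lacks `inspector2:ListDelegatedAdminAccounts`; with this helper now shared by every Inspector2 acceptance test, a mis-scoped CI role would silently drop that whole suite with no failing signal. The skip text could say so, e.g. `t.Skipf("Amazon Inspector not available or inspector2:ListDelegatedAdminAccounts not permitted: %s", err)`, so a skip is diagnosable from the logs. The exported helper has no doc comment, though the neighbouring `PreCheck*` functions visible in this file do not have one either.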
--- a/internal/service/inspector2/delegated_admin_account_test.go +++ b/internal/service/inspector2/delegated_admin_account_test.go @@ -28,7 +28,7 @@ func testAccDelegatedAdminAccount_basic(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -79,7 +79,7 @@ func testAccDelegatedAdminAccount_disappears(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), diff --git a/internal/service/inspector2/enabler_test.go b/internal/service/inspector2/enabler_test.go index db3898ab31d5..e16da5d37e47 100644 --- a/internal/service/inspector2/enabler_test.go +++ b/internal/service/inspector2/enabler_test.go @@ -35,7 +35,7 @@ func testAccEnabler_basic(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -67,7 +67,7 @@ func testAccEnabler_accountID(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), 
@@ -100,7 +100,7 @@ func testAccEnabler_disappears(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -131,7 +131,7 @@ func testAccEnabler_updateResourceTypes(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -187,7 +187,7 @@ func testAccEnabler_updateResourceTypes_disjoint(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -230,7 +230,7 @@ func testAccEnabler_lambda(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -264,7 +264,7 @@ func testAccEnabler_memberAccount_basic(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) }, 
@@ -299,7 +299,7 @@ func testAccEnabler_memberAccount_disappearsMemberAssociation(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) }, @@ -331,7 +331,7 @@ func testAccEnabler_memberAccount_multiple(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) acctest.PreCheckThirdAccount(t) @@ -371,7 +371,7 @@ func testAccEnabler_memberAccount_updateMemberAccounts(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) acctest.PreCheckThirdAccount(t) @@ -439,7 +439,7 @@ func testAccEnabler_memberAccount_updateMemberAccountsAndScanTypes(t *testing.T) PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) acctest.PreCheckThirdAccount(t) diff --git a/internal/service/inspector2/member_association_test.go b/internal/service/inspector2/member_association_test.go index 2908f133ac49..320d4b384fcb 100644 --- a/internal/service/inspector2/member_association_test.go +++ b/internal/service/inspector2/member_association_test.go 
@@ -26,7 +26,7 @@ func testAccMemberAssociation_basic(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) }, @@ -61,7 +61,7 @@ func testAccMemberAssociation_disappears(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) acctest.PreCheckAlternateAccount(t) }, diff --git a/internal/service/inspector2/organization_configuration_test.go b/internal/service/inspector2/organization_configuration_test.go index e9e9389771cc..ce25b150978d 100644 --- a/internal/service/inspector2/organization_configuration_test.go +++ b/internal/service/inspector2/organization_configuration_test.go @@ -30,7 +30,7 @@ func testAccOrganizationConfiguration_basic(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -57,7 +57,7 @@ func testAccOrganizationConfiguration_disappears(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), 
@@ -84,7 +84,7 @@ func testAccOrganizationConfiguration_ec2ECR(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), @@ -111,7 +111,7 @@ func testAccOrganizationConfiguration_lambda(t *testing.T) { PreCheck: func() { acctest.PreCheck(ctx, t) acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID) - testAccPreCheck(ctx, t) + acctest.PreCheckInspector2(ctx, t) acctest.PreCheckOrganizationManagementAccount(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.Inspector2EndpointID), From 5a76c4fa30ef18e2dfd646d5687f584adddcd2c8 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Mon, 23 Oct 2023 11:23:16 -0400 Subject: [PATCH 8/8] TestAccImageBuilderImage_basic: Enable Inspector ECR scanning. --- internal/service/imagebuilder/image_test.go | 29 ++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/internal/service/imagebuilder/image_test.go b/internal/service/imagebuilder/image_test.go index 53583028e098..3f3cfd7265f7 100644 --- a/internal/service/imagebuilder/image_test.go +++ b/internal/service/imagebuilder/image_test.go @@ -18,6 +18,7 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/acctest" "github.com/hashicorp/terraform-provider-aws/internal/conns" tfimagebuilder "github.com/hashicorp/terraform-provider-aws/internal/service/imagebuilder" + "github.com/hashicorp/terraform-provider-aws/names" ) func TestAccImageBuilderImage_basic(t *testing.T) { 
@@ -272,7 +273,12 @@ func TestAccImageBuilderImage_imageScanningConfiguration(t *testing.T) {
 resourceName := "aws_imagebuilder_image.test"
 resource.ParallelTest(t, resource.TestCase{
- PreCheck: func() { acctest.PreCheck(ctx, t) },
+ PreCheck: func() {
+ acctest.PreCheck(ctx, t)
+ acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID)
+ acctest.PreCheckInspector2(ctx, t)
+ acctest.PreCheckOrganizationManagementAccount(ctx, t)
+ },
 ErrorCheck: acctest.ErrorCheck(t, imagebuilder.EndpointsID),
 ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
 CheckDestroy: testAccCheckImageDestroy(ctx),
@@ -592,6 +598,10 @@ data "aws_partition" "current" {}
 resource "aws_vpc" "test" {
 cidr_block = "10.0.0.0/16"
+
+ tags = {
+ Name = %[1]q
+ }
 }
 resource "aws_default_route_table" "test" {
@@ -623,12 +633,20 @@ resource "aws_default_security_group" "test" {
 resource "aws_internet_gateway" "test" {
 vpc_id = aws_vpc.test.id
+
+ tags = {
+ Name = %[1]q
+ }
 }
 resource "aws_subnet" "test" {
 cidr_block = cidrsubnet(aws_vpc.test.cidr_block, 8, 0)
 map_public_ip_on_launch = true
 vpc_id = aws_vpc.test.id
+
+ tags = {
+ Name = %[1]q
+ }
 }
 resource "aws_iam_role" "test" {
@@ -722,6 +740,13 @@ func testAccImageConfig_imageScanningConfigurationEnabled(rName string) string {
 return acctest.ConfigCompose(
 testAccImageConfig_containerRecipeBase(rName),
 `
+data "aws_caller_identity" "current" {}
+
+resource "aws_inspector2_enabler" "test" {
+ account_ids = [data.aws_caller_identity.current.account_id]
+ resource_types = ["ECR"]
+}
+
 resource "aws_imagebuilder_image" "test" {
 container_recipe_arn = aws_imagebuilder_container_recipe.test.arn
 infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.test.arn
@@ -734,6 +759,8 @@ resource "aws_imagebuilder_image" "test" {
 container_tags = ["foo", "bar"]
 }
 }
+
+ depends_on = [aws_inspector2_enabler.test]
 }
 `)
 }
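Review bot: The Inspector2 pre-checks and the `aws_inspector2_enabler` dependency are added only to `testAccImageConfig_imageScanningConfigurationEnabled`; the config added to image_data_source_test.go in patch 1 (hunk `@@ -362,6 +364,15 @@`, used by `TestAccImageBuilderImageDataSource_ARN_containerRecipe`) also sets `image_scanning_enabled = true` with an `ecr_configuration` and gets neither, so it presumably fails in the same accounts this commit is working around. `aws_inspector2_enabler` is also account-wide state: presumably its destroy at teardown disables Inspector ECR scanning for the whole account, so in an account that already had it on, running this test switches it off — worth a comment next to the resource, e.g. `# Destroying this enabler disables Inspector ECR scanning account-wide.`. The commit subject names `TestAccImageBuilderImage_basic`, but the hunk modifies `TestAccImageBuilderImage_imageScanningConfiguration`.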