From 3aef0a364ea5fc9753e4d8e09e897f22b0b99ef8 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 12 Apr 2024 22:05:25 +0100 Subject: [PATCH 1/7] f-aws_transfer_connector-support security policies --- internal/service/transfer/connector.go | 18 ++++++++ internal/service/transfer/connector_test.go | 44 +++++++++++++++++++ .../docs/r/transfer_connector.html.markdown | 1 + 3 files changed, 63 insertions(+) diff --git a/internal/service/transfer/connector.go b/internal/service/transfer/connector.go index 602065e2aae7..bf53e1cbaab8 100644 --- a/internal/service/transfer/connector.go +++ b/internal/service/transfer/connector.go @@ -7,6 +7,7 @@ import ( "context" "log" + "github.com/YakDriver/regexache" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/transfer" "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" @@ -98,6 +99,14 @@ func ResourceConnector() *schema.Resource { Type: schema.TypeString, Optional: true, }, + "security_policy_name": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.All( + validation.StringLenBetween(0, 100), + validation.StringMatch(regexache.MustCompile(`^TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+$`), "must be in the format matching TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+"), + ), + }, "sftp_config": { Type: schema.TypeList, MaxItems: 1, @@ -152,6 +161,10 @@ func resourceConnectorCreate(ctx context.Context, d *schema.ResourceData, meta i input.LoggingRole = aws.String(v.(string)) } + if v, ok := d.GetOk("security_policy_name"); ok { + input.SecurityPolicyName = aws.String(v.(string)) + } + if v, ok := d.GetOk("sftp_config"); ok { input.SftpConfig = expandSftpConfig(v.([]interface{})) } 
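Review bot: The `ValidateFunc` on the new `security_policy_name` attribute (second hunk, `@@ -98,6 +99,14 @@`) pins the value to the `TransferSFTPConnectorSecurityPolicy-` prefix, yet the same schema carries `as2_config`, so a policy name AWS publishes for AS2 connectors, or under a future prefix, would presumably be rejected client-side before the API ever sees it. If the prefix is deliberate, say so next to the regex so the next maintainer does not loosen it blindly: `// Only SFTP connector policies are accepted here; the API remains authoritative for the set of valid names.` The `validation.StringLenBetween(0, 100)` lower bound is unreachable once the prefix regex applies, so `validation.StringLenBetween(1, 100)` states the intent more honestly, or the length check can be dropped and the regex left to carry it. ResourceConnector's body starts and ends outside the hunk.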
@@ -190,6 +203,7 @@ func resourceConnectorRead(ctx context.Context, d *schema.ResourceData, meta int } d.Set("connector_id", output.ConnectorId) d.Set("logging_role", output.LoggingRole) + d.Set("security_policy_name", output.SecurityPolicyName) if err := d.Set("sftp_config", flattenSftpConfig(output.SftpConfig)); err != nil { return sdkdiag.AppendErrorf(diags, "setting sftp_config: %s", err) } @@ -220,6 +234,10 @@ func resourceConnectorUpdate(ctx context.Context, d *schema.ResourceData, meta i input.LoggingRole = aws.String(d.Get("logging_role").(string)) } + if d.HasChange("security_policy_name") { + input.SecurityPolicyName = aws.String(d.Get("security_policy_name").(string)) + } + if d.HasChange("sftp_config") { input.SftpConfig = expandSftpConfig(d.Get("sftp_config").([]interface{})) } diff --git a/internal/service/transfer/connector_test.go b/internal/service/transfer/connector_test.go index 525b85c253b2..5f71d9225484 100644 --- a/internal/service/transfer/connector_test.go +++ b/internal/service/transfer/connector_test.go 
@@ -96,6 +96,38 @@ func TestAccTransferConnector_sftpConfig(t *testing.T) { }) } +func TestAccTransferConnector_securityPolicyName(t *testing.T) { + ctx := acctest.Context(t) + var conf transfer.DescribedConnector + resourceName := "aws_transfer_connector.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + acctest.PreCheckPartitionHasService(t, transfer.EndpointsID) + testAccPreCheck(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.TransferServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckConnectorDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccConnectorConfig_securityPolicyName(rName, "http://www.example.com"), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckConnectorExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSFTPConnectorSecurityPolicy-2024-03"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccTransferConnector_disappears(t *testing.T) { ctx := acctest.Context(t) var conf transfer.DescribedConnector @@ -295,6 +327,18 @@ resource "aws_transfer_connector" "test" { `, rName, url)) } +func testAccConnectorConfig_securityPolicyName(rName, url string) string { + return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` +resource "aws_transfer_connector" "test" { + access_role = aws_iam_role.test.arn + + security_policy_name = "TransferSFTPConnectorSecurityPolicy-2024-03" + + url = %[2]q +} +`, rName, url)) +} + func testAccConnectorConfig_sftpConfig(rName, url, publickey string) string { return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` resource "aws_transfer_connector" "test" { 
diff --git a/website/docs/r/transfer_connector.html.markdown b/website/docs/r/transfer_connector.html.markdown
index 45be9380c1fe..ae5205605a0b 100644
--- a/website/docs/r/transfer_connector.html.markdown
+++ b/website/docs/r/transfer_connector.html.markdown
@@ -51,6 +51,7 @@ This resource supports the following arguments:
 * `access_role` - (Required) The IAM Role which provides read and write access to the parent directory of the file location mentioned in the StartFileTransfer request.
 * `as2_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `logging_role` - (Optional) The IAM Role which is required for allowing the connector to turn on CloudWatch logging for Amazon S3 events.
+* `security_policy_name` - (Optional) The name of the security policy for the connector.
 * `sftp_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `url` - (Required) The URL of the partners AS2 endpoint or SFTP endpoint.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
From d9afb5be41f639ecfcac29676ebb86fce73f4c37 Mon Sep 17 00:00:00 2001
From: nikhil
Date: Fri, 12 Apr 2024 22:08:12 +0100
Subject: [PATCH 2/7] f-aws_transfer_connector-support security policies
---
 .changelog/36893.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/36893.txt
diff --git a/.changelog/36893.txt b/.changelog/36893.txt
new file mode 100644
index 000000000000..52bb898abb85
--- /dev/null
+++ b/.changelog/36893.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_transfer_connector: Add `security_policy_name` argument
+```
\ No newline at end of file
From 9cf112ce4732a71b3a69fc89fc004c14572cca70 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 12 Apr 2024 22:14:12 +0100 Subject: [PATCH 3/7] f-aws_transfer_connector-support security policies --- internal/service/transfer/connector_test.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/internal/service/transfer/connector_test.go b/internal/service/transfer/connector_test.go index 5f71d9225484..421cf0ac30fd 100644 --- a/internal/service/transfer/connector_test.go +++ b/internal/service/transfer/connector_test.go @@ -334,6 +334,17 @@ resource "aws_transfer_connector" "test" { security_policy_name = "TransferSFTPConnectorSecurityPolicy-2024-03" + as2_config { + compression = "DISABLED" + encryption_algorithm = "AES128_CBC" + message_subject = %[1]q + local_profile_id = aws_transfer_profile.local.profile_id + mdn_response = "NONE" + mdn_signing_algorithm = "NONE" + partner_profile_id = aws_transfer_profile.partner.profile_id + signing_algorithm = "NONE" + } + url = %[2]q } `, rName, url)) From 2b97c6477abc53419fbadce112140a54ec6de4a6 Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 12 Apr 2024 22:18:05 +0100 Subject: [PATCH 4/7] f-aws_transfer_connector-support security policies --- internal/service/transfer/connector_test.go | 23 ++++++++++----------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/internal/service/transfer/connector_test.go b/internal/service/transfer/connector_test.go index 421cf0ac30fd..48c2b7125d6f 100644 --- a/internal/service/transfer/connector_test.go +++ b/internal/service/transfer/connector_test.go 
@@ -101,6 +101,7 @@ func TestAccTransferConnector_securityPolicyName(t *testing.T) { var conf transfer.DescribedConnector resourceName := "aws_transfer_connector.test" rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNt3kA/dBkS6ZyU/sVDiGMuWJQaRPmLNbs/25K/e/fIl07ZWUgqqsFkcycLLMNFGD30Cmgp6XCXfNlIjzFWhNam+4cBb4DPpvieUw44VgsHK5JQy3JKlUfglmH5rs4G5pLiVfZpFU6jqvTsu4mE1CHCP0sXJlJhGxMG3QbsqYWNKiqGFEhuzGMs6fQlMkNiXsFoDmh33HAcXCbaFSC7V7xIqT1hlKu0iOL+GNjMj4R3xy0o3jafhO4MG2s3TwCQQCyaa5oyjL8iP8p3L9yp6cbIcXaS72SIgbCSGCyrcQPIKP2lJJHvE1oVWzLVBhR4eSzrlFDv7K4IErzaJmHqdiz" // nosemgrep:ci.ssh-key resource.Test(t, resource.TestCase{ PreCheck: func() { @@ -113,7 +114,7 @@ func TestAccTransferConnector_securityPolicyName(t *testing.T) { CheckDestroy: testAccCheckConnectorDestroy(ctx), Steps: []resource.TestStep{ { - Config: testAccConnectorConfig_securityPolicyName(rName, "http://www.example.com"), + Config: testAccConnectorConfig_securityPolicyName(rName, "sftp://s-fakeserver.server.transfer.test.amazonaws.com", publicKey), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckConnectorExists(ctx, resourceName, &conf), resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSFTPConnectorSecurityPolicy-2024-03"), 
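Review bot: The long `publicKey` literal, together with its `// nosemgrep:ci.ssh-key` waiver, is pasted inline into `TestAccTransferConnector_securityPolicyName`, and the `testAccConnectorConfig_sftpConfig(rName, url, publickey string)` signature visible in the earlier test hunk suggests the sibling `_sftpConfig` test carries the same key the same way. A single package-level `const testAccConnectorPublicKey = "ssh-rsa …" // nosemgrep:ci.ssh-key` shared by both tests keeps the lint waiver in one place and makes it obvious the value is test-only fixture material rather than anything operational. If the sibling test does not in fact duplicate the literal, this is only a naming nit. The test function starts and ends outside the hunk.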
@@ -327,27 +328,25 @@ resource "aws_transfer_connector" "test" { `, rName, url)) } -func testAccConnectorConfig_securityPolicyName(rName, url string) string { +func testAccConnectorConfig_securityPolicyName(rName, url, publickey string) string { return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` resource "aws_transfer_connector" "test" { access_role = aws_iam_role.test.arn security_policy_name = "TransferSFTPConnectorSecurityPolicy-2024-03" - as2_config { - compression = "DISABLED" - encryption_algorithm = "AES128_CBC" - message_subject = %[1]q - local_profile_id = aws_transfer_profile.local.profile_id - mdn_response = "NONE" - mdn_signing_algorithm = "NONE" - partner_profile_id = aws_transfer_profile.partner.profile_id - signing_algorithm = "NONE" + sftp_config { + trusted_host_keys = [%[3]q] + user_secret_id = aws_secretsmanager_secret.test.id } url = %[2]q } -`, rName, url)) + +resource "aws_secretsmanager_secret" "test" { + name = %[1]q +} +`, rName, url, publickey)) } func testAccConnectorConfig_sftpConfig(rName, url, publickey string) string { From 4cbce947df004446104bdd6007d266c79834155b Mon Sep 17 00:00:00 2001 From: nikhil Date: Fri, 12 Apr 2024 22:27:16 +0100 Subject: [PATCH 5/7] f-aws_transfer_connector-support security policies --- internal/service/transfer/connector.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/service/transfer/connector.go b/internal/service/transfer/connector.go index bf53e1cbaab8..67c205e6e937 100644 --- a/internal/service/transfer/connector.go +++ b/internal/service/transfer/connector.go @@ -102,6 +102,7 @@ func ResourceConnector() *schema.Resource { "security_policy_name": { Type: schema.TypeString, Optional: true, + Computed: true, ValidateFunc: validation.All( validation.StringLenBetween(0, 100), validation.StringMatch(regexache.MustCompile(`^TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+$`), "must be in the format matching TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+"), 
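Review bot: Adding `Computed: true` makes `security_policy_name` Optional+Computed, so deleting the argument from configuration no longer produces a diff and the `HasChange("security_policy_name")` branch in `resourceConnectorUpdate` never runs to reset it; the connector silently keeps whatever policy was last applied, which for a setting that, by its name, presumably governs the connector's SFTP security negotiation is worth stating explicitly. A comment on the attribute would do it: `// Optional+Computed: AWS assigns a default policy when unset; removing the argument later does not revert to that default (SDK Optional+Computed semantics).` The `security_policy_name` entry in transfer_connector.html.markdown should carry the same sentence so operators are not surprised. Whether the API accepts an explicit empty `SecurityPolicyName` is not visible here, so no `Default:` is proposed. The enclosing ResourceConnector schema starts and ends outside the hunk.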
From 0a6a3e309b2f3fef37cdc20d0c3a6929e26733f0 Mon Sep 17 00:00:00 2001
From: Jared Baker
Date: Wed, 17 Apr 2024 16:59:15 -0400
Subject: [PATCH 6/7] r/aws_transfer_connector(doc): tweak security_policy_name description
---
 website/docs/r/transfer_connector.html.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/r/transfer_connector.html.markdown b/website/docs/r/transfer_connector.html.markdown
index ae5205605a0b..9f3c1e41e04b 100644
--- a/website/docs/r/transfer_connector.html.markdown
+++ b/website/docs/r/transfer_connector.html.markdown
@@ -51,7 +51,7 @@ This resource supports the following arguments:
 * `access_role` - (Required) The IAM Role which provides read and write access to the parent directory of the file location mentioned in the StartFileTransfer request.
 * `as2_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `logging_role` - (Optional) The IAM Role which is required for allowing the connector to turn on CloudWatch logging for Amazon S3 events.
-* `security_policy_name` - (Optional) The name of the security policy for the connector.
+* `security_policy_name` - (Optional) Name of the security policy for the connector.
 * `sftp_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `url` - (Required) The URL of the partners AS2 endpoint or SFTP endpoint.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
From 732fb4eee1af598378666b574551bf9a8bacbef4 Mon Sep 17 00:00:00 2001
From: Jared Baker Date: Wed, 17 Apr 2024 17:03:00 -0400 Subject: [PATCH 7/7] r/aws_transfer_connector(test): tweak _securityPolicyName config args The security_policy_name argument is now set to a provided argument value, rather than hardcoded. In the future we should consider a data source to remove the dependency on the hardcoded policy name altogether. ```console % make testacc PKG=transfer TESTS=TestAccTransferConnector_ ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.21.8 test ./internal/service/transfer/... -v -count 1 -parallel 20 -run='TestAccTransferConnector_' -timeout 360m === RUN TestAccTransferConnector_basic --- PASS: TestAccTransferConnector_basic (19.12s) === RUN TestAccTransferConnector_sftpConfig --- PASS: TestAccTransferConnector_sftpConfig (11.95s) === RUN TestAccTransferConnector_securityPolicyName --- PASS: TestAccTransferConnector_securityPolicyName (11.71s) === RUN TestAccTransferConnector_disappears --- PASS: TestAccTransferConnector_disappears (9.65s) === RUN TestAccTransferConnector_tags --- PASS: TestAccTransferConnector_tags (24.38s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/transfer 82.493s ``` --- internal/service/transfer/connector_test.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/internal/service/transfer/connector_test.go b/internal/service/transfer/connector_test.go index 48c2b7125d6f..8918edd70c76 100644 --- a/internal/service/transfer/connector_test.go +++ b/internal/service/transfer/connector_test.go 
@@ -102,6 +102,8 @@ func TestAccTransferConnector_securityPolicyName(t *testing.T) { resourceName := "aws_transfer_connector.test" rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNt3kA/dBkS6ZyU/sVDiGMuWJQaRPmLNbs/25K/e/fIl07ZWUgqqsFkcycLLMNFGD30Cmgp6XCXfNlIjzFWhNam+4cBb4DPpvieUw44VgsHK5JQy3JKlUfglmH5rs4G5pLiVfZpFU6jqvTsu4mE1CHCP0sXJlJhGxMG3QbsqYWNKiqGFEhuzGMs6fQlMkNiXsFoDmh33HAcXCbaFSC7V7xIqT1hlKu0iOL+GNjMj4R3xy0o3jafhO4MG2s3TwCQQCyaa5oyjL8iP8p3L9yp6cbIcXaS72SIgbCSGCyrcQPIKP2lJJHvE1oVWzLVBhR4eSzrlFDv7K4IErzaJmHqdiz" // nosemgrep:ci.ssh-key + url := "sftp://s-fakeserver.server.transfer.test.amazonaws.com" + securityPolicyName := "TransferSFTPConnectorSecurityPolicy-2024-03" resource.Test(t, resource.TestCase{ PreCheck: func() { @@ -114,10 +116,10 @@ func TestAccTransferConnector_securityPolicyName(t *testing.T) { CheckDestroy: testAccCheckConnectorDestroy(ctx), Steps: []resource.TestStep{ { - Config: testAccConnectorConfig_securityPolicyName(rName, "sftp://s-fakeserver.server.transfer.test.amazonaws.com", publicKey), + Config: testAccConnectorConfig_securityPolicyName(rName, url, publicKey, securityPolicyName), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckConnectorExists(ctx, resourceName, &conf), - resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSFTPConnectorSecurityPolicy-2024-03"), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", securityPolicyName), ), }, { 
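Review bot: The test still exercises only the create and import paths: the single `Config` step applies `securityPolicyName` and then `ImportStateVerify` runs, so the `HasChange("security_policy_name")` branch added to `resourceConnectorUpdate` earlier in the series is never executed by any acceptance test. Now that `testAccConnectorConfig_securityPolicyName` takes the policy name as an argument, a second step with a different published policy name covers the update path cheaply; the diff does not show a second valid name, so the value below is a placeholder to be replaced with one from the AWS documentation. `TestAccTransferConnector_securityPolicyName` starts and ends outside the hunk.
```go
	securityPolicyName := "TransferSFTPConnectorSecurityPolicy-2024-03"
	updatedPolicyName := "TransferSFTPConnectorSecurityPolicy-<PLACEHOLDER-OTHER-PUBLISHED-NAME>" // replace with a real published policy name

	// … unchanged: resource.TestCase fields and the first Config step …
			{
				Config: testAccConnectorConfig_securityPolicyName(rName, url, publicKey, updatedPolicyName),
				Check: resource.ComposeAggregateTestCheckFunc(
					testAccCheckConnectorExists(ctx, resourceName, &conf),
					resource.TestCheckResourceAttr(resourceName, "security_policy_name", updatedPolicyName),
				),
			},
	// … unchanged: ImportState step …
```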
@@ -328,25 +330,24 @@ resource "aws_transfer_connector" "test" { `, rName, url)) } -func testAccConnectorConfig_securityPolicyName(rName, url, publickey string) string { +func testAccConnectorConfig_securityPolicyName(rName, url, publickey, securityPolicyName string) string { return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` resource "aws_transfer_connector" "test" { access_role = aws_iam_role.test.arn - security_policy_name = "TransferSFTPConnectorSecurityPolicy-2024-03" - sftp_config { trusted_host_keys = [%[3]q] user_secret_id = aws_secretsmanager_secret.test.id } - url = %[2]q + url = %[2]q + security_policy_name = %[4]q } resource "aws_secretsmanager_secret" "test" { name = %[1]q } -`, rName, url, publickey)) +`, rName, url, publickey, securityPolicyName)) } func testAccConnectorConfig_sftpConfig(rName, url, publickey string) string {