From ada73f155c3e811c18527b0ed349513510ea4c1e Mon Sep 17 00:00:00 2001 From: Anthony Wat Date: Thu, 18 Jul 2024 23:44:37 -0400 Subject: [PATCH] fix: Add missing security policy names for aws_transfer_server --- .changelog/38425.txt | 3 ++ internal/service/transfer/server.go | 18 +++++--- internal/service/transfer/server_test.go | 43 ++++++++++++++++++-- website/docs/r/transfer_server.html.markdown | 43 +++++++++++--------- 4 files changed, 78 insertions(+), 29 deletions(-) create mode 100644 .changelog/38425.txt diff --git a/.changelog/38425.txt b/.changelog/38425.txt new file mode 100644 index 000000000000..f74bd7775158 --- /dev/null +++ b/.changelog/38425.txt @@ -0,0 +1,3 @@ +```release-note:bug +resource/aws_transfer_server: Add supported values `TransferSecurityPolicy-FIPS-2024-05`, `TransferSecurityPolicy-Restricted-2018-11`, and `TransferSecurityPolicy-Restricted-2020-06` for the `security_policy_name` argument +``` \ No newline at end of file diff --git a/internal/service/transfer/server.go b/internal/service/transfer/server.go index 784c233d4894..4ea52411d0d8 100644 --- a/internal/service/transfer/server.go +++ b/internal/service/transfer/server.go @@ -1246,27 +1246,33 @@ type securityPolicyName string const ( securityPolicyName2018_11 securityPolicyName = "TransferSecurityPolicy-2018-11" securityPolicyName2020_06 securityPolicyName = "TransferSecurityPolicy-2020-06" - securityPolicyNameFIPS_2020_06 securityPolicyName = "TransferSecurityPolicy-FIPS-2020-06" - securityPolicyNameFIPS_2023_05 securityPolicyName = "TransferSecurityPolicy-FIPS-2023-05" - securityPolicyNameFIPS_2024_01 securityPolicyName = "TransferSecurityPolicy-FIPS-2024-01" securityPolicyName2022_03 securityPolicyName = "TransferSecurityPolicy-2022-03" securityPolicyName2023_05 securityPolicyName = "TransferSecurityPolicy-2023-05" securityPolicyName2024_01 securityPolicyName = "TransferSecurityPolicy-2024-01" + securityPolicyNameFIPS_2020_06 securityPolicyName = "TransferSecurityPolicy-FIPS-2020-06" + securityPolicyNameFIPS_2023_05 securityPolicyName = "TransferSecurityPolicy-FIPS-2023-05" + securityPolicyNameFIPS_2024_01 securityPolicyName = "TransferSecurityPolicy-FIPS-2024-01" + securityPolicyNameFIPS_2024_05 securityPolicyName = "TransferSecurityPolicy-FIPS-2024-05" securityPolicyNamePQ_SSH_2023_04 securityPolicyName = "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04" securityPolicyNamePQ_SSH_FIPS_2023_04 securityPolicyName = "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04" + securityPolicyNameRestricted_2018_11 securityPolicyName = "TransferSecurityPolicy-Restricted-2018-11" + securityPolicyNameRestricted_2020_06 securityPolicyName = "TransferSecurityPolicy-Restricted-2020-06" ) func (securityPolicyName) Values() []securityPolicyName { return []securityPolicyName{ securityPolicyName2018_11, securityPolicyName2020_06, - securityPolicyNameFIPS_2020_06, - securityPolicyNameFIPS_2023_05, - securityPolicyNameFIPS_2024_01, securityPolicyName2022_03, securityPolicyName2023_05, securityPolicyName2024_01, + securityPolicyNameFIPS_2020_06, + securityPolicyNameFIPS_2023_05, + securityPolicyNameFIPS_2024_01, + securityPolicyNameFIPS_2024_05, securityPolicyNamePQ_SSH_2023_04, securityPolicyNamePQ_SSH_FIPS_2023_04, + securityPolicyNameRestricted_2018_11, + securityPolicyNameRestricted_2020_06, } } diff --git a/internal/service/transfer/server_test.go b/internal/service/transfer/server_test.go index 4977f0c27381..2b31ac56fea8 100644 --- a/internal/service/transfer/server_test.go +++ b/internal/service/transfer/server_test.go @@ -258,6 +258,13 @@ func testAccServer_securityPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2023-05"), ), }, + { + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-2024-01"), + Check: resource.ComposeTestCheckFunc( + testAccCheckServerExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2024-01"), + ), + }, { Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04"), Check: resource.ComposeTestCheckFunc( @@ -266,10 +273,17 @@ func testAccServer_securityPolicy(t *testing.T) { ), }, { - Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-2024-01"), + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-Restricted-2018-11"), Check: resource.ComposeTestCheckFunc( testAccCheckServerExists(ctx, resourceName, &conf), - resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2024-01"), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-Restricted-2018-11"), + ), + }, + { + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-Restricted-2020-06"), + Check: resource.ComposeTestCheckFunc( + testAccCheckServerExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-Restricted-2020-06"), ), }, }, @@ -289,10 +303,10 @@ func testAccServer_securityPolicyFIPS(t *testing.T) { CheckDestroy: testAccCheckServerDestroy(ctx), Steps: []resource.TestStep{ { - Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2023-05"), + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2020-06"), Check: resource.ComposeTestCheckFunc( testAccCheckServerExists(ctx, resourceName, &conf), - resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2023-05"), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2020-06"), ), }, { @@ -301,6 +315,13 @@ func testAccServer_securityPolicyFIPS(t *testing.T) { ImportStateVerify: true, ImportStateVerifyIgnore: []string{names.AttrForceDestroy}, }, + { + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2023-05"), + Check: resource.ComposeTestCheckFunc( + testAccCheckServerExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2023-05"), + ), + }, { Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2024-01"), Check: resource.ComposeTestCheckFunc( @@ -308,6 +329,20 @@ func testAccServer_securityPolicyFIPS(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2024-01"), ), }, + { + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2024-05"), + Check: resource.ComposeTestCheckFunc( + testAccCheckServerExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2024-05"), + ), + }, + { + Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04"), + Check: resource.ComposeTestCheckFunc( + testAccCheckServerExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04"), + ), + }, }, }) } diff --git a/website/docs/r/transfer_server.html.markdown b/website/docs/r/transfer_server.html.markdown index 1b7631f363b9..8e5287c86102 100644 --- a/website/docs/r/transfer_server.html.markdown +++ b/website/docs/r/transfer_server.html.markdown @@ -132,7 +132,7 @@ This resource supports the following arguments: * `SFTP`: File transfer over SSH * `FTPS`: File transfer with TLS encryption * `FTP`: Unencrypted file transfer -* `endpoint_details` - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. See [`endpoint_details` block](#endpoint_details-block) below for details. +* `endpoint_details` - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. See [`endpoint_details` Block](#endpoint_details-block) below for details. * `endpoint_type` - (Optional) The type of endpoint that you want your SFTP server connect to. If you connect to a `VPC` (or `VPC_ENDPOINT`), your SFTP server isn't accessible over the public internet. If you want to connect your SFTP server via public internet, set `PUBLIC`. Defaults to `PUBLIC`. * `invocation_role` - (Optional) Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an `identity_provider_type` of `API_GATEWAY`. * `host_key` - (Optional) RSA, ECDSA, or ED25519 private key (e.g., as generated by the `ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key`, `ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key` or `ssh-keygen -t ed25519 -N "" -f my-new-server-key` commands). @@ -145,24 +145,29 @@ This resource supports the following arguments: * `force_destroy` - (Optional) A boolean that indicates all users associated with the server should be deleted so that the Server can be destroyed without error. The default value is `false`. This option only applies to servers configured with a `SERVICE_MANAGED` `identity_provider_type`. * `post_authentication_login_banner`- (Optional) Specify a string to display when users connect to a server. This string is displayed after the user authenticates. The SFTP protocol does not support post-authentication display banners. * `pre_authentication_login_banner`- (Optional) Specify a string to display when users connect to a server. This string is displayed before the user authenticates. -* `protocol_details`- (Optional) The protocol settings that are configured for your server. See [`protocol_details` block](#protocol_details-block) below for details. -* `s3_storage_options`- (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default. See [`s3_storage_options` block](#s3_storage_options-block) below for details. +* `protocol_details`- (Optional) The protocol settings that are configured for your server. See [`protocol_details` Block](#protocol_details-block) below for details. +* `s3_storage_options`- (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default. See [`s3_storage_options` Block](#s3_storage_options-block) below for details. * `security_policy_name` - (Optional) Specifies the name of the security policy that is attached to the server. Default value is: `TransferSecurityPolicy-2018-11`. The available values are: - * `TransferSecurityPolicy-2024-01` - * `TransferSecurityPolicy-2023-05` - * `TransferSecurityPolicy-2022-03` - * `TransferSecurityPolicy-2020-06` * `TransferSecurityPolicy-2018-11` - * `TransferSecurityPolicy-FIPS-2024-01` - * `TransferSecurityPolicy-FIPS-2023-05` + * `TransferSecurityPolicy-2020-06` + * `TransferSecurityPolicy-2022-03` + * `TransferSecurityPolicy-2023-05` + * `TransferSecurityPolicy-2024-01` * `TransferSecurityPolicy-FIPS-2020-06` + * `TransferSecurityPolicy-FIPS-2023-05` + * `TransferSecurityPolicy-FIPS-2024-01` + * `TransferSecurityPolicy-FIPS-2024-05` * `TransferSecurityPolicy-PQ-SSH-Experimental-2023-04` * `TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04` + * `TransferSecurityPolicy-Restricted-2018-11` + * `TransferSecurityPolicy-Restricted-2020-06` + + See [Security policies for AWS Transfer Family servers](https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html) for details. * `structured_log_destinations` - (Optional) A set of ARNs of destinations that will receive structured logs from the transfer server such as CloudWatch Log Group ARNs. If provided this enables the transfer server to emit structured logs to the specified locations. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. -* `workflow_details` - (Optional) Specifies the workflow details. See [`workflow_details` block](#workflow_details-block) below for details. +* `workflow_details` - (Optional) Specifies the workflow details. See [`workflow_details` Block](#workflow_details-block) below for details. -### `endpoint_details` block +### `endpoint_details` Block The `endpoint_details` configuration block supports the following arguments: @@ -172,7 +177,7 @@ The `endpoint_details` configuration block supports the following arguments: * `vpc_endpoint_id` - (Optional) The ID of the VPC endpoint. This property can only be used when `endpoint_type` is set to `VPC_ENDPOINT` * `vpc_id` - (Optional) The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpoint_type` is set to `VPC`. -### `protocol_details` block +### `protocol_details` Block THe `protocol_details` configuration block supports the following arguments: @@ -181,7 +186,7 @@ THe `protocol_details` configuration block supports the following arguments: * `set_stat_option` - (Optional) Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`. * `tls_session_resumption_mode` - (Optional) A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`. -### `s3_storage_options` block +### `s3_storage_options` Block The `s3_storage_options` configuration block supports the following arguments: @@ -189,21 +194,21 @@ The `s3_storage_options` configuration block supports the following arguments: By default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details. -### `workflow_details` block +### `workflow_details` Block The `workflow_details` configuration block supports the following arguments: -* `on_upload` - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See [`on_upload` block](#on_upload-block) below for details. -* `on_partial_upload` - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See [`on_partial_upload` block](#on_partial_upload-block) below for details. +* `on_upload` - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See [`on_upload` Block](#on_upload-block) below for details. +* `on_partial_upload` - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See [`on_partial_upload` Block](#on_partial_upload-block) below for details. -#### `on_upload` block +#### `on_upload` Block The `on_upload` configuration block supports the following arguments: * `execution_role` - (Required) Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources. * `workflow_id` - (Required) A unique identifier for the workflow. -#### `on_partial_upload` block +#### `on_partial_upload` Block The `on_partial_upload` configuration block supports the following arguments: @@ -222,7 +227,7 @@ This resource exports the following attributes in addition to the arguments abov ## Import -In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Transfer Servers using the server `id`. For example: +In Terraform v1.5.0 and later, use an [`import` Block](https://developer.hashicorp.com/terraform/language/import) to import Transfer Servers using the server `id`. For example: ```terraform import {