Merge pull request #34261 from acwwat/f-aws_inspector2_organization_c…

…onfiguration-lambda_code feat: Add lambda_code attr to aws_inspector2_organization_configuration resource
hashicorp · Nov 6, 2023 · f611c8a · f611c8a
2 parents 5606ee1 + 6733a31
commit f611c8a
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 27 deletions.
diff --git a/.changelog/34261.txt b/.changelog/34261.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_inspector2_organization_configuration: Add `lambda_code` argument to the `auto_enable` configuration block
+```
diff --git a/internal/service/inspector2/inspector2_test.go b/internal/service/inspector2/inspector2_test.go
@@ -39,6 +39,7 @@ func TestAccInspector2_serial(t *testing.T) {
 			"disappears": testAccOrganizationConfiguration_disappears,
 			"ec2ECR":     testAccOrganizationConfiguration_ec2ECR,
 			"lambda":     testAccOrganizationConfiguration_lambda,
+			"lambdaCode": testAccOrganizationConfiguration_lambdaCode,
 		},
 	}
 

diff --git a/internal/service/inspector2/organization_configuration.go b/internal/service/inspector2/organization_configuration.go
@@ -56,6 +56,11 @@ func ResourceOrganizationConfiguration() *schema.Resource {
 							Optional: true,
 							Default:  false,
 						},
+						"lambda_code": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
 					},
 				},
 			},
@@ -126,7 +131,7 @@ func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.Reso
 		return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
 	}
 
-	if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
+	if err := waitOrganizationConfigurationUpdated(ctx, conn, d.Get("auto_enable.0.ec2").(bool), d.Get("auto_enable.0.ecr").(bool), d.Get("auto_enable.0.lambda").(bool), d.Get("auto_enable.0.lambda_code").(bool), d.Timeout(schema.TimeoutUpdate)); err != nil {
 		return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
 	}
 
@@ -141,9 +146,10 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso
 
 	in := &inspector2.UpdateOrganizationConfigurationInput{
 		AutoEnable: &types.AutoEnable{
-			Ec2:    aws.Bool(false),
-			Ecr:    aws.Bool(false),
-			Lambda: aws.Bool(false),
+			Ec2:        aws.Bool(false),
+			Ecr:        aws.Bool(false),
+			Lambda:     aws.Bool(false),
+			LambdaCode: aws.Bool(false),
 		},
 	}
 
@@ -153,25 +159,33 @@ func resourceOrganizationConfigurationDelete(ctx context.Context, d *schema.Reso
 		return create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameOrganizationConfiguration, d.Id(), err)
 	}
 
-	if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
+	if err := waitOrganizationConfigurationUpdated(ctx, conn, false, false, false, false, d.Timeout(schema.TimeoutUpdate)); err != nil {
 		return create.DiagError(names.Inspector2, create.ErrActionWaitingForUpdate, ResNameOrganizationConfiguration, d.Id(), err)
 	}
 
 	return nil
 }
 
-func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda bool, timeout time.Duration) error {
-	needle := fmt.Sprintf("%t:%t:%t", ec2, ecr, lambda)
+func waitOrganizationConfigurationUpdated(ctx context.Context, conn *inspector2.Client, ec2, ecr, lambda, lambda_code bool, timeout time.Duration) error {
+	needle := fmt.Sprintf("%t:%t:%t:%t", ec2, ecr, lambda, lambda_code)
 
 	all := []string{
-		fmt.Sprintf("%t:%t:%t", false, false, false),
-		fmt.Sprintf("%t:%t:%t", false, true, false),
-		fmt.Sprintf("%t:%t:%t", false, false, true),
-		fmt.Sprintf("%t:%t:%t", false, true, true),
-		fmt.Sprintf("%t:%t:%t", true, false, false),
-		fmt.Sprintf("%t:%t:%t", true, false, true),
-		fmt.Sprintf("%t:%t:%t", true, true, false),
-		fmt.Sprintf("%t:%t:%t", true, true, true),
+		fmt.Sprintf("%t:%t:%t:%t", false, false, false, false),
+		fmt.Sprintf("%t:%t:%t:%t", false, false, false, true),
+		fmt.Sprintf("%t:%t:%t:%t", false, true, false, false),
+		fmt.Sprintf("%t:%t:%t:%t", false, true, false, true),
+		fmt.Sprintf("%t:%t:%t:%t", false, false, true, false),
+		fmt.Sprintf("%t:%t:%t:%t", false, false, true, true),
+		fmt.Sprintf("%t:%t:%t:%t", false, true, true, false),
+		fmt.Sprintf("%t:%t:%t:%t", false, true, true, true),
+		fmt.Sprintf("%t:%t:%t:%t", true, false, false, false),
+		fmt.Sprintf("%t:%t:%t:%t", true, false, false, true),
+		fmt.Sprintf("%t:%t:%t:%t", true, false, true, false),
+		fmt.Sprintf("%t:%t:%t:%t", true, false, true, true),
+		fmt.Sprintf("%t:%t:%t:%t", true, true, false, false),
+		fmt.Sprintf("%t:%t:%t:%t", true, true, false, true),
+		fmt.Sprintf("%t:%t:%t:%t", true, true, true, false),
+		fmt.Sprintf("%t:%t:%t:%t", true, true, true, true),
 	}
 
 	for i, v := range all {
@@ -207,7 +221,7 @@ func statusOrganizationConfiguration(ctx context.Context, conn *inspector2.Clien
 			return nil, "", err
 		}
 
-		return out, fmt.Sprintf("%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda)), nil
+		return out, fmt.Sprintf("%t:%t:%t:%t", aws.ToBool(out.AutoEnable.Ec2), aws.ToBool(out.AutoEnable.Ecr), aws.ToBool(out.AutoEnable.Lambda), aws.ToBool(out.AutoEnable.LambdaCode)), nil
 	}
 }
 
@@ -230,6 +244,10 @@ func flattenAutoEnable(apiObject *types.AutoEnable) map[string]interface{} {
 		m["lambda"] = aws.ToBool(v)
 	}
 
+	if v := apiObject.LambdaCode; v != nil {
+		m["lambda_code"] = aws.ToBool(v)
+	}
+
 	return m
 }
 
@@ -252,5 +270,9 @@ func expandAutoEnable(tfMap map[string]interface{}) *types.AutoEnable {
 		a.Lambda = aws.Bool(v)
 	}
 
+	if v, ok := tfMap["lambda_code"].(bool); ok {
+		a.LambdaCode = aws.Bool(v)
+	}
+
 	return a
 }
diff --git a/internal/service/inspector2/organization_configuration_test.go b/internal/service/inspector2/organization_configuration_test.go
@@ -119,12 +119,42 @@ func testAccOrganizationConfiguration_lambda(t *testing.T) {
 		CheckDestroy:             testAccCheckOrganizationConfigurationDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccOrganizationConfigurationConfig_lambda(false, false, true),
+				Config: testAccOrganizationConfigurationConfig_lambda(false, false, true, false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckOrganizationConfigurationExists(ctx, resourceName),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda_code", "false"),
+				),
+			},
+		},
+	})
+}
+
+func testAccOrganizationConfiguration_lambdaCode(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_inspector2_organization_configuration.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckPartitionHasService(t, names.Inspector2EndpointID)
+			acctest.PreCheckInspector2(ctx, t)
+			acctest.PreCheckOrganizationManagementAccount(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.Inspector2EndpointID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckOrganizationConfigurationDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrganizationConfigurationConfig_lambda(false, false, true, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckOrganizationConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ec2", "false"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.ecr", "false"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable.0.lambda_code", "true"),
 				),
 			},
 		},
@@ -164,7 +194,7 @@ func testAccCheckOrganizationConfigurationDestroy(ctx context.Context) resource.
 				return create.Error(names.Inspector2, create.ErrActionCheckingDestroyed, tfinspector2.ResNameOrganizationConfiguration, rs.Primary.ID, err)
 			}
 
-			if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) {
+			if out != nil && out.AutoEnable != nil && !aws.ToBool(out.AutoEnable.Ec2) && !aws.ToBool(out.AutoEnable.Ecr) && !aws.ToBool(out.AutoEnable.Lambda) && !aws.ToBool(out.AutoEnable.LambdaCode) {
 				if enabledDelAdAcct {
 					if err := testDisableDelegatedAdminAccount(ctx, conn, acctest.AccountID()); err != nil {
 						return err
@@ -259,19 +289,20 @@ resource "aws_inspector2_organization_configuration" "test" {
 `, ec2, ecr)
 }
 
-func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda bool) string {
+func testAccOrganizationConfigurationConfig_lambda(ec2, ecr, lambda, lambda_code bool) string {
 	return fmt.Sprintf(`
 data "aws_caller_identity" "current" {}
 resource "aws_inspector2_delegated_admin_account" "test" {
   account_id = data.aws_caller_identity.current.account_id
 }
 resource "aws_inspector2_organization_configuration" "test" {
   auto_enable {
-    ec2    = %[1]t
-    ecr    = %[2]t
-    lambda = %[3]t
+    ec2         = %[1]t
+    ecr         = %[2]t
+    lambda      = %[3]t
+    lambda_code = %[4]t
   }
   depends_on = [aws_inspector2_delegated_admin_account.test]
 }
-`, ec2, ecr, lambda)
+`, ec2, ecr, lambda, lambda_code)
 }
diff --git a/website/docs/r/inspector2_organization_configuration.html.markdown b/website/docs/r/inspector2_organization_configuration.html.markdown
@@ -12,7 +12,7 @@ Terraform resource for managing an Amazon Inspector Organization Configuration.
 
 ~> **NOTE:** In order for this resource to work, the account you use must be an Inspector Delegated Admin Account.
 
-~> **NOTE:** When this resource is deleted, EC2, ECR and Lambda scans will no longer be automatically enabled for new members of your Amazon Inspector organization.
+~> **NOTE:** When this resource is deleted, EC2, ECR, Lambda, and Lambda code scans will no longer be automatically enabled for new members of your Amazon Inspector organization.
 
 ## Example Usage
 
@@ -21,9 +21,10 @@ Terraform resource for managing an Amazon Inspector Organization Configuration.
 ```terraform
 resource "aws_inspector2_organization_configuration" "example" {
   auto_enable {
-    ec2    = true
-    ecr    = false
-    lambda = true
+    ec2         = true
+    ecr         = false
+    lambda      = true
+    lambda_code = true
   }
 }
 ```
@@ -39,6 +40,7 @@ The following arguments are required:
 * `ec2` - (Required) Whether Amazon EC2 scans are automatically enabled for new members of your Amazon Inspector organization.
 * `ecr` - (Required) Whether Amazon ECR scans are automatically enabled for new members of your Amazon Inspector organization.
 * `lambda` - (Optional) Whether Lambda Function scans are automatically enabled for new members of your Amazon Inspector organization.
+* `lambda_code` - (Optional) Whether AWS Lambda code scans are automatically enabled for new members of your Amazon Inspector organization. **Note:** Lambda code scanning requires Lambda standard scanning to be activated. Consequently, if you are setting this argument to `true`, you must also set the `lambda` argument to `true`. See [Scanning AWS Lambda functions with Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-code-scans) for more information.
 
 ## Attribute Reference