r/aws_detective_organization_configuration - new resource

Signed-off-by: Owen Farrell <[email protected]>

internal/service/detective/detective_test.go

@@ -29,6 +29,9 @@ func TestAccDetective_serial(t *testing.T) {
 			"disappears":  testAccOrganizationAdminAccount_disappears,
 			"MultiRegion": testAccOrganizationAdminAccount_MultiRegion,
 		},
+		"OrganizationConfiguration": {
+			"basic": testAccOrganizationConfiguration_basic,
+		},
 	}
 
 	acctest.RunSerialTests2Levels(t, testCases, 0)

internal/service/detective/organization_configuration.go

@@ -0,0 +1,84 @@
+package detective
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/detective"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+// @SDKResource("aws_detective_organization_configuration")
+func ResourceOrganizationConfiguration() *schema.Resource {
+	return &schema.Resource{
+		CreateWithoutTimeout: resourceOrganizationConfigurationUpdate,
+		ReadWithoutTimeout:   resourceOrganizationConfigurationRead,
+		UpdateWithoutTimeout: resourceOrganizationConfigurationUpdate,
+		DeleteWithoutTimeout: schema.NoopContext,
+
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"auto_enable": {
+				Type:     schema.TypeBool,
+				Required: true,
+			},
+
+			"graph_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidARN,
+			},
+		},
+	}
+}
+
+func resourceOrganizationConfigurationUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	conn := meta.(*conns.AWSClient).DetectiveConn()
+
+	graphARN := d.Get("graph_arn").(string)
+
+	input := &detective.UpdateOrganizationConfigurationInput{
+		AutoEnable: aws.Bool(d.Get("auto_enable").(bool)),
+		GraphArn:   aws.String(graphARN),
+	}
+
+	_, err := conn.UpdateOrganizationConfigurationWithContext(ctx, input)
+
+	if err != nil {
+		return diag.Errorf("error updating Detective Organization Configuration (%s): %s", graphARN, err)
+	}
+
+	d.SetId(graphARN)
+
+	return resourceOrganizationConfigurationRead(ctx, d, meta)
+}
+
+func resourceOrganizationConfigurationRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	conn := meta.(*conns.AWSClient).DetectiveConn()
+
+	input := &detective.DescribeOrganizationConfigurationInput{
+		GraphArn: aws.String(d.Id()),
+	}
+
+	output, err := conn.DescribeOrganizationConfigurationWithContext(ctx, input)
+
+	if err != nil {
+		return diag.Errorf("error reading Detective Organization Configuration (%s): %s", d.Id(), err)
+	}
+
+	if output == nil {
+		return diag.Errorf("error reading Detective Organization Configuration (%s): empty response", d.Id())
+	}
+
+	d.Set("auto_enable", output.AutoEnable)
+	d.Set("graph_arn", d.Id())
+
+	return nil
+}

internal/service/detective/organization_configuration_test.go

@@ -0,0 +1,77 @@
+package detective_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/detective"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func testAccOrganizationConfiguration_basic(t *testing.T) {
+	ctx := acctest.Context(t)
+	graphResourceName := "aws_detective_graph.test"
+	resourceName := "aws_detective_organization_configuration.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckOrganizationsAccount(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, detective.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		// Detective Organization Configuration cannot be deleted separately.
+		// Ensure parent resource is destroyed instead.
+		CheckDestroy: testAccCheckGraphDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrganizationConfigurationConfig_autoEnable(true),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+					resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccOrganizationConfigurationConfig_autoEnable(false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"),
+					resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+				),
+			},
+		},
+	})
+}
+
+func testAccOrganizationConfigurationConfig_autoEnable(autoEnable bool) string {
+	return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_organizations_organization" "test" {
+  aws_service_access_principals = ["detective.${data.aws_partition.current.dns_suffix}"]
+  feature_set                   = "ALL"
+}
+
+resource "aws_detective_graph" "test" {}
+
+resource "aws_detective_organization_admin_account" "test" {
+  depends_on = [aws_organizations_organization.test]
+
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_detective_organization_configuration" "test" {
+  depends_on = [aws_detective_organization_admin_account.test]
+
+  auto_enable = %[1]t
+  graph_arn   = aws_detective_graph.test.id
+}
+`, autoEnable)
+}

website/docs/r/detective_organization_configuration.html.markdown

@@ -0,0 +1,47 @@
+---
+subcategory: "Detective"
+layout: "aws"
+page_title: "AWS: aws_detective_organization_configuration"
+description: |-
+  Manages the Detective Organization Configuration
+---
+
+# Resource: aws_detective_organization_configuration
+
+Manages the Detective Organization Configuration in the current AWS Region. The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the [`aws_detective_organization_admin_account` resource](/docs/providers/aws/r/detective_organization_admin_account.html). More information about Organizations support in Detective can be found in the [Detective User Guide](https://docs.aws.amazon.com/detective/latest/adminguide/accounts-orgs-transition.html).
+
+~> **NOTE:** This is an advanced Terraform resource. Terraform will automatically assume management of the Detective Organization Configuration without import and perform no actions on removal from the Terraform configuration.
+
+## Example Usage
+
+```terraform
+resource "aws_detective_graph" "example" {
+  enable = true
+}
+
+resource "aws_detective_organization_configuration" "example" {
+  auto_enable = true
+  graph_arn   = aws_detective_graph.example.id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `auto_enable` - (Required) When this setting is enabled, all new accounts that are created in, or added to, the organization are added as a member accounts of the organization’s Detective delegated administrator and Detective is enabled in that AWS Region.
+* `graph_arn` - (Required) ARN of the behavior graph.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - Identifier of the Detective Graph.
+
+## Import
+
+Detective Organization Configurations can be imported using the Detective Graph ID, e.g.,
+
+```
+$ terraform import aws_detective_organization_configuration.example 00b00fd5aecc0ab60a708659477e9617
+```