Merge pull request #33095 from hashicorp/b-aws_securityhub_account-4.64.0-regression

ewbankkit · web-flow · commit 0182db7d804f · 2023-08-21T17:05:46.000-04:00
r/aws_securityhub_account: Remove default value for `control_finding_generator`
diff --git a/.changelog/33095.txt b/.changelog/33095.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_securityhub_account: Remove default value (`SECURITY_CONTROL`) for `control_finding_generator` argument and mark as Computed
+```
diff --git a/internal/service/securityhub/account.go b/internal/service/securityhub/account.go
@@ -61,7 +61,7 @@ func ResourceAccount() *schema.Resource {
 			"control_finding_generator": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				Default:      securityhub.ControlFindingGeneratorSecurityControl,
+				Computed:     true,
 				ValidateFunc: validation.StringInSlice(securityhub.ControlFindingGenerator_Values(), false),
 			},
 			"enable_default_standards": {
@@ -94,8 +94,19 @@ func resourceAccountCreate(ctx context.Context, d *schema.ResourceData, meta int
 
 	d.SetId(meta.(*conns.AWSClient).AccountID)
 
-	// auto_enable_controls has to be done from the update API
-	return append(diags, resourceAccountUpdate(ctx, d, meta)...)
+	if autoEnableControls := d.Get("auto_enable_controls").(bool); !autoEnableControls {
+		input := &securityhub.UpdateSecurityHubConfigurationInput{
+			AutoEnableControls: aws.Bool(autoEnableControls),
+		}
+
+		_, err := conn.UpdateSecurityHubConfigurationWithContext(ctx, input)
+
+		if err != nil {
+			return sdkdiag.AppendErrorf(diags, "updating Security Hub Account (%s): %s", d.Id(), err)
+		}
+	}
+
+	return append(diags, resourceAccountRead(ctx, d, meta)...)
 }
 
 func resourceAccountRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
@@ -136,8 +147,11 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 	conn := meta.(*conns.AWSClient).SecurityHubConn(ctx)
 
 	input := &securityhub.UpdateSecurityHubConfigurationInput{
-		ControlFindingGenerator: aws.String(d.Get("control_finding_generator").(string)),
-		AutoEnableControls:      aws.Bool(d.Get("auto_enable_controls").(bool)),
+		AutoEnableControls: aws.Bool(d.Get("auto_enable_controls").(bool)),
+	}
+
+	if d.HasChange("control_finding_generator") {
+		input.ControlFindingGenerator = aws.String(d.Get("control_finding_generator").(string))
 	}
 
 	_, err := conn.UpdateSecurityHubConfigurationWithContext(ctx, input)
diff --git a/internal/service/securityhub/account_test.go b/internal/service/securityhub/account_test.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/service/securityhub"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
@@ -20,6 +21,10 @@ import (
 func testAccAccount_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 	resourceName := "aws_securityhub_account.test"
+	controlFindingGeneratorDefaultValueFromAWS := "SECURITY_CONTROL"
+	if acctest.Partition() == endpoints.AwsUsGovPartitionID {
+		controlFindingGeneratorDefaultValueFromAWS = ""
+	}
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
@@ -32,7 +37,7 @@ func testAccAccount_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAccountExists(ctx, resourceName),
 					resource.TestCheckResourceAttr(resourceName, "enable_default_standards", "true"),
-					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", "SECURITY_CONTROL"),
+					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", controlFindingGeneratorDefaultValueFromAWS),
 					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "true"),
 				),
 			},
@@ -94,27 +99,26 @@ func testAccAccount_full(t *testing.T) {
 	resourceName := "aws_securityhub_account.test"
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		// control_finding_generator not supported in AWS GovCloud.
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckPartitionNot(t, endpoints.AwsUsGovPartitionID) },
 		ErrorCheck:               acctest.ErrorCheck(t, securityhub.EndpointsID),
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
 		CheckDestroy:             testAccCheckAccountDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAccountConfig_basic,
+				Config: testAccAccountConfig_full(false, "STANDARD_CONTROL"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAccountExists(ctx, resourceName),
-					resource.TestCheckResourceAttr(resourceName, "enable_default_standards", "true"),
-					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", "SECURITY_CONTROL"),
-					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "true"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "false"),
+					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", "STANDARD_CONTROL"),
 				),
 			},
 			{
-				Config: testAccAccountConfig_full,
+				Config: testAccAccountConfig_full(true, "SECURITY_CONTROL"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAccountExists(ctx, resourceName),
-					resource.TestCheckResourceAttr(resourceName, "enable_default_standards", "false"),
-					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", "STANDARD_CONTROL"),
-					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "false"),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "true"),
+					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", "SECURITY_CONTROL"),
 				),
 			},
 		},
@@ -152,6 +156,46 @@ func testAccAccount_migrateV0(t *testing.T) {
 	})
 }
 
+// https://github.com/hashicorp/terraform-provider-aws/issues/33039 et al.
+func testAccAccount_removeControlFindingGeneratorDefaultValue(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_securityhub_account.test"
+	controlFindingGeneratorExpectedValue := "SECURITY_CONTROL"
+	if acctest.Partition() == endpoints.AwsUsGovPartitionID {
+		controlFindingGeneratorExpectedValue = ""
+	}
+	expectNonEmptyPlan := acctest.Partition() == endpoints.AwsUsGovPartitionID
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:   acctest.ErrorCheck(t, securityhub.EndpointsID),
+		CheckDestroy: testAccCheckAccountDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				ExternalProviders: map[string]resource.ExternalProvider{
+					"aws": {
+						Source:            "hashicorp/aws",
+						VersionConstraint: "5.13.0",
+					},
+				},
+				Config: testAccAccountConfig_basic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAccountExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "enable_default_standards", "true"),
+					resource.TestCheckResourceAttr(resourceName, "control_finding_generator", controlFindingGeneratorExpectedValue),
+					resource.TestCheckResourceAttr(resourceName, "auto_enable_controls", "true"),
+				),
+				ExpectNonEmptyPlan: expectNonEmptyPlan,
+			},
+			{
+				ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+				Config:                   testAccAccountConfig_basic,
+				PlanOnly:                 true,
+			},
+		},
+	})
+}
+
 func testAccCheckAccountExists(ctx context.Context, n string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -207,10 +251,11 @@ resource "aws_securityhub_account" "test" {
 }
 `
 
-const testAccAccountConfig_full = `
+func testAccAccountConfig_full(autoEnableControls bool, controlFindingGenerator string) string {
+	return fmt.Sprintf(`
 resource "aws_securityhub_account" "test" {
-  enable_default_standards  = false
-  control_finding_generator = "STANDARD_CONTROL"
-  auto_enable_controls      = false
+  control_finding_generator = %[2]q
+  auto_enable_controls      = %[1]t
+}
+`, autoEnableControls, controlFindingGenerator)
 }
-`
diff --git a/internal/service/securityhub/securityhub_test.go b/internal/service/securityhub/securityhub_test.go
@@ -18,7 +18,8 @@ func TestAccSecurityHub_serial(t *testing.T) {
 			"disappears":                  testAccAccount_disappears,
 			"EnableDefaultStandardsFalse": testAccAccount_enableDefaultStandardsFalse,
 			"MigrateV0":                   testAccAccount_migrateV0,
-			"full":                        testAccAccount_full,
+			"Full":                        testAccAccount_full,
+			"RemoveControlFindingGeneratorDefaultValue": testAccAccount_removeControlFindingGeneratorDefaultValue,
 		},
 		"Member": {
 			"basic":  testAccMember_basic,

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+resource/aws_securityhub_account: Remove default value (`SECURITY_CONTROL`) for `control_finding_generator` argument and mark as Computed
	`3`	+```