Merge pull request #35310 from DanielRieske/f/add-configuration-argument-access-analyzer

ewbankkit · web-flow · commit c5a285cd595f · 2024-01-24T13:19:41.000-05:00
Add `configuration` block to `aws_accessanalyzer_analyzer` resource
diff --git a/.changelog/35310.txt b/.changelog/35310.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_accessanalyzer_analyzer: Add `configuration` configuration block
+```
diff --git a/internal/service/accessanalyzer/accessanalyzer_test.go b/internal/service/accessanalyzer/accessanalyzer_test.go
@@ -19,6 +19,7 @@ func TestAccAccessAnalyzer_serial(t *testing.T) {
 	testCases := map[string]map[string]func(t *testing.T){
 		"Analyzer": {
 			"basic":             testAccAnalyzer_basic,
+			"configuration":     testAccAnalyzer_configuration,
 			"disappears":        testAccAnalyzer_disappears,
 			"tags":              testAccAnalyzer_tags,
 			"Type_Organization": testAccAnalyzer_Type_Organization,
diff --git a/internal/service/accessanalyzer/analyzer.go b/internal/service/accessanalyzer/analyzer.go
@@ -62,6 +62,31 @@ func resourceAnalyzer() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"configuration": {
+				Type:     schema.TypeList,
+				Optional: true,
+				ForceNew: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"unused_access": {
+							Type:     schema.TypeList,
+							Optional: true,
+							ForceNew: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"unused_access_age": {
+										Type:     schema.TypeInt,
+										Optional: true,
+										ForceNew: true,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			names.AttrTags:    tftags.TagsSchema(),
 			names.AttrTagsAll: tftags.TagsSchemaComputed(),
 			"type": {
@@ -89,18 +114,16 @@ func resourceAnalyzerCreate(ctx context.Context, d *schema.ResourceData, meta in
 		Type:         types.Type(d.Get("type").(string)),
 	}
 
+	if v, ok := d.GetOk("configuration"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+		input.Configuration = expandAnalyzerConfiguration(v.([]interface{})[0].(map[string]interface{}))
+	}
+
 	// Handle Organizations eventual consistency.
-	_, err := tfresource.RetryWhen(ctx, organizationCreationTimeout,
+	_, err := tfresource.RetryWhenIsAErrorMessageContains[*types.ValidationException](ctx, organizationCreationTimeout,
 		func() (interface{}, error) {
 			return conn.CreateAnalyzer(ctx, input)
 		},
-		func(err error) (bool, error) {
-			if errs.IsAErrorMessageContains[*types.ValidationException](err, "You must create an organization") {
-				return true, err
-			}
-
-			return false, err
-		},
+		"You must create an organization",
 	)
 
 	if err != nil {
@@ -130,6 +153,13 @@ func resourceAnalyzerRead(ctx context.Context, d *schema.ResourceData, meta inte
 
 	d.Set("analyzer_name", analyzer.Name)
 	d.Set("arn", analyzer.Arn)
+	if analyzer.Configuration != nil {
+		if err := d.Set("configuration", []interface{}{flattenConfiguration(analyzer.Configuration)}); err != nil {
+			return sdkdiag.AppendErrorf(diags, "setting configuration: %s", err)
+		}
+	} else {
+		d.Set("configuration", nil)
+	}
 	d.Set("type", analyzer.Type)
 
 	setTagsOut(ctx, analyzer.Tags)
@@ -190,3 +220,56 @@ func findAnalyzerByName(ctx context.Context, conn *accessanalyzer.Client, name s
 
 	return output.Analyzer, nil
 }
+
+func expandAnalyzerConfiguration(tfMap map[string]interface{}) types.AnalyzerConfiguration {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &types.AnalyzerConfigurationMemberUnusedAccess{}
+
+	if v, ok := tfMap["unused_access"].([]interface{}); ok && len(v) > 0 && v[0] != nil {
+		apiObject.Value = expandUnusedAccess(v[0].(map[string]interface{}))
+	}
+
+	return apiObject
+}
+
+func expandUnusedAccess(tfMap map[string]interface{}) types.UnusedAccessConfiguration {
+	apiObject := types.UnusedAccessConfiguration{}
+
+	if v, ok := tfMap["unused_access_age"].(int); ok && v != 0 {
+		apiObject.UnusedAccessAge = aws.Int32(int32(v))
+	}
+
+	return apiObject
+}
+
+func flattenConfiguration(apiObject types.AnalyzerConfiguration) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	switch v := apiObject.(type) {
+	case *types.AnalyzerConfigurationMemberUnusedAccess:
+		tfMap["unused_access"] = []interface{}{flattenUnusedAccessConfiguration(&v.Value)}
+	}
+
+	return tfMap
+}
+
+func flattenUnusedAccessConfiguration(apiObject *types.UnusedAccessConfiguration) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.UnusedAccessAge; v != nil {
+		tfMap["unused_access_age"] = aws.ToInt32(v)
+	}
+
+	return tfMap
+}
diff --git a/internal/service/accessanalyzer/analyzer_test.go b/internal/service/accessanalyzer/analyzer_test.go
@@ -38,6 +38,7 @@ func testAccAnalyzer_basic(t *testing.T) {
 					testAccCheckAnalyzerExists(ctx, resourceName, &analyzer),
 					resource.TestCheckResourceAttr(resourceName, "analyzer_name", rName),
 					acctest.CheckResourceAttrRegionalARN(resourceName, "arn", "access-analyzer", fmt.Sprintf("analyzer/%s", rName)),
+					resource.TestCheckResourceAttr(resourceName, "configuration.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
 					resource.TestCheckResourceAttr(resourceName, "type", string(types.TypeAccount)),
 				),
@@ -156,6 +157,37 @@ func testAccAnalyzer_Type_Organization(t *testing.T) {
 	})
 }
 
+func testAccAnalyzer_configuration(t *testing.T) {
+	ctx := acctest.Context(t)
+	var analyzer types.AnalyzerSummary
+
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_accessanalyzer_analyzer.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.AccessAnalyzerEndpointID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckAnalyzerDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAnalyzerConfig_configuration(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAnalyzerExists(ctx, resourceName, &analyzer),
+					resource.TestCheckResourceAttr(resourceName, "configuration.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "configuration.0.unused_access.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "configuration.0.unused_access.0.unused_access_age", "180"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckAnalyzerDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).AccessAnalyzerClient(ctx)
@@ -256,3 +288,18 @@ resource "aws_accessanalyzer_analyzer" "test" {
 }
 `, rName)
 }
+
+func testAccAnalyzerConfig_configuration(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_accessanalyzer_analyzer" "test" {
+  analyzer_name = %[1]q
+  type          = "ACCOUNT_UNUSED_ACCESS"
+
+  configuration {
+    unused_access {
+      unused_access_age = 180
+    }
+  }
+}
+`, rName)
+}
diff --git a/website/docs/r/accessanalyzer_analyzer.html.markdown b/website/docs/r/accessanalyzer_analyzer.html.markdown
@@ -43,9 +43,18 @@ The following arguments are required:
 
 The following arguments are optional:
 
+* `configuration` - (Optional) A block that specifies the configuration of the analyzer. [Documented below](#configuration-argument-reference)
 * `tags` - (Optional) Key-value map of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 * `type` - (Optional) Type of Analyzer. Valid values are `ACCOUNT`, `ORGANIZATION`, `ACCOUNT_UNUSED_ACCESS `, `ORGANIZATION_UNUSED_ACCESS`. Defaults to `ACCOUNT`.
 
+### `configuration` Argument Reference
+
+* `unused_access` - A block that specifies the configuration of an unused access analyzer for an AWS organization or account. [Documented below](#unused_access-argument-reference)
+
+### `unused_access` Argument Reference
+
+* `unused_access_age` - The specified access age in days for which to generate findings for unused access.
+
 ## Attribute Reference
 
 This resource exports the following attributes in addition to the arguments above:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+resource/aws_accessanalyzer_analyzer: Add `configuration` configuration block
	`3`	+```