diff --git a/.changelog/36893.txt b/.changelog/36893.txt new file mode 100644 index 000000000000..52bb898abb85 --- /dev/null +++ b/.changelog/36893.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_transfer_connector: Add `security_policy_name` argument +``` \ No newline at end of file diff --git a/internal/service/transfer/connector.go b/internal/service/transfer/connector.go index 602065e2aae7..67c205e6e937 100644 --- a/internal/service/transfer/connector.go +++ b/internal/service/transfer/connector.go @@ -7,6 +7,7 @@ import ( "context" "log" + "github.com/YakDriver/regexache" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/transfer" "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" @@ -98,6 +99,15 @@ func ResourceConnector() *schema.Resource { Type: schema.TypeString, Optional: true, }, + "security_policy_name": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ValidateFunc: validation.All( + validation.StringLenBetween(0, 100), + validation.StringMatch(regexache.MustCompile(`^TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+$`), "must be in the format matching TransferSFTPConnectorSecurityPolicy-[A-Za-z0-9-]+"), + ), + }, "sftp_config": { Type: schema.TypeList, MaxItems: 1, @@ -152,6 +162,10 @@ func resourceConnectorCreate(ctx context.Context, d *schema.ResourceData, meta i input.LoggingRole = aws.String(v.(string)) } + if v, ok := d.GetOk("security_policy_name"); ok { + input.SecurityPolicyName = aws.String(v.(string)) + } + if v, ok := d.GetOk("sftp_config"); ok { input.SftpConfig = expandSftpConfig(v.([]interface{})) } 
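Review bot: With `Computed: true` on the new `security_policy_name` schema entry, removing the argument from a configuration keeps the prior state value, so the `d.HasChange("security_policy_name")` branch added in the resourceConnectorUpdate hunk never fires for that case and a connector cannot be returned to the service default by deleting the line. If that retention is intended, the website argument entry should say the value is kept until another policy is set; if not, the update handler needs an explicit path for the unset case. Separately, `validation.StringLenBetween(0, 100)` has an unreachable lower bound, since the regex already requires the 36-character `TransferSFTPConnectorSecurityPolicy-` prefix plus at least one more character; `validation.StringLenBetween(1, 100)` states the real constraint, and the 100-character cap is the part that matters because `[A-Za-z0-9-]+` is otherwise unbounded. ResourceConnector's body starts and ends outside the hunk.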
@@ -190,6 +204,7 @@ func resourceConnectorRead(ctx context.Context, d *schema.ResourceData, meta int } d.Set("connector_id", output.ConnectorId) d.Set("logging_role", output.LoggingRole) + d.Set("security_policy_name", output.SecurityPolicyName) if err := d.Set("sftp_config", flattenSftpConfig(output.SftpConfig)); err != nil { return sdkdiag.AppendErrorf(diags, "setting sftp_config: %s", err) } @@ -220,6 +235,10 @@ func resourceConnectorUpdate(ctx context.Context, d *schema.ResourceData, meta i input.LoggingRole = aws.String(d.Get("logging_role").(string)) } + if d.HasChange("security_policy_name") { + input.SecurityPolicyName = aws.String(d.Get("security_policy_name").(string)) + } + if d.HasChange("sftp_config") { input.SftpConfig = expandSftpConfig(d.Get("sftp_config").([]interface{})) } diff --git a/internal/service/transfer/connector_test.go b/internal/service/transfer/connector_test.go index 525b85c253b2..8918edd70c76 100644 --- a/internal/service/transfer/connector_test.go +++ b/internal/service/transfer/connector_test.go 
@@ -96,6 +96,41 @@ func TestAccTransferConnector_sftpConfig(t *testing.T) { }) } +func TestAccTransferConnector_securityPolicyName(t *testing.T) { + ctx := acctest.Context(t) + var conf transfer.DescribedConnector + resourceName := "aws_transfer_connector.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNt3kA/dBkS6ZyU/sVDiGMuWJQaRPmLNbs/25K/e/fIl07ZWUgqqsFkcycLLMNFGD30Cmgp6XCXfNlIjzFWhNam+4cBb4DPpvieUw44VgsHK5JQy3JKlUfglmH5rs4G5pLiVfZpFU6jqvTsu4mE1CHCP0sXJlJhGxMG3QbsqYWNKiqGFEhuzGMs6fQlMkNiXsFoDmh33HAcXCbaFSC7V7xIqT1hlKu0iOL+GNjMj4R3xy0o3jafhO4MG2s3TwCQQCyaa5oyjL8iP8p3L9yp6cbIcXaS72SIgbCSGCyrcQPIKP2lJJHvE1oVWzLVBhR4eSzrlFDv7K4IErzaJmHqdiz" // nosemgrep:ci.ssh-key + url := "sftp://s-fakeserver.server.transfer.test.amazonaws.com" + securityPolicyName := "TransferSFTPConnectorSecurityPolicy-2024-03" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + acctest.PreCheckPartitionHasService(t, transfer.EndpointsID) + testAccPreCheck(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.TransferServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckConnectorDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccConnectorConfig_securityPolicyName(rName, url, publicKey, securityPolicyName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckConnectorExists(ctx, resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "security_policy_name", securityPolicyName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccTransferConnector_disappears(t *testing.T) { ctx := acctest.Context(t) var conf transfer.DescribedConnector 
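Review bot: The new acceptance test checks `security_policy_name` only on the creating step plus an import, so the `HasChange("security_policy_name")` branch added to resourceConnectorUpdate is never exercised. A third step that re-applies `testAccConnectorConfig_securityPolicyName` with a second valid policy name and checks the attribute would cover the update path with no new fixture code. The hard-coded `TransferSFTPConnectorSecurityPolicy-2024-03` is the only policy name the file references, so a second name has to come from the service's current list; the fence uses a labelled placeholder for it.
```go
	securityPolicyNameUpdated := "<SECOND-POLICY-NAME>" // placeholder: another policy name accepted by the service

	// … unchanged: resource.Test setup, first step and import step …
			{
				Config: testAccConnectorConfig_securityPolicyName(rName, url, publicKey, securityPolicyNameUpdated),
				Check: resource.ComposeAggregateTestCheckFunc(
					testAccCheckConnectorExists(ctx, resourceName, &conf),
					resource.TestCheckResourceAttr(resourceName, "security_policy_name", securityPolicyNameUpdated),
				),
			},
```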
@@ -295,6 +330,26 @@ resource "aws_transfer_connector" "test" { `, rName, url)) } +func testAccConnectorConfig_securityPolicyName(rName, url, publickey, securityPolicyName string) string { + return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` +resource "aws_transfer_connector" "test" { + access_role = aws_iam_role.test.arn + + sftp_config { + trusted_host_keys = [%[3]q] + user_secret_id = aws_secretsmanager_secret.test.id + } + + url = %[2]q + security_policy_name = %[4]q +} + +resource "aws_secretsmanager_secret" "test" { + name = %[1]q +} +`, rName, url, publickey, securityPolicyName)) +} + func testAccConnectorConfig_sftpConfig(rName, url, publickey string) string { return acctest.ConfigCompose(testAccConnectorConfig_base(rName), fmt.Sprintf(` resource "aws_transfer_connector" "test" { diff --git a/website/docs/r/transfer_connector.html.markdown b/website/docs/r/transfer_connector.html.markdown index 45be9380c1fe..9f3c1e41e04b 100644 --- a/website/docs/r/transfer_connector.html.markdown +++ b/website/docs/r/transfer_connector.html.markdown 
@@ -51,6 +51,7 @@ This resource supports the following arguments:
 * `access_role` - (Required) The IAM Role which provides read and write access to the parent directory of the file location mentioned in the StartFileTransfer request.
 * `as2_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `logging_role` - (Optional) The IAM Role which is required for allowing the connector to turn on CloudWatch logging for Amazon S3 events.
+* `security_policy_name` - (Optional) Name of the security policy for the connector.
 * `sftp_config` - (Optional) Either SFTP or AS2 is configured.The parameters to configure for the connector object. Fields documented below.
 * `url` - (Required) The URL of the partners AS2 endpoint or SFTP endpoint.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.