Merge pull request #38161 from hashicorp/f/add-resource-sets-to-policy

Add resource_set_ids attribute to fms policy

Author: nam054

.changelog/38161.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_fms_policy: Add `resource_set_ids` attribute
+```

internal/service/fms/fms_test.go

@@ -28,6 +28,7 @@ func TestAccFMS_serial(t *testing.T) {
 			"securityGroup":          testAccPolicy_securityGroup,
 			"tags":                   testAccPolicy_tags,
 			"update":                 testAccPolicy_update,
+			"rscSet":                 testAccPolicy_rscSet,
 		},
 		"ResourceSet": {
 			acctest.CtBasic:      testAccFMSResourceSet_basic,

internal/service/fms/policy.go

@@ -134,6 +134,14 @@ func resourcePolicy() *schema.Resource {
 				ValidateFunc:  validation.StringMatch(regexache.MustCompile(`^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`), "must match a supported resource type, such as AWS::EC2::VPC, see also: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html"),
 				ConflictsWith: []string{"resource_type_list"},
 			},
+			"resource_set_ids": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"resource_type_list": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -275,6 +283,7 @@ func resourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interf
 	}
 	d.Set(names.AttrResourceType, policy.ResourceType)
 	d.Set("resource_type_list", policy.ResourceTypeList)
+	d.Set("resource_set_ids", policy.ResourceSetIds)
 	securityServicePolicy := []map[string]interface{}{{
 		names.AttrType:         string(policy.SecurityServicePolicyData.Type),
 		"managed_service_data": aws.ToString(policy.SecurityServicePolicyData.ManagedServiceData),
@@ -376,6 +385,7 @@ func expandPolicy(d *schema.ResourceData) *awstypes.Policy {
 		RemediationEnabled:             d.Get("remediation_enabled").(bool),
 		ResourceType:                   resourceType,
 		ResourceTypeList:               flex.ExpandStringValueSet(d.Get("resource_type_list").(*schema.Set)),
+		ResourceSetIds:                 flex.ExpandStringValueSet(d.Get("resource_set_ids").(*schema.Set)),
 	}
 
 	if d.Id() != "" {

internal/service/fms/policy_test.go

@@ -365,6 +365,34 @@ func testAccPolicy_securityGroup(t *testing.T) {
 	})
 }
 
+func testAccPolicy_rscSet(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_fms_policy.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckRegion(t, names.USEast1RegionID)
+			acctest.PreCheckOrganizationsEnabled(ctx, t)
+			acctest.PreCheckOrganizationManagementAccount(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.FMSServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckPolicyDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPolicyConfig_rscSet(rName, rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPolicyExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
+					resource.TestCheckResourceAttr(resourceName, "resource_set_ids.#", acctest.Ct1),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckPolicyDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).FMSClient(ctx)
@@ -413,6 +441,7 @@ resource "aws_fms_policy" "test" {
   name                  = %[1]q
   description           = "test description"
   remediation_enabled   = false
+  resource_set_ids      = [aws_fms_resource_set.test.id]
   resource_type_list    = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
 
   exclude_map {
@@ -431,6 +460,14 @@ resource "aws_wafregional_rule_group" "test" {
   metric_name = "MyTest"
   name        = %[2]q
 }
+
+resource "aws_fms_resource_set" "test" {
+  depends_on = [aws_fms_admin_account.test]
+  resource_set {
+    name               = %[1]q
+    resource_type_list = ["AWS::NetworkFirewall::Firewall"]
+  }
+}
 `, policyName, ruleGroupName))
 }
 
@@ -845,3 +882,40 @@ resource "aws_fms_policy" "test" {
 }
 `, rName))
 }
+
+func testAccPolicyConfig_rscSet(policyName, ruleGroupName string) string {
+	return acctest.ConfigCompose(testAccAdminAccountConfig_basic, fmt.Sprintf(`
+resource "aws_fms_policy" "test" {
+  exclude_resource_tags = false
+  name                  = %[1]q
+  description           = "test description"
+  remediation_enabled   = false
+  resource_set_ids      = [aws_fms_resource_set.test.id]
+  resource_type_list    = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
+
+  exclude_map {
+    account = [data.aws_caller_identity.current.account_id]
+  }
+
+  security_service_policy_data {
+    type                 = "WAF"
+    managed_service_data = "{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"${aws_wafregional_rule_group.test.id}\", \"overrideAction\" : {\"type\": \"COUNT\"}}],\"defaultAction\": {\"type\": \"BLOCK\"}, \"overrideCustomerWebACLAssociation\": false}"
+  }
+
+  depends_on = [aws_fms_admin_account.test]
+}
+
+resource "aws_wafregional_rule_group" "test" {
+  metric_name = "MyTest"
+  name        = %[2]q
+}
+
+resource "aws_fms_resource_set" "test" {
+  depends_on = [aws_fms_admin_account.test]
+  resource_set {
+    name               = %[1]q
+    resource_type_list = ["AWS::NetworkFirewall::Firewall"]
+  }
+}
+`, policyName, ruleGroupName))
+}