Skip to content

Commit 5e1d978

Browse files
ewbankkitewbankkit
authored
Merge pull request #34055 from sQu4rks/f-verified-access-group-kms-support
Feature: Add KMS Support to Verified Access Group
2 parents a974706 + f25da9d commit 5e1d978

File tree

4 files changed

+222
-4
lines changed

4 files changed

+222
-4
lines changed

.changelog/34055.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
```release-note:enhancement
2+
resource/aws_verifiedaccess_group: Add `sse_configuration` argument
3+
```

internal/service/ec2/verifiedaccess_group.go

Lines changed: 85 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,25 @@ func ResourceVerifiedAccessGroup() *schema.Resource {
6161
Type: schema.TypeString,
6262
Optional: true,
6363
},
64+
"sse_configuration": {
65+
Type: schema.TypeList,
66+
MaxItems: 1,
67+
Optional: true,
68+
Computed: true,
69+
Elem: &schema.Resource{
70+
Schema: map[string]*schema.Schema{
71+
"customer_managed_key_enabled": {
72+
Type: schema.TypeBool,
73+
Optional: true,
74+
},
75+
"kms_key_arn": {
76+
Type: schema.TypeString,
77+
Optional: true,
78+
ValidateFunc: verify.ValidARN,
79+
},
80+
},
81+
},
82+
},
6483
names.AttrTags: tftags.TagsSchema(),
6584
names.AttrTagsAll: tftags.TagsSchemaComputed(),
6685
"verifiedaccess_group_arn": {
@@ -99,6 +118,10 @@ func resourceVerifiedAccessGroupCreate(ctx context.Context, d *schema.ResourceDa
99118
input.PolicyDocument = aws.String(v.(string))
100119
}
101120

121+
if v, ok := d.GetOk("sse_configuration"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
122+
input.SseSpecification = expandVerifiedAccessSseSpecificationRequest(v.([]interface{})[0].(map[string]interface{}))
123+
}
124+
102125
output, err := conn.CreateVerifiedAccessGroup(ctx, input)
103126

104127
if err != nil {
@@ -131,6 +154,13 @@ func resourceVerifiedAccessGroupRead(ctx context.Context, d *schema.ResourceData
131154
d.Set("description", group.Description)
132155
d.Set("last_updated_time", group.LastUpdatedTime)
133156
d.Set("owner", group.Owner)
157+
if v := group.SseSpecification; v != nil {
158+
if err := d.Set("sse_configuration", flattenVerifiedAccessSseSpecificationResponse(v)); err != nil {
159+
return sdkdiag.AppendErrorf(diags, "setting sse_configuration: %s", err)
160+
}
161+
} else {
162+
d.Set("sse_configuration", nil)
163+
}
134164
d.Set("verifiedaccess_group_arn", group.VerifiedAccessGroupArn)
135165
d.Set("verifiedaccess_group_id", group.VerifiedAccessGroupId)
136166
d.Set("verifiedaccess_instance_id", group.VerifiedAccessInstanceId)
@@ -152,7 +182,7 @@ func resourceVerifiedAccessGroupUpdate(ctx context.Context, d *schema.ResourceDa
152182
var diags diag.Diagnostics
153183
conn := meta.(*conns.AWSClient).EC2Client(ctx)
154184

155-
if d.HasChangesExcept("policy_document", "tags", "tags_all") {
185+
if d.HasChangesExcept("policy_document", "tags", "tags_all", "sse_configuration") {
156186
input := &ec2.ModifyVerifiedAccessGroupInput{
157187
ClientToken: aws.String(id.UniqueId()),
158188
VerifiedAccessGroupId: aws.String(d.Id()),
@@ -174,19 +204,35 @@ func resourceVerifiedAccessGroupUpdate(ctx context.Context, d *schema.ResourceDa
174204
}
175205

176206
if d.HasChange("policy_document") {
177-
input := &ec2.ModifyVerifiedAccessGroupPolicyInput{
207+
in := &ec2.ModifyVerifiedAccessGroupPolicyInput{
178208
PolicyDocument: aws.String(d.Get("policy_document").(string)),
179209
VerifiedAccessGroupId: aws.String(d.Id()),
180210
PolicyEnabled: aws.Bool(true),
181211
}
182212

183-
_, err := conn.ModifyVerifiedAccessGroupPolicy(ctx, input)
213+
_, err := conn.ModifyVerifiedAccessGroupPolicy(ctx, in)
184214

185215
if err != nil {
186216
return sdkdiag.AppendErrorf(diags, "updating Verified Access Group (%s) policy: %s", d.Id(), err)
187217
}
188218
}
189219

220+
if d.HasChange("sse_configuration") {
221+
in := &ec2.ModifyVerifiedAccessGroupPolicyInput{
222+
VerifiedAccessGroupId: aws.String(d.Id()),
223+
}
224+
225+
if v, ok := d.GetOk("sse_configuration"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
226+
in.SseSpecification = expandVerifiedAccessSseSpecificationRequest(v.([]interface{})[0].(map[string]interface{}))
227+
}
228+
229+
_, err := conn.ModifyVerifiedAccessGroupPolicy(ctx, in)
230+
231+
if err != nil {
232+
return sdkdiag.AppendErrorf(diags, "updating SSE on Verified Access Group (%s) policy: %s", d.Id(), err)
233+
}
234+
}
235+
190236
return append(diags, resourceVerifiedAccessGroupRead(ctx, d, meta)...)
191237
}
192238

@@ -210,3 +256,39 @@ func resourceVerifiedAccessGroupDelete(ctx context.Context, d *schema.ResourceDa
210256

211257
return diags
212258
}
259+
260+
func expandVerifiedAccessSseSpecificationRequest(tfMap map[string]interface{}) *types.VerifiedAccessSseSpecificationRequest {
261+
if tfMap == nil {
262+
return nil
263+
}
264+
265+
apiObject := &types.VerifiedAccessSseSpecificationRequest{}
266+
267+
if v, ok := tfMap["kms_key_arn"].(string); ok && v != "" {
268+
apiObject.KmsKeyArn = aws.String(v)
269+
}
270+
271+
if v, ok := tfMap["customer_managed_key_enabled"].(bool); ok {
272+
apiObject.CustomerManagedKeyEnabled = aws.Bool(v)
273+
}
274+
275+
return apiObject
276+
}
277+
278+
func flattenVerifiedAccessSseSpecificationResponse(apiObject *types.VerifiedAccessSseSpecificationResponse) []interface{} {
279+
if apiObject == nil {
280+
return nil
281+
}
282+
283+
tfMap := map[string]interface{}{}
284+
285+
if v := apiObject.CustomerManagedKeyEnabled; v != nil {
286+
tfMap["customer_managed_key_enabled"] = aws.ToBool(v)
287+
}
288+
289+
if v := apiObject.KmsKeyArn; v != nil {
290+
tfMap["kms_key_arn"] = aws.ToString(v)
291+
}
292+
293+
return []interface{}{tfMap}
294+
}

internal/service/ec2/verifiedaccess_group_test.go

Lines changed: 114 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,102 @@ func TestAccVerifiedAccessGroup_basic(t *testing.T) {
4848
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_arn"),
4949
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_id"),
5050
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_instance_id"),
51+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.0.customer_managed_key_enabled", "false"),
52+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.0.kms_key_arn", ""),
53+
),
54+
},
55+
{
56+
ResourceName: resourceName,
57+
ImportState: true,
58+
ImportStateVerify: true,
59+
},
60+
},
61+
})
62+
}
63+
64+
func TestAccVerifiedAccessGroup_kms(t *testing.T) {
65+
ctx := acctest.Context(t)
66+
var v types.VerifiedAccessGroup
67+
resourceName := "aws_verifiedaccess_group.test"
68+
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
69+
policyDoc := "permit(principal, action, resource) \nwhen {\ncontext.http_request.method == \"GET\"\n};"
70+
71+
resource.ParallelTest(t, resource.TestCase{
72+
PreCheck: func() {
73+
acctest.PreCheck(ctx, t)
74+
testAccPreCheckVerifiedAccess(ctx, t)
75+
},
76+
ErrorCheck: acctest.ErrorCheck(t, names.EC2),
77+
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
78+
CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx),
79+
Steps: []resource.TestStep{
80+
{
81+
Config: testAccVerifiedAccessGroupConfig_kms(rName, policyDoc),
82+
Check: resource.ComposeAggregateTestCheckFunc(
83+
testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v),
84+
resource.TestCheckResourceAttrSet(resourceName, "creation_time"),
85+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.#", "1"),
86+
resource.TestCheckResourceAttrSet(resourceName, "sse_configuration.0.customer_managed_key_enabled"),
87+
resource.TestCheckResourceAttrSet(resourceName, "sse_configuration.0.kms_key_arn"),
88+
),
89+
},
90+
{
91+
ResourceName: resourceName,
92+
ImportState: true,
93+
ImportStateVerify: true,
94+
},
95+
},
96+
})
97+
}
98+
99+
func TestAccVerifiedAccessGroup_updateKMS(t *testing.T) {
100+
ctx := acctest.Context(t)
101+
var v types.VerifiedAccessGroup
102+
resourceName := "aws_verifiedaccess_group.test"
103+
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
104+
policyDoc := "permit(principal, action, resource) \nwhen {\ncontext.http_request.method == \"GET\"\n};"
105+
description := sdkacctest.RandString(100)
106+
107+
resource.ParallelTest(t, resource.TestCase{
108+
PreCheck: func() {
109+
acctest.PreCheck(ctx, t)
110+
testAccPreCheckVerifiedAccess(ctx, t)
111+
},
112+
ErrorCheck: acctest.ErrorCheck(t, names.EC2),
113+
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
114+
CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx),
115+
Steps: []resource.TestStep{
116+
{
117+
Config: testAccVerifiedAccessGroupConfig_policy(rName, description, policyDoc),
118+
Check: resource.ComposeAggregateTestCheckFunc(
119+
testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v),
120+
resource.TestCheckResourceAttrSet(resourceName, "creation_time"),
121+
resource.TestCheckResourceAttr(resourceName, "deletion_time", ""),
122+
resource.TestCheckResourceAttr(resourceName, "description", description),
123+
resource.TestCheckResourceAttrSet(resourceName, "last_updated_time"),
124+
acctest.CheckResourceAttrAccountID(resourceName, "owner"),
125+
resource.TestCheckResourceAttr(resourceName, "policy_document", policyDoc),
126+
resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
127+
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_arn"),
128+
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_id"),
129+
resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_instance_id"),
130+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.0.customer_managed_key_enabled", "false"),
131+
),
132+
},
133+
{
134+
ResourceName: resourceName,
135+
ImportState: true,
136+
ImportStateVerify: true,
137+
},
138+
{
139+
Config: testAccVerifiedAccessGroupConfig_kms(rName, policyDoc),
140+
Check: resource.ComposeAggregateTestCheckFunc(
141+
testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v),
142+
resource.TestCheckResourceAttrSet(resourceName, "creation_time"),
143+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.#", "1"),
144+
resource.TestCheckResourceAttrSet(resourceName, "sse_configuration.0.customer_managed_key_enabled"),
145+
resource.TestCheckResourceAttr(resourceName, "sse_configuration.0.customer_managed_key_enabled", "true"),
146+
resource.TestCheckResourceAttrSet(resourceName, "sse_configuration.0.kms_key_arn"),
51147
),
52148
},
53149
{
@@ -366,6 +462,24 @@ resource "aws_verifiedaccess_group" "test" {
366462
`)
367463
}
368464

465+
func testAccVerifiedAccessGroupConfig_kms(rName, policyDoc string) string {
466+
return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), fmt.Sprintf(`
467+
resource "aws_kms_key" "test_key" {
468+
description = "KMS key for Verified Access Group test"
469+
}
470+
471+
resource "aws_verifiedaccess_group" "test" {
472+
verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id
473+
policy_document = %[1]q
474+
475+
sse_configuration {
476+
kms_key_arn = aws_kms_key.test_key.arn
477+
customer_managed_key_enabled = true
478+
}
479+
}
480+
`, policyDoc))
481+
}
482+
369483
func testAccVerifiedAccessGroupConfig_tags1(rName, tagKey1, tagValue1 string) string {
370484
return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), fmt.Sprintf(`
371485
resource "aws_verifiedaccess_group" "test" {

website/docs/r/verifiedaccess_group.html.markdown

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,22 @@ resource "aws_verifiedaccess_group" "example" {
2020
}
2121
```
2222

23+
### Usage with KMS Key
24+
25+
```terraform
26+
resource "aws_kms_key" "test_key" {
27+
description = "KMS key for Verified Access Group test"
28+
}
29+
30+
resource "aws_verifiedaccess_group" "test" {
31+
verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id
32+
33+
server_side_encryption_configuration {
34+
kms_key_arn = aws_kms_key.test_key.arn
35+
}
36+
}
37+
```
38+
2339
## Argument Reference
2440

2541
The following arguments are required:
@@ -29,8 +45,11 @@ The following arguments are required:
2945
The following arguments are optional:
3046

3147
* `description` - (Optional) Description of the verified access group.
32-
* `tags` - (Optional) Key-value mapping of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
3348
* `policy_document` - (Optional) The policy document that is associated with this resource.
49+
* `sse_configuration` - (Optional) Configuration block to use KMS keys for server-side encryption.
50+
* `cmk_enabled` - (Optional) Boolean flag to indicate that the CMK should be used.
51+
* `kms_key_arn` - (Optional) ARN of the KMS key to use.
52+
* `tags` - (Optional) Key-value mapping of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
3453

3554
## Attribute Reference
3655

0 commit comments

Comments
 (0)