Merge pull request #43138 from acwwat/f-aws_accessanalyzer_analyzer-add_internal_access_analyzer_support

feat: Add internal access analyzer support to aws_accessanalyzer_analyzer

Author: ewbankkit

.changelog/43138.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_accessanalyzer_analyzer: Add `configuration.internal_access` argument
+```

.ci/.tflint.hcl

@@ -25,3 +25,7 @@ rule "terraform_required_version" {
 rule "aws_acm_certificate_lifecycle" {
   enabled = false
 }
+
+rule "aws_accessanalyzer_analyzer_invalid_type" {
+  enabled = false
+}

internal/service/accessanalyzer/accessanalyzer_test.go

@@ -18,13 +18,15 @@ func TestAccAccessAnalyzer_serial(t *testing.T) {
 
 	testCases := map[string]map[string]func(t *testing.T){
 		"Analyzer": {
-			acctest.CtBasic:            testAccAnalyzer_basic,
-			"configuration":            testAccAnalyzer_configuration,
-			"organizationUnusedAccess": testAccAnalyzer_organizationUnusedAccess,
-			acctest.CtDisappears:       testAccAnalyzer_disappears,
-			"tags":                     testAccAccessAnalyzerAnalyzer_tagsSerial,
-			"type_Organization":        testAccAnalyzer_typeOrganization,
-			"upgradeV5_95_0":           testAccAnalyzer_upgradeV5_95_0,
+			acctest.CtBasic:              testAccAnalyzer_basic,
+			"accountInternalAccess":      testAccAnalyzer_accountInternalAccess,
+			"accountUnusedAccess":        testAccAnalyzer_accountUnusedAccess,
+			"organizationInternalAccess": testAccAnalyzer_organizationInternalAccess,
+			"organizationUnusedAccess":   testAccAnalyzer_organizationUnusedAccess,
+			acctest.CtDisappears:         testAccAnalyzer_disappears,
+			"tags":                       testAccAccessAnalyzerAnalyzer_tagsSerial,
+			"type_Organization":          testAccAnalyzer_typeOrganization,
+			"upgradeV5_95_0":             testAccAnalyzer_upgradeV5_95_0,
 		},
 		"ArchiveRule": {
 			acctest.CtBasic:      testAccAnalyzerArchiveRule_basic,

internal/service/accessanalyzer/analyzer.go

@@ -24,6 +24,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/flex"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -71,11 +72,69 @@ func resourceAnalyzer() *schema.Resource {
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"internal_access": {
+							Type:          schema.TypeList,
+							Optional:      true,
+							ForceNew:      true,
+							MaxItems:      1,
+							ConflictsWith: []string{"configuration.0.unused_access"},
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"analysis_rule": {
+										Type:     schema.TypeList,
+										Optional: true,
+										ForceNew: true,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"inclusion": {
+													Type:     schema.TypeList,
+													Optional: true,
+													ForceNew: true,
+													Elem: &schema.Resource{
+														Schema: map[string]*schema.Schema{
+															"account_ids": {
+																Type:     schema.TypeList,
+																Optional: true,
+																ForceNew: true,
+																Elem: &schema.Schema{
+																	Type:         schema.TypeString,
+																	ValidateFunc: verify.ValidAccountID,
+																},
+															},
+															"resource_arns": {
+																Type:     schema.TypeList,
+																Optional: true,
+																ForceNew: true,
+																Elem: &schema.Schema{
+																	Type:         schema.TypeString,
+																	ValidateFunc: verify.ValidARN,
+																},
+															},
+															"resource_types": {
+																Type:     schema.TypeList,
+																Optional: true,
+																ForceNew: true,
+																Elem: &schema.Schema{
+																	Type:             schema.TypeString,
+																	ValidateDiagFunc: enum.Validate[types.ResourceType](),
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 						"unused_access": {
-							Type:     schema.TypeList,
-							Optional: true,
-							ForceNew: true,
-							MaxItems: 1,
+							Type:          schema.TypeList,
+							Optional:      true,
+							ForceNew:      true,
+							MaxItems:      1,
+							ConflictsWith: []string{"configuration.0.internal_access"},
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"analysis_rule": {
@@ -98,7 +157,7 @@ func resourceAnalyzer() *schema.Resource {
 																MaxItems: 2000,
 																Elem: &schema.Schema{
 																	Type:         schema.TypeString,
-																	ValidateFunc: validation.StringMatch(regexache.MustCompile(`^\d{12}$`), "Must be a 12-digit account ID"),
+																	ValidateFunc: verify.ValidAccountID,
 																},
 															},
 															names.AttrResourceTags: {
@@ -268,10 +327,94 @@ func expandAnalyzerConfiguration(tfMap map[string]any) types.AnalyzerConfigurati
 		return nil
 	}
 
-	apiObject := &types.AnalyzerConfigurationMemberUnusedAccess{}
+	var apiObject types.AnalyzerConfiguration
 
+	if v, ok := tfMap["internal_access"].([]any); ok && len(v) > 0 && v[0] != nil {
+		internalAccess := &types.AnalyzerConfigurationMemberInternalAccess{}
+		internalAccess.Value = expandInternalAccessConfiguration(v[0].(map[string]any))
+		apiObject = internalAccess
+	}
 	if v, ok := tfMap["unused_access"].([]any); ok && len(v) > 0 && v[0] != nil {
-		apiObject.Value = expandUnusedAccessConfiguration(v[0].(map[string]any))
+		unusedAccess := &types.AnalyzerConfigurationMemberUnusedAccess{}
+		unusedAccess.Value = expandUnusedAccessConfiguration(v[0].(map[string]any))
+		apiObject = unusedAccess
+	}
+
+	return apiObject
+}
+
+func expandInternalAccessConfiguration(tfMap map[string]any) types.InternalAccessConfiguration {
+	apiObject := types.InternalAccessConfiguration{}
+
+	if v, ok := tfMap["analysis_rule"].([]any); ok && len(v) > 0 && v[0] != nil {
+		apiObject.AnalysisRule = expandInternalAccessAnalysisRule(v[0].(map[string]any))
+	}
+
+	return apiObject
+}
+
+func expandInternalAccessAnalysisRule(tfMap map[string]any) *types.InternalAccessAnalysisRule {
+	apiObject := &types.InternalAccessAnalysisRule{}
+
+	if v, ok := tfMap["inclusion"].([]any); ok && len(v) > 0 {
+		apiObject.Inclusions = expandInternalAccessAnalysisRuleCriterias(v)
+	}
+
+	return apiObject
+}
+
+func expandInternalAccessAnalysisRuleCriterias(tfList []any) []types.InternalAccessAnalysisRuleCriteria {
+	if len(tfList) == 0 {
+		return nil
+	}
+
+	var apiObjects []types.InternalAccessAnalysisRuleCriteria
+
+	for _, tfMapRaw := range tfList {
+		tfMap, ok := tfMapRaw.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		apiObject := expandInternalAccessAnalysisRuleCriteria(tfMap)
+
+		if apiObject == nil {
+			continue
+		}
+
+		apiObjects = append(apiObjects, *apiObject)
+	}
+
+	return apiObjects
+}
+
+func expandInternalAccessAnalysisRuleCriteria(tfMap map[string]any) *types.InternalAccessAnalysisRuleCriteria {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &types.InternalAccessAnalysisRuleCriteria{}
+
+	if tfList, ok := tfMap["account_ids"].([]any); ok && len(tfList) > 0 {
+		for _, v := range tfList {
+			accountID, ok := v.(string)
+			if !ok {
+				continue
+			}
+			apiObject.AccountIds = append(apiObject.AccountIds, accountID)
+		}
+	}
+
+	if tfList, ok := tfMap["resource_arns"].([]any); ok && len(tfList) > 0 {
+		for _, v := range tfList {
+			apiObject.ResourceArns = append(apiObject.ResourceArns, v.(string))
+		}
+	}
+
+	if tfList, ok := tfMap["resource_types"].([]any); ok && len(tfList) > 0 {
+		for _, v := range tfList {
+			apiObject.ResourceTypes = append(apiObject.ResourceTypes, types.ResourceType(v.(string)))
+		}
 	}
 
 	return apiObject
@@ -360,13 +503,82 @@ func flattenAnalyzerConfiguration(apiObject types.AnalyzerConfiguration) map[str
 	tfMap := map[string]any{}
 
 	switch v := apiObject.(type) {
+	case *types.AnalyzerConfigurationMemberInternalAccess:
+		tfMap["internal_access"] = []any{flattenInternalAccessConfiguration(&v.Value)}
 	case *types.AnalyzerConfigurationMemberUnusedAccess:
 		tfMap["unused_access"] = []any{flattenUnusedAccessConfiguration(&v.Value)}
 	}
 
 	return tfMap
 }
 
+func flattenInternalAccessConfiguration(apiObject *types.InternalAccessConfiguration) map[string]any {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]any{}
+
+	if v := apiObject.AnalysisRule; v != nil {
+		tfMap["analysis_rule"] = []any{flattenInternalAccessAnalysisRule(v)}
+	}
+
+	return tfMap
+}
+
+func flattenInternalAccessAnalysisRule(apiObject *types.InternalAccessAnalysisRule) map[string]any {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]any{}
+
+	if v := apiObject.Inclusions; v != nil {
+		tfMap["inclusion"] = flattenInternalAccessAnalysisRuleCriterias(v)
+	}
+
+	return tfMap
+}
+
+func flattenInternalAccessAnalysisRuleCriterias(apiObjects []types.InternalAccessAnalysisRuleCriteria) []any {
+	if len(apiObjects) == 0 {
+		return nil
+	}
+
+	var tfList []any
+
+	for _, apiObject := range apiObjects {
+		tfMap := flattenInternalAccessAnalysisRuleCriteria(&apiObject)
+		if tfMap != nil {
+			tfList = append(tfList, tfMap)
+		}
+	}
+
+	return tfList
+}
+
+func flattenInternalAccessAnalysisRuleCriteria(apiObject *types.InternalAccessAnalysisRuleCriteria) map[string]any {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]any{}
+
+	if v := apiObject.AccountIds; len(v) > 0 {
+		tfMap["account_ids"] = v
+	}
+
+	if v := apiObject.ResourceArns; len(v) > 0 {
+		tfMap["resource_arns"] = v
+	}
+
+	if v := apiObject.ResourceTypes; len(v) > 0 {
+		tfMap["resource_types"] = v
+	}
+
+	return tfMap
+}
+
 func flattenUnusedAccessConfiguration(apiObject *types.UnusedAccessConfiguration) map[string]any {
 	if apiObject == nil {
 		return nil