Merge pull request #21482 from DrFaust92/storagegw_nfs_audit

r/storage_gateway_nfs_file_share - add `audit_destination_arn`
hashicorp · Oct 26, 2021 · f08581a · f08581a
2 parents 2647f0d + aca1db9
commit f08581a
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 4 deletions.
diff --git a/.changelog/21482.txt b/.changelog/21482.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_storage_gateway_nfs_file_share: Add `audit_destination_arn` argument.
+```
diff --git a/internal/service/storagegateway/nfs_file_share.go b/internal/service/storagegateway/nfs_file_share.go
@@ -36,6 +36,11 @@ func ResourceNFSFileShare() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"audit_destination_arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidARN,
+			},
 			"arn": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -228,6 +233,10 @@ func resourceNFSFileShareCreate(d *schema.ResourceData, meta interface{}) error
 		Tags:                 Tags(tags.IgnoreAWS()),
 	}
 
+	if v, ok := d.GetOk("audit_destination_arn"); ok {
+		input.AuditDestinationARN = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("kms_key_arn"); ok {
 		input.KMSKey = aws.String(v.(string))
 	}
@@ -294,6 +303,7 @@ func resourceNFSFileShareRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error setting client_list: %w", err)
 	}
 
+	d.Set("audit_destination_arn", fileshare.AuditDestinationARN)
 	d.Set("default_storage_class", fileshare.DefaultStorageClass)
 	d.Set("fileshare_id", fileshare.FileShareId)
 	d.Set("gateway_arn", fileshare.GatewayARN)
@@ -343,10 +353,7 @@ func resourceNFSFileShareUpdate(d *schema.ResourceData, meta interface{}) error
 		}
 	}
 
-	if d.HasChanges("client_list", "default_storage_class", "guess_mime_type_enabled", "kms_encrypted",
-		"nfs_file_share_defaults", "object_acl", "read_only", "requester_pays", "squash", "kms_key_arn",
-		"cache_attributes", "file_share_name", "notification_policy") {
-
+	if d.HasChangesExcept("tags_all", "tags") {
 		fileShareDefaults, err := expandStorageGatewayNfsFileShareDefaults(d.Get("nfs_file_share_defaults").([]interface{}))
 		if err != nil {
 			return err
@@ -365,6 +372,10 @@ func resourceNFSFileShareUpdate(d *schema.ResourceData, meta interface{}) error
 			Squash:               aws.String(d.Get("squash").(string)),
 		}
 
+		if v, ok := d.GetOk("audit_destination_arn"); ok {
+			input.AuditDestinationARN = aws.String(v.(string))
+		}
+
 		if v, ok := d.GetOk("kms_key_arn"); ok {
 			input.KMSKey = aws.String(v.(string))
 		}

diff --git a/internal/service/storagegateway/nfs_file_share_test.go b/internal/service/storagegateway/nfs_file_share_test.go
@@ -66,6 +66,42 @@ func TestAccStorageGatewayNFSFileShare_basic(t *testing.T) {
 	})
 }
 
+func TestAccStorageGatewayNFSFileShare_audit(t *testing.T) {
+	var nfsFileShare storagegateway.NFSFileShareInfo
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_storagegateway_nfs_file_share.test"
+	logResourceName := "aws_cloudwatch_log_group.test"
+	logResourceNameSecond := "aws_cloudwatch_log_group.test2"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, storagegateway.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckNFSFileShareDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNFSFileShareAuditConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNFSFileShareExists(resourceName, &nfsFileShare),
+					resource.TestCheckResourceAttrPair(resourceName, "audit_destination_arn", logResourceName, "arn"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccNFSFileShareAuditUpdatedConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNFSFileShareExists(resourceName, &nfsFileShare),
+					resource.TestCheckResourceAttrPair(resourceName, "audit_destination_arn", logResourceNameSecond, "arn"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccStorageGatewayNFSFileShare_tags(t *testing.T) {
 	var nfsFileShare storagegateway.NFSFileShareInfo
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -616,6 +652,7 @@ func TestAccStorageGatewayNFSFileShare_disappears(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckNFSFileShareExists(resourceName, &nfsFileShare),
 					acctest.CheckResourceDisappears(acctest.Provider, tfstoragegateway.ResourceNFSFileShare(), resourceName),
+					acctest.CheckResourceDisappears(acctest.Provider, tfstoragegateway.ResourceNFSFileShare(), resourceName),
 				),
 				ExpectNonEmptyPlan: true,
 			},
@@ -994,3 +1031,39 @@ resource "aws_storagegateway_nfs_file_share" "test" {
 }
 `
 }
+
+func testAccNFSFileShareAuditConfig(rName string) string {
+	return testAcc_S3FileShareBase(rName) + fmt.Sprintf(`
+resource "aws_cloudwatch_log_group" "test" {
+  name = %[1]q
+}
+
+resource "aws_storagegateway_nfs_file_share" "test" {
+  client_list           = ["0.0.0.0/0"]
+  gateway_arn           = aws_storagegateway_gateway.test.arn
+  location_arn          = aws_s3_bucket.test.arn
+  role_arn              = aws_iam_role.test.arn
+  audit_destination_arn = aws_cloudwatch_log_group.test.arn
+}
+`, rName)
+}
+
+func testAccNFSFileShareAuditUpdatedConfig(rName string) string {
+	return testAcc_S3FileShareBase(rName) + fmt.Sprintf(`
+resource "aws_cloudwatch_log_group" "test" {
+  name = %[1]q
+}
+
+resource "aws_cloudwatch_log_group" "test2" {
+  name = "%[1]s-updated"
+}
+
+resource "aws_storagegateway_nfs_file_share" "test" {
+  client_list           = ["0.0.0.0/0"]
+  gateway_arn           = aws_storagegateway_gateway.test.arn
+  location_arn          = aws_s3_bucket.test.arn
+  role_arn              = aws_iam_role.test.arn
+  audit_destination_arn = aws_cloudwatch_log_group.test2.arn
+}
+`, rName)
+}
diff --git a/website/docs/r/storagegateway_nfs_file_share.html.markdown b/website/docs/r/storagegateway_nfs_file_share.html.markdown
@@ -29,6 +29,7 @@ The following arguments are supported:
 * `gateway_arn` - (Required) Amazon Resource Name (ARN) of the file gateway.
 * `location_arn` - (Required) The ARN of the backed storage used for storing file data.
 * `role_arn` - (Required) The ARN of the AWS Identity and Access Management (IAM) role that a file gateway assumes when it accesses the underlying storage.
+* `audit_destination_arn` - (Optional) The Amazon Resource Name (ARN) of the storage used for audit logs.
 * `default_storage_class` - (Optional) The default storage class for objects put into an Amazon S3 bucket by the file gateway. Defaults to `S3_STANDARD`. Valid values: `S3_STANDARD`, `S3_STANDARD_IA`, `S3_ONEZONE_IA`.
 * `guess_mime_type_enabled` - (Optional) Boolean value that enables guessing of the MIME type for uploaded objects based on file extensions. Defaults to `true`.
 * `kms_encrypted` - (Optional) Boolean value if `true` to use Amazon S3 server side encryption with your own AWS KMS key, or `false` to use a key managed by Amazon S3. Defaults to `false`.