hashicorp · ewbankkit · Mar 13, 2023 · Mar 12, 2023 · Mar 12, 2023 · Mar 12, 2023
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_fms_policy: Add `description` argument
+```
@@ -2,7 +2,6 @@ package fms
 
 import (
 	"context"
-	"fmt"
 	"log"
 	"regexp"
 
@@ -50,6 +49,10 @@ func ResourcePolicy() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"description": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"exclude_resource_tags": {
 				Type:     schema.TypeBool,
 				Required: true,
@@ -196,14 +199,40 @@ func resourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interf
 		return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): %s", d.Id(), err)
 	}
 
-	if err := resourcePolicyFlattenPolicy(d, output); err != nil {
-		return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): %s", d.Id(), err)
+	arn := aws.StringValue(output.PolicyArn)
+	d.Set("arn", arn)
+	policy := output.Policy
+	d.Set("delete_unused_fm_managed_resources", policy.DeleteUnusedFMManagedResources)
+	d.Set("description", policy.PolicyDescription)
+	if err := d.Set("exclude_map", flattenPolicyMap(policy.ExcludeMap)); err != nil {
+		sdkdiag.AppendErrorf(diags, "setting exclude_map: %s", err)
+	}
+	d.Set("exclude_resource_tags", policy.ExcludeResourceTags)
+	if err := d.Set("include_map", flattenPolicyMap(policy.IncludeMap)); err != nil {
+		sdkdiag.AppendErrorf(diags, "setting include_map: %s", err)
+	}
+	d.Set("name", policy.PolicyName)
+	d.Set("policy_update_token", policy.PolicyUpdateToken)
+	d.Set("remediation_enabled", policy.RemediationEnabled)
+	if err := d.Set("resource_tags", flattenResourceTags(policy.ResourceTags)); err != nil {
+		sdkdiag.AppendErrorf(diags, "setting resource_tags: %s", err)
+	}
+	d.Set("resource_type", policy.ResourceType)
+	if err := d.Set("resource_type_list", policy.ResourceTypeList); err != nil {
+		sdkdiag.AppendErrorf(diags, "setting resource_type_list: %s", err)
+	}
+	securityServicePolicy := []map[string]string{{
+		"type":                 aws.StringValue(policy.SecurityServicePolicyData.Type),
+		"managed_service_data": aws.StringValue(policy.SecurityServicePolicyData.ManagedServiceData),
+	}}
+	if err := d.Set("security_service_policy_data", securityServicePolicy); err != nil {
+		sdkdiag.AppendErrorf(diags, "setting security_service_policy_data: %s", err)
 	}
 
-	tags, err := ListTags(ctx, conn, d.Get("arn").(string))
+	tags, err := ListTags(ctx, conn, arn)
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "reading FMS Policy (%s): listing tags: %s", d.Id(), err)
+		return sdkdiag.AppendErrorf(diags, "listing tags for FMS Policy (%s): %s", d.Id(), err)
 	}
 
 	tags = tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig)
@@ -285,46 +314,13 @@ func FindPolicyByID(ctx context.Context, conn *fms.FMS, id string) (*fms.GetPoli
 		return nil, err
 	}
 
-	if output == nil {
+	if output == nil || output.Policy == nil || output.Policy.SecurityServicePolicyData == nil {
 		return nil, tfresource.NewEmptyResultError(input)
 	}
 
 	return output, nil
 }
 
-func resourcePolicyFlattenPolicy(d *schema.ResourceData, resp *fms.GetPolicyOutput) error {
-	d.Set("arn", resp.PolicyArn)
-
-	d.Set("name", resp.Policy.PolicyName)
-	d.Set("exclude_resource_tags", resp.Policy.ExcludeResourceTags)
-	if err := d.Set("exclude_map", flattenPolicyMap(resp.Policy.ExcludeMap)); err != nil {
-		return fmt.Errorf("setting exclude_map: %w", err)
-	}
-	if err := d.Set("include_map", flattenPolicyMap(resp.Policy.IncludeMap)); err != nil {
-		return fmt.Errorf("setting include_map: %w", err)
-	}
-	d.Set("remediation_enabled", resp.Policy.RemediationEnabled)
-	if err := d.Set("resource_type_list", resp.Policy.ResourceTypeList); err != nil {
-		return fmt.Errorf("setting resource_type_list: %w", err)
-	}
-	d.Set("delete_unused_fm_managed_resources", resp.Policy.DeleteUnusedFMManagedResources)
-	d.Set("resource_type", resp.Policy.ResourceType)
-	d.Set("policy_update_token", resp.Policy.PolicyUpdateToken)
-	if err := d.Set("resource_tags", flattenResourceTags(resp.Policy.ResourceTags)); err != nil {
-		return fmt.Errorf("setting resource_tags: %w", err)
-	}
-
-	securityServicePolicy := []map[string]string{{
-		"type":                 *resp.Policy.SecurityServicePolicyData.Type,
-		"managed_service_data": *resp.Policy.SecurityServicePolicyData.ManagedServiceData,
-	}}
-	if err := d.Set("security_service_policy_data", securityServicePolicy); err != nil {
-		return fmt.Errorf("setting security_service_policy_data: %w", err)
-	}
-
-	return nil
-}
-
 func resourcePolicyExpandPolicy(d *schema.ResourceData) *fms.Policy {
 	resourceType := aws.String("ResourceTypeList")
 	resourceTypeList := flex.ExpandStringSet(d.Get("resource_type_list").(*schema.Set))
@@ -333,12 +329,13 @@ func resourcePolicyExpandPolicy(d *schema.ResourceData) *fms.Policy {
 	}
 
 	fmsPolicy := &fms.Policy{
+		DeleteUnusedFMManagedResources: aws.Bool(d.Get("delete_unused_fm_managed_resources").(bool)),
+		ExcludeResourceTags:            aws.Bool(d.Get("exclude_resource_tags").(bool)),
+		PolicyDescription:              aws.String(d.Get("description").(string)),
 		PolicyName:                     aws.String(d.Get("name").(string)),
 		RemediationEnabled:             aws.Bool(d.Get("remediation_enabled").(bool)),
 		ResourceType:                   resourceType,
 		ResourceTypeList:               resourceTypeList,
-		ExcludeResourceTags:            aws.Bool(d.Get("exclude_resource_tags").(bool)),
-		DeleteUnusedFMManagedResources: aws.Bool(d.Get("delete_unused_fm_managed_resources").(bool)),
 	}
 
 	if d.Id() != "" {

@@ -38,6 +38,7 @@ func testAccPolicy_basic(t *testing.T) {
 					testAccCheckPolicyExists(ctx, resourceName),
 					acctest.CheckResourceAttrRegionalARNIgnoreRegionAndAccount(resourceName, "arn", "fms", "policy/.+"),
 					resource.TestCheckResourceAttr(resourceName, "delete_unused_fm_managed_resources", "false"),
+					resource.TestCheckResourceAttr(resourceName, "description", "test description"),
 					resource.TestCheckResourceAttr(resourceName, "name", rName),
 					resource.TestCheckResourceAttr(resourceName, "security_service_policy_data.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
@@ -283,6 +284,7 @@ func testAccPolicyConfig_basic(policyName, ruleGroupName string) string {
 resource "aws_fms_policy" "test" {
   exclude_resource_tags = false
   name                  = %[1]q
+  description           = "test description"
   remediation_enabled   = false
   resource_type_list    = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
 

@@ -221,7 +221,11 @@ func resourceRuleGroupDelete(ctx context.Context, d *schema.ResourceData, meta i
 	oldRules := d.Get("activated_rule").(*schema.Set).List()
 	err := DeleteRuleGroup(ctx, d.Id(), oldRules, conn, region)
 
-	return sdkdiag.AppendErrorf(diags, "deleting WAF Regional Rule Group (%s): %s", d.Id(), err)
+	if err != nil {
+		return sdkdiag.AppendErrorf(diags, "deleting WAF Regional Rule Group (%s): %s", d.Id(), err)
+	}
+
+	return diags
 }
 
 func DeleteRuleGroup(ctx context.Context, id string, oldRules []interface{}, conn *wafregional.WAFRegional, region string) error {

@@ -55,6 +55,7 @@ The following arguments are supported:
 * `name` - (Required, Forces new resource) The friendly name of the AWS Firewall Manager Policy.
 * `delete_all_policy_resources` - (Optional) If true, the request will also perform a clean-up process. Defaults to `true`. More information can be found here [AWS Firewall Manager delete policy](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_DeletePolicy.html)
 * `delete_unused_fm_managed_resources` - (Optional) If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to `false`. More information can be found here [AWS Firewall Manager policy contents](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html)
+* `description` - (Optional) The description of the AWS Network Firewall firewall policy.
 * `exclude_map` - (Optional) A map of lists of accounts and OU's to exclude from the policy.
 * `exclude_resource_tags` - (Required, Forces new resource) A boolean value, if true the tags that are specified in the `resource_tags` are not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy.
 * `include_map` - (Optional) A map of lists of accounts and OU's to include in the policy.