Merge pull request #30074 from hashicorp/b-cognito-riskconfiguration

resource/aws_cognito_risk_configuration: validation for `risk_exception_configuration`
hashicorp · Mar 17, 2023 · 51cd1a1 · 51cd1a1
2 parents c513956 + dee536d
commit 51cd1a1
Show file tree

Hide file tree

Showing 5 changed files with 218 additions and 28 deletions.
diff --git a/.changelog/30074.txt b/.changelog/30074.txt
@@ -0,0 +1,3 @@
+```release-note:bug    
+resource/aws_cognito_risk_configuration: Adds validation to `risk_exception_configuration` and requires at least one of `account_takeover_risk_configuration`, `compromised_credentials_risk_configuration`, or `risk_exception_configuration`.
+```
diff --git a/internal/acctest/acctest.go b/internal/acctest/acctest.go
@@ -2292,3 +2292,11 @@ func modulePrimaryInstanceState(ms *terraform.ModuleState, name string) (*terraf
 
 	return is, nil
 }
+
+func ExpectErrorAttrAtLeastOneOf(attrs ...string) *regexp.Regexp {
+	return regexp.MustCompile(fmt.Sprintf("one of\\s+`%s`\\s+must be specified", strings.Join(attrs, ",")))
+}
+
+func ExpectErrorAttrMinItems(attr string, expected, actual int) *regexp.Regexp {
+	return regexp.MustCompile(fmt.Sprintf(`Attribute %s requires %d\s+item minimum, but config has only %d declared`, attr, expected, actual))
+}
diff --git a/internal/service/cognitoidp/risk_configuration.go b/internal/service/cognitoidp/risk_configuration.go
@@ -7,14 +7,14 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
-	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/create"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 	"github.com/hashicorp/terraform-provider-aws/internal/flex"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
@@ -46,6 +46,11 @@ func ResourceRiskConfiguration() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				MaxItems: 1,
+				AtLeastOneOf: []string{
+					"account_takeover_risk_configuration",
+					"compromised_credentials_risk_configuration",
+					"risk_exception_configuration",
+				},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"actions": {
@@ -249,21 +254,27 @@ func ResourceRiskConfiguration() *schema.Resource {
 						"blocked_ip_range_list": {
 							Type:     schema.TypeSet,
 							Optional: true,
+							MinItems: 1,
+							MaxItems: 200,
+							AtLeastOneOf: []string{
+								"risk_exception_configuration.0.blocked_ip_range_list",
+								"risk_exception_configuration.0.skipped_ip_range_list",
+							},
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.All(
-									validation.StringLenBetween(0, 200),
 									validation.IsCIDR,
 								),
 							},
 						},
 						"skipped_ip_range_list": {
 							Type:     schema.TypeSet,
 							Optional: true,
+							MinItems: 1,
+							MaxItems: 200,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.All(
-									validation.StringLenBetween(0, 200),
 									validation.IsCIDR,
 								)},
 						},
@@ -323,7 +334,7 @@ func resourceRiskConfigurationRead(ctx context.Context, d *schema.ResourceData,
 
 	riskConfig, err := FindRiskConfigurationById(ctx, conn, d.Id())
 
-	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, cognitoidentityprovider.ErrCodeResourceNotFoundException) {
+	if !d.IsNewResource() && tfresource.NotFound(err) {
 		create.LogNotFoundRemoveState(names.CognitoIDP, create.ErrActionReading, ResNameRiskConfiguration, d.Id())
 		d.SetId("")
 		return diags
@@ -382,6 +393,10 @@ func resourceRiskConfigurationDelete(ctx context.Context, d *schema.ResourceData
 }
 
 func expandRiskExceptionConfiguration(riskConfig []interface{}) *cognitoidentityprovider.RiskExceptionConfigurationType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	riskExceptionConfigurationType := &cognitoidentityprovider.RiskExceptionConfigurationType{}
@@ -416,6 +431,10 @@ func flattenRiskExceptionConfiguration(apiObject *cognitoidentityprovider.RiskEx
 }
 
 func expandCompromisedCredentialsRiskConfiguration(riskConfig []interface{}) *cognitoidentityprovider.CompromisedCredentialsRiskConfigurationType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	riskExceptionConfigurationType := &cognitoidentityprovider.CompromisedCredentialsRiskConfigurationType{}
@@ -450,6 +469,10 @@ func flattenCompromisedCredentialsRiskConfiguration(apiObject *cognitoidentitypr
 }
 
 func expandCompromisedCredentialsActions(riskConfig []interface{}) *cognitoidentityprovider.CompromisedCredentialsActionsType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	compromisedCredentialsAction := &cognitoidentityprovider.CompromisedCredentialsActionsType{}
@@ -476,6 +499,10 @@ func flattenCompromisedCredentialsActions(apiObject *cognitoidentityprovider.Com
 }
 
 func expandAccountTakeoverRiskConfiguration(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverRiskConfigurationType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	accountTakeoverRiskConfiguration := &cognitoidentityprovider.AccountTakeoverRiskConfigurationType{}
@@ -510,6 +537,10 @@ func flattenAccountTakeoverRiskConfiguration(apiObject *cognitoidentityprovider.
 }
 
 func expandAccountTakeoverActions(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverActionsType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	actions := &cognitoidentityprovider.AccountTakeoverActionsType{}
@@ -552,6 +583,10 @@ func flattenAccountTakeoverActions(apiObject *cognitoidentityprovider.AccountTak
 }
 
 func expandAccountTakeoverAction(riskConfig []interface{}) *cognitoidentityprovider.AccountTakeoverActionType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	action := &cognitoidentityprovider.AccountTakeoverActionType{}
@@ -586,6 +621,10 @@ func flattenAccountTakeoverAction(apiObject *cognitoidentityprovider.AccountTake
 }
 
 func expandNotifyConfiguration(riskConfig []interface{}) *cognitoidentityprovider.NotifyConfigurationType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	notifConfig := &cognitoidentityprovider.NotifyConfigurationType{}
@@ -652,6 +691,10 @@ func flattenNotifyConfiguration(apiObject *cognitoidentityprovider.NotifyConfigu
 }
 
 func expandNotifyEmail(riskConfig []interface{}) *cognitoidentityprovider.NotifyEmailType {
+	if len(riskConfig) == 0 || riskConfig[0] == nil {
+		return nil
+	}
+
 	config := riskConfig[0].(map[string]interface{})
 
 	notifyEmail := &cognitoidentityprovider.NotifyEmailType{}