-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Resource: aws_guardduty_member #2911
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking pretty good.
I left you 2 major questions/suggestions about potential crashes and 1 minor about tests synchronicity.
log.Printf("[DEBUG] Reading GuardDuty Member: %s", input) | ||
gmo, err := conn.GetMembers(&input) | ||
if err != nil { | ||
if isAWSErr(err, guardduty.ErrCodeBadRequestException, "The request is rejected because the input detectorId is not owned by the current account.") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😭
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah its like S3 NoSuchBucket
in this regard. 😢
aws/resource_aws_guardduty_member.go
Outdated
member := gmo.Members[0] | ||
d.Set("account_id", *member.AccountId) | ||
d.Set("detector_id", detectorID) | ||
d.Set("email", *member.Email) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dereferencing here is not necessary, or in fact undesired. Set()
will perform safe dereferencing - meaning that it won't crash on nil
. We had many crash reports caused by this in the past which led us to this thought.
Do you mind changing it accordingly? 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💯 I'll update this code and personally file this under "leave the stars to the night sky"!
aws/resource_aws_guardduty_member.go
Outdated
|
||
idParts := strings.Split(d.Id(), ":") | ||
accountID := idParts[1] | ||
detectorID := idParts[0] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: What happens if the user passes only one ID? Isn't it going to crash here because Split()
won't return [1]
?
I think it would be nice to have a helper function for this, e.g. accId, detectorId, err := decodeGuardDutyMemberId(d.Id())
and keep the error message there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oi! This is a very good catch! I totally forgot to split it out into a decode function with the error checking after initially writing it.
"Member": { | ||
"basic": testAccAwsGuardDutyMember_basic, | ||
"import": testAccAwsGuardDutyMember_import, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume there can be more than 1 member per AWS account, so we don't need to make these tests synchronous? Unless I'm mistaken...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be like this because its like AWS Config, where it can only be activated once in a region, so we're left with serially doing one test at a time since we turn the GuardDuty detector on and off each test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, 👌
* Do not unsafely dereference member attributes for d.Set() * Separate ID parsing into decodeGuardDutyMemberID with error checking
Updated and verified locally! Thanks for those very important catches. 🚀
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
aws/resource_aws_guardduty_member.go
Outdated
func decodeGuardDutyMemberID(id string) (accountID, detectorID string, err error) { | ||
parts := strings.Split(id, ":") | ||
if len(parts) != 2 { | ||
err = fmt.Errorf("GuardDuty Member ID must be of the form <Detector ID>:<Member AWS Account ID>") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: We could include the real ID in the error message here.
"Member": { | ||
"basic": testAccAwsGuardDutyMember_basic, | ||
"import": testAccAwsGuardDutyMember_import, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, 👌
This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
* commit 'b9284490eff637460fef663794a496d363e19f10': (190 commits) v1.7.0 Update CHANGELOG.md d/aws_ssm_parameter: Support returning raw encrypted SecureString value. (hashicorp#2777) Bump aws-sdk-go to v1.12.60 Update CHANGELOG.md Add acceptance test for import + randomization Removed reference to Core fixes Add instructions for vendor updates Use AWS example instead of Azure Update CHANGELOG for hashicorp#2833 Update CHANGELOG.md r/lb_target_group: Fix validation rules for LB's healthcheck Update CHANGELOG for hashicorp#2911 r/aws_guardduty_member: Provide given ID in error message when incorrect format Update CHANGELOG.md Update CHANGELOG with hashicorp#2888 r/aws_guardduty_member: hashicorp#2911 PR review r/aws_cloudwatch_event_permission: hashicorp#2888 PR review Makefile: Fixed test outputs resource/aws_lb+aws_elb: Fix regression with undefined 'name' ... # Conflicts: # .gitignore # aws/data_source_aws_s3_bucket_object.go # aws/resource_aws_elasticsearch_domain.go
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
References: