aws_kinesis_firehose_delivery_stream

civitaspo · Jul 3, 2024 · 9e3af47 · 9e3af47
1 parent 0f55290
commit 9e3af47
Show file tree

Hide file tree

Showing 2 changed files with 144 additions and 10 deletions.
diff --git a/internal/service/firehose/delivery_stream.go b/internal/service/firehose/delivery_stream.go
@@ -290,6 +290,32 @@ func resourceDeliveryStream() *schema.Resource {
 					Elem:     s3ConfigurationElem(),
 				}
 			}
+			secretsManagerConfigurationSchema := func() *schema.Schema {
+				return &schema.Schema{
+					Type:     schema.TypeList,
+					MaxItems: 1,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							names.AttrEnabled: {
+								Type:     schema.TypeBool,
+								Required: true,
+								ForceNew: true,
+							},
+							names.AttrRoleARN: {
+								Type:         schema.TypeString,
+								Optional:     true,
+								ValidateFunc: verify.ValidARN,
+							},
+							"secret_arn": {
+								Type:         schema.TypeString,
+								Optional:     true,
+								ValidateFunc: verify.ValidARN,
+							},
+						},
+					},
+				}
+			}
 
 			return map[string]*schema.Schema{
 				names.AttrARN: {
@@ -780,7 +806,8 @@ func resourceDeliveryStream() *schema.Resource {
 								Default:          types.HttpEndpointS3BackupModeFailedDataOnly,
 								ValidateDiagFunc: enum.Validate[types.HttpEndpointS3BackupMode](),
 							},
-							"s3_configuration": s3ConfigurationSchema(),
+							"s3_configuration":             s3ConfigurationSchema(),
+							"secret_manager_configuration": secretsManagerConfigurationSchema(),
 							names.AttrURL: {
 								Type:     schema.TypeString,
 								Required: true,
@@ -2851,6 +2878,10 @@ func expandHTTPEndpointDestinationConfiguration(httpEndpoint map[string]interfac
 		configuration.S3BackupMode = types.HttpEndpointS3BackupMode(s3BackupMode.(string))
 	}
 
+	if _, ok := httpEndpoint["secret_manager_configuration"]; ok {
+		configuration.SecretsManagerConfiguration = expandSecretsManagerConfiguration(httpEndpoint)
+	}
+
 	return configuration
 }
 
@@ -2890,6 +2921,10 @@ func expandHTTPEndpointDestinationUpdate(httpEndpoint map[string]interface{}) *t
 		configuration.S3BackupMode = types.HttpEndpointS3BackupMode(s3BackupMode.(string))
 	}
 
+	if _, ok := httpEndpoint["secret_manager_configuration"]; ok {
+		configuration.SecretsManagerConfiguration = expandSecretsManagerConfiguration(httpEndpoint)
+	}
+
 	return configuration
 }
 
@@ -3075,6 +3110,28 @@ func expandSnowflakeVPCConfiguration(tfMap map[string]interface{}) *types.Snowfl
 	return apiObject
 }
 
+func expandSecretsManagerConfiguration(sc map[string]interface{}) *types.SecretsManagerConfiguration {
+	config := sc["secret_manager_configuration"].([]interface{})
+	if len(config) == 0 {
+		return nil
+	}
+
+	SecretsManagerConfig := config[0].(map[string]interface{})
+	SecretsManagerOptions := &types.SecretsManagerConfiguration{
+		Enabled: aws.Bool(SecretsManagerConfig[names.AttrEnabled].(bool)),
+	}
+
+	if v, ok := SecretsManagerConfig[names.AttrRoleARN]; ok {
+		SecretsManagerOptions.RoleARN = aws.String(v.(string))
+	}
+
+	if v, ok := SecretsManagerConfig["secret_arn"]; ok {
+		SecretsManagerOptions.SecretARN = aws.String(v.(string))
+	}
+
+	return SecretsManagerOptions
+}
+
 func expandSplunkRetryOptions(splunk map[string]interface{}) *types.SplunkRetryOptions {
 	retryOptions := &types.SplunkRetryOptions{}
 
@@ -3812,15 +3869,16 @@ func flattenHTTPEndpointDestinationDescription(description *types.HttpEndpointDe
 		return []map[string]interface{}{}
 	}
 	m := map[string]interface{}{
-		names.AttrAccessKey:          configuredAccessKey,
-		names.AttrURL:                aws.ToString(description.EndpointConfiguration.Url),
-		names.AttrName:               aws.ToString(description.EndpointConfiguration.Name),
-		names.AttrRoleARN:            aws.ToString(description.RoleARN),
-		"s3_backup_mode":             description.S3BackupMode,
-		"s3_configuration":           flattenS3DestinationDescription(description.S3DestinationDescription),
-		"request_configuration":      flattenHTTPEndpointRequestConfiguration(description.RequestConfiguration),
-		"cloudwatch_logging_options": flattenCloudWatchLoggingOptions(description.CloudWatchLoggingOptions),
-		"processing_configuration":   flattenProcessingConfiguration(description.ProcessingConfiguration, destinationTypeHTTPEndpoint, aws.ToString(description.RoleARN)),
+		names.AttrAccessKey:            configuredAccessKey,
+		names.AttrURL:                  aws.ToString(description.EndpointConfiguration.Url),
+		names.AttrName:                 aws.ToString(description.EndpointConfiguration.Name),
+		names.AttrRoleARN:              aws.ToString(description.RoleARN),
+		"s3_backup_mode":               description.S3BackupMode,
+		"s3_configuration":             flattenS3DestinationDescription(description.S3DestinationDescription),
+		"request_configuration":        flattenHTTPEndpointRequestConfiguration(description.RequestConfiguration),
+		"cloudwatch_logging_options":   flattenCloudWatchLoggingOptions(description.CloudWatchLoggingOptions),
+		"processing_configuration":     flattenProcessingConfiguration(description.ProcessingConfiguration, destinationTypeHTTPEndpoint, aws.ToString(description.RoleARN)),
+		"secret_manager_configuration": flattenSecretsManagerConfiguration(description.SecretsManagerConfiguration),
 	}
 
 	if description.RetryOptions != nil {
@@ -3861,6 +3919,21 @@ func flattenDocumentIDOptions(apiObject *types.DocumentIdOptions) map[string]int
 	return tfMap
 }
 
+func flattenSecretsManagerConfiguration(sc *types.SecretsManagerConfiguration) []interface{} {
+	if sc == nil {
+		return []interface{}{}
+	}
+
+	secretsManagerOptions := map[string]interface{}{
+		names.AttrEnabled: aws.ToBool(sc.Enabled),
+	}
+	if aws.ToBool(sc.Enabled) {
+		secretsManagerOptions[names.AttrRoleARN] = aws.ToString(sc.RoleARN)
+		secretsManagerOptions["secret_arn"] = aws.ToString(sc.SecretARN)
+	}
+	return []interface{}{secretsManagerOptions}
+}
+
 func flattenSnowflakeRoleConfiguration(apiObject *types.SnowflakeRoleConfiguration) []map[string]interface{} {
 	if apiObject == nil {
 		return []map[string]interface{}{}

diff --git a/internal/service/firehose/delivery_stream_test.go b/internal/service/firehose/delivery_stream_test.go
@@ -1469,6 +1469,36 @@ func TestAccFirehoseDeliveryStream_HTTPEndpoint_retryDuration(t *testing.T) {
 	})
 }
 
+func TestAccFirehoseDeliveryStream_HTTPEndpoint_SecretsManagerConfiguration(t *testing.T) {
+	ctx := acctest.Context(t)
+	var stream types.DeliveryStreamDescription
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_kinesis_firehose_delivery_stream.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.FirehoseServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDeliveryStreamDestroy_ExtendedS3(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDeliveryStreamConfig_httpEndpointSecretsManager(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDeliveryStreamExists(ctx, resourceName, &stream),
+					resource.TestCheckResourceAttr(resourceName, "http_endpoint_configuration.0.secret_manager_configuration.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "http_endpoint_configuration.0.secret_manager_configuration.0.enabled", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, "http_endpoint_configuration.0.secret_manager_configuration.0.secret_arn", "aws_secretsmanager_secret.test", names.AttrARN),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccFirehoseDeliveryStream_elasticSearchUpdates(t *testing.T) {
 	ctx := acctest.Context(t)
 	var stream types.DeliveryStreamDescription
@@ -4010,6 +4040,37 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
 `, rName))
 }
 
+func testAccDeliveryStreamConfig_httpEndpointSecretsManager(rName string) string {
+	return acctest.ConfigCompose(testAccDeliveryStreamConfig_base(rName), fmt.Sprintf(`
+resource "aws_secretsmanager_secret" "test" {
+  name = %[1]q
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "test" {
+  depends_on  = [aws_iam_role_policy.firehose]
+  name        = %[1]q
+  destination = "http_endpoint"
+
+  http_endpoint_configuration {
+    url      = "https://input-test.com:443"
+    name     = "HTTP_test"
+    role_arn = aws_iam_role.firehose.arn
+
+    s3_configuration {
+      role_arn   = aws_iam_role.firehose.arn
+      bucket_arn = aws_s3_bucket.bucket.arn
+    }
+
+    secret_manager_configuration {
+      enabled    = true
+      role_arn   = aws_iam_role.firehose.arn
+      secret_arn = aws_secretsmanager_secret.test.arn
+    }
+  }
+}
+`, rName))
+}
+
 func testAccDeliveryStreamConfig_baseElasticsearch(rName string) string {
 	return acctest.ConfigCompose(testAccDeliveryStreamConfig_base(rName), fmt.Sprintf(`
 resource "aws_elasticsearch_domain" "test_cluster" {