fix: Add missing security policy names for aws_transfer_server

hashicorp · Jul 19, 2024 · ada73f1 · ada73f1
1 parent 5f9c548
commit ada73f1
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 29 deletions.
diff --git a/.changelog/38425.txt b/.changelog/38425.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_transfer_server: Add supported values `TransferSecurityPolicy-FIPS-2024-05`, `TransferSecurityPolicy-Restricted-2018-11`, and `TransferSecurityPolicy-Restricted-2020-06` for the `security_policy_name` argument
+```
diff --git a/internal/service/transfer/server.go b/internal/service/transfer/server.go
@@ -1246,27 +1246,33 @@ type securityPolicyName string
 const (
 	securityPolicyName2018_11             securityPolicyName = "TransferSecurityPolicy-2018-11"
 	securityPolicyName2020_06             securityPolicyName = "TransferSecurityPolicy-2020-06"
-	securityPolicyNameFIPS_2020_06        securityPolicyName = "TransferSecurityPolicy-FIPS-2020-06"
-	securityPolicyNameFIPS_2023_05        securityPolicyName = "TransferSecurityPolicy-FIPS-2023-05"
-	securityPolicyNameFIPS_2024_01        securityPolicyName = "TransferSecurityPolicy-FIPS-2024-01"
 	securityPolicyName2022_03             securityPolicyName = "TransferSecurityPolicy-2022-03"
 	securityPolicyName2023_05             securityPolicyName = "TransferSecurityPolicy-2023-05"
 	securityPolicyName2024_01             securityPolicyName = "TransferSecurityPolicy-2024-01"
+	securityPolicyNameFIPS_2020_06        securityPolicyName = "TransferSecurityPolicy-FIPS-2020-06"
+	securityPolicyNameFIPS_2023_05        securityPolicyName = "TransferSecurityPolicy-FIPS-2023-05"
+	securityPolicyNameFIPS_2024_01        securityPolicyName = "TransferSecurityPolicy-FIPS-2024-01"
+	securityPolicyNameFIPS_2024_05        securityPolicyName = "TransferSecurityPolicy-FIPS-2024-05"
 	securityPolicyNamePQ_SSH_2023_04      securityPolicyName = "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04"
 	securityPolicyNamePQ_SSH_FIPS_2023_04 securityPolicyName = "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04"
+	securityPolicyNameRestricted_2018_11  securityPolicyName = "TransferSecurityPolicy-Restricted-2018-11"
+	securityPolicyNameRestricted_2020_06  securityPolicyName = "TransferSecurityPolicy-Restricted-2020-06"
 )
 
 func (securityPolicyName) Values() []securityPolicyName {
 	return []securityPolicyName{
 		securityPolicyName2018_11,
 		securityPolicyName2020_06,
-		securityPolicyNameFIPS_2020_06,
-		securityPolicyNameFIPS_2023_05,
-		securityPolicyNameFIPS_2024_01,
 		securityPolicyName2022_03,
 		securityPolicyName2023_05,
 		securityPolicyName2024_01,
+		securityPolicyNameFIPS_2020_06,
+		securityPolicyNameFIPS_2023_05,
+		securityPolicyNameFIPS_2024_01,
+		securityPolicyNameFIPS_2024_05,
 		securityPolicyNamePQ_SSH_2023_04,
 		securityPolicyNamePQ_SSH_FIPS_2023_04,
+		securityPolicyNameRestricted_2018_11,
+		securityPolicyNameRestricted_2020_06,
 	}
 }
diff --git a/internal/service/transfer/server_test.go b/internal/service/transfer/server_test.go
@@ -258,6 +258,13 @@ func testAccServer_securityPolicy(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2023-05"),
 				),
 			},
+			{
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-2024-01"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2024-01"),
+				),
+			},
 			{
 				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04"),
 				Check: resource.ComposeTestCheckFunc(
@@ -266,10 +273,17 @@ func testAccServer_securityPolicy(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-2024-01"),
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-Restricted-2018-11"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckServerExists(ctx, resourceName, &conf),
-					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-2024-01"),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-Restricted-2018-11"),
+				),
+			},
+			{
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-Restricted-2020-06"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-Restricted-2020-06"),
 				),
 			},
 		},
@@ -289,10 +303,10 @@ func testAccServer_securityPolicyFIPS(t *testing.T) {
 		CheckDestroy:             testAccCheckServerDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2023-05"),
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2020-06"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckServerExists(ctx, resourceName, &conf),
-					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2023-05"),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2020-06"),
 				),
 			},
 			{
@@ -301,13 +315,34 @@ func testAccServer_securityPolicyFIPS(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{names.AttrForceDestroy},
 			},
+			{
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2023-05"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2023-05"),
+				),
+			},
 			{
 				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2024-01"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckServerExists(ctx, resourceName, &conf),
 					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2024-01"),
 				),
 			},
+			{
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-FIPS-2024-05"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-FIPS-2024-05"),
+				),
+			},
+			{
+				Config: testAccServerConfig_securityPolicy(rName, "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "security_policy_name", "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04"),
+				),
+			},
 		},
 	})
 }

diff --git a/website/docs/r/transfer_server.html.markdown b/website/docs/r/transfer_server.html.markdown
@@ -132,7 +132,7 @@ This resource supports the following arguments:
     * `SFTP`: File transfer over SSH
     * `FTPS`: File transfer with TLS encryption
     * `FTP`: Unencrypted file transfer
-* `endpoint_details` - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. See [`endpoint_details` block](#endpoint_details-block) below for details.
+* `endpoint_details` - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. See [`endpoint_details` Block](#endpoint_details-block) below for details.
 * `endpoint_type` - (Optional) The type of endpoint that you want your SFTP server connect to. If you connect to a `VPC` (or `VPC_ENDPOINT`), your SFTP server isn't accessible over the public internet. If you want to connect your SFTP server via public internet, set `PUBLIC`.  Defaults to `PUBLIC`.
 * `invocation_role` - (Optional) Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an `identity_provider_type` of `API_GATEWAY`.
 * `host_key` - (Optional) RSA, ECDSA, or ED25519 private key (e.g., as generated by the `ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key`, `ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key` or `ssh-keygen -t ed25519 -N "" -f my-new-server-key` commands).
@@ -145,24 +145,29 @@ This resource supports the following arguments:
 * `force_destroy` - (Optional) A boolean that indicates all users associated with the server should be deleted so that the Server can be destroyed without error. The default value is `false`. This option only applies to servers configured with a `SERVICE_MANAGED` `identity_provider_type`.
 * `post_authentication_login_banner`- (Optional) Specify a string to display when users connect to a server. This string is displayed after the user authenticates. The SFTP protocol does not support post-authentication display banners.
 * `pre_authentication_login_banner`- (Optional) Specify a string to display when users connect to a server. This string is displayed before the user authenticates.
-* `protocol_details`- (Optional) The protocol settings that are configured for your server. See [`protocol_details` block](#protocol_details-block) below for details.
-* `s3_storage_options`- (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default. See [`s3_storage_options` block](#s3_storage_options-block) below for details.
+* `protocol_details`- (Optional) The protocol settings that are configured for your server. See [`protocol_details` Block](#protocol_details-block) below for details.
+* `s3_storage_options`- (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default. See [`s3_storage_options` Block](#s3_storage_options-block) below for details.
 * `security_policy_name` - (Optional) Specifies the name of the security policy that is attached to the server. Default value is: `TransferSecurityPolicy-2018-11`. The available values are:
-    * `TransferSecurityPolicy-2024-01`
-    * `TransferSecurityPolicy-2023-05`
-    * `TransferSecurityPolicy-2022-03`
-    * `TransferSecurityPolicy-2020-06`
     * `TransferSecurityPolicy-2018-11`
-    * `TransferSecurityPolicy-FIPS-2024-01`
-    * `TransferSecurityPolicy-FIPS-2023-05`
+    * `TransferSecurityPolicy-2020-06`
+    * `TransferSecurityPolicy-2022-03`
+    * `TransferSecurityPolicy-2023-05`
+    * `TransferSecurityPolicy-2024-01`
     * `TransferSecurityPolicy-FIPS-2020-06`
+    * `TransferSecurityPolicy-FIPS-2023-05`
+    * `TransferSecurityPolicy-FIPS-2024-01`
+    * `TransferSecurityPolicy-FIPS-2024-05`
     * `TransferSecurityPolicy-PQ-SSH-Experimental-2023-04`
     * `TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04`
+    * `TransferSecurityPolicy-Restricted-2018-11`
+    * `TransferSecurityPolicy-Restricted-2020-06`
+
+   See [Security policies for AWS Transfer Family servers](https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html) for details.
 * `structured_log_destinations` - (Optional) A set of ARNs of destinations that will receive structured logs from the transfer server such as CloudWatch Log Group ARNs. If provided this enables the transfer server to emit structured logs to the specified locations.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
-* `workflow_details` - (Optional) Specifies the workflow details. See [`workflow_details` block](#workflow_details-block) below for details.
+* `workflow_details` - (Optional) Specifies the workflow details. See [`workflow_details` Block](#workflow_details-block) below for details.
 
-### `endpoint_details` block
+### `endpoint_details` Block
 
 The `endpoint_details` configuration block supports the following arguments:
 
@@ -172,7 +177,7 @@ The `endpoint_details` configuration block supports the following arguments:
 * `vpc_endpoint_id` - (Optional) The ID of the VPC endpoint. This property can only be used when `endpoint_type` is set to `VPC_ENDPOINT`
 * `vpc_id` - (Optional) The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpoint_type` is set to `VPC`.
 
-### `protocol_details` block
+### `protocol_details` Block
 
 THe `protocol_details` configuration block supports the following arguments:
 
@@ -181,29 +186,29 @@ THe `protocol_details` configuration block supports the following arguments:
 * `set_stat_option` - (Optional) Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`.
 * `tls_session_resumption_mode` - (Optional) A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`.
 
-### `s3_storage_options` block
+### `s3_storage_options` Block
 
 The `s3_storage_options` configuration block supports the following arguments:
 
 * `directory_listing_optimization` - (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`.
 
   By default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details.
 
-### `workflow_details` block
+### `workflow_details` Block
 
 The `workflow_details` configuration block supports the following arguments:
 
-* `on_upload` - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See [`on_upload` block](#on_upload-block) below for details.
-* `on_partial_upload` - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See [`on_partial_upload` block](#on_partial_upload-block) below for details.
+* `on_upload` - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See [`on_upload` Block](#on_upload-block) below for details.
+* `on_partial_upload` - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See [`on_partial_upload` Block](#on_partial_upload-block) below for details.
 
-#### `on_upload` block
+#### `on_upload` Block
 
 The `on_upload` configuration block supports the following arguments:
 
 * `execution_role` - (Required) Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.
 * `workflow_id` - (Required) A unique identifier for the workflow.
 
-#### `on_partial_upload` block
+#### `on_partial_upload` Block
 
 The `on_partial_upload` configuration block supports the following arguments:
 
@@ -222,7 +227,7 @@ This resource exports the following attributes in addition to the arguments abov
 
 ## Import
 
-In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Transfer Servers using the server `id`. For example:
+In Terraform v1.5.0 and later, use an [`import` Block](https://developer.hashicorp.com/terraform/language/import) to import Transfer Servers using the server `id`. For example:
 
 ```terraform
 import {