diff --git a/.changelog/45317.txt b/.changelog/45317.txt new file mode 100644 index 000000000000..5048cc44700f --- /dev/null +++ b/.changelog/45317.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +resource/aws_ec2_transit_gateway: Add `encryption_support` argument +``` + +```release-note:enhancement +data-source/aws_ec2_transit_gateway: Add `encryption_support` attribute +``` diff --git a/internal/service/ec2/transitgateway_.go b/internal/service/ec2/transitgateway_.go index 0a761d5d81fb..2f268b0046c4 100644 --- a/internal/service/ec2/transitgateway_.go +++ b/internal/service/ec2/transitgateway_.go @@ -100,6 +100,12 @@ func resourceTransitGateway() *schema.Resource { Default: awstypes.DnsSupportValueEnable, ValidateDiagFunc: enum.Validate[awstypes.DnsSupportValue](), }, + "encryption_support": { + Type: schema.TypeString, + Optional: true, + Default: awstypes.EncryptionSupportOptionValueDisable, + ValidateDiagFunc: enum.Validate[awstypes.EncryptionSupportOptionValue](), + }, "multicast_support": { Type: schema.TypeString, Optional: true, @@ -190,6 +196,18 @@ func resourceTransitGatewayCreate(ctx context.Context, d *schema.ResourceData, m return sdkdiag.AppendErrorf(diags, "waiting for EC2 Transit Gateway (%s) create: %s", d.Id(), err) } + if v, ok := d.GetOk("encryption_support"); ok && v.(string) == string(awstypes.EncryptionSupportOptionValueEnable) { + input := &ec2.ModifyTransitGatewayInput{ + TransitGatewayId: output.TransitGateway.TransitGatewayId, + Options: &awstypes.ModifyTransitGatewayOptions{ + EncryptionSupport: awstypes.EncryptionSupportOptionValue(v.(string)), + }, + } + if _, err := conn.ModifyTransitGateway(ctx, input); err != nil { + return sdkdiag.AppendErrorf(diags, "updating EC2 Transit Gateway (%s) encryption support: %s", d.Id(), err) + } + } + return append(diags, resourceTransitGatewayRead(ctx, d, meta)...) } 
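Review bot: The `ModifyTransitGateway` call added to `resourceTransitGatewayCreate` returns before the gateway has finished applying the option, and nothing waits for it to settle before `resourceTransitGatewayRead` and any dependent resources in the same apply run. The gateway has just been waited to `available`, then is immediately pushed back into a modifying state; if the existing Update path waits on the gateway after modifying options (that code is outside the hunk), the same waiter belongs here, e.g. `if _, err := <existing update waiter>(ctx, conn, d.Id(), d.Timeout(schema.TimeoutCreate)); err != nil { return sdkdiag.AppendErrorf(diags, "waiting for EC2 Transit Gateway (%s) encryption support update: %s", d.Id(), err) }`. Without it a first apply can succeed while the gateway is still transitioning, and Read only masks this because it folds `enabling` into `enable`. A one-line comment above the block saying why the option is set via a post-create modify rather than in the create request would also help the next reader, since the other options are passed at create time.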
@@ -217,6 +235,14 @@ func resourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, met d.Set("default_route_table_propagation", transitGateway.Options.DefaultRouteTablePropagation) d.Set(names.AttrDescription, transitGateway.Description) d.Set("dns_support", transitGateway.Options.DnsSupport) + var encryptionSupport string + encryptionState := transitGateway.Options.EncryptionSupport.EncryptionState + if encryptionState == awstypes.EncryptionStateValueEnabled || encryptionState == awstypes.EncryptionStateValueEnabling { + encryptionSupport = string(awstypes.EncryptionSupportOptionValueEnable) + } else { + encryptionSupport = string(awstypes.EncryptionSupportOptionValueDisable) + } + d.Set("encryption_support", encryptionSupport) d.Set("multicast_support", transitGateway.Options.MulticastSupport) d.Set(names.AttrOwnerID, transitGateway.OwnerId) d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId) @@ -263,6 +289,10 @@ func resourceTransitGatewayUpdate(ctx context.Context, d *schema.ResourceData, m input.Options.DnsSupport = awstypes.DnsSupportValue(d.Get("dns_support").(string)) } + if d.HasChange("encryption_support") { + input.Options.EncryptionSupport = awstypes.EncryptionSupportOptionValue(d.Get("encryption_support").(string)) + } + if d.HasChange("security_group_referencing_support") { input.Options.SecurityGroupReferencingSupport = awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string)) } diff --git a/internal/service/ec2/transitgateway_data_source.go b/internal/service/ec2/transitgateway_data_source.go index 1e649a73de2d..167f6462bb85 100644 --- a/internal/service/ec2/transitgateway_data_source.go +++ b/internal/service/ec2/transitgateway_data_source.go 
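Review bot: `transitGateway.Options.EncryptionSupport.EncryptionState` is dereferenced with no nil check; if `EncryptionSupport` is a pointer in the SDK types (nested option blocks in `ec2/types` usually are), a gateway whose API response omits the block — one created before the feature existed or in a region that lacks it — would panic the provider on refresh rather than report `disable`. Guard it and make the fallthrough explicit: `if es := transitGateway.Options.EncryptionSupport; es != nil && (es.EncryptionState == awstypes.EncryptionStateValueEnabled || es.EncryptionState == awstypes.EncryptionStateValueEnabling) { encryptionSupport = ... }`, with a comment such as `// Any other state, including disabling, reads back as "disable".` since that collapse is intentional but not obvious. The same mapping is duplicated verbatim in the data source; a small shared helper returning the `encryption_support` string would keep the two from drifting. The Update hunk below sets the option on any change but relies on the waiter outside the hunk to observe the `disabling`/`enabling` states — worth confirming that waiter treats the gateway as available only after the option transition completes.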
@@ -9,6 +9,7 @@ import ( "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/ec2" + awstypes "github.com/aws/aws-sdk-go-v2/service/ec2/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-aws/internal/conns" @@ -62,6 +63,10 @@ func dataSourceTransitGateway() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "encryption_support": { + Type: schema.TypeString, + Computed: true, + }, names.AttrFilter: customFiltersSchema(), names.AttrID: { Type: schema.TypeString, @@ -132,6 +137,14 @@ func dataSourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, m d.Set("default_route_table_propagation", transitGateway.Options.DefaultRouteTablePropagation) d.Set(names.AttrDescription, transitGateway.Description) d.Set("dns_support", transitGateway.Options.DnsSupport) + var encryptionSupport string + encryptionState := transitGateway.Options.EncryptionSupport.EncryptionState + if encryptionState == awstypes.EncryptionStateValueEnabled || encryptionState == awstypes.EncryptionStateValueEnabling { + encryptionSupport = string(awstypes.EncryptionSupportOptionValueEnable) + } else { + encryptionSupport = string(awstypes.EncryptionSupportOptionValueDisable) + } + d.Set("encryption_support", encryptionSupport) d.Set("multicast_support", transitGateway.Options.MulticastSupport) d.Set(names.AttrOwnerID, transitGateway.OwnerId) d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId) diff --git a/internal/service/ec2/transitgateway_data_source_test.go b/internal/service/ec2/transitgateway_data_source_test.go index 7ac86e717de1..777579d50f8b 100644 --- a/internal/service/ec2/transitgateway_data_source_test.go +++ b/internal/service/ec2/transitgateway_data_source_test.go 
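Review bot: The data source dereferences `transitGateway.Options.EncryptionSupport.EncryptionState` without a nil check, same as the resource Read; if the SDK models `EncryptionSupport` as a pointer, a lookup of a gateway lacking the block panics instead of returning `disable`. Add the guard `if es := transitGateway.Options.EncryptionSupport; es != nil && (...)` or call a shared helper so the resource and data source agree on the state-to-string mapping. A short comment noting that `enabling` is reported as `enable` and every other state as `disable` would document the deliberate collapse for readers of the data source.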
@@ -120,6 +120,7 @@ func testAccTransitGatewayDataSource_Filter(t *testing.T, semaphore tfsync.Semap resource.TestCheckResourceAttrPair(resourceName, "default_route_table_propagation", dataSourceName, "default_route_table_propagation"), resource.TestCheckResourceAttrPair(resourceName, names.AttrDescription, dataSourceName, names.AttrDescription), resource.TestCheckResourceAttrPair(resourceName, "dns_support", dataSourceName, "dns_support"), + resource.TestCheckResourceAttrPair(resourceName, "encryption_support", dataSourceName, "encryption_support"), resource.TestCheckResourceAttrPair(resourceName, "multicast_support", dataSourceName, "multicast_support"), resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID), resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"), @@ -160,6 +161,7 @@ func testAccTransitGatewayDataSource_ID(t *testing.T, semaphore tfsync.Semaphore resource.TestCheckResourceAttrPair(resourceName, "default_route_table_propagation", dataSourceName, "default_route_table_propagation"), resource.TestCheckResourceAttrPair(resourceName, names.AttrDescription, dataSourceName, names.AttrDescription), resource.TestCheckResourceAttrPair(resourceName, "dns_support", dataSourceName, "dns_support"), + resource.TestCheckResourceAttrPair(resourceName, "encryption_support", dataSourceName, "encryption_support"), resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID), resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"), resource.TestCheckResourceAttrPair(resourceName, "security_group_referencing_support", dataSourceName, "security_group_referencing_support"), diff --git a/internal/service/ec2/transitgateway_test.go b/internal/service/ec2/transitgateway_test.go index 742315607124..eaa63636813e 100644 
--- a/internal/service/ec2/transitgateway_test.go +++ b/internal/service/ec2/transitgateway_test.go @@ -76,6 +76,8 @@ func TestAccTransitGateway_serial(t *testing.T) { "securityGroupReferencingSupport": testAccTransitGateway_securityGroupReferencingSupport, "securityGroupReferencingSupportExistingResource": testAccTransitGateway_securityGroupReferencingSupportExistingResource, "vpnEcmpSupport": testAccTransitGateway_vpnECMPSupport, + "encryptionSupportWhenCreated": testAccTransitGateway_encryptionSupportWhenCreated, + "encryptionSupportWhenUpdated": testAccTransitGateway_encryptionSupportWhenUpdated, }, "MulticastDomain": { acctest.CtBasic: testAccTransitGatewayMulticastDomain_basic, 
@@ -733,6 +735,77 @@ func testAccTransitGateway_description(t *testing.T, semaphore tfsync.Semaphore) }) } +// Encryption support is enabled when creating a transit gateway +func testAccTransitGateway_encryptionSupportWhenCreated(t *testing.T, semaphore tfsync.Semaphore) { + ctx := acctest.Context(t) + var transitGateway1 awstypes.TransitGateway + resourceName := "aws_ec2_transit_gateway.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheckTransitGatewaySynchronize(t, semaphore) + acctest.PreCheck(ctx, t) + testAccPreCheckTransitGateway(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckTransitGatewayDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccTransitGatewayConfig_encryptionSupport(), + Check: resource.ComposeTestCheckFunc( + testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1), + resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueEnable)), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +// A transit gateway is created without encryption support, then updated to enable it +func testAccTransitGateway_encryptionSupportWhenUpdated(t *testing.T, semaphore tfsync.Semaphore) { + ctx := acctest.Context(t) + var transitGateway1 awstypes.TransitGateway + resourceName := "aws_ec2_transit_gateway.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheckTransitGatewaySynchronize(t, semaphore) + acctest.PreCheck(ctx, t) + testAccPreCheckTransitGateway(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2ServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckTransitGatewayDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccTransitGatewayConfig_basic(), + Check: 
resource.ComposeTestCheckFunc( + testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1), + resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueDisable)), + ), + }, + { + Config: testAccTransitGatewayConfig_encryptionSupport(), + Check: resource.ComposeTestCheckFunc( + testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1), + resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueEnable)), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func testAccTransitGateway_tags(t *testing.T, semaphore tfsync.Semaphore) { ctx := acctest.Context(t) var transitGateway1, transitGateway2, transitGateway3 awstypes.TransitGateway @@ -1188,3 +1261,11 @@ resource "aws_ec2_transit_gateway" "test" { } `, rName) } + +func testAccTransitGatewayConfig_encryptionSupport() string { + return ` +resource "aws_ec2_transit_gateway" "test" { + encryption_support = "enable" +} +` +} diff --git a/website/docs/d/ec2_transit_gateway.html.markdown b/website/docs/d/ec2_transit_gateway.html.markdown index 708509f7974e..0890efbe049f 100644 --- a/website/docs/d/ec2_transit_gateway.html.markdown +++ b/website/docs/d/ec2_transit_gateway.html.markdown @@ -56,6 +56,7 @@ This data source exports the following attributes in addition to the arguments a * `default_route_table_propagation` - Whether resource attachments automatically propagate routes to the default propagation route table * `description` - Description of the EC2 Transit Gateway * `dns_support` - Whether DNS support is enabled +* `encryption_support` - Whether encryption support for VPC Encryption Control is enabled. * `security_group_referencing_support` - Whether Security Group Referencing Support is enabled * `multicast_support` - Whether Multicast support is enabled * `id` - EC2 Transit Gateway identifier 
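Review bot: Neither acceptance test exercises the `enable` → `disable` transition, so the Update branch that sends `disable` and the Read mapping of the `disabling`/`disabled` states are never run against the API. Add a third step to `testAccTransitGateway_encryptionSupportWhenUpdated` that reapplies `testAccTransitGatewayConfig_basic()` and checks `resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueDisable))`, before the import step. The tests also only assert the Terraform attribute; adding a check against the captured `transitGateway1` object's option state would prove the API actually enabled it rather than just that Read echoed the config. The enclosing `testAccTransitGateway_tags` function and the config helper's neighbours continue outside the hunk.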
diff --git a/website/docs/r/ec2_transit_gateway.html.markdown b/website/docs/r/ec2_transit_gateway.html.markdown index 16ffe5aeabd2..12e91bd32776 100644 --- a/website/docs/r/ec2_transit_gateway.html.markdown +++ b/website/docs/r/ec2_transit_gateway.html.markdown @@ -32,6 +32,7 @@ This resource supports the following arguments: * `default_route_table_propagation` - (Optional) Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: `disable`, `enable`. Default value: `enable`. * `description` - (Optional) Description of the EC2 Transit Gateway. * `dns_support` - (Optional) Whether DNS support is enabled. Valid values: `disable`, `enable`. Default value: `enable`. +* `encryption_support` - (Optional) Whether encryption support for VPC Encryption Control is enabled. Valid values: `disable`, `enable`. Default value: `disable`. * `security_group_referencing_support` - (Optional) Whether Security Group Referencing Support is enabled. Valid values: `disable`, `enable`. Default value: `disable`. * `multicast_support` - (Optional) Whether Multicast support is enabled. Required to use `ec2_transit_gateway_multicast_domain`. Valid values: `disable`, `enable`. Default value: `disable`. * `tags` - (Optional) Key-value tags for the EC2 Transit Gateway. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.