Merge pull request #43950 from tabito-hara/f-aws_inspector2_filter-add_ecr_filters

[Enhancement] aws_inspector2_filter:  Add missing `filter_criteria` support to `aws_inspector2_filter` resource

Author: ewbankkit

.changelog/43950.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_inspector2_filter: Support `code_repository_project_name`, `code_repository_provider_type`, `ecr_image_in_use_count`, and `ecr_image_last_in_use_at` in `filter_criteria`
+```

internal/service/inspector2/filter.go

@@ -78,6 +78,8 @@ func (r *filterResource) Schema(ctx context.Context, request resource.SchemaRequ
 				NestedObject: schema.NestedBlockObject{
 					Blocks: map[string]schema.Block{
 						names.AttrAWSAccountID:               stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
+						"code_repository_project_name":       stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
+						"code_repository_provider_type":      stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"code_vulnerability_detector_name":   stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"code_vulnerability_detector_tags":   stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"code_vulnerability_file_path":       stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
@@ -88,6 +90,8 @@ func (r *filterResource) Schema(ctx context.Context, request resource.SchemaRequ
 						"ec2_instance_vpc_id":                stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"ecr_image_architecture":             stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"ecr_image_hash":                     stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
+						"ecr_image_in_use_count":             numberFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
+						"ecr_image_last_in_use_at":           dateFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"ecr_image_pushed_at":                dateFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"ecr_image_registry":                 stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
 						"ecr_image_repository_name":          stringFilterSchemaFramework(ctx, defaultFilterSchemaMaxSize),
@@ -559,6 +563,8 @@ type filterResourceModel struct {
 
 type filterCriteriaModel struct {
 	AWSAccountID                   fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"aws_account_id"`
+	CodeRepositoryProjectName      fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"code_repository_project_name"`
+	CodeRepositoryProviderType     fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"code_repository_provider_type"`
 	CodeVulnerabilityDetectorName  fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"code_vulnerability_detector_name"`
 	CodeVulnerabilityDetectorTags  fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"code_vulnerability_detector_tags"`
 	CodeVulnerabilityFilePath      fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"code_vulnerability_file_path"`
@@ -569,6 +575,8 @@ type filterCriteriaModel struct {
 	EC2InstanceVpcId               fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"ec2_instance_vpc_id"`
 	ECRImageArchitecture           fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"ecr_image_architecture"`
 	ECRImageHash                   fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"ecr_image_hash"`
+	ECRImageInUseCount             fwtypes.SetNestedObjectValueOf[numberFilterModel]    `tfsdk:"ecr_image_in_use_count"`
+	ECRImageLastInUseAt            fwtypes.SetNestedObjectValueOf[dateFilterModel]      `tfsdk:"ecr_image_last_in_use_at"`
 	ECRImagePushedAt               fwtypes.SetNestedObjectValueOf[dateFilterModel]      `tfsdk:"ecr_image_pushed_at"`
 	ECRImageRegistry               fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"ecr_image_registry"`
 	ECRImageRepositoryName         fwtypes.SetNestedObjectValueOf[stringFilterModel]    `tfsdk:"ecr_image_repository_name"`

internal/service/inspector2/filter_test.go

@@ -181,6 +181,16 @@ func testAccInspector2Filter_stringFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "reason", reason_1),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_1),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_repository_project_name.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_repository_project_name.*", map[string]string{
+						"comparison":    comparison_1,
+						names.AttrValue: value_1,
+					}),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_repository_provider_type.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_repository_provider_type.*", map[string]string{
+						"comparison":    comparison_1,
+						names.AttrValue: value_1,
+					}),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_vulnerability_detector_name.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_vulnerability_detector_name.*", map[string]string{
 						"comparison":    comparison_1,
@@ -205,6 +215,16 @@ func testAccInspector2Filter_stringFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_2),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_vulnerability_detector_name.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_repository_project_name.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_repository_project_name.*", map[string]string{
+						"comparison":    comparison_2,
+						names.AttrValue: value_2,
+					}),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.code_repository_provider_type.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_repository_provider_type.*", map[string]string{
+						"comparison":    comparison_2,
+						names.AttrValue: value_2,
+					}),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.code_vulnerability_detector_name.*", map[string]string{
 						"comparison":    comparison_2,
 						names.AttrValue: value_2,
@@ -257,6 +277,11 @@ func testAccInspector2Filter_numberFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "reason", reason_1),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_1),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_in_use_count.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_in_use_count.*", map[string]string{
+						"lower_inclusive": lower_inclusive_value_1,
+						"upper_inclusive": upper_inclusive_value_1,
+					}),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.epss_score.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.epss_score.*", map[string]string{
 						"lower_inclusive": lower_inclusive_value_1,
@@ -280,6 +305,11 @@ func testAccInspector2Filter_numberFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "reason", reason_2),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_2),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_in_use_count.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_in_use_count.*", map[string]string{
+						"lower_inclusive": lower_inclusive_value_2,
+						"upper_inclusive": upper_inclusive_value_2,
+					}),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.epss_score.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.epss_score.*", map[string]string{
 						"lower_inclusive": lower_inclusive_value_2,
@@ -333,6 +363,11 @@ func testAccInspector2Filter_dateFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "reason", reason_1),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_1),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_last_in_use_at.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_last_in_use_at.*", map[string]string{
+						"start_inclusive": start_inclusive_value_1,
+						"end_inclusive":   end_inclusive_value_1,
+					}),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_pushed_at.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_pushed_at.*", map[string]string{
 						"start_inclusive": start_inclusive_value_1,
@@ -356,6 +391,11 @@ func testAccInspector2Filter_dateFilters(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "reason", reason_2),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, action_2),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_last_in_use_at.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_last_in_use_at.*", map[string]string{
+						"start_inclusive": start_inclusive_value_2,
+						"end_inclusive":   end_inclusive_value_2,
+					}),
 					resource.TestCheckResourceAttr(resourceName, "filter_criteria.0.ecr_image_pushed_at.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "filter_criteria.0.ecr_image_pushed_at.*", map[string]string{
 						"start_inclusive": start_inclusive_value_2,
@@ -819,6 +859,14 @@ resource "aws_inspector2_filter" "test" {
   description = %[3]q
   reason      = %[4]q
   filter_criteria {
+    code_repository_project_name {
+      comparison = %[5]q
+      value      = %[6]q
+    }
+    code_repository_provider_type {
+      comparison = %[5]q
+      value      = %[6]q
+    }
     code_vulnerability_detector_name {
       comparison = %[5]q
       value      = %[6]q
@@ -836,6 +884,10 @@ resource "aws_inspector2_filter" "test" {
   description = %[3]q
   reason      = %[4]q
   filter_criteria {
+    ecr_image_in_use_count {
+      lower_inclusive = %[5]q
+      upper_inclusive = %[6]q
+    }
     epss_score {
       lower_inclusive = %[5]q
       upper_inclusive = %[6]q
@@ -853,6 +905,10 @@ resource "aws_inspector2_filter" "test" {
   description = %[3]q
   reason      = %[4]q
   filter_criteria {
+    ecr_image_last_in_use_at {
+      start_inclusive = %[5]q
+      end_inclusive   = %[6]q
+    }
     ecr_image_pushed_at {
       start_inclusive = %[5]q
       end_inclusive   = %[6]q

website/docs/r/inspector2_filter.html.markdown

@@ -54,6 +54,8 @@ This resource exports the following attributes in addition to the arguments abov
 The `filter_criteria` configuration block supports the following attributes:
 
 * `aws_account_id` - (Optional) The AWS account ID in which the finding was generated. [Documented below](#string-filter).
+* `code_repository_project_name` - (Optional) The project name in a code repository. [Documented below](#string-filter).
+* `code_repository_provider_type` - (Optional) The repository provider type (such as GitHub, GitLab, etc.) [Documented below](#string-filter).
 * `code_vulnerability_detector_name` - (Optional) The ID of the component. [Documented below](#string-filter).
 * `code_vulnerability_detector_tags` - (Optional) The ID of the component. [Documented below](#string-filter).
 * `code_vulnerability_file_path` - (Optional) The ID of the component. [Documented below](#string-filter).
@@ -63,6 +65,8 @@ The `filter_criteria` configuration block supports the following attributes:
 * `ec2_instance_subnet_id` - (Optional) The ID of the subnet. [Documented below](#string-filter).
 * `ec2_instance_vpc_id` - (Optional) The ID of the VPC. [Documented below](#string-filter).
 * `ecr_image_architecture` - (Optional) The architecture of the ECR image. [Documented below](#string-filter).
+* `ecr_image_in_use_count` - (Optional)  The number of the ECR images in use. [Documented below](#number-filter).
+* `ecr_image_last_in_use_at` - (Optional) The date range when an ECR image was last used in an ECS cluster task or EKS cluster pod. [Documented below](#date-filter).
 * `ecr_image_hash` - (Optional) The SHA256 hash of the ECR image. [Documented below](#string-filter).
 * `ecr_image_pushed_at` - (Optional) The date range when the image was pushed. [Documented below](#date-filter).
 * `ecr_image_registry` - (Optional) The registry of the ECR image. [Documented below](#string-filter).