AWS registration: Add support to set rtvd regions (#181)

Author: ashoksankarh-cs

docs/resources/cloud_aws_account.md

@@ -151,6 +151,7 @@ Optional:
 - `log_ingestion_s3_bucket_name` (String) S3 bucket name for CloudTrail log ingestion when log_ingestion_method is 's3'. Required when using S3 method
 - `log_ingestion_s3_bucket_prefix` (String) Optional S3 bucket prefix (a prefix used for filter log files with the prefix present in their key) for CloudTrail logs when log_ingestion_method is 's3'
 - `log_ingestion_sns_topic_arn` (String) SNS topic ARN for S3 CloudTrail log notifications when log_ingestion_method is 's3'. Required when using S3 method
+- `regions` (List of String) List of AWS regions for Real-Time Visibility and Detection. If not specified, defaults to all regions
 - `use_existing_cloudtrail` (Boolean) Set to true if a CloudTrail already exists
 
 

go.mod

@@ -1,8 +1,9 @@
 module github.com/crowdstrike/terraform-provider-crowdstrike
 
-go 1.24.0
+go 1.24.3
 
 require (
+	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/crowdstrike/gofalcon v0.18.1-0.20251207000815-986a0b139e80
 	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/go-version v1.7.0

go.sum

@@ -80,6 +80,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

internal/fcs/aws_regions.go

@@ -0,0 +1,129 @@
+package fcs
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+// AWS region regex patterns based on AWS SDK validation logic.
+var (
+	// Commercial regions: (us|eu|ap|sa|ca|me|af|il|mx)-direction-number.
+	CommercialRegionRegex = regexp.MustCompile(`^(us|eu|ap|sa|ca|me|af|il|mx)-\w+-[1-9]\d*$`)
+
+	// GovCloud regions: us-gov-direction-number.
+	GovCloudRegionRegex = regexp.MustCompile(`^us-gov-\w+-[1-9]\d*$`)
+
+	// China regions: cn-direction-number.
+	ChinaRegionRegex = regexp.MustCompile(`^cn-\w+-[1-9]\d*$`)
+
+	// ISO regions: us-iso/isob/isoe/isof-direction-number.
+	ISORegionRegex = regexp.MustCompile(`^us-iso[bf]?-\w+-[1-9]\d*$`)
+
+	// European Sovereign Cloud: eusc-de-direction-number.
+	EUSCRegionRegex = regexp.MustCompile(`^eusc-de-\w+-[1-9]\d*$`)
+)
+
+// IsValidAWSRegion validates if a region string matches AWS region patterns.
+func IsValidAWSRegion(region string) bool {
+	return CommercialRegionRegex.MatchString(region) ||
+		GovCloudRegionRegex.MatchString(region) ||
+		ChinaRegionRegex.MatchString(region) ||
+		ISORegionRegex.MatchString(region) ||
+		EUSCRegionRegex.MatchString(region)
+}
+
+// AWSRegionValidator returns a validator that checks if strings match AWS region patterns.
+func AWSRegionValidator() validator.String {
+	return &awsRegionValidator{}
+}
+
+type awsRegionValidator struct{}
+
+func (v *awsRegionValidator) Description(ctx context.Context) string {
+	return "must be a valid AWS region (e.g., us-east-1, eu-west-1, us-gov-west-1)"
+}
+
+func (v *awsRegionValidator) MarkdownDescription(ctx context.Context) string {
+	return "must be a valid AWS region (e.g., `us-east-1`, `eu-west-1`, `us-gov-west-1`)"
+}
+
+func (v *awsRegionValidator) ValidateString(ctx context.Context, req validator.StringRequest, resp *validator.StringResponse) {
+	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
+		return
+	}
+
+	region := req.ConfigValue.ValueString()
+
+	if !IsValidAWSRegion(region) {
+		resp.Diagnostics.AddAttributeError(
+			req.Path,
+			"Invalid AWS Region",
+			fmt.Sprintf("'%s' is not a valid AWS region format. Must match AWS region naming conventions for commercial, GovCloud, China, ISO, or EUSC regions.", region),
+		)
+	}
+}
+
+// AWSRegionsOrAllListValidator returns a validator that ensures the list contains either:
+// - A single element with value "all"
+// - One or more valid AWS regions.
+func AWSRegionsOrAllListValidator() validator.List {
+	return &awsRegionsOrAllListValidator{}
+}
+
+type awsRegionsOrAllListValidator struct{}
+
+func (v *awsRegionsOrAllListValidator) Description(ctx context.Context) string {
+	return "must be either a single element 'all' or a list of valid AWS regions"
+}
+
+func (v *awsRegionsOrAllListValidator) MarkdownDescription(ctx context.Context) string {
+	return "must be either a single element `all` or a list of valid AWS regions"
+}
+
+func (v *awsRegionsOrAllListValidator) ValidateList(ctx context.Context, req validator.ListRequest, resp *validator.ListResponse) {
+	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
+		return
+	}
+
+	var elements []types.String
+	diags := req.ConfigValue.ElementsAs(ctx, &elements, false)
+	if diags.HasError() {
+		resp.Diagnostics.Append(diags...)
+		return
+	}
+
+	if len(elements) == 0 {
+		return
+	}
+
+	for i, element := range elements {
+		if element.IsNull() || element.IsUnknown() {
+			continue
+		}
+
+		region := element.ValueString()
+		if region == "all" {
+			if len(elements) == 1 {
+				return
+			}
+			resp.Diagnostics.AddAttributeError(
+				req.Path,
+				"Invalid Region Configuration",
+				"When using 'all', it must be the only element in the list. Cannot mix 'all' with specific regions.",
+			)
+			return
+		}
+
+		if !IsValidAWSRegion(region) {
+			resp.Diagnostics.AddAttributeError(
+				req.Path.AtListIndex(i),
+				"Invalid AWS Region",
+				fmt.Sprintf("'%s' is not a valid AWS region format. Must match AWS region naming conventions.", region),
+			)
+		}
+	}
+}