provider/aws: Add Inspector Support (#11217)

* provider/aws: Add Inspector Support

* inscrease time to 1 hour

builtin/providers/aws/config.go

@@ -42,6 +42,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/firehose"
 	"github.com/aws/aws-sdk-go/service/glacier"
 	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/inspector"
 	"github.com/aws/aws-sdk-go/service/kinesis"
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/aws/aws-sdk-go/service/lambda"
@@ -133,6 +134,7 @@ type AWSClient struct {
 	kinesisconn           *kinesis.Kinesis
 	kmsconn               *kms.KMS
 	firehoseconn          *firehose.Firehose
+	inspectorconn         *inspector.Inspector
 	elasticacheconn       *elasticache.ElastiCache
 	elasticbeanstalkconn  *elasticbeanstalk.ElasticBeanstalk
 	elastictranscoderconn *elastictranscoder.ElasticTranscoder
@@ -282,6 +284,7 @@ func (c *Config) Client() (interface{}, error) {
 	client.emrconn = emr.New(sess)
 	client.esconn = elasticsearch.New(sess)
 	client.firehoseconn = firehose.New(sess)
+	client.inspectorconn = inspector.New(sess)
 	client.glacierconn = glacier.New(sess)
 	client.kinesisconn = kinesis.New(kinesisSess)
 	client.kmsconn = kms.New(sess)

builtin/providers/aws/provider.go

@@ -280,6 +280,9 @@ func Provider() terraform.ResourceProvider {
 			"aws_iam_user_ssh_key":                         resourceAwsIamUserSshKey(),
 			"aws_iam_user":                                 resourceAwsIamUser(),
 			"aws_iam_user_login_profile":                   resourceAwsIamUserLoginProfile(),
+			"aws_inspector_assessment_target":              resourceAWSInspectorAssessmentTarget(),
+			"aws_inspector_assessment_template":            resourceAWSInspectorAssessmentTemplate(),
+			"aws_inspector_resource_group":                 resourceAWSInspectorResourceGroup(),
 			"aws_instance":                                 resourceAwsInstance(),
 			"aws_internet_gateway":                         resourceAwsInternetGateway(),
 			"aws_key_pair":                                 resourceAwsKeyPair(),

builtin/providers/aws/resource_aws_inspector_assessment_target.go

@@ -0,0 +1,131 @@
+package aws
+
+import (
+	"log"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/inspector"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAWSInspectorAssessmentTarget() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsInspectorAssessmentTargetCreate,
+		Read:   resourceAwsInspectorAssessmentTargetRead,
+		Update: resourceAwsInspectorAssessmentTargetUpdate,
+		Delete: resourceAwsInspectorAssessmentTargetDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				ForceNew: true,
+				Required: true,
+			},
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"resource_group_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceAwsInspectorAssessmentTargetCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	targetName := d.Get("name").(string)
+	resourceGroupArn := d.Get("resource_group_arn").(string)
+
+	resp, err := conn.CreateAssessmentTarget(&inspector.CreateAssessmentTargetInput{
+		AssessmentTargetName: aws.String(targetName),
+		ResourceGroupArn:     aws.String(resourceGroupArn),
+	})
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Inspector Assessment %s created", *resp.AssessmentTargetArn)
+
+	d.Set("arn", resp.AssessmentTargetArn)
+	d.SetId(*resp.AssessmentTargetArn)
+
+	return resourceAwsInspectorAssessmentTargetRead(d, meta)
+}
+
+func resourceAwsInspectorAssessmentTargetRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	resp, err := conn.DescribeAssessmentTargets(&inspector.DescribeAssessmentTargetsInput{
+		AssessmentTargetArns: []*string{
+			aws.String(d.Id()),
+		},
+	})
+
+	if err != nil {
+		if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "InvalidInputException" {
+			return nil
+		} else {
+			log.Printf("[ERROR] Error finding Inspector Assessment Target: %s", err)
+			return err
+		}
+	}
+
+	if resp.AssessmentTargets != nil && len(resp.AssessmentTargets) > 0 {
+		d.Set("name", resp.AssessmentTargets[0].Name)
+	}
+
+	return nil
+}
+
+func resourceAwsInspectorAssessmentTargetUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	input := inspector.UpdateAssessmentTargetInput{
+		AssessmentTargetArn: aws.String(d.Id()),
+	}
+
+	if d.HasChange("name") {
+		_, n := d.GetChange("name")
+		input.AssessmentTargetName = aws.String(n.(string))
+	}
+
+	if d.HasChange("resource_group_arn") {
+		_, n := d.GetChange("resource_group_arn")
+		input.AssessmentTargetName = aws.String(n.(string))
+	}
+
+	_, err := conn.UpdateAssessmentTarget(&input)
+	if err != nil {
+		return err
+	}
+
+	log.Println("[DEBUG] Inspector Assessment Target updated")
+
+	return resourceAwsInspectorAssessmentTargetRead(d, meta)
+}
+
+func resourceAwsInspectorAssessmentTargetDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	return resource.Retry(60*time.Minute, func() *resource.RetryError {
+		_, err := conn.DeleteAssessmentTarget(&inspector.DeleteAssessmentTargetInput{
+			AssessmentTargetArn: aws.String(d.Id()),
+		})
+		if err != nil {
+			if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "AssessmentRunInProgressException" {
+				log.Printf("[ERROR] Assement Run in progress: %s", err)
+				return resource.RetryableError(err)
+			} else {
+				log.Printf("[ERROR] Error deleting Assement Target: %s", err)
+				return resource.NonRetryableError(err)
+			}
+		}
+		return nil
+	})
+
+}

builtin/providers/aws/resource_aws_inspector_assessment_target_test.go

@@ -0,0 +1,101 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/inspector"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSInspectorTarget_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSInspectorTargetAssessmentDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSInspectorTargetAssessment,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorTargetExists("aws_inspector_assessment_target.foo"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccCheckAWSInspectorTargetAssessmentModified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorTargetExists("aws_inspector_assessment_target.foo"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSInspectorTargetAssessmentDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).inspectorconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_inspector_assessment_target" {
+			continue
+		}
+
+		resp, err := conn.DescribeAssessmentTargets(&inspector.DescribeAssessmentTargetsInput{
+			AssessmentTargetArns: []*string{
+				aws.String(rs.Primary.ID),
+			},
+		})
+
+		if err != nil {
+			if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "InvalidInputException" {
+				return nil
+			} else {
+				return fmt.Errorf("Error finding Inspector Assessment Target: %s", err)
+			}
+		}
+
+		if len(resp.AssessmentTargets) > 0 {
+			return fmt.Errorf("Found Target, expected none: %s", resp)
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSInspectorTargetExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		return nil
+	}
+}
+
+var testAccAWSInspectorTargetAssessment = `
+
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "bar"
+  }
+}
+
+resource "aws_inspector_assessment_target" "foo" {
+	name = "foo"
+	resource_group_arn =  "${aws_inspector_resource_group.foo.arn}"
+}`
+
+var testAccCheckAWSInspectorTargetAssessmentModified = `
+
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "bar"
+  }
+}
+
+resource "aws_inspector_assessment_target" "foo" {
+	name = "bar"
+	resource_group_arn =  "${aws_inspector_resource_group.foo.arn}"
+}`

builtin/providers/aws/resource_aws_inspector_assessment_template.go

@@ -0,0 +1,121 @@
+package aws
+
+import (
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/inspector"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAWSInspectorAssessmentTemplate() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsInspectorAssessmentTemplateCreate,
+		Read:   resourceAwsInspectorAssessmentTemplateRead,
+		Delete: resourceAwsInspectorAssessmentTemplateDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"target_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+				ForceNew: true,
+			},
+			"duration": &schema.Schema{
+				Type:     schema.TypeInt,
+				Required: true,
+				ForceNew: true,
+			},
+			"rules_package_arns": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsInspectorAssessmentTemplateCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	rules := []*string{}
+	if attr := d.Get("rules_package_arns").(*schema.Set); attr.Len() > 0 {
+		rules = expandStringList(attr.List())
+	}
+
+	targetArn := d.Get("target_arn").(string)
+	templateName := d.Get("name").(string)
+	duration := int64(d.Get("duration").(int))
+
+	resp, err := conn.CreateAssessmentTemplate(&inspector.CreateAssessmentTemplateInput{
+		AssessmentTargetArn:    aws.String(targetArn),
+		AssessmentTemplateName: aws.String(templateName),
+		DurationInSeconds:      aws.Int64(duration),
+		RulesPackageArns:       rules,
+	})
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG] Inspector Assessment Template %s created", *resp.AssessmentTemplateArn)
+
+	d.Set("arn", resp.AssessmentTemplateArn)
+
+	d.SetId(*resp.AssessmentTemplateArn)
+
+	return resourceAwsInspectorAssessmentTemplateRead(d, meta)
+}
+
+func resourceAwsInspectorAssessmentTemplateRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	resp, err := conn.DescribeAssessmentTemplates(&inspector.DescribeAssessmentTemplatesInput{
+		AssessmentTemplateArns: []*string{
+			aws.String(d.Id()),
+		},
+	},
+	)
+	if err != nil {
+		if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "InvalidInputException" {
+			return nil
+		} else {
+			log.Printf("[ERROR] Error finding Inspector Assessment Template: %s", err)
+			return err
+		}
+	}
+
+	if resp.AssessmentTemplates != nil && len(resp.AssessmentTemplates) > 0 {
+		d.Set("name", resp.AssessmentTemplates[0].Name)
+	}
+	return nil
+}
+
+func resourceAwsInspectorAssessmentTemplateDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	_, err := conn.DeleteAssessmentTemplate(&inspector.DeleteAssessmentTemplateInput{
+		AssessmentTemplateArn: aws.String(d.Id()),
+	})
+	if err != nil {
+		if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "AssessmentRunInProgressException" {
+			log.Printf("[ERROR] Assement Run in progress: %s", err)
+			return err
+		} else {
+			log.Printf("[ERROR] Error deleting Assement Template: %s", err)
+			return err
+		}
+	}
+
+	return nil
+}

builtin/providers/aws/resource_aws_inspector_assessment_template_test.go

@@ -0,0 +1,125 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/inspector"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSInspectorTemplate_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSInspectorTemplateDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSInspectorTemplateAssessment,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorTemplateExists("aws_inspector_assessment_template.foo"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccCheckAWSInspectorTemplatetModified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorTargetExists("aws_inspector_assessment_template.foo"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSInspectorTemplateDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).inspectorconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_inspector_assessment_template" {
+			continue
+		}
+
+		resp, err := conn.DescribeAssessmentTemplates(&inspector.DescribeAssessmentTemplatesInput{
+			AssessmentTemplateArns: []*string{
+				aws.String(rs.Primary.ID),
+			},
+		})
+
+		if err != nil {
+			if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "InvalidInputException" {
+				return nil
+			} else {
+				return fmt.Errorf("Error finding Inspector Assessment Template: %s", err)
+			}
+		}
+
+		if len(resp.AssessmentTemplates) > 0 {
+			return fmt.Errorf("Found Template, expected none: %s", resp)
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSInspectorTemplateExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		return nil
+	}
+}
+
+var testAccAWSInspectorTemplateAssessment = `
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "bar"
+  }
+}
+
+resource "aws_inspector_assessment_target" "foo" {
+	name = "foo"
+	resource_group_arn =  "${aws_inspector_resource_group.foo.arn}"
+}
+
+resource "aws_inspector_assessment_template" "foo" {
+  name = "foo template"
+  target_arn    = "${aws_inspector_assessment_target.foo.arn}"
+  duration      = 3600
+
+  rules_package_arns = [
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD",
+  ]
+}`
+
+var testAccCheckAWSInspectorTemplatetModified = `
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "bar"
+  }
+}
+
+resource "aws_inspector_assessment_target" "foo" {
+	name = "foo"
+	resource_group_arn =  "${aws_inspector_resource_group.foo.arn}"
+}
+
+resource "aws_inspector_assessment_template" "foo" {
+  name = "bar template"
+  target_arn    = "${aws_inspector_assessment_target.foo.arn}"
+  duration      = 3600
+
+  rules_package_arns = [
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD",
+  ]
+}`

builtin/providers/aws/resource_aws_inspector_resource_group.go

@@ -0,0 +1,76 @@
+package aws
+
+import (
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/inspector"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAWSInspectorResourceGroup() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsInspectorResourceGroupCreate,
+		Read:   resourceAwsInspectorResourceGroupRead,
+		Delete: resourceAwsInspectorResourceGroupDelete,
+
+		Schema: map[string]*schema.Schema{
+			"tags": &schema.Schema{
+				ForceNew: true,
+				Type:     schema.TypeMap,
+				Required: true,
+			},
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceAwsInspectorResourceGroupCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	resp, err := conn.CreateResourceGroup(&inspector.CreateResourceGroupInput{
+		ResourceGroupTags: tagsFromMapInspector(d.Get("tags").(map[string]interface{})),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	d.Set("arn", *resp.ResourceGroupArn)
+
+	d.SetId(*resp.ResourceGroupArn)
+
+	return resourceAwsInspectorResourceGroupRead(d, meta)
+}
+
+func resourceAwsInspectorResourceGroupRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).inspectorconn
+
+	_, err := conn.DescribeResourceGroups(&inspector.DescribeResourceGroupsInput{
+		ResourceGroupArns: []*string{
+			aws.String(d.Id()),
+		},
+	})
+
+	if err != nil {
+		if inspectorerr, ok := err.(awserr.Error); ok && inspectorerr.Code() == "InvalidInputException" {
+			return nil
+		} else {
+			log.Printf("[ERROR] Error finding Inspector resource group: %s", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func resourceAwsInspectorResourceGroupDelete(d *schema.ResourceData, meta interface{}) error {
+	d.Set("arn", "")
+	d.SetId("")
+
+	return nil
+}

builtin/providers/aws/resource_aws_inspector_resource_group_test.go

@@ -0,0 +1,55 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSInspectorResourceGroup_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSInspectorResourceGroup,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorResourceGroupExists("aws_inspector_resource_group.foo"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccCheckAWSInspectorResourceGroupModified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSInspectorTargetExists("aws_inspector_resource_group.foo"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSInspectorResourceGroupExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		return nil
+	}
+}
+
+var testAccAWSInspectorResourceGroup = `
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "foo"
+  }
+}`
+
+var testAccCheckAWSInspectorResourceGroupModified = `
+resource "aws_inspector_resource_group" "foo" {
+	tags {
+	  Name  = "bar"
+  }
+}`

builtin/providers/aws/structure.go

@@ -1649,3 +1649,11 @@ func normalizeJsonString(jsonString interface{}) (string, error) {
 	bytes, _ := json.Marshal(j)
 	return string(bytes[:]), nil
 }
+
+func flattenInspectorTags(cfTags []*cloudformation.Tag) map[string]string {
+	tags := make(map[string]string, len(cfTags))
+	for _, t := range cfTags {
+		tags[*t.Key] = *t.Value
+	}
+	return tags
+}

builtin/providers/aws/tagsInspector.go

@@ -0,0 +1,74 @@
+package aws
+
+import (
+	"log"
+	"regexp"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/inspector"
+)
+
+// diffTags takes our tags locally and the ones remotely and returns
+// the set of tags that must be created, and the set of tags that must
+// be destroyed.
+func diffTagsInspector(oldTags, newTags []*inspector.ResourceGroupTag) ([]*inspector.ResourceGroupTag, []*inspector.ResourceGroupTag) {
+	// First, we're creating everything we have
+	create := make(map[string]interface{})
+	for _, t := range newTags {
+		create[*t.Key] = *t.Value
+	}
+
+	// Build the list of what to remove
+	var remove []*inspector.ResourceGroupTag
+	for _, t := range oldTags {
+		old, ok := create[*t.Key]
+		if !ok || old != *t.Value {
+			// Delete it!
+			remove = append(remove, t)
+		}
+	}
+
+	return tagsFromMapInspector(create), remove
+}
+
+// tagsFromMap returns the tags for the given map of data.
+func tagsFromMapInspector(m map[string]interface{}) []*inspector.ResourceGroupTag {
+	var result []*inspector.ResourceGroupTag
+	for k, v := range m {
+		t := &inspector.ResourceGroupTag{
+			Key:   aws.String(k),
+			Value: aws.String(v.(string)),
+		}
+		if !tagIgnoredInspector(t) {
+			result = append(result, t)
+		}
+	}
+
+	return result
+}
+
+// tagsToMap turns the list of tags into a map.
+func tagsToMapInspector(ts []*inspector.ResourceGroupTag) map[string]string {
+	result := make(map[string]string)
+	for _, t := range ts {
+		if !tagIgnoredInspector(t) {
+			result[*t.Key] = *t.Value
+		}
+	}
+
+	return result
+}
+
+// compare a tag against a list of strings and checks if it should
+// be ignored or not
+func tagIgnoredInspector(t *inspector.ResourceGroupTag) bool {
+	filter := []string{"^aws:*"}
+	for _, v := range filter {
+		log.Printf("[DEBUG] Matching %v with %v\n", v, *t.Key)
+		if r, _ := regexp.MatchString(v, *t.Key); r == true {
+			log.Printf("[DEBUG] Found AWS specific tag %s (val: %s), ignoring.\n", *t.Key, *t.Value)
+			return true
+		}
+	}
+	return false
+}

vendor/github.com/aws/aws-sdk-go/service/inspector/service.go

@@ -0,0 +1,95 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package inspector
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
+)
+
+// Amazon Inspector enables you to analyze the behavior of your AWS resources
+// and to identify potential security issues. For more information, see  Amazon
+// Inspector User Guide (http://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html).
+// The service client's operations are safe to be used concurrently.
+// It is not safe to mutate any of the client's properties though.
+// Please also see https://docs.aws.amazon.com/goto/WebAPI/inspector-2016-02-16
+type Inspector struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+	ServiceName = "inspector" // Service endpoint prefix API calls made to.
+	EndpointsID = ServiceName // Service ID for Regions and Endpoints metadata.
+)
+
+// New creates a new instance of the Inspector client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     // Create a Inspector client from just a session.
+//     svc := inspector.New(mySession)
+//
+//     // Create a Inspector client with additional configuration
+//     svc := inspector.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *Inspector {
+	c := p.ClientConfig(EndpointsID, cfgs...)
+	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *Inspector {
+	svc := &Inspector{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				SigningName:   signingName,
+				SigningRegion: signingRegion,
+				Endpoint:      endpoint,
+				APIVersion:    "2016-02-16",
+				JSONVersion:   "1.1",
+				TargetPrefix:  "InspectorService",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+	svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(jsonrpc.UnmarshalErrorHandler)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a Inspector operation and runs any
+// custom request initialization.
+func (c *Inspector) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}

vendor/vendor.json

@@ -885,6 +885,12 @@
 			"version": "v1.6.9",
 			"versionExact": "v1.6.9"
 		},
+		{
+			"checksumSHA1": "lL1vgSAaM89zLB0QBCwm2FnTzTw=",
+			"path": "github.com/aws/aws-sdk-go/service/inspector",
+			"revision": "8649d278323ebf6bd20c9cd56ecb152b1c617375",
+			"revisionTime": "2017-01-04T18:16:48Z"
+		},
 		{
 			"checksumSHA1": "TR063wmYitpnw1vXbwSlslbUOAA=",
 			"path": "github.com/aws/aws-sdk-go/service/kinesis",

website/source/docs/providers/aws/r/inspector_assessment_target.html.markdown

@@ -0,0 +1,40 @@
+---
+layout: "aws"
+page_title: "AWS: aws_inspector_assessment_target"
+sidebar_current: "docs-aws-resource-inspector-assessment-target"
+description: |\
+  Provides a Inspector assessment target.
+---
+
+# aws\_inspector\_assessment\_target
+
+Provides a Inspector assessment target
+
+## Example Usage
+
+```
+resource "aws_inspector_resource_group" "bar" {
+  tags {
+    Name  = "foo"
+    Env = "bar"
+  }
+}
+
+resource "aws_inspector_assessment_target" "foo" {
+  name = "assessment target"
+  resource_group_arn = "${aws_inspector_resource_group.bar.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the assessment target.
+* `resource_group_arn` (Required )- The resource group ARN stating tags for instance matching.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The target assessment ARN.

website/source/docs/providers/aws/r/inspector_assessment_template.html.markdown

@@ -0,0 +1,43 @@
+---
+layout: "aws"
+page_title: "AWS: aws_inspector_assessment_template"
+sidebar_current: "docs-aws-resource-inspector-assessment-template"
+description: |\
+  Provides a Inspector assessment template.
+---
+
+# aws\_inspector\_assessment\_template
+
+Provides a Inspector assessment template
+
+## Example Usage
+
+```
+resource "aws_inspector_assessment_template" "foo" {
+  name = "bar template"
+  target_arn    = "${aws_inspector_assessment_target.foo.arn}"
+  duration      = 3600
+
+  rules_package_arns = [
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
+	  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD",
+  ]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the assessment template.
+* `target_arn` - (Required) The assessment target ARN to attach the template to.
+* `duration` - (Required) The duration of the inspector run.
+* `rules_package_arns` - (Required) The rules to be used during the run.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The template assessment ARN.

website/source/docs/providers/aws/r/inspector_resouce_group.html.markdown

@@ -0,0 +1,34 @@
+---
+layout: "aws"
+page_title: "AWS: aws_inspector_resource_group"
+sidebar_current: "docs-aws-resource-inspector-resource-group"
+description: |\
+  Provides a Inspector resource group.
+---
+
+# aws\_inspector\_resource\_group
+
+Provides a Inspector assessment template
+
+## Example Usage
+
+```
+resource "aws_inspector_resource_group" "bar" {
+  tags {
+    Name  = "foo"
+    Env = "bar"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `tags` - (Required) The tags on your EC2 Instance.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The resource group ARN.

website/source/layouts/aws.erb

@@ -662,6 +662,25 @@
                     </ul>
                 </li>
 
+                <li<%= sidebar_current(/^docs-aws-resource-inspector/) %>>
+                  <a href="#">Inspector Resources</a>
+                  <ul class="nav nav-visible">
+
+                    <li<%= sidebar_current("docs-aws-resource-inspector-assessment-target") %>>
+                      <a href="/docs/providers/aws/r/inspector_assessment_template.html">aws_inspector_assessment_target</a>
+                    </li>
+
+                    <li<%= sidebar_current("docs-aws-resource-inspector-assessment-template") %>>
+                      <a href="/docs/providers/aws/r/inspector_assessment_template.html">aws_inspector_assessment_template</a>
+                    </li>
+
+                    <li<%= sidebar_current("docs-aws-resource-inspector-resource-group") %>>
+                      <a href="/docs/providers/aws/r/inspector_resource_group.html">aws_inspector_resource_group</a>
+                    </li>
+
+                  </ul>
+                </li>
+
 
                 <li<%= sidebar_current(/^docs-aws-resource-kinesis/) %>>
                     <a href="#">Kinesis Resources</a>