Merge pull request #21452 from hashicorp/b-aws_glue_data_catalog_encr…

…yption_settings-delete r/aws_glue_data_catalog_encryption_settings: Reset at delete
hashicorp · Oct 22, 2021 · 6a52589 · 6a52589
2 parents add4530 + 786bae4
commit 6a52589
Show file tree

Hide file tree

Showing 6 changed files with 144 additions and 81 deletions.
diff --git a/.changelog/21452.txt b/.changelog/21452.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_glue_data_catalog_encryption_settings: Disable encryption on resource deletion
+```
diff --git a/internal/service/glue/data_catalog_encryption_settings.go b/internal/service/glue/data_catalog_encryption_settings.go
@@ -2,6 +2,7 @@ package glue
 
 import (
 	"fmt"
+	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/glue"
@@ -16,7 +17,7 @@ func ResourceDataCatalogEncryptionSettings() *schema.Resource {
 		Create: resourceDataCatalogEncryptionSettingsPut,
 		Read:   resourceDataCatalogEncryptionSettingsRead,
 		Update: resourceDataCatalogEncryptionSettingsPut,
-		Delete: schema.Noop,
+		Delete: resourceDataCatalogEncryptionSettingsDelete,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
@@ -80,16 +81,21 @@ func ResourceDataCatalogEncryptionSettings() *schema.Resource {
 
 func resourceDataCatalogEncryptionSettingsPut(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*conns.AWSClient).GlueConn
-	catalogID := createCatalogID(d, meta.(*conns.AWSClient).AccountID)
 
+	catalogID := createCatalogID(d, meta.(*conns.AWSClient).AccountID)
 	input := &glue.PutDataCatalogEncryptionSettingsInput{
-		CatalogId:                     aws.String(catalogID),
-		DataCatalogEncryptionSettings: expandGlueDataCatalogEncryptionSettings(d.Get("data_catalog_encryption_settings").([]interface{})),
+		CatalogId: aws.String(catalogID),
 	}
 
+	if v, ok := d.GetOk("data_catalog_encryption_settings"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+		input.DataCatalogEncryptionSettings = expandDataCatalogEncryptionSettings(v.([]interface{})[0].(map[string]interface{}))
+	}
+
+	log.Printf("[DEBUG] Putting Glue Data Catalog Encryption Settings: %s", input)
 	_, err := conn.PutDataCatalogEncryptionSettings(input)
+
 	if err != nil {
-		return fmt.Errorf("Error setting Data Catalog Encryption Settings: %w", err)
+		return fmt.Errorf("error putting Glue Data Catalog Encryption Settings (%s): %w", catalogID, err)
 	}
 
 	d.SetId(catalogID)
@@ -100,92 +106,148 @@ func resourceDataCatalogEncryptionSettingsPut(d *schema.ResourceData, meta inter
 func resourceDataCatalogEncryptionSettingsRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*conns.AWSClient).GlueConn
 
-	input := &glue.GetDataCatalogEncryptionSettingsInput{
+	output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{
 		CatalogId: aws.String(d.Id()),
-	}
+	})
 
-	out, err := conn.GetDataCatalogEncryptionSettings(input)
 	if err != nil {
-		return fmt.Errorf("Error reading Glue Data Catalog Encryption Settings: %w", err)
+		return fmt.Errorf("error reading Glue Data Catalog Encryption Settings (%s): %w", d.Id(), err)
 	}
 
 	d.Set("catalog_id", d.Id())
+	if output.DataCatalogEncryptionSettings != nil {
+		if err := d.Set("data_catalog_encryption_settings", []interface{}{flattenDataCatalogEncryptionSettings(output.DataCatalogEncryptionSettings)}); err != nil {
+			return fmt.Errorf("error setting data_catalog_encryption_settings: %w", err)
+		}
+	} else {
+		d.Set("data_catalog_encryption_settings", nil)
+	}
+
+	return nil
+}
 
-	if err := d.Set("data_catalog_encryption_settings", flattenGlueDataCatalogEncryptionSettings(out.DataCatalogEncryptionSettings)); err != nil {
-		return fmt.Errorf("error setting data_catalog_encryption_settings: %w", err)
+func resourceDataCatalogEncryptionSettingsDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).GlueConn
+
+	input := &glue.PutDataCatalogEncryptionSettingsInput{
+		CatalogId:                     aws.String(d.Id()),
+		DataCatalogEncryptionSettings: &glue.DataCatalogEncryptionSettings{},
+	}
+
+	log.Printf("[DEBUG] Deleting Glue Data Catalog Encryption Settings: %s", input)
+	_, err := conn.PutDataCatalogEncryptionSettings(input)
+
+	if err != nil {
+		return fmt.Errorf("error putting Glue Data Catalog Encryption Settings (%s): %w", d.Id(), err)
 	}
 
 	return nil
 }
 
-func expandGlueDataCatalogEncryptionSettings(settings []interface{}) *glue.DataCatalogEncryptionSettings {
-	m := settings[0].(map[string]interface{})
+func expandDataCatalogEncryptionSettings(tfMap map[string]interface{}) *glue.DataCatalogEncryptionSettings {
+	if tfMap == nil {
+		return nil
+	}
 
-	target := &glue.DataCatalogEncryptionSettings{
-		ConnectionPasswordEncryption: expandGlueDataCatalogConnectionPasswordEncryption(m["connection_password_encryption"].([]interface{})),
-		EncryptionAtRest:             expandGlueDataCatalogEncryptionAtRest(m["encryption_at_rest"].([]interface{})),
+	apiObject := &glue.DataCatalogEncryptionSettings{}
+
+	if v, ok := tfMap["connection_password_encryption"].([]interface{}); ok && len(v) > 0 {
+		apiObject.ConnectionPasswordEncryption = expandConnectionPasswordEncryption(v[0].(map[string]interface{}))
+	}
+
+	if v, ok := tfMap["encryption_at_rest"].([]interface{}); ok && len(v) > 0 {
+		apiObject.EncryptionAtRest = expandEncryptionAtRest(v[0].(map[string]interface{}))
 	}
 
-	return target
+	return apiObject
 }
 
-func flattenGlueDataCatalogEncryptionSettings(settings *glue.DataCatalogEncryptionSettings) []map[string]interface{} {
-	m := map[string]interface{}{
-		"connection_password_encryption": flattenGlueDataCatalogConnectionPasswordEncryption(settings.ConnectionPasswordEncryption),
-		"encryption_at_rest":             flattenGlueDataCatalogEncryptionAtRest(settings.EncryptionAtRest),
+func expandConnectionPasswordEncryption(tfMap map[string]interface{}) *glue.ConnectionPasswordEncryption {
+	if tfMap == nil {
+		return nil
 	}
 
-	return []map[string]interface{}{m}
+	apiObject := &glue.ConnectionPasswordEncryption{}
+
+	if v, ok := tfMap["aws_kms_key_id"].(string); ok && v != "" {
+		apiObject.AwsKmsKeyId = aws.String(v)
+	}
+
+	if v, ok := tfMap["return_connection_password_encrypted"].(bool); ok {
+		apiObject.ReturnConnectionPasswordEncrypted = aws.Bool(v)
+	}
+
+	return apiObject
 }
 
-func expandGlueDataCatalogConnectionPasswordEncryption(settings []interface{}) *glue.ConnectionPasswordEncryption {
-	m := settings[0].(map[string]interface{})
+func expandEncryptionAtRest(tfMap map[string]interface{}) *glue.EncryptionAtRest {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &glue.EncryptionAtRest{}
 
-	target := &glue.ConnectionPasswordEncryption{
-		ReturnConnectionPasswordEncrypted: aws.Bool(m["return_connection_password_encrypted"].(bool)),
+	if v, ok := tfMap["catalog_encryption_mode"].(string); ok && v != "" {
+		apiObject.CatalogEncryptionMode = aws.String(v)
 	}
 
-	if v, ok := m["aws_kms_key_id"].(string); ok && v != "" {
-		target.AwsKmsKeyId = aws.String(v)
+	if v, ok := tfMap["sse_aws_kms_key_id"].(string); ok && v != "" {
+		apiObject.SseAwsKmsKeyId = aws.String(v)
 	}
 
-	return target
+	return apiObject
 }
 
-func flattenGlueDataCatalogConnectionPasswordEncryption(settings *glue.ConnectionPasswordEncryption) []map[string]interface{} {
-	m := map[string]interface{}{
-		"return_connection_password_encrypted": aws.BoolValue(settings.ReturnConnectionPasswordEncrypted),
+func flattenDataCatalogEncryptionSettings(apiObject *glue.DataCatalogEncryptionSettings) map[string]interface{} {
+	if apiObject == nil {
+		return nil
 	}
 
-	if settings.AwsKmsKeyId != nil {
-		m["aws_kms_key_id"] = aws.StringValue(settings.AwsKmsKeyId)
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.ConnectionPasswordEncryption; v != nil {
+		tfMap["connection_password_encryption"] = []interface{}{flattenConnectionPasswordEncryption(v)}
 	}
 
-	return []map[string]interface{}{m}
+	if v := apiObject.EncryptionAtRest; v != nil {
+		tfMap["encryption_at_rest"] = []interface{}{flattenEncryptionAtRest(v)}
+	}
+
+	return tfMap
 }
 
-func expandGlueDataCatalogEncryptionAtRest(settings []interface{}) *glue.EncryptionAtRest {
-	m := settings[0].(map[string]interface{})
+func flattenConnectionPasswordEncryption(apiObject *glue.ConnectionPasswordEncryption) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
 
-	target := &glue.EncryptionAtRest{
-		CatalogEncryptionMode: aws.String(m["catalog_encryption_mode"].(string)),
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.AwsKmsKeyId; v != nil {
+		tfMap["aws_kms_key_id"] = aws.StringValue(v)
 	}
 
-	if v, ok := m["sse_aws_kms_key_id"].(string); ok && v != "" {
-		target.SseAwsKmsKeyId = aws.String(v)
+	if v := apiObject.ReturnConnectionPasswordEncrypted; v != nil {
+		tfMap["return_connection_password_encrypted"] = aws.BoolValue(v)
 	}
 
-	return target
+	return tfMap
 }
 
-func flattenGlueDataCatalogEncryptionAtRest(settings *glue.EncryptionAtRest) []map[string]interface{} {
-	m := map[string]interface{}{
-		"catalog_encryption_mode": aws.StringValue(settings.CatalogEncryptionMode),
+func flattenEncryptionAtRest(apiObject *glue.EncryptionAtRest) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.CatalogEncryptionMode; v != nil {
+		tfMap["catalog_encryption_mode"] = aws.StringValue(v)
 	}
 
-	if settings.SseAwsKmsKeyId != nil {
-		m["sse_aws_kms_key_id"] = aws.StringValue(settings.SseAwsKmsKeyId)
+	if v := apiObject.SseAwsKmsKeyId; v != nil {
+		tfMap["sse_aws_kms_key_id"] = aws.StringValue(v)
 	}
 
-	return []map[string]interface{}{m}
+	return tfMap
 }
diff --git a/internal/service/glue/data_catalog_encryption_settings_data_source.go b/internal/service/glue/data_catalog_encryption_settings_data_source.go
@@ -2,6 +2,7 @@ package glue
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/glue"
@@ -64,19 +65,25 @@ func DataSourceDataCatalogEncryptionSettings() *schema.Resource {
 
 func dataSourceDataCatalogEncryptionSettingsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	conn := meta.(*conns.AWSClient).GlueConn
-	id := d.Get("catalog_id").(string)
-	input := &glue.GetDataCatalogEncryptionSettingsInput{
-		CatalogId: aws.String(id),
-	}
-	out, err := conn.GetDataCatalogEncryptionSettings(input)
+
+	catalogID := d.Get("catalog_id").(string)
+	output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{
+		CatalogId: aws.String(catalogID),
+	})
+
 	if err != nil {
-		return diag.Errorf("Error reading Glue Data Catalog Encryption Settings: %s", err)
+		return diag.FromErr(fmt.Errorf("error reading Glue Data Catalog Encryption Settings (%s): %w", catalogID, err))
 	}
-	d.SetId(id)
-	d.Set("catalog_id", d.Id())
 
-	if err := d.Set("data_catalog_encryption_settings", flattenGlueDataCatalogEncryptionSettings(out.DataCatalogEncryptionSettings)); err != nil {
-		return diag.Errorf("error setting data_catalog_encryption_settings: %s", err)
+	d.SetId(catalogID)
+	d.Set("catalog_id", d.Id())
+	if output.DataCatalogEncryptionSettings != nil {
+		if err := d.Set("data_catalog_encryption_settings", []interface{}{flattenDataCatalogEncryptionSettings(output.DataCatalogEncryptionSettings)}); err != nil {
+			return diag.FromErr(fmt.Errorf("error setting data_catalog_encryption_settings: %w", err))
+		}
+	} else {
+		d.Set("data_catalog_encryption_settings", nil)
 	}
+
 	return nil
 }
diff --git a/internal/service/glue/data_catalog_encryption_settings_data_source_test.go b/internal/service/glue/data_catalog_encryption_settings_data_source_test.go
@@ -1,47 +1,33 @@
 package glue_test
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/service/glue"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 )
 
-func TestAccGlueDataCatalogEncryptionSettingsDataSource_basic(t *testing.T) {
+func testAccGlueDataCatalogEncryptionSettingsDataSource_basic(t *testing.T) {
 	resourceName := "aws_glue_data_catalog_encryption_settings.test"
-	datasourceName := "data.aws_glue_data_catalog_encryption_settings.test"
+	dataSourceName := "data.aws_glue_data_catalog_encryption_settings.test"
 
-	resource.ParallelTest(t, resource.TestCase{
+	resource.Test(t, resource.TestCase{
 		PreCheck:   func() { acctest.PreCheck(t) },
 		ErrorCheck: acctest.ErrorCheck(t, glue.EndpointsID),
 		Providers:  acctest.Providers,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccDataCatalogEncryptionSettingsDataSourceConfig(),
 				Check: resource.ComposeTestCheckFunc(
-					testAccDataCatalogEncryptionSettingsCheckDataSource(datasourceName),
-					resource.TestCheckResourceAttrPair(datasourceName, "catalog_id", resourceName, "catalog_id"),
-					resource.TestCheckResourceAttrPair(datasourceName, "data_catalog_encryption_settings", resourceName, "data_catalog_encryption_settings"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "catalog_id", resourceName, "catalog_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "data_catalog_encryption_settings", resourceName, "data_catalog_encryption_settings"),
 				),
 			},
 		},
 	})
 }
 
-func testAccDataCatalogEncryptionSettingsCheckDataSource(name string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		_, ok := s.RootModule().Resources[name]
-		if !ok {
-			return fmt.Errorf("root module has no resource called %s", name)
-		}
-
-		return nil
-	}
-}
-
 func testAccDataCatalogEncryptionSettingsDataSourceConfig() string {
 	return `
 resource "aws_glue_data_catalog_encryption_settings" "test" {

diff --git a/internal/service/glue/data_catalog_encryption_settings_test.go b/internal/service/glue/data_catalog_encryption_settings_test.go
@@ -13,14 +13,14 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 )
 
-func TestAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) {
+func testAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) {
 	var settings glue.DataCatalogEncryptionSettings
 
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_glue_data_catalog_encryption_settings.test"
 	keyResourceName := "aws_kms_key.test"
 
-	resource.ParallelTest(t, resource.TestCase{
+	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { acctest.PreCheck(t) },
 		ErrorCheck:   acctest.ErrorCheck(t, glue.EndpointsID),
 		Providers:    acctest.Providers,
@@ -74,7 +74,7 @@ func TestAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) {
 	})
 }
 
-func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, settings *glue.DataCatalogEncryptionSettings) resource.TestCheckFunc {
+func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, v *glue.DataCatalogEncryptionSettings) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[resourceName]
 		if !ok {
@@ -90,11 +90,12 @@ func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, settin
 		output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{
 			CatalogId: aws.String(rs.Primary.ID),
 		})
+
 		if err != nil {
 			return err
 		}
 
-		*settings = *output.DataCatalogEncryptionSettings
+		*v = *output.DataCatalogEncryptionSettings
 
 		return nil
 	}

diff --git a/internal/service/glue/glue_test.go b/internal/service/glue/glue_test.go
@@ -4,6 +4,10 @@ import "testing"
 
 func TestAccGlue_serial(t *testing.T) {
 	testCases := map[string]map[string]func(t *testing.T){
+		"DataCatalogEncryptionSettings": {
+			"basic":      testAccGlueDataCatalogEncryptionSettings_basic,
+			"DataSource": testAccGlueDataCatalogEncryptionSettingsDataSource_basic,
+		},
 		"ResourcePolicy": {
 			"basic":      testAccResourcePolicy_basic,
 			"update":     testAccResourcePolicy_update,