diff --git a/.changelog/33297.txt b/.changelog/33297.txt new file mode 100644 index 00000000000..708e1c260d8 --- /dev/null +++ b/.changelog/33297.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +aws_verifiedaccess_group +``` diff --git a/internal/service/ec2/errors.go b/internal/service/ec2/errors.go index 7c3f84f44e9..4ccd1e9e105 100644 --- a/internal/service/ec2/errors.go +++ b/internal/service/ec2/errors.go @@ -100,6 +100,7 @@ const ( errCodeInvalidTransitGatewayPolicyTableIdNotFound = "InvalidTransitGatewayPolicyTableId.NotFound" errCodeInvalidTransitGatewayIDNotFound = "InvalidTransitGatewayID.NotFound" errCodeInvalidTransitGatewayMulticastDomainIdNotFound = "InvalidTransitGatewayMulticastDomainId.NotFound" + errCodeInvalidVerifiedAccessGroupIdNotFound = "InvalidVerifiedAccessGroupId.NotFound" errCodeInvalidVerifiedAccessInstanceIdNotFound = "InvalidVerifiedAccessInstanceId.NotFound" errCodeInvalidVerifiedAccessTrustProviderIdNotFound = "InvalidVerifiedAccessTrustProviderId.NotFound" errCodeInvalidVolumeNotFound = "InvalidVolume.NotFound" diff --git a/internal/service/ec2/find.go b/internal/service/ec2/find.go index 74504f6bd05..da58ec8e5b2 100644 --- a/internal/service/ec2/find.go +++ b/internal/service/ec2/find.go @@ -7022,6 +7022,84 @@ func FindInstanceConnectEndpointByID(ctx context.Context, conn *ec2_sdkv2.Client return output, nil } +func FindVerifiedAccessGroupPolicyByID(ctx context.Context, conn *ec2_sdkv2.Client, id string) (*ec2_sdkv2.GetVerifiedAccessGroupPolicyOutput, error) { + input := &ec2_sdkv2.GetVerifiedAccessGroupPolicyInput{ + VerifiedAccessGroupId: &id, + } + output, err := conn.GetVerifiedAccessGroupPolicy(ctx, input) + + if tfawserr_sdkv2.ErrCodeEquals(err, errCodeInvalidVerifiedAccessGroupIdNotFound) { + return nil, &retry.NotFoundError{ + LastError: err, + LastRequest: input, + } + } + + if err != nil { + return nil, err + } + + if output == nil { + return nil, tfresource.NewEmptyResultError(input) + } + + return output, nil +} + +func FindVerifiedAccessGroup(ctx context.Context, conn *ec2_sdkv2.Client, input *ec2_sdkv2.DescribeVerifiedAccessGroupsInput) (*awstypes.VerifiedAccessGroup, error) { + output, err := FindVerifiedAccessGroups(ctx, conn, input) + + if err != nil { + return nil, err + } + + return tfresource.AssertSingleValueResult(output) +} + +func FindVerifiedAccessGroups(ctx context.Context, conn *ec2_sdkv2.Client, input *ec2_sdkv2.DescribeVerifiedAccessGroupsInput) ([]awstypes.VerifiedAccessGroup, error) { + var output []awstypes.VerifiedAccessGroup + paginator := ec2_sdkv2.NewDescribeVerifiedAccessGroupsPaginator(conn, input) + + for paginator.HasMorePages() { + page, err := paginator.NextPage(ctx) + + if tfawserr_sdkv2.ErrCodeEquals(err, errCodeInvalidVerifiedAccessGroupIdNotFound) { + return nil, &retry.NotFoundError{ + LastError: err, + LastRequest: input, + } + } + + if err != nil { + return nil, err + } + + output = append(output, page.VerifiedAccessGroups...) + } + + return output, nil +} + +func FindVerifiedAccessGroupByID(ctx context.Context, conn *ec2_sdkv2.Client, id string) (*awstypes.VerifiedAccessGroup, error) { + input := &ec2_sdkv2.DescribeVerifiedAccessGroupsInput{ + VerifiedAccessGroupIds: []string{id}, + } + output, err := FindVerifiedAccessGroup(ctx, conn, input) + + if err != nil { + return nil, err + } + + // Eventual consistency check. + if aws_sdkv2.ToString(output.VerifiedAccessGroupId) != id { + return nil, &retry.NotFoundError{ + LastRequest: input, + } + } + + return output, nil +} + func FindVerifiedAccessInstance(ctx context.Context, conn *ec2_sdkv2.Client, input *ec2_sdkv2.DescribeVerifiedAccessInstancesInput) (*awstypes.VerifiedAccessInstance, error) { output, err := FindVerifiedAccessInstances(ctx, conn, input) diff --git a/internal/service/ec2/service_package_gen.go b/internal/service/ec2/service_package_gen.go index 48b1e6e9a38..e0565e9fee9 100644 --- a/internal/service/ec2/service_package_gen.go +++ b/internal/service/ec2/service_package_gen.go @@ -943,6 +943,14 @@ func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePacka IdentifierAttribute: "id", }, }, + { + Factory: ResourceVerifiedAccessGroup, + TypeName: "aws_verifiedaccess_group", + Name: "Verified Access Group", + Tags: &types.ServicePackageResourceTags{ + IdentifierAttribute: "id", + }, + }, { Factory: ResourceVerifiedAccessInstance, TypeName: "aws_verifiedaccess_instance", diff --git a/internal/service/ec2/verifiedaccess_group.go b/internal/service/ec2/verifiedaccess_group.go new file mode 100644 index 00000000000..98c5113d335 --- /dev/null +++ b/internal/service/ec2/verifiedaccess_group.go @@ -0,0 +1,207 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package ec2 + +import ( + "context" + "log" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/ec2" + "github.com/aws/aws-sdk-go-v2/service/ec2/types" + "github.com/hashicorp/aws-sdk-go-base/v2/tfawserr" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" + tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" + "github.com/hashicorp/terraform-provider-aws/internal/tfresource" + "github.com/hashicorp/terraform-provider-aws/internal/verify" + "github.com/hashicorp/terraform-provider-aws/names" +) + +// @SDKResource("aws_verifiedaccess_group", name="Verified Access Group") +// @Tags(identifierAttribute="id") +func ResourceVerifiedAccessGroup() *schema.Resource { + return &schema.Resource{ + CreateWithoutTimeout: resourceVerifiedAccessGroupCreate, + ReadWithoutTimeout: resourceVerifiedAccessGroupRead, + UpdateWithoutTimeout: resourceVerifiedAccessGroupUpdate, + DeleteWithoutTimeout: resourceVerifiedAccessGroupDelete, + + Importer: &schema.ResourceImporter{ + StateContext: schema.ImportStatePassthroughContext, + }, + + Schema: map[string]*schema.Schema{ + "creation_time": { + Type: schema.TypeString, + Computed: true, + }, + "deletion_time": { + Type: schema.TypeString, + Computed: true, + }, + "description": { + Type: schema.TypeString, + Computed: true, + Optional: true, + }, + "last_updated_time": { + Type: schema.TypeString, + Computed: true, + }, + "owner": { + Type: schema.TypeString, + Computed: true, + }, + "policy_document": { + Type: schema.TypeString, + Optional: true, + }, + names.AttrTags: tftags.TagsSchema(), + names.AttrTagsAll: tftags.TagsSchemaComputed(), + "verifiedaccess_group_arn": { + Type: schema.TypeString, + Computed: true, + }, + "verifiedaccess_group_id": { + Type: schema.TypeString, + Computed: true, + }, + "verifiedaccess_instance_id": { + Type: schema.TypeString, + Required: true, + }, + }, + + CustomizeDiff: verify.SetTagsDiff, + } +} + +func resourceVerifiedAccessGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + var diags diag.Diagnostics + conn := meta.(*conns.AWSClient).EC2Client(ctx) + + input := &ec2.CreateVerifiedAccessGroupInput{ + TagSpecifications: getTagSpecificationsInV2(ctx, types.ResourceTypeVerifiedAccessGroup), + VerifiedAccessInstanceId: aws.String(d.Get("verifiedaccess_instance_id").(string)), + } + + if v, ok := d.GetOk("description"); ok { + input.Description = aws.String(v.(string)) + } + + if v, ok := d.GetOk("policy_document"); ok { + input.PolicyDocument = aws.String(v.(string)) + } + + output, err := conn.CreateVerifiedAccessGroup(ctx, input) + + if err != nil { + return sdkdiag.AppendErrorf(diags, "creating Verified Access Group: %s", err) + } + + d.SetId(aws.ToString(output.VerifiedAccessGroup.VerifiedAccessGroupId)) + + return append(diags, resourceVerifiedAccessGroupRead(ctx, d, meta)...) +} + +func resourceVerifiedAccessGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + var diags diag.Diagnostics + conn := meta.(*conns.AWSClient).EC2Client(ctx) + + group, err := FindVerifiedAccessGroupByID(ctx, conn, d.Id()) + + if !d.IsNewResource() && tfresource.NotFound(err) { + log.Printf("[WARN] EC2 Verified Access Group (%s) not found, removing from state", d.Id()) + d.SetId("") + return diags + } + + if err != nil { + return sdkdiag.AppendErrorf(diags, "reading Verified Access Group (%s): %s", d.Id(), err) + } + + d.Set("creation_time", group.CreationTime) + d.Set("deletion_time", group.DeletionTime) + d.Set("description", group.Description) + d.Set("last_updated_time", group.LastUpdatedTime) + d.Set("owner", group.Owner) + d.Set("verifiedaccess_group_arn", group.VerifiedAccessGroupArn) + d.Set("verifiedaccess_group_id", group.VerifiedAccessGroupId) + d.Set("verifiedaccess_instance_id", group.VerifiedAccessInstanceId) + + setTagsOutV2(ctx, group.Tags) + + output, err := FindVerifiedAccessGroupPolicyByID(ctx, conn, d.Id()) + + if err != nil { + return sdkdiag.AppendErrorf(diags, "reading Verified Access Group (%s) policy: %s", d.Id(), err) + } + + d.Set("policy_document", output.PolicyDocument) + + return diags +} + +func resourceVerifiedAccessGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + var diags diag.Diagnostics + conn := meta.(*conns.AWSClient).EC2Client(ctx) + + if d.HasChangesExcept("policy_document", "tags", "tags_all") { + input := &ec2.ModifyVerifiedAccessGroupInput{ + VerifiedAccessGroupId: aws.String(d.Id()), + } + + if d.HasChange("description") { + input.Description = aws.String(d.Get("description").(string)) + } + + if d.HasChange("verified_access_instance_id") { + input.VerifiedAccessInstanceId = aws.String(d.Get("description").(string)) + } + + _, err := conn.ModifyVerifiedAccessGroup(ctx, input) + + if err != nil { + return sdkdiag.AppendErrorf(diags, "updating Verified Access Group (%s): %s", d.Id(), err) + } + } + + if d.HasChange("policy_document") { + input := &ec2.ModifyVerifiedAccessGroupPolicyInput{ + PolicyDocument: aws.String(d.Get("policy_document").(string)), + VerifiedAccessGroupId: aws.String(d.Id()), + } + + _, err := conn.ModifyVerifiedAccessGroupPolicy(ctx, input) + + if err != nil { + return sdkdiag.AppendErrorf(diags, "updating Verified Access Group (%s) policy: %s", d.Id(), err) + } + } + + return append(diags, resourceVerifiedAccessGroupRead(ctx, d, meta)...) +} + +func resourceVerifiedAccessGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + var diags diag.Diagnostics + conn := meta.(*conns.AWSClient).EC2Client(ctx) + + log.Printf("[INFO] Deleting Verified Access Group: %s", d.Id()) + _, err := conn.DeleteVerifiedAccessGroup(ctx, &ec2.DeleteVerifiedAccessGroupInput{ + VerifiedAccessGroupId: aws.String(d.Id()), + }) + + if tfawserr.ErrCodeEquals(err, errCodeInvalidVerifiedAccessGroupIdNotFound) { + return diags + } + + if err != nil { + return sdkdiag.AppendErrorf(diags, "deleting Verified Access Group (%s): %s", d.Id(), err) + } + + return diags +} diff --git a/internal/service/ec2/verifiedaccess_group_test.go b/internal/service/ec2/verifiedaccess_group_test.go new file mode 100644 index 00000000000..af65416c001 --- /dev/null +++ b/internal/service/ec2/verifiedaccess_group_test.go @@ -0,0 +1,300 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package ec2_test + +import ( + "context" + "fmt" + "testing" + + "github.com/aws/aws-sdk-go-v2/service/ec2/types" + sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/terraform" + "github.com/hashicorp/terraform-provider-aws/internal/acctest" + "github.com/hashicorp/terraform-provider-aws/internal/conns" + tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2" + "github.com/hashicorp/terraform-provider-aws/internal/tfresource" + "github.com/hashicorp/terraform-provider-aws/names" +) + +func TestAccVerifiedAccessGroup_basic(t *testing.T) { + ctx := acctest.Context(t) + var v types.VerifiedAccessGroup + resourceName := "aws_verifiedaccess_group.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + testAccPreCheckVerifiedAccess(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccVerifiedAccessGroupConfig_basic(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + resource.TestCheckResourceAttrSet(resourceName, "creation_time"), + resource.TestCheckResourceAttr(resourceName, "deletion_time", ""), + resource.TestCheckResourceAttr(resourceName, "description", ""), + resource.TestCheckResourceAttrSet(resourceName, "last_updated_time"), + acctest.CheckResourceAttrAccountID(resourceName, "owner"), + resource.TestCheckResourceAttr(resourceName, "policy_document", ""), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), + resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_arn"), + resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_group_id"), + resource.TestCheckResourceAttrSet(resourceName, "verifiedaccess_instance_id"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccVerifiedAccessGroup_disappears(t *testing.T) { + ctx := acctest.Context(t) + var v types.VerifiedAccessGroup + resourceName := "aws_verifiedaccess_group.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + testAccPreCheckVerifiedAccess(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccVerifiedAccessGroupConfig_tags1(rName, "key1", "value1"), + Check: resource.ComposeTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + acctest.CheckResourceDisappears(ctx, acctest.Provider, tfec2.ResourceVerifiedAccessGroup(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccVerifiedAccessGroup_tags(t *testing.T) { + ctx := acctest.Context(t) + var v types.VerifiedAccessGroup + resourceName := "aws_verifiedaccess_group.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + testAccPreCheckVerifiedAccess(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccVerifiedAccessGroupConfig_tags1(rName, "key1", "value1"), + Check: resource.ComposeTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.key1", "value1"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{}, + }, + { + Config: testAccVerifiedAccessGroupConfig_tags2(rName, "key1", "value1updated", "key2", "value2"), + Check: resource.ComposeTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.key1", "value1updated"), + resource.TestCheckResourceAttr(resourceName, "tags.key2", "value2"), + ), + }, + { + Config: testAccVerifiedAccessGroupConfig_tags1(rName, "key2", "value2"), + Check: resource.ComposeTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.key2", "value2"), + ), + }, + }, + }) +} + +func TestAccVerifiedAccessGroup_policy(t *testing.T) { + ctx := acctest.Context(t) + var v types.VerifiedAccessGroup + resourceName := "aws_verifiedaccess_group.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + description := sdkacctest.RandString(100) + policyDoc := "permit(principal, action, resource) \nwhen {\ncontext.http_request.method == \"GET\"\n};" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + acctest.PreCheck(ctx, t) + testAccPreCheckVerifiedAccess(ctx, t) + }, + ErrorCheck: acctest.ErrorCheck(t, names.EC2), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckVerifiedAccessGroupDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccVerifiedAccessGroupConfig_policy(rName, description, policyDoc), + Check: resource.ComposeTestCheckFunc( + testAccCheckVerifiedAccessGroupExists(ctx, resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "description", description), + resource.TestCheckResourceAttr(resourceName, "policy_document", policyDoc), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{}, + }, + }, + }) +} + +func testAccCheckVerifiedAccessGroupExists(ctx context.Context, n string, v *types.VerifiedAccessGroup) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Client(ctx) + + output, err := tfec2.FindVerifiedAccessGroupByID(ctx, conn, rs.Primary.ID) + + if err != nil { + return err + } + + *v = *output + + return nil + } +} + +func testAccCheckVerifiedAccessGroupDestroy(ctx context.Context) resource.TestCheckFunc { + return func(s *terraform.State) error { + conn := acctest.Provider.Meta().(*conns.AWSClient).EC2Client(ctx) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_verifiedaccess_group" { + continue + } + + _, err := tfec2.FindVerifiedAccessGroupByID(ctx, conn, rs.Primary.ID) + + if tfresource.NotFound(err) { + continue + } + + if err != nil { + return err + } + + return fmt.Errorf("Verified Access Group %s still exists", rs.Primary.ID) + } + return nil + } +} + +func testAccVerifiedAccessGroupConfig_base(rName string) string { + return fmt.Sprintf(` +resource "aws_verifiedaccess_instance" "test" { + tags = { + Name = %[1]q + } +} + +resource "aws_verifiedaccess_trust_provider" "test" { + policy_reference_name = "test" + trust_provider_type = "user" + user_trust_provider_type = "oidc" + + oidc_options { + authorization_endpoint = "https://example.com/authorization_endpoint" + client_id = "s6BhdRkqt3" + client_secret = "7Fjfp0ZBr1KtDRbnfVdmIw" + issuer = "https://example.com" + scope = "test" + token_endpoint = "https://example.com/token_endpoint" + user_info_endpoint = "https://example.com/user_info_endpoint" + } + + tags = { + Name = %[1]q + } +} + +resource "aws_verifiedaccess_instance_trust_provider_attachment" "test" { + verifiedaccess_instance_id = aws_verifiedaccess_instance.test.id + verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.test.id +} +`, rName) +} + +func testAccVerifiedAccessGroupConfig_basic(rName string) string { + return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), ` +resource "aws_verifiedaccess_group" "test" { + verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id +} +`) +} + +func testAccVerifiedAccessGroupConfig_tags1(rName, tagKey1, tagValue1 string) string { + return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), fmt.Sprintf(` +resource "aws_verifiedaccess_group" "test" { + verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id + + tags = { + %[1]q = %[2]q + } +} +`, tagKey1, tagValue1)) +} + +func testAccVerifiedAccessGroupConfig_tags2(rName, tagKey1, tagValue1, tagKey2, tagValue2 string) string { + return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), fmt.Sprintf(` +resource "aws_verifiedaccess_group" "test" { + verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id + + tags = { + %[1]q = %[2]q + %[3]q = %[4]q + } +} +`, tagKey1, tagValue1, tagKey2, tagValue2)) +} + +func testAccVerifiedAccessGroupConfig_policy(rName, description, policy string) string { + return acctest.ConfigCompose(testAccVerifiedAccessGroupConfig_base(rName), fmt.Sprintf(` +resource "aws_verifiedaccess_group" "test" { + verifiedaccess_instance_id = aws_verifiedaccess_instance_trust_provider_attachment.test.verifiedaccess_instance_id + description = %[2]q + policy_document = %[3]q + + tags = { + Name = %[1]q + } +} +`, rName, description, policy)) +} diff --git a/internal/service/ec2/verifiedaccess_instance.go b/internal/service/ec2/verifiedaccess_instance.go index 97414010613..7670fb6a586 100644 --- a/internal/service/ec2/verifiedaccess_instance.go +++ b/internal/service/ec2/verifiedaccess_instance.go @@ -124,13 +124,13 @@ func resourceVerifiedAccessInstanceRead(ctx context.Context, d *schema.ResourceD return sdkdiag.AppendErrorf(diags, "reading Verified Access Instance (%s): %s", d.Id(), err) } - d.Set("description", output.Description) d.Set("creation_time", output.CreationTime) + d.Set("description", output.Description) d.Set("last_updated_time", output.LastUpdatedTime) if v := output.VerifiedAccessTrustProviders; v != nil { if err := d.Set("verified_access_trust_providers", flattenVerifiedAccessTrustProviders(v)); err != nil { - return sdkdiag.AppendErrorf(diags, "setting verified access trust providers: %s", err) + return sdkdiag.AppendErrorf(diags, "setting verified_access_trust_providers: %s", err) } } else { d.Set("verified_access_trust_providers", nil) @@ -151,7 +151,7 @@ func resourceVerifiedAccessInstanceUpdate(ctx context.Context, d *schema.Resourc VerifiedAccessInstanceId: aws.String(d.Id()), } - if d.HasChanges("description") { + if d.HasChange("description") { input.Description = aws.String(d.Get("description").(string)) } diff --git a/internal/service/ec2/verifiedaccess_instance_test.go b/internal/service/ec2/verifiedaccess_instance_test.go index e6820f9b0c4..e2b60d52c9d 100644 --- a/internal/service/ec2/verifiedaccess_instance_test.go +++ b/internal/service/ec2/verifiedaccess_instance_test.go @@ -21,7 +21,6 @@ import ( func TestAccVerifiedAccessInstance_basic(t *testing.T) { ctx := acctest.Context(t) - var v types.VerifiedAccessInstance resourceName := "aws_verifiedaccess_instance.test" @@ -55,7 +54,6 @@ func TestAccVerifiedAccessInstance_basic(t *testing.T) { func TestAccVerifiedAccessInstance_description(t *testing.T) { ctx := acctest.Context(t) - var v types.VerifiedAccessInstance resourceName := "aws_verifiedaccess_instance.test" @@ -97,7 +95,6 @@ func TestAccVerifiedAccessInstance_description(t *testing.T) { func TestAccVerifiedAccessInstance_disappears(t *testing.T) { ctx := acctest.Context(t) - var v types.VerifiedAccessInstance resourceName := "aws_verifiedaccess_instance.test" @@ -124,7 +121,6 @@ func TestAccVerifiedAccessInstance_disappears(t *testing.T) { func TestAccVerifiedAccessInstance_tags(t *testing.T) { ctx := acctest.Context(t) - var v types.VerifiedAccessInstance resourceName := "aws_verifiedaccess_instance.test" diff --git a/internal/service/ec2/verifiedaccess_trust_provider.go b/internal/service/ec2/verifiedaccess_trust_provider.go index c1d080873e3..b7566e6c6be 100644 --- a/internal/service/ec2/verifiedaccess_trust_provider.go +++ b/internal/service/ec2/verifiedaccess_trust_provider.go @@ -231,11 +231,11 @@ func resourceVerifiedAccessTrustProviderUpdate(ctx context.Context, d *schema.Re VerifiedAccessTrustProviderId: aws.String(d.Id()), } - if d.HasChanges("description") { + if d.HasChange("description") { input.Description = aws.String(d.Get("description").(string)) } - if d.HasChanges("oidc_options") { + if d.HasChange("oidc_options") { if v, ok := d.GetOk("oidc_options"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { input.OidcOptions = expandModifyVerifiedAccessTrustProviderOIDCOptions(v.([]interface{})[0].(map[string]interface{})) } diff --git a/internal/service/ec2/verifiedaccess_trust_provider_test.go b/internal/service/ec2/verifiedaccess_trust_provider_test.go index 5c9deab6aac..552ddce46c4 100644 --- a/internal/service/ec2/verifiedaccess_trust_provider_test.go +++ b/internal/service/ec2/verifiedaccess_trust_provider_test.go @@ -22,11 +22,6 @@ import ( func TestAccVerifiedAccessTrustProvider_basic(t *testing.T) { ctx := acctest.Context(t) - - if testing.Short() { - t.Skip("skipping long-running test in short mode") - } - var v types.VerifiedAccessTrustProvider resourceName := "aws_verifiedaccess_trust_provider.test" policyReferenceName := "test" @@ -106,10 +101,6 @@ func TestAccVerifiedAccessTrustProvider_deviceOptions(t *testing.T) { func TestAccVerifiedAccessTrustProvider_disappears(t *testing.T) { ctx := acctest.Context(t) - if testing.Short() { - t.Skip("skipping long-running test in short mode") - } - var v types.VerifiedAccessTrustProvider resourceName := "aws_verifiedaccess_trust_provider.test" policyReferenceName := "test" diff --git a/website/docs/r/verifiedaccess_group.html.markdown b/website/docs/r/verifiedaccess_group.html.markdown new file mode 100644 index 00000000000..f974af560fe --- /dev/null +++ b/website/docs/r/verifiedaccess_group.html.markdown @@ -0,0 +1,52 @@ +--- +subcategory: "Verified Access" +layout: "aws" +page_title: "AWS: aws_verifiedaccess_group" +description: |- + Terraform resource for managing a Verified Access Group. +--- + +# Resource: aws_verifiedaccess_group + +Terraform resource for managing a Verified Access Group. + +## Example Usage + +### Basic Usage + +```terraform +resource "aws_verifiedaccess_group" "example" { + verifiedaccess_instance_id = aws_verifiedaccess_instance.example.id +} +``` + +## Argument Reference + +The following arguments are required: + +* `verifiedaccess_instance_id` - (Required) The id of the verified access instance this group is associated with. + +The following arguments are optional: + +* `description` - (Optional) Description of the verified access group. +* `tags` - (Optional) Key-value mapping of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. +* `policy_docment` - (Optional) The policy document that is associated with this resource. + +## Attribute Reference + +This resource exports the following attributes in addition to the arguments above: + +* `creation_time` - Timestamp when the access group was created. +* `deletion_time` - Timestamp when the access group was deleted. +* `last_updated_time` - Timestamp when the access group was last updated. +* `owner` - AWS account number owning this resource. +* `verifiedaccess_group_arn` - ARN of this verified acess group. +* `verifiedaccess_group_id` - ID of this verified access group. + +## Timeouts + +[Configuration options](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts): + +* `create` - (Default `60m`) +* `update` - (Default `180m`) +* `delete` - (Default `90m`)