Add aws_acmpca_permission resource

[mattburgess]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #10090

Release note for CHANGELOG:

New Resource: aws_acmpca_permission (#10070)

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAwsAcmpcaPermission'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaPermission -timeout 120m
=== RUN   TestAccAwsAcmpcaPermission_Valid
=== PAUSE TestAccAwsAcmpcaPermission_Valid
=== RUN   TestAccAwsAcmpcaPermission_InvalidPrincipal
=== PAUSE TestAccAwsAcmpcaPermission_InvalidPrincipal
=== RUN   TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== PAUSE TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== CONT  TestAccAwsAcmpcaPermission_Valid
=== CONT  TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== CONT  TestAccAwsAcmpcaPermission_InvalidPrincipal
--- PASS: TestAccAwsAcmpcaPermission_InvalidPrincipal (2.99s)
--- PASS: TestAccAwsAcmpcaPermission_InvalidActionsEntry (3.02s)
--- PASS: TestAccAwsAcmpcaPermission_Valid (31.26s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	31.302s

...

[mattburgess]

Still needs acceptance tests writing and running, but docs are there and it compiles at least!

[mattburgess]

This is failing the 1st acceptance test with the following:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAwsAcmpcaPermission_Valid'
==> Checking that code complies with gofmt requirements...

TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaPermission_Valid -timeout 120m
=== RUN   TestAccAwsAcmpcaPermission_Valid
=== PAUSE TestAccAwsAcmpcaPermission_Valid
=== CONT  TestAccAwsAcmpcaPermission_Valid
--- FAIL: TestAccAwsAcmpcaPermission_Valid (31.01s)
    testing.go:654: Step 0 error: Check failed: Check 4/6 error: aws_acmpca_permission.test: Attribute 'actions.0' not found
    testing.go:715: Error destroying resource! WARNING: Dangling resources
        may exist. The full state and error is shown below.
        
        Error: Check failed: InvalidStateException: The certificate authority is in the DELETED state and must be restored to complete this action.
        
        State: <no state>
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	31.058s
FAIL
make: *** [GNUmakefile:26: testacc] Error 1

It looks like it's doing the following:

1. Destroy Permission resource
2. Destroy CA resource
3. List Permissions

When, what I'd obviously like it to do is:

1. Destroy Permission resource
2. List Permissions
3. Destroy CA resource

I'll take a look as soon as time allows as to how to influence the destruction/test order.
I also haven't run any of the other acceptance tests yet.

[mattburgess]

2 out of 3 acceptance tests are passing now. I still have an issue with the cert authority being deleted before the check for a destroyed permission is being run. Or at least I think that's the right interpretation of the output below:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAwsAcmpcaPermission'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaPermission -timeout 120m
=== RUN   TestAccAwsAcmpcaPermission_Valid
=== PAUSE TestAccAwsAcmpcaPermission_Valid
=== RUN   TestAccAwsAcmpcaPermission_InvalidPrincipal
=== PAUSE TestAccAwsAcmpcaPermission_InvalidPrincipal
=== RUN   TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== PAUSE TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== CONT  TestAccAwsAcmpcaPermission_InvalidActionsEntry
=== CONT  TestAccAwsAcmpcaPermission_Valid
=== CONT  TestAccAwsAcmpcaPermission_InvalidPrincipal
--- PASS: TestAccAwsAcmpcaPermission_InvalidActionsEntry (3.68s)
--- PASS: TestAccAwsAcmpcaPermission_InvalidPrincipal (3.69s)
--- FAIL: TestAccAwsAcmpcaPermission_Valid (32.55s)
    testing.go:654: Step 0 error: Check failed: Check 4/6 error: aws_acmpca_permission.test: Attribute 'actions.0' not found
    testing.go:715: Error destroying resource! WARNING: Dangling resources
        may exist. The full state and error is shown below.
        
        Error: Check failed: InvalidStateException: The certificate authority is in the DELETED state and must be restored to complete this action.
        
        State: <no state>
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	32.587s
FAIL

[ewbankkit]

@mattburgess Thanks for this.
Because actions is correctly a Set, not a List, the index values in the Terraform state will be the hash values of the strings and not 0, 1, 2. The resource.TestCheckResourceAttr(resourceName, "actions.#", "3"), check should be sufficient here.

The InvalidStateException: The certificate authority is in the DELETED state and must be restored to complete this action. error is probably happening because the CA has been deleted and the ListPermissions call in testAccCheckAwsAcmpcaPermissionExists doesn't like this.
Adding an extra isAWSErr(err, ...) check for this error and returning nil in this case should be fine.

[mattburgess]

That was an incredibly quick review, thanks @ewbankkit ! Thanks for the pointers. I've pushed a fixup commit now, but am getting an odd error. It's obviously getting further than it was before, but for the life of me I can't see how my test step isn't configured correctly:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAwsAcmpcaPermission_Valid'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaPermission_Valid -timeout 120m
=== RUN   TestAccAwsAcmpcaPermission_Valid
=== PAUSE TestAccAwsAcmpcaPermission_Valid
=== CONT  TestAccAwsAcmpcaPermission_Valid
--- FAIL: TestAccAwsAcmpcaPermission_Valid (44.33s)
    testing.go:654: Step 1 error: unknown test mode for step. Please see TestStep docs
        
        resource.TestStep{ResourceName:"aws_acmpca_permission.test", PreConfig:(func())(nil), Taint:[]string(nil), Config:"", Check:(resource.TestCheckFunc)(nil), Destroy:false, ExpectNonEmptyPlan:false, ExpectError:(*regexp.Regexp)(nil), PlanOnly:false, PreventDiskCleanup:false, PreventPostDestroyRefresh:false, SkipFunc:(func() (bool, error))(nil), ImportState:false, ImportStateId:"", ImportStateIdPrefix:"", ImportStateIdFunc:(resource.ImportStateIdFunc)(nil), ImportStateCheck:(resource.ImportStateCheckFunc)(nil), ImportStateVerify:false, ImportStateVerifyIgnore:[]string(nil), providers:map[string]terraform.ResourceProvider{"aws":(*schema.Provider)(0xc000831100)}}
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	44.361s
FAIL

testing.go:614 spits out that error when step.Config == "" && !step.ImportState
Obviously, I don't have an ImportState (there's no import support for this resource...yet!). But step.Config is most definitely populated prior to the tests running, otherwise how would it create the PCA + Permission to then run the assertions against? Any ideas what's setting it back to "" would be greatly appreciated.

[ewbankkit]

@mattburgess It must be the test step

			{
				ResourceName: resourceName,
			},

that causes that error.

[mattburgess]

@mattburgess It must be the test step

			{
				ResourceName: resourceName,
			},

that causes that error.

Doh! Must've been working too late last night. Fixed and all the acceptance tests now pass. Many thanks for the review & patience!

[teamterraform]

Notification of Recent and Upcoming Changes to Contributions

Thank you for this contribution! There have been a few recent development changes that affect this pull request. We apologize for the inconvenience, especially if there have been long review delays up until now. Please note that this is automated message from an unmonitored account. See the FAQ for additional information on the maintainer team and review prioritization.

If you are unable to complete these updates, please leave a comment for the community and maintainers so someone can potentially continue the work. The maintainers will encourage other contributors to use the existing contribution as the base for additional changes as appropriate. Otherwise, contributions that do not receive updated code or comments from the original contributor may be closed in the future so the maintainers can focus on active items.

For the most up to date information about Terraform AWS Provider development, see the Contributing Guide. Additional technical debt changes can be tracked with the technical-debt label on issues.

As part of updating a pull request with these changes, the most current unit testing and linting will run. These may report issues that were not previously reported.

Action Required: Terraform 0.12 Syntax

Reference: #8950
Reference: #14417

Version 3 and later of the Terraform AWS Provider, which all existing contributions would potentially be added, only supports Terraform 0.12 and later. Certain syntax elements of Terraform 0.11 and earlier show deprecation warnings during runs with Terraform 0.12. Documentation and test configurations, such as those including deprecated string interpolations (some_attribute = "${aws_service_thing.example.id}") should be updated to the newer syntax (some_attribute = aws_service_thing.example.id). Contribution testing will automatically fail on older syntax in the near future. Please see the referenced issues for additional information.

Action Required: Terraform Plugin SDK Version 2

Reference: #14551

The Terraform AWS Provider has been upgraded to the latest version of the Terraform Plugin SDK. Generally, most changes to contributions should only involve updating Go import paths in source code files. Please see the referenced issue for additional information.

Action Required: Removal of website/aws.erb File

Reference: #14712

Any changes to the website/aws.erb file are no longer necessary and should be removed from this contribution to prevent merge issues in the near future when the file is removed from the repository. Please see the referenced issue for additional information.

Upcoming Change of Git Branch Naming

Reference: #14292

Development environments will need their upstream Git branch updated from master to main in the near future. Please see the referenced issue for additional information and scheduling.

Upcoming Change of GitHub Organization

Reference: #14715

This repository will be migrating from https://github.com/terraform-providers/terraform-provider-aws to https://github.com/hashicorp/terraform-provider-aws. No practitioner or developer action is anticipated and most GitHub functionality will automatically redirect to the new location. Go import paths including terraform-providers can remain for now. Please see the referenced issue for additional information and scheduling.

[nmarchini]

Any ETA on when this will be merged please?

[sandangel]

hi, can we have a review on this PR? I think all the checks are passing now.

[whyman]

Any news on getting this merged?

[zhelding]

Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding.

Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single aws directory to a large number of separate directories in internal/service, each corresponding to a particular AWS service. This separation of code has also allowed for us to simplify the names of underlying functions -- while still avoiding namespace collisions.

We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author.

For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000.

For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.

[mattburgess]

I've rebased to fix up the merge conflict, and fixed up a couple of minor issues I saw with the PR while I was at it.

This PR would be a bit more useful with resource import support added as I'd well imagine folks needing this feature will have already added the relevant permissions to their private CAs. I had a stab at that this evening but the trivial implementation I attempted failed miserably. I'll have another go tomorrow and reach out for some help if I don't get anywhere with it.

[adv4000]

Current workaround:

resource "null_resource" "permission_ca" {
  provisioner "local-exec" {
    command = <<EOT
    aws acm-pca create-permission \
    --certificate-authority-arn ${aws_acmpca_certificate_authority.main.arn} \
    --principal acm.amazonaws.com \
    --source-account ${data.aws_caller_identity.current.account_id} \
    --actions IssueCertificate GetCertificate ListPermissions
EOT
  }
}

[rmldsky]

Hello @breathingdust, any chance this will still make it within this quarters roadmap? Thanks and have a good one!

[ewbankkit]

@rmldsky Yes, I think @gdavison is scheduled to look at this one and hopefully merge by the end of the (HashiCorp) quarter (31st July).

[ewbankkit]

% make semall providerlint golangci-lint                   
==> Running Semgrep checks locally (must have semgrep installed)...
Scanning 4123 files with 37 go rules.
  100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|4123/4123 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 37 rules on 4123 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 4123 files with 24 go rules.
  100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|4123/4123 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 24 rules on 4123 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 1561 files with 4 go rules.
  100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|1561/1561 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 4 rules on 1561 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 991 files with 206 go rules.
  100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|991/991 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 206 rules on 991 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 1112 files with 205 go rules.
  100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|1112/1112 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 206 rules on 1112 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 929 files with 202 go rules.
  100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|929/929 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 206 rules on 929 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
Scanning 999 files with 205 go rules.
  100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|999/999 tasks

Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 1645 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 205 rules on 999 files: 0 findings.
If Semgrep missed a finding, please send us feedback to let us know!
  $ semgrep shouldafound --help
==> Checking source code with providerlint...
==> Checking source code with golangci-lint...

[ewbankkit]

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccACMPCAPermission_' PKG=acmpca  ACCTEST_PARALLELISM=2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/acmpca/... -v -count 1 -parallel 2  -run=TestAccACMPCAPermission_ -timeout 180m
=== RUN   TestAccACMPCAPermission_basic
=== PAUSE TestAccACMPCAPermission_basic
=== RUN   TestAccACMPCAPermission_disappears
=== PAUSE TestAccACMPCAPermission_disappears
=== RUN   TestAccACMPCAPermission_sourceAccount
=== PAUSE TestAccACMPCAPermission_sourceAccount
=== CONT  TestAccACMPCAPermission_basic
=== CONT  TestAccACMPCAPermission_sourceAccount
--- PASS: TestAccACMPCAPermission_basic (26.28s)
=== CONT  TestAccACMPCAPermission_disappears
--- PASS: TestAccACMPCAPermission_sourceAccount (27.24s)
--- PASS: TestAccACMPCAPermission_disappears (24.03s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/acmpca	61.489s

[ewbankkit]

@mattburgess Thanks for the contribution 🎉 👏.

[github-actions]

This functionality has been released in v4.24.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.