[PLACEHOLDER] Consistent Resource Not Found Error Handling

[bflad]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Background

Placeholder Note: This issue contains details for a potential future project, but it has not been agreed upon in principle/design and is currently only here to track various issue/pull request references as they appear along with broad proposals.

The general goal behind this project would be to standardize resource error handling when the resource is not found. Resources today can use the following methodology for handling resource disappearance:

• Disappears Acceptance Testing: To verify that removing a resource outside of Terraform's lifecycle management is appropriately handled to suggest recreation without returning an error
• If resource not found error code(s)/message(s) are returned from the API:
  • During resource Read function: Warning log (likely warning diagnostic in future), remove resource from state, return no error
  • During resource Delete function: Return no error (resource is already automatically removed from state)
  • During acceptance testing "CheckExists" function: Return error
  • During acceptance testing CheckDestroy function: Continue resource checking loop (we got what we wanted already)

While there are some efforts to implement disappears testing across the provider codebase, it is not consistent or necessarily enforced during reviews so it is easy to miss. Without disappears testing, there are higher chances of Read handling to be missing. Handling of these errors in the Delete function are often missed because there is not an easy way in the Terraform Plugin SDK acceptance testing framework to trigger a deletion without refresh. CheckDestroy handling is almost always implemented for at least some of the errors as the testing will not pass at all without it.

Another challenge here is that there can be considerable "distance" between where the API/SDK call occurs and the resource code which would be checking for the resource not found error. For example, some resources use finder and waiter packages for delegating read or wait for removal API functionality in a more consistent (and potentially automatically generated in the future) method, while others have manually implemented similar but disparate equivalents in other resource functions. Especially for those custom implementations, some go through efforts to return nil instead of resource not found errors. These types of inconsistencies should be smoothed over through this proposal.

Proposal 1

Create a standard method for converting AWS Go SDK errors with specific error codes and messages to the Terraform Plugin SDK helper/resource.NotFoundError. We could then use static analysis to ensure this type of error is always handled in the Read/Delete/CheckDestroy functions.

Very roughly:

• Create a standardized function signature type† for consuming the AWS Go SDK error and either returning the error as-is (potentially nil) or wrapping it in resource.NotFoundError††
• In each resource, implement that function using the existing AWS Go SDK error helpers
• Around each read/delete API call, add this wrapper before returning errors
• In each resource Read, Delete, and CheckDestroy function, add a conditional with resource.NotFoundError checking and remove any existing resource not found error checking
• Implement static analysis that enforces that each read/delete API call uses the resource error wrapper
• Implement static analysis that enforces that each Read, Delete, and CheckDestroy function contains a conditional with resource.NotFoundError checking

† Or implement a new "Terraform AWS Provider resource" type and this as a new receiver method -- although if this is remotely a path forward, then this should really be thought about in the context of the "service packages" project.
†† This can (should?) be further simplified into "provide a list of error checking functions that return a boolean" whether this should be wrapped. Very related to what would likely be good for #9223 as well.

Proposal 2

Always create wrapper functions for AWS Go SDK API calls and return nil for resource not found errors immediately after they occur.

References

Related Efforts:

• Enhance Error Messaging for Resources Requiring Import #9223
• Replace testAccCheck...Disappears Implementations with testAccCheckResourceDisappears #13527
• Replace PreConfig Disappears Testing #13820
• Technical debt: Add missing '_disappears' acceptance test cases #13826
• Contributing Documentation: Add section on error handling #15792

Related Issues:

• RDS - error deleting, instance not found #12900
• resource/aws_app_cookie_stickiness_policy: Do not return error from Delete when resource not found #15781
• resource/aws_lb_cookie_stickiness_policy: Do not return error from Delete when resource not found #15782

[ewbankkit]

Some initial thoughts on what this could look like.

Returning NotFoundError when a resource is not found.

In the per-service finder/finder.go:

// ThingByID returns the thing corresponding to the specified ID.
// Returns NotFoundError if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingInput{
		ThingId: aws.String(thingID),
	}

	return Thing(conn, input)
}

// Thing returns the thing corresponding to the specified input.
// Returns NotFoundError if no thing is found.
func Thing(conn *example.Example, input *example.GetThingInput) (*example.Thing, error) {
	output, err := conn.GetThing(input)

	// If the AWS API signals that the thing doesn't exist, return NotFoundError.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return nil, &resource.NotFoundError{
			LastError:   err,
			LastRequest: input,
		}
	}

	if err != nil {
		return nil, err
	}

	// Handle any empty result.
	if output == nil || output.Thing == nil {
		return nil, &resource.NotFoundError{
			Message:     "Empty result",
			LastRequest: input,
		}
	}

	return output.Thing, nil
}

If the resource has an associated status for which one or more values indicate that nothing more can be done with the resource, finder/finder.go can be enhanced:

// ThingByID returns the thing corresponding to the specified ID.
// Returns NotFoundError if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingInput{
		ThingId: aws.String(thingID),
	}

	return Thing(conn, input)
}

// Thing returns the thing corresponding to the specified input.
// Returns NotFoundError if no thing is found.
func Thing(conn *example.Example, input *example.GetThingInput) (*example.Thing, error) {
	output, err := conn.GetThing(input)

	// If the AWS API signals that the thing doesn't exist, return NotFoundError.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return nil, &resource.NotFoundError{
			LastError:   err,
			LastRequest: input,
		}
	}

	if err != nil {
		return nil, err
	}

	// Handle any empty result.
	if output == nil || output.Thing == nil {
		return nil, &resource.NotFoundError{
			Message:     "Empty result",
			LastRequest: input,
		}
	}

	// If Thing has status(es) indicating that nothing more can be done with the thing
	// and that the thing will eventually be garbage collected by AWS, return NotFoundError.
	if status := aws.StringValue(output.Thing.Status); status == example.ThingStatusDeleted {
		return nil, &resource.NotFoundError{
			Message:     status,
			LastRequest: input,
		}
	}

	return output.Thing, nil
}

and waiter/status.go and waiter/waiter.go can be added (#12840) if the deletion occurs asynchronously:

func ThingStatus(conn *example.Example, thingID string) resource.StateRefreshFunc {
	return func() (interface{}, string, error) {
		thing, err := finder.ThingByID(conn, thingID)

		if tfresource.NotFound(err) {
			return nil, "", nil
		}

		if err != nil {
			return nil, "", err
		}

		return thing, aws.StringValue(thing.Status), nil
	}
}

const (
	// Maximum amount of time to wait for a Thing to be deleted.
	ThingDeletedTimeout = 5 * time.Minute
)

// ThingDeleted waits for a Thing to be deleted.
func ThingDeleted(conn *example.Example, thingID string) (*example.Thing, error) {
	stateConf := &resource.StateChangeConf{
		Pending: []string{example.ThingStatusDeleting},
		Target:  []string{},
		Refresh: ThingStatus(conn, thingID),
		Timeout: ThingDeletedTimeout,
	}

	outputRaw, err := stateConf.WaitForState()

	if v, ok := outputRaw.(*example.Thing); ok {
		return v, err
	}

	return nil, err
}

Similarly for resource deletion, in deleter/deleter.go (package name should be debated, I'm just mirroring finder for now):

// ThingByID deletes the thing corresponding to the specified ID.
// Returns NotFoundError if no thing is found.
func ThingByID(conn *example.Example, thingID string) error {
	input := &example.DeleteThingInput{
		ThingId: aws.String(thingID),
	}

	_, err := conn.DeleteThing(input)

	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return &resource.NotFoundError{
			LastError:   err,
			LastRequest: input,
		}
	}

	return err
}

The resource implementation would then look like

func resourceAwsExampleThingCreate(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	// Create a thing.
	output, err := conn.CreateThing(&example.CreateThingInput{
		...
	})

	if err != nil {
		return fmt.Errorf("error creating Example Thing: %w", err)
	}

	d.SetId(aws.StringValue(output.ThingId))

	return resourceAwsExampleThingRead(d, meta)
}

func resourceAwsExampleThingRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	thing, err := finder.ThingByID(conn, d.Id())

	if !d.IsNewResource() && tfresource.NotFound(err) {
		log.Printf("[WARN] Example Thing (%s) not found, removing from state", d.Id())
		d.SetId("")
		return nil
	}

	if err != nil {
		return fmt.Errorf("error reading Example Thing (%s): %w", d.Id(), err)
	}

	// Set all the attributes.

	return nil
}

func resourceAwsExampleThingUpdate(d *schema.ResourceData, meta interface{}) error {
	// Update the thing.

	return resourceAwsExampleThingRead(d, meta)
}

func resourceAwsExampleThingDelete(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	err := deleter.ThingByID(conn, d.Id())

	if tfresource.NotFound(err) {
		return nil
	}

	if err != nil {
		return fmt.Errorf("error deleting Example Thing (%s): %w", d.Id(), err)
	}

	// If the deletion occurs asynchronously, wait.
	_, err = waiter.ThingDeleted(conn, d.Id())

	if err != nil {
		return fmt.Errorf("error waiting for Example Thing (%s) to delete: %w", d.Id(), err)
	}

	return nil
}

The acceptance test Exists and Destroy functions would look like

func testAccCheckAwsExampleThingExists(name string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		conn := testAccProvider.Meta().(*AWSClient).exampleconn

		rs, ok := s.RootModule().Resources[name]
		if !ok {
			return fmt.Errorf("Not found: %s", name)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		_, err := finder.ThingByID(conn, rs.Primary.ID)

		if err != nil {
			return err
		}

		return nil
	}
}

func testAccCheckAwsExampleThingDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).globalacceleratorconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_example_thing" {
			continue
		}

		_, err := finder.ThingByID(conn, rs.Primary.ID)

		if tfresource.NotFound(err) {
			continue
		}

		if err != nil {
			return err
		}

		return fmt.Errorf("Example Thing %s still exists", rs.Primary.ID)
	}
	return nil
}

Services with GetThings() method

Some AWS services (for example AutoScalingPlans and EC2) have no GetThing() method, preferring a GetThings() lister method.
For these services prefer the paginated variant GetThingsPages() (see #13516 for how to generate a paginated lister function if the service does not provide such a method).

In the per-service finder/finder.go:

// ThingByID returns the thing corresponding to the specified ID.
// Returns NotFoundError if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingsInput{
		ThingIds: aws.StringSlice([]string{thingID}),
	}

	things, err := Things(conn, input)

	if err != nil {
		return nil, err
	}

	// Handle any empty result.
	if len(things) == 0 {
		return nil, &resource.NotFoundError{
			Message:     "Empty result",
			LastRequest: input,
		}
	}

	return things[0], nil
}

// Things returns the things corresponding to the specified input.
// Returns an empty slice if no things are found.
func Things(conn *example.Example, input *example.GetThingsInput) ([]*example.Thing, error) {
	var things []*example.Thing

	err := conn.GetThingsPages(input, func(page *example.GetThingsOutput, isLast bool) bool {
		if page == nil {
			return !isLast
		}

		for _, thing := range page.Things {
			if thing == nil {
				continue
			}

			// If Thing has status(es) indicating that nothing more can be done with the thing
			// and that the thing will eventually be garbage collected by AWS, ignore the thing.
			if aws.StringValue(thing.Status) == example.ThingStatusDeleted {
				continue
			}

			things = append(things, thing)
		}

		return !isLast
	})

	// If the AWS API signals that the thing doesn't exist, return an empty slice.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return things, nil
	}

	if err != nil {
		return nil, err
	}

	return things, nil
}

The waiter package and the aws_example_thing resource do not change.

aws_example_thing and aws_example_things data sources

The finder.Things code above can be used in any aws_example_thing and aws_example_things data sources, especially if the service supports generic attribute filtering (#13304).
Using the namevaluesfilters package from #13313, add to finder/finder.go

// ThingsByNameValuesFilters returns the things corresponding to the specified filter.
// Returns an empty slice if no thing is found.
func ThingsByNameValuesFilters(conn *example.Example, filters namevaluesfilters.NameValuesFilters) ([]*example.Thing, error) {
	input := &example.GetThingsInput{
		Filters: filters.ExampleFilters(),
	}

	things, err := Things(conn, input)

	if err != nil {
		return nil, err
	}

	return things, nil
}

The aws_example_thing data source implementation would then look like

func dataSourceAwsExampleThingRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	filters := namevaluesfilters.New(map[string]string{
		"name-1": "value1",
		"name-2": "value2",
	})

	things, err := finder.ThingsByNameValuesFilters(conn, filters)

	if len(things) == 0 {
		return fmt.Errorf("no Example Things matched; change the search criteria and try again")
	}

	if err != nil {
		return fmt.Errorf("error reading Example Things: %w", err)
	}

	if n := len(things); n > 0 {
		return fmt.Errorf("%d Example Things matched; use additional constraints to reduce matches to a single Thing", n)
	}

	// Set all the attributes.

	return nil
}

and aws_example_things data source implementation would then look like

func dataSourceAwsExampleThingsRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	filters := namevaluesfilters.New(map[string]string{
		"name-1": "value1",
		"name-2": "value2",
	})

	things, err := finder.ThingsByNameValuesFilters(conn, filters)

	if err != nil {
		return fmt.Errorf("error reading Example Things: %w", err)
	}

	for _, thing := range things {
		// Set all the attributes.
	}

	return nil
}

Returning nil when a resource is not found.

In the per-service finder/finder.go:

// ThingByID returns the thing corresponding to the specified ID.
// Returns nil if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingInput{
		ThingId: aws.String(thingID),
	}

	return Thing(conn, input)
}

// Thing returns the thing corresponding to the specified input.
// Returns nil if no thing is found.
func Thing(conn *example.Example, input *example.GetThingInput) (*example.Thing, error) {
	output, err := conn.GetThing(input)

	// If the AWS API signals that the thing doesn't exist, return nil.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return nil, nil
	}

	if err != nil {
		return nil, err
	}

	// Handle any empty result.
	if output == nil || output.Thing == nil {
		return nil, nil
	}

	return output.Thing, nil
}

If the resource has an associated status for which one or more values indicate that nothing more can be done with the resource, finder/finder.go can be enhanced:

// ThingByID returns the thing corresponding to the specified ID.
// Returns nil if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingInput{
		ThingId: aws.String(thingID),
	}

	return Thing(conn, input)
}

// Thing returns the thing corresponding to the specified input.
// Returns nil if no thing is found.
func Thing(conn *example.Example, input *example.GetThingInput) (*example.Thing, error) {
	output, err := conn.GetThing(input)

	// If the AWS API signals that the thing doesn't exist, return nil.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return nil, nil
	}

	if err != nil {
		return nil, err
	}

	// Handle any empty result.
	if output == nil || output.Thing == nil {
		return nil, nil
	}

	// If Thing has status(es) indicating that nothing more can be done with the thing
	// and that the thing will eventually be garbage collected by AWS, return nil.
	if status := aws.StringValue(output.Thing.Status); status == example.ThingStatusDeleted {
		return nil, nil
	}

	return output.Thing, nil
}

and waiter/status.go and waiter/waiter.go can be added (#12840) if the deletion occurs asynchronously:

func ThingStatus(conn *example.Example, thingID string) resource.StateRefreshFunc {
	return func() (interface{}, string, error) {
		thing, err := finder.ThingByID(conn, thingID)

		if err != nil {
			return nil, "", err
		}

		if thing == nil {
			return nil, "", nil
		}

		return thing, aws.StringValue(thing.Status), nil
	}
}

const (
	// Maximum amount of time to wait for a Thing to be deleted.
	ThingDeletedTimeout = 5 * time.Minute
)

// ThingDeleted waits for a Thing to be deleted.
func ThingDeleted(conn *example.Example, thingID string) (*example.Thing, error) {
	stateConf := &resource.StateChangeConf{
		Pending: []string{example.ThingStatusReady, example.ThingStatusDeleting},
		Target:  []string{},
		Refresh: ThingStatus(conn, thingID),
		Timeout: ThingDeletedTimeout,
	}

	outputRaw, err := stateConf.WaitForState()

	if v, ok := outputRaw.(*example.Thing); ok {
		return v, err
	}

	return nil, err
}

Similarly for resource deletion, in deleter/deleter.go (package name should be debated, I'm just mirroring finder for now):

// ThingByID deletes the thing corresponding to the specified ID.
// Returns nil if no thing is found.
func ThingByID(conn *example.Example, thingID string) error {
	input := &example.DeleteThingInput{
		ThingId: aws.String(thingID),
	}

	_, err := conn.DeleteThing(input)

	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return nil
	}

	return err
}

The resource implementation would then look like

func resourceAwsExampleThingCreate(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	// Create a thing.
	output, err := conn.CreateThing(&example.CreateThingInput{
		...
	})

	if err != nil {
		return fmt.Errorf("error creating Example Thing: %w", err)
	}

	d.SetId(aws.StringValue(output.ThingId))

	return resourceAwsExampleThingRead(d, meta)
}

func resourceAwsExampleThingRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	thing, err := finder.ThingByID(conn, d.Id())

	if err != nil {
		return fmt.Errorf("error reading Example Thing (%s): %w", d.Id(), err)
	}

	if !d.IsNewResource() && thing == nil {
		log.Printf("[WARN] Example Thing (%s) not found, removing from state", d.Id())
		d.SetId("")
		return nil
	}

	if thing == nil {
		return fmt.Errorf("error reading Example Thing (%s): Not found", d.Id())
	}

	// Set all the attributes.

	return nil
}

func resourceAwsExampleThingUpdate(d *schema.ResourceData, meta interface{}) error {
    // Update the thing.

	return resourceAwsExampleThingRead(d, meta)
}

func resourceAwsExampleThingDelete(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	err := deleter.ThingByID(conn, d.Id())

	if err != nil {
		return fmt.Errorf("error deleting Example Thing (%s): %w", d.Id(), err)
	}

	// If the deletion occurs asynchronously, wait.
	_, err = waiter.ThingDeleted(conn, d.Id())

	if err != nil {
		return fmt.Errorf("error waiting for Example Thing (%s) to delete: %w", d.Id(), err)
	}

	return nil
}

The acceptance test Exists and Destroy functions would look like

func testAccCheckAwsExampleThingExists(name string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		conn := testAccProvider.Meta().(*AWSClient).exampleconn

		rs, ok := s.RootModule().Resources[name]
		if !ok {
			return fmt.Errorf("Not found: %s", name)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		thing, err := finder.ThingByID(conn, rs.Primary.ID)

		if err != nil {
			return err
		}

		if thing == nil {
			return fmt.Errorf("Example Thing %s not found", rs.Primary.ID)
		}

		return nil
	}
}

func testAccCheckAwsExampleThingDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).globalacceleratorconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_example_thing" {
			continue
		}

		thing, err := finder.ThingByID(conn, rs.Primary.ID)

		if thing == nil {
			continue
		}

		if err != nil {
			return err
		}

		return fmt.Errorf("Example Thing %s still exists", rs.Primary.ID)
	}
	return nil
}

Services with GetThings() method

Some AWS services (for example AutoScalingPlans and EC2) have no GetThing() method, preferring a GetThings() lister method.
For these services prefer the paginated variant GetThingsPages() (see #13516 for how to generate a paginated lister function if the service does not provide such a method).

In the per-service finder/finder.go:

// ThingByID returns the thing corresponding to the specified ID.
// Returns nil if no thing is found.
func ThingByID(conn *example.Example, thingID string) (*example.Thing, error) {
	input := &example.GetThingsInput{
		ThingIds: aws.StringSlice([]string{thingID}),
	}

	things, err := Things(conn, input)

	if err != nil {
		return nil, err
	}

	if things == nil {
		return nil, nil
	}

	return things[0], nil
}

// Things returns the things corresponding to the specified input.
// Returns an empty slice if no things are found.
func Things(conn *example.Example, input *example.GetThingsInput) ([]*example.Thing, error) {
	var things []*example.Thing

	err := conn.GetThingsPages(input, func(page *example.GetThingsOutput, isLast bool) bool {
		if page == nil {
			return !isLast
		}

		for _, thing := range page.Things {
			if thing == nil {
				continue
			}

			// If Thing has status(es) indicating that nothing more can be done with the thing
			// and that the thing will eventually be garbage collected by AWS, ignore the thing.
			if aws.StringValue(thing.Status) == example.ThingStatusDeleted {
				continue
			}

			things = append(things, thing)
		}

		return !isLast
	})

	// If the AWS API signals that the thing doesn't exist, return an empty slice.
	if tfawserr.ErrCodeEquals(err, example.ErrCodeResourceNotFoundException) {
		return things, nil
	}

	if err != nil {
		return nil, err
	}

	return things, nil
}

The waiter package and the aws_example_thing resource do not change.

aws_example_thing and aws_example_things data sources

The finder.Things code above can be used in any aws_example_thing and aws_example_things data sources, especially if the service supports generic attribute filtering (#13304).
Using the namevaluesfilters package from #13313, add to finder/finder.go

// ThingsByNameValuesFilters returns the things corresponding to the specified filter.
// Returns an empty slice if no thing is found.
func ThingsByNameValuesFilters(conn *example.Example, filters namevaluesfilters.NameValuesFilters) ([]*example.Thing, error) {
	input := &example.GetThingsInput{
		Filters: filters.ExampleFilters(),
	}

	things, err := Things(conn, input)

	if err != nil {
		return nil, err
	}

	return things, nil
}

The aws_example_thing data source implementation would then look like

func dataSourceAwsExampleThingRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	filters := namevaluesfilters.New(map[string]string{
		"name-1": "value1",
		"name-2": "value2",
	})

	things, err := finder.ThingsByNameValuesFilters(conn, filters)

	if err != nil {
		return fmt.Errorf("error reading Example Things: %w", err)
	}

	if len(things) == 0 {
		return fmt.Errorf("no Example Things matched; change the search criteria and try again")
	}

	if n := len(things); n > 0 {
		return fmt.Errorf("%d Example Things matched; use additional constraints to reduce matches to a single Thing", n)
	}

	// Set all the attributes.

	return nil
}

and aws_example_things data source implementation would then look like

func dataSourceAwsExampleThingsRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).exampleconn

	filters := namevaluesfilters.New(map[string]string{
		"name-1": "value1",
		"name-2": "value2",
	})

	things, err := finder.ThingsByNameValuesFilters(conn, filters)

	if err != nil {
		return fmt.Errorf("error reading Example Things: %w", err)
	}

	for _, thing := range things {
		// Set all the attributes.
	}

	return nil
}

[ewbankkit]

Some conclusions and considerations from the initial thoughts above:

• Returning NotFoundError simplifies the code (error propagation) and logic (no nil checks required with associated crashes if they are forgotten)
• Moving relevant AWS error checking and status code checking into the finder seems more robust (see Deleted transit gateway attachments causing resource refresh to fail #10393 for example of where not checking for DELETED status code causes issues)
• Do we want to move the resource deletion API call into a separate package (if so, what should the name be)? If acceptance test sweepers are changed to use the

			r := resourceAwsExampleThing()
			d := r.Data(nil)
			d.SetId(...)
			err = r.Delete(d, client)

form then there is usually only a single place that the resource deletion API method is called

[ewbankkit]

Testing the Resource Not Found error on resource deletion can be done by adding a second call to testAccCheckResourceDisappears in the resource's _disappears acceptance test.
For example:

func TestAccAWSVpc_disappears(t *testing.T) {
	var vpc ec2.Vpc
	resourceName := "aws_vpc.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckVpcDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccVpcConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckVpcExists(resourceName, &vpc),
					testAccCheckResourceDisappears(testAccProvider, resourceAwsVpc(), resourceName),
					// Deletion of deleted resource.
					testAccCheckResourceDisappears(testAccProvider, resourceAwsVpc(), resourceName),
				),
				ExpectNonEmptyPlan: true,
			},
		},
	})
}

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.