diff --git a/go.mod b/go.mod index 5640f7fe98e..3fc39134577 100644 --- a/go.mod +++ b/go.mod @@ -195,6 +195,8 @@ require ( require github.com/aws/aws-sdk-go-v2/service/costandusagereportservice v1.23.3 +require github.com/aws/aws-sdk-go-v2/service/acmpca v1.29.3 + require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.1 // indirect diff --git a/go.sum b/go.sum index a2c45b91717..5e27a724d6c 100644 --- a/go.sum +++ b/go.sum @@ -50,6 +50,8 @@ github.com/aws/aws-sdk-go-v2/service/account v1.16.3 h1:naZ+3ZZa/j5c7N25vCII8ZHW github.com/aws/aws-sdk-go-v2/service/account v1.16.3/go.mod h1:QBT5/WHp07EA3HgT/Wg3qVpL9baYpqaLl6XWSH18ntk= github.com/aws/aws-sdk-go-v2/service/acm v1.25.3 h1:AH94I88C4CPMp6YOTncdshON5hsyBDWUAM/FBAHHkco= github.com/aws/aws-sdk-go-v2/service/acm v1.25.3/go.mod h1:hFOyylMVlIkhN7YLhv64oBZzVTJoi8bqhJZfkDVlZww= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.29.3 h1:KkkUQXWi8ddsVrmX04FcAOBz/R8dmt+7MNsUoB7XImU= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.29.3/go.mod h1:EfOq2JRfHuaQY21aVXTGYQ7pjF0zW9+xD+u36e1nqTU= github.com/aws/aws-sdk-go-v2/service/amp v1.25.3 h1:GkOnnt0ItVXnvo7xt1/+XJkzB6q1NAa80cLn7KkQd50= github.com/aws/aws-sdk-go-v2/service/amp v1.25.3/go.mod h1:FUrdgK1jyv01Q1DjpW6MWjA/ZEuTRphMLdkqtLTBXq0= github.com/aws/aws-sdk-go-v2/service/appconfig v1.29.1 h1:AtkGG+t4U+Mb7sR2lQj/uvDlbdA7GVAIv8o/AAnS+vk= diff --git a/internal/acctest/acctest.go b/internal/acctest/acctest.go index d856b4e44e0..5400dc4ace0 100644 --- a/internal/acctest/acctest.go +++ b/internal/acctest/acctest.go @@ -20,6 +20,8 @@ import ( "github.com/YakDriver/regexache" accounttypes "github.com/aws/aws-sdk-go-v2/service/account/types" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + acmpcatypes "github.com/aws/aws-sdk-go-v2/service/acmpca/types" ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types" "github.com/aws/aws-sdk-go-v2/service/iam" awstypes "github.com/aws/aws-sdk-go-v2/service/iam/types" 
@@ -30,7 +32,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/endpoints" - "github.com/aws/aws-sdk-go/service/acmpca" "github.com/aws/aws-sdk-go/service/directoryservice" "github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/outposts" @@ -83,6 +84,8 @@ const ( ProviderNameThird = "awsthird" ResourcePrefix = "tf-acc-test" + + CertificateIssueTimeout = 5 * time.Minute ) const RFC3339RegexPattern = `^[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.[0-9]+)?([Zz]|([+-]([01][0-9]|2[0-3]):[0-5][0-9]))$` @@ -1933,17 +1936,17 @@ func ACMCertificateRandomSubDomain(rootDomain string) string { rootDomain) } -func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { +func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certificateAuthority *acmpcatypes.CertificateAuthority) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) - if v := aws.StringValue(certificateAuthority.Type); v != acmpca.CertificateAuthorityTypeRoot { + if v := string(certificateAuthority.Type); v != string(acmpcatypes.CertificateAuthorityTypeRoot) { return fmt.Errorf("attempting to activate ACM PCA %s Certificate Authority", v) } arn := aws.StringValue(certificateAuthority.Arn) - getCsrOutput, err := conn.GetCertificateAuthorityCsrWithContext(ctx, &acmpca.GetCertificateAuthorityCsrInput{ + getCsrOutput, err := conn.GetCertificateAuthorityCsr(ctx, &acmpca.GetCertificateAuthorityCsrInput{ CertificateAuthorityArn: aws.String(arn), }) 
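Review bot: The type guard in CheckACMPCACertificateAuthorityActivateRootCA converts both sides to string before comparing, which hides that certificateAuthority.Type is already the typed enum acmpcatypes.CertificateAuthorityType; `if certificateAuthority.Type != acmpcatypes.CertificateAuthorityTypeRoot {` reads more directly, and the error message can keep `%s` because a named string type prints as its underlying value. The same string round-trip appears in the subordinate variant later in this file and could be simplified the same way. The function body continues past the end of the hunk.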
@@ -1951,14 +1954,14 @@ func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certific return fmt.Errorf("getting ACM PCA Certificate Authority (%s) CSR: %w", arn, err) } - issueCertOutput, err := conn.IssueCertificateWithContext(ctx, &acmpca.IssueCertificateInput{ + issueCertOutput, err := conn.IssueCertificate(ctx, &acmpca.IssueCertificateInput{ CertificateAuthorityArn: aws.String(arn), Csr: []byte(aws.StringValue(getCsrOutput.Csr)), IdempotencyToken: aws.String(id.UniqueId()), SigningAlgorithm: certificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm, TemplateArn: aws.String(fmt.Sprintf("arn:%s:acm-pca:::template/RootCACertificate/V1", Partition())), - Validity: &acmpca.Validity{ - Type: aws.String(acmpca.ValidityPeriodTypeYears), + Validity: &acmpcatypes.Validity{ + Type: acmpcatypes.ValidityPeriodTypeYears, Value: aws.Int64(10), }, }) @@ -1968,16 +1971,19 @@ func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certific } // Wait for certificate status to become ISSUED. - err = conn.WaitUntilCertificateIssuedWithContext(ctx, &acmpca.GetCertificateInput{ + waiter := acmpca.NewCertificateIssuedWaiter(conn) + params := &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(arn), CertificateArn: issueCertOutput.CertificateArn, - }) + } + + err = waiter.Wait(ctx, params, CertificateIssueTimeout) if err != nil { return fmt.Errorf("waiting for ACM PCA Certificate Authority (%s) Root CA certificate to become ISSUED: %w", arn, err) } - getCertOutput, err := conn.GetCertificateWithContext(ctx, &acmpca.GetCertificateInput{ + getCertOutput, err := conn.GetCertificate(ctx, &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(arn), CertificateArn: issueCertOutput.CertificateArn, }) 
@@ -1986,7 +1992,7 @@ func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certific return fmt.Errorf("getting ACM PCA Certificate Authority (%s) issued Root CA certificate: %w", arn, err) } - _, err = conn.ImportCertificateAuthorityCertificateWithContext(ctx, &acmpca.ImportCertificateAuthorityCertificateInput{ + _, err = conn.ImportCertificateAuthorityCertificate(ctx, &acmpca.ImportCertificateAuthorityCertificateInput{ CertificateAuthorityArn: aws.String(arn), Certificate: []byte(aws.StringValue(getCertOutput.Certificate)), }) @@ -1999,17 +2005,17 @@ func CheckACMPCACertificateAuthorityActivateRootCA(ctx context.Context, certific } } -func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, rootCertificateAuthority, certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { +func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, rootCertificateAuthority, certificateAuthority *acmpcatypes.CertificateAuthority) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) - if v := aws.StringValue(certificateAuthority.Type); v != acmpca.CertificateAuthorityTypeSubordinate { + if v := string(certificateAuthority.Type); v != string(acmpcatypes.CertificateAuthorityTypeSubordinate) { return fmt.Errorf("attempting to activate ACM PCA %s Certificate Authority", v) } arn := aws.StringValue(certificateAuthority.Arn) - getCsrOutput, err := conn.GetCertificateAuthorityCsrWithContext(ctx, &acmpca.GetCertificateAuthorityCsrInput{ + getCsrOutput, err := conn.GetCertificateAuthorityCsr(ctx, &acmpca.GetCertificateAuthorityCsrInput{ CertificateAuthorityArn: aws.String(arn), }) 
@@ -2019,14 +2025,14 @@ func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, r rootCertificateAuthorityArn := aws.StringValue(rootCertificateAuthority.Arn) - issueCertOutput, err := conn.IssueCertificateWithContext(ctx, &acmpca.IssueCertificateInput{ + issueCertOutput, err := conn.IssueCertificate(ctx, &acmpca.IssueCertificateInput{ CertificateAuthorityArn: aws.String(rootCertificateAuthorityArn), Csr: []byte(aws.StringValue(getCsrOutput.Csr)), IdempotencyToken: aws.String(id.UniqueId()), SigningAlgorithm: certificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm, TemplateArn: aws.String(fmt.Sprintf("arn:%s:acm-pca:::template/SubordinateCACertificate_PathLen0/V1", Partition())), - Validity: &acmpca.Validity{ - Type: aws.String(acmpca.ValidityPeriodTypeYears), + Validity: &acmpcatypes.Validity{ + Type: acmpcatypes.ValidityPeriodTypeYears, Value: aws.Int64(3), }, }) @@ -2036,16 +2042,19 @@ func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, r } // Wait for certificate status to become ISSUED. - err = conn.WaitUntilCertificateIssuedWithContext(ctx, &acmpca.GetCertificateInput{ - CertificateAuthorityArn: aws.String(rootCertificateAuthorityArn), + waiter := acmpca.NewCertificateIssuedWaiter(conn) + params := &acmpca.GetCertificateInput{ + CertificateAuthorityArn: aws.String(arn), CertificateArn: issueCertOutput.CertificateArn, - }) + } + + err = waiter.Wait(ctx, params, CertificateIssueTimeout) if err != nil { return fmt.Errorf("waiting for ACM PCA Certificate Authority (%s) Subordinate CA certificate to become ISSUED: %w", arn, err) } - getCertOutput, err := conn.GetCertificateWithContext(ctx, &acmpca.GetCertificateInput{ + getCertOutput, err := conn.GetCertificate(ctx, &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(rootCertificateAuthorityArn), CertificateArn: issueCertOutput.CertificateArn, }) 
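Review bot: The waiter in CheckACMPCACertificateAuthorityActivateSubordinateCA now polls the wrong CA: the subordinate certificate was requested from the root (`IssueCertificate` with `rootCertificateAuthorityArn` earlier in this hunk) and the `GetCertificate` that follows the waiter still uses `rootCertificateAuthorityArn`, but the new `params` block sets `CertificateAuthorityArn: aws.String(arn)`, the subordinate's own ARN. The removed line carried the root ARN, so this is a regression introduced by the port; asking a CA for a certificate it did not issue would be expected to never reach ISSUED, so the check would time out or fail with a not-found error rather than activate the CA. Restore `CertificateAuthorityArn: aws.String(rootCertificateAuthorityArn),` inside params. The function body starts before and continues after the hunk.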
@@ -2054,7 +2063,7 @@ func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, r return fmt.Errorf("getting ACM PCA Certificate Authority (%s) issued Subordinate CA certificate: %w", arn, err) } - _, err = conn.ImportCertificateAuthorityCertificateWithContext(ctx, &acmpca.ImportCertificateAuthorityCertificateInput{ + _, err = conn.ImportCertificateAuthorityCertificate(ctx, &acmpca.ImportCertificateAuthorityCertificateInput{ CertificateAuthorityArn: aws.String(arn), Certificate: []byte(aws.StringValue(getCertOutput.Certificate)), CertificateChain: []byte(aws.StringValue(getCertOutput.CertificateChain)), @@ -2068,20 +2077,20 @@ func CheckACMPCACertificateAuthorityActivateSubordinateCA(ctx context.Context, r } } -func CheckACMPCACertificateAuthorityDisableCA(ctx context.Context, certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { +func CheckACMPCACertificateAuthorityDisableCA(ctx context.Context, certificateAuthority *acmpcatypes.CertificateAuthority) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) - _, err := conn.UpdateCertificateAuthorityWithContext(ctx, &acmpca.UpdateCertificateAuthorityInput{ + _, err := conn.UpdateCertificateAuthority(ctx, &acmpca.UpdateCertificateAuthorityInput{ CertificateAuthorityArn: certificateAuthority.Arn, - Status: aws.String(acmpca.CertificateAuthorityStatusDisabled), + Status: acmpcatypes.CertificateAuthorityStatusDisabled, }) return err } } -func CheckACMPCACertificateAuthorityExists(ctx context.Context, n string, certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { +func CheckACMPCACertificateAuthorityExists(ctx context.Context, n string, certificateAuthority *acmpcatypes.CertificateAuthority) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { 
@@ -2092,7 +2101,7 @@ func CheckACMPCACertificateAuthorityExists(ctx context.Context, n string, certif return fmt.Errorf("no ACM PCA Certificate Authority ID is set") } - conn := Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) output, err := tfacmpca.FindCertificateAuthorityByARN(ctx, conn, rs.Primary.ID) diff --git a/internal/conns/awsclient_gen.go b/internal/conns/awsclient_gen.go index 3d2c951ad00..3fe5f805fe9 100644 --- a/internal/conns/awsclient_gen.go +++ b/internal/conns/awsclient_gen.go @@ -7,6 +7,7 @@ import ( accessanalyzer_sdkv2 "github.com/aws/aws-sdk-go-v2/service/accessanalyzer" account_sdkv2 "github.com/aws/aws-sdk-go-v2/service/account" acm_sdkv2 "github.com/aws/aws-sdk-go-v2/service/acm" + acmpca_sdkv2 "github.com/aws/aws-sdk-go-v2/service/acmpca" amp_sdkv2 "github.com/aws/aws-sdk-go-v2/service/amp" appconfig_sdkv2 "github.com/aws/aws-sdk-go-v2/service/appconfig" appfabric_sdkv2 "github.com/aws/aws-sdk-go-v2/service/appfabric" @@ -147,7 +148,6 @@ import ( wellarchitected_sdkv2 "github.com/aws/aws-sdk-go-v2/service/wellarchitected" workspaces_sdkv2 "github.com/aws/aws-sdk-go-v2/service/workspaces" xray_sdkv2 "github.com/aws/aws-sdk-go-v2/service/xray" - acmpca_sdkv1 "github.com/aws/aws-sdk-go/service/acmpca" amplify_sdkv1 "github.com/aws/aws-sdk-go/service/amplify" apigateway_sdkv1 "github.com/aws/aws-sdk-go/service/apigateway" apigatewayv2_sdkv1 "github.com/aws/aws-sdk-go/service/apigatewayv2" 
@@ -258,8 +258,8 @@ func (c *AWSClient) ACMClient(ctx context.Context) *acm_sdkv2.Client { return errs.Must(client[*acm_sdkv2.Client](ctx, c, names.ACM, make(map[string]any))) } -func (c *AWSClient) ACMPCAConn(ctx context.Context) *acmpca_sdkv1.ACMPCA { - return errs.Must(conn[*acmpca_sdkv1.ACMPCA](ctx, c, names.ACMPCA, make(map[string]any))) +func (c *AWSClient) ACMPCAClient(ctx context.Context) *acmpca_sdkv2.Client { + return errs.Must(client[*acmpca_sdkv2.Client](ctx, c, names.ACMPCA, make(map[string]any))) } func (c *AWSClient) AMPClient(ctx context.Context) *amp_sdkv2.Client { diff --git a/internal/generate/tags/templates/v2/list_tags_body.tmpl b/internal/generate/tags/templates/v2/list_tags_body.tmpl index a4c8ac1edaf..59fb3c8ea7c 100644 --- a/internal/generate/tags/templates/v2/list_tags_body.tmpl +++ b/internal/generate/tags/templates/v2/list_tags_body.tmpl @@ -28,7 +28,7 @@ func {{ .ListTagsFunc }}(ctx context.Context, conn {{ .ClientType }}, identifier pages := {{ .TagPackage }}.New{{ .ListTagsOp }}Paginator(conn, input) for pages.HasMorePages() { - page, err := pages.NextPage(ctx) + page, err := pages.NextPage(ctx, optFns...) {{ if and ( .ParentNotFoundErrCode ) ( .ParentNotFoundErrMsg ) }} if tfawserr.ErrMessageContains(err, "{{ .ParentNotFoundErrCode }}", "{{ .ParentNotFoundErrMsg }}") { diff --git a/internal/service/acmpca/certificate.go b/internal/service/acmpca/certificate.go index 7cac716b03c..0a7e69040c5 100644 --- a/internal/service/acmpca/certificate.go +++ b/internal/service/acmpca/certificate.go 
@@ -16,10 +16,10 @@ import ( "time" "github.com/YakDriver/regexache" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/arn" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/aws/arn" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/id" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" @@ -27,15 +27,18 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/enum" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" + "github.com/hashicorp/terraform-provider-aws/names" "golang.org/x/crypto/cryptobyte" cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" ) -// @SDKResource("aws_acmpca_certificate") -func ResourceCertificate() *schema.Resource { +// @SDKResource("aws_acmpca_certificate", name="Certificate") +func resourceCertificate() *schema.Resource { return &schema.Resource{ CreateWithoutTimeout: resourceCertificateCreate, ReadWithoutTimeout: resourceCertificateRead, 
@@ -58,6 +61,17 @@ func ResourceCertificate() *schema.Resource { }, Schema: map[string]*schema.Schema{ + "api_passthrough": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + ValidateFunc: validation.StringIsJSON, + DiffSuppressFunc: verify.SuppressEquivalentJSONDiffs, + StateFunc: func(v interface{}) string { + json, _ := structure.NormalizeJsonString(v) + return json + }, + }, "arn": { Type: schema.TypeString, Computed: true, @@ -66,26 +80,32 @@ func ResourceCertificate() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "certificate_chain": { - Type: schema.TypeString, - Computed: true, - }, "certificate_authority_arn": { Type: schema.TypeString, Required: true, ForceNew: true, ValidateFunc: verify.ValidARN, }, + "certificate_chain": { + Type: schema.TypeString, + Computed: true, + }, "certificate_signing_request": { Type: schema.TypeString, Required: true, ForceNew: true, }, "signing_algorithm": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.SigningAlgorithm](), + }, + "template_arn": { Type: schema.TypeString, - Required: true, + Optional: true, ForceNew: true, - ValidateFunc: validation.StringInSlice(acmpca.SigningAlgorithm_Values(), false), + ValidateFunc: validTemplateARN, }, "validity": { Type: schema.TypeList, @@ -96,10 +116,10 @@ func ResourceCertificate() *schema.Resource { Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "type": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice(acmpca.ValidityPeriodType_Values(), false), + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.ValidityPeriodType](), }, "value": { Type: schema.TypeString, 
@@ -110,84 +130,58 @@ func ResourceCertificate() *schema.Resource { }, }, }, - "template_arn": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - ValidateFunc: ValidTemplateARN, - }, - "api_passthrough": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - ValidateFunc: validation.StringIsJSON, - DiffSuppressFunc: verify.SuppressEquivalentJSONDiffs, - StateFunc: func(v interface{}) string { - json, _ := structure.NormalizeJsonString(v) - return json - }, - }, }, } } func resourceCertificateCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + const certificateIssueTimeout = 5 * time.Minute var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) certificateAuthorityARN := d.Get("certificate_authority_arn").(string) - input := &acmpca.IssueCertificateInput{ + inputI := &acmpca.IssueCertificateInput{ CertificateAuthorityArn: aws.String(certificateAuthorityARN), Csr: []byte(d.Get("certificate_signing_request").(string)), IdempotencyToken: aws.String(id.UniqueId()), - SigningAlgorithm: aws.String(d.Get("signing_algorithm").(string)), - } - validity, err := expandValidity(d.Get("validity").([]interface{})) - if err != nil { - return sdkdiag.AppendErrorf(diags, "issuing ACM PCA Certificate with Certificate Authority (%s): %s", certificateAuthorityARN, err) - } - input.Validity = validity - - if v, ok := d.Get("template_arn").(string); ok && v != "" { - input.TemplateArn = aws.String(v) + SigningAlgorithm: types.SigningAlgorithm(d.Get("signing_algorithm").(string)), } if v, ok := d.Get("api_passthrough").(string); ok && v != "" { - ap := &acmpca.ApiPassthrough{} + ap := &types.ApiPassthrough{} if err := json.Unmarshal([]byte(v), ap); err != nil { - return sdkdiag.AppendErrorf(diags, "decoding api_passthrough: %s", err) + return sdkdiag.AppendFromErr(diags, err) } - input.ApiPassthrough = ap + inputI.ApiPassthrough = ap } - var output 
*acmpca.IssueCertificateOutput - err = retry.RetryContext(ctx, certificateAuthorityActiveTimeout, func() *retry.RetryError { - var err error - output, err = conn.IssueCertificateWithContext(ctx, input) - if tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidStateException, "The certificate authority is not in a valid state for issuing certificates") { - return retry.RetryableError(err) - } - if err != nil { - return retry.NonRetryableError(err) - } - return nil - }) - if tfresource.TimedOut(err) { - output, err = conn.IssueCertificateWithContext(ctx, input) + if v, ok := d.Get("template_arn").(string); ok && v != "" { + inputI.TemplateArn = aws.String(v) + } + + if validity, err := expandValidity(d.Get("validity").([]interface{})); err != nil { + return sdkdiag.AppendFromErr(diags, err) + } else { + inputI.Validity = validity } + outputRaw, err := tfresource.RetryWhenIsAErrorMessageContains[*types.InvalidStateException](ctx, certificateAuthorityActiveTimeout, func() (interface{}, error) { + return conn.IssueCertificate(ctx, inputI) + }, "The certificate authority is not in a valid state for issuing certificates") + if err != nil { return sdkdiag.AppendErrorf(diags, "issuing ACM PCA Certificate with Certificate Authority (%s): %s", certificateAuthorityARN, err) } - d.SetId(aws.StringValue(output.CertificateArn)) + d.SetId(aws.ToString(outputRaw.(*acmpca.IssueCertificateOutput).CertificateArn)) - getCertificateInput := &acmpca.GetCertificateInput{ - CertificateArn: output.CertificateArn, + // Wait for certificate status to become ISSUED. 
+ inputG := &acmpca.GetCertificateInput{ + CertificateArn: aws.String(d.Id()), CertificateAuthorityArn: aws.String(d.Get("certificate_authority_arn").(string)), } + err = acmpca.NewCertificateIssuedWaiter(conn).Wait(ctx, inputG, certificateIssueTimeout) - err = conn.WaitUntilCertificateIssuedWithContext(ctx, getCertificateInput) if err != nil { return sdkdiag.AppendErrorf(diags, "waiting for ACM PCA Certificate Authority (%s) to issue Certificate (%s), error: %s", certificateAuthorityARN, d.Id(), err) } @@ -197,18 +191,11 @@ func resourceCertificateCreate(ctx context.Context, d *schema.ResourceData, meta func resourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) - - getCertificateInput := &acmpca.GetCertificateInput{ - CertificateArn: aws.String(d.Id()), - CertificateAuthorityArn: aws.String(d.Get("certificate_authority_arn").(string)), - } - - log.Printf("[DEBUG] Reading ACM PCA Certificate: %s", getCertificateInput) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) - certificateOutput, err := conn.GetCertificateWithContext(ctx, getCertificateInput) + output, err := findCertificateByTwoPartKey(ctx, conn, d.Id(), d.Get("certificate_authority_arn").(string)) - if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { + if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] ACM PCA Certificate (%s) not found, removing from state", d.Id()) d.SetId("") return diags 
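Review bot: The api_passthrough decode in resourceCertificateCreate now returns the raw JSON error through `sdkdiag.AppendFromErr`, dropping the "decoding api_passthrough" context the removed line carried; with two JSON-like inputs on this resource the user cannot tell which one failed, so prefer `return sdkdiag.AppendErrorf(diags, "decoding api_passthrough: %s", err)` and likewise name `validity` when expandValidity fails. Separately, `json.Unmarshal` discards unknown keys, so a misspelled extension or key-usage field in api_passthrough is silently dropped and the IssueCertificate request goes out without it; if the attribute is meant to be strict, decoding with `json.NewDecoder(...).DisallowUnknownFields()` would surface the typo at apply time, though that may reject existing configurations that carry extra keys and would need a `strings` import. The `if validity, err := ...; err != nil { return ... } else { inputI.Validity = validity }` form also places an else after a return; hoisting the assignment out of the else is the idiomatic shape. The tail of the function lies outside the hunk.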
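Review bot: `d.Set("certificate_authority_arn", d.Get("certificate_authority_arn").(string))` in resourceCertificateRead writes an attribute back with the value just read from state, a no-op for a Required, ForceNew field. Either drop the line or, if it is a placeholder for an importer that will derive the CA ARN from elsewhere, add a comment such as `// certificate_authority_arn is not returned by GetCertificate; it is preserved from configuration` so the intent is explicit, since no importer for this resource is visible in the diff. The function continues past the hunk.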
@@ -218,20 +205,17 @@ func resourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta i return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate (%s): %s", d.Id(), err) } - if certificateOutput == nil { - return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate (%s): empty response", d.Id()) - } - d.Set("arn", d.Id()) - d.Set("certificate", certificateOutput.Certificate) - d.Set("certificate_chain", certificateOutput.CertificateChain) + d.Set("certificate", output.Certificate) + d.Set("certificate_authority_arn", d.Get("certificate_authority_arn").(string)) + d.Set("certificate_chain", output.CertificateChain) return diags } func resourceCertificateRevoke(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) block, _ := pem.Decode([]byte(d.Get("certificate").(string))) if block == nil { 
@@ -244,22 +228,23 @@ func resourceCertificateRevoke(ctx context.Context, d *schema.ResourceData, meta serial, err := getCertificateSerial(block.Bytes) if err != nil { - return sdkdiag.AppendErrorf(diags, "getting ACM PCA Certificate (%s) serial number: %s", d.Id(), err) + return sdkdiag.AppendFromErr(diags, err) } - input := &acmpca.RevokeCertificateInput{ + log.Printf("[INFO] Revoking ACM PCA Certificate: %s", d.Id()) + _, err = conn.RevokeCertificate(ctx, &acmpca.RevokeCertificateInput{ CertificateAuthorityArn: aws.String(d.Get("certificate_authority_arn").(string)), CertificateSerial: aws.String(fmt.Sprintf("%x", serial)), - RevocationReason: aws.String(acmpca.RevocationReasonUnspecified), - } - _, err = conn.RevokeCertificateWithContext(ctx, input) + RevocationReason: types.RevocationReasonUnspecified, + }) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) || - tfawserr.ErrCodeEquals(err, acmpca.ErrCodeRequestAlreadyProcessedException) || - tfawserr.ErrCodeEquals(err, acmpca.ErrCodeRequestInProgressException) || - tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidRequestException, "Self-signed certificate can not be revoked") { + if errs.IsA[*types.ResourceNotFoundException](err) || + errs.IsA[*types.RequestAlreadyProcessedException](err) || + errs.IsA[*types.RequestInProgressException](err) || + errs.IsAErrorMessageContains[*types.InvalidRequestException](err, "Self-signed certificate can not be revoked") { return diags } + if err != nil { return sdkdiag.AppendErrorf(diags, "revoking ACM PCA Certificate (%s): %s", d.Id(), err) } 
@@ -267,6 +252,36 @@ func resourceCertificateRevoke(ctx context.Context, d *schema.ResourceData, meta return diags } +func findCertificateByTwoPartKey(ctx context.Context, conn *acmpca.Client, certificateARN, certificateAuthorityARN string) (*acmpca.GetCertificateOutput, error) { + input := &acmpca.GetCertificateInput{ + CertificateArn: aws.String(certificateARN), + CertificateAuthorityArn: aws.String(certificateAuthorityARN), + } + + return findCertificate(ctx, conn, input) +} + +func findCertificate(ctx context.Context, conn *acmpca.Client, input *acmpca.GetCertificateInput) (*acmpca.GetCertificateOutput, error) { + output, err := conn.GetCertificate(ctx, input) + + if errs.IsA[*types.ResourceNotFoundException](err) { + return nil, &retry.NotFoundError{ + LastError: err, + LastRequest: input, + } + } + + if err != nil { + return nil, err + } + + if output == nil { + return nil, tfresource.NewEmptyResultError(input) + } + + return output, nil +} + // We parse certificate until we get serial number if possible. // This is partial copy of crypto/x509 package private function parseCertificate // https://github.com/golang/go/blob/6a70292d1cb3464e5b2c2c03341e5148730a1889/src/crypto/x509/parser.go#L800-L842 @@ -301,7 +316,7 @@ func getCertificateSerial(der []byte) (*big.Int, error) { return serial, nil } -func ValidTemplateARN(v interface{}, k string) (ws []string, errors []error) { +func validTemplateARN(v interface{}, k string) (ws []string, errors []error) { wsARN, errorsARN := verify.ValidARN(v, k) ws = append(ws, wsARN...) errors = append(errors, errorsARN...) 
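Review bot: The new helpers findCertificateByTwoPartKey and findCertificate carry no doc comments, yet the NotFound mapping is the contract resourceCertificateRead relies on to remove a certificate from state, so state it: `// findCertificate calls GetCertificate and maps ResourceNotFoundException to a retry.NotFoundError so callers can use tfresource.NotFound; a nil response is reported as an empty-result error.` It is worth adding in the same comment that every other error is returned unchanged, so a certificate whose issuance is presumably still pending (RequestInProgressException) does not read as "not found" and does not trigger state removal.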
@@ -310,8 +325,8 @@ func ValidTemplateARN(v interface{}, k string) (ws []string, errors []error) { value := v.(string) parsedARN, _ := arn.Parse(value) - if parsedARN.Service != acmpca.ServiceName { - errors = append(errors, fmt.Errorf("%q (%s) is not a valid ACM PCA template ARN: service must be \""+acmpca.ServiceName+"\", was %q)", k, value, parsedARN.Service)) + if parsedARN.Service != names.ACMPCAEndpointID { + errors = append(errors, fmt.Errorf("%q (%s) is not a valid ACM PCA template ARN: service must be \""+names.ACMPCAEndpointID+"\", was %q)", k, value, parsedARN.Service)) } if parsedARN.Region != "" { @@ -330,7 +345,7 @@ func ValidTemplateARN(v interface{}, k string) (ws []string, errors []error) { return ws, errors } -func expandValidity(l []interface{}) (*acmpca.Validity, error) { +func expandValidity(l []interface{}) (*types.Validity, error) { if len(l) == 0 { return nil, nil } @@ -338,8 +353,8 @@ func expandValidity(l []interface{}) (*acmpca.Validity, error) { m := l[0].(map[string]interface{}) valueType := m["type"].(string) - result := &acmpca.Validity{ - Type: aws.String(valueType), + result := &types.Validity{ + Type: types.ValidityPeriodType(valueType), } i, err := ExpandValidityValue(valueType, m["value"].(string)) @@ -352,7 +367,7 @@ func expandValidity(l []interface{}) (*acmpca.Validity, error) { } func ExpandValidityValue(valueType, v string) (int64, error) { - if valueType == acmpca.ValidityPeriodTypeEndDate { + if valueType == string(types.ValidityPeriodTypeEndDate) { date, err := time.Parse(time.RFC3339, v) if err != nil { return 0, err diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index 3b4426b9430..c9a5b00aaab 100644 --- a/internal/service/acmpca/certificate_authority.go +++ b/internal/service/acmpca/certificate_authority.go 
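Review bot: validTemplateARN now compares the ARN's service field against `names.ACMPCAEndpointID` in place of the SDK v1 `acmpca.ServiceName` constant; the check is only correct if that endpoint ID is the literal string `acm-pca`, which is what the template ARNs built in acctest (`arn:%s:acm-pca:::template/...`) rely on, so confirm the constant's value or compare against a local `const acmpcaServiceName = "acm-pca"` to decouple template validation from endpoint naming. The swallowed error in `parsedARN, _ := arn.Parse(value)` is pre-existing but still depends on verify.ValidARN having rejected malformed input just above; a one-line comment saying so would help the next reader. The function starts before the hunk.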
@@ -9,15 +9,17 @@ import ( "log" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/id" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/enum" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" @@ -33,8 +35,8 @@ const ( // @SDKResource("aws_acmpca_certificate_authority", name="Certificate Authority") // @Tags(identifierAttribute="id") -// @Testing(existsType="github.com/aws/aws-sdk-go/service/acmpca.CertificateAuthority", generator="acctest.RandomDomainName()", importIgnore="permanent_deletion_time_in_days") -func ResourceCertificateAuthority() *schema.Resource { +// @Testing(existsType="github.com/aws/aws-sdk-go-v2/service/acmpca/types.CertificateAuthority", generator="acctest.RandomDomainName()", importIgnore="permanent_deletion_time_in_days") +func resourceCertificateAuthority() *schema.Resource { //lintignore:R011 return &schema.Resource{ CreateWithoutTimeout: resourceCertificateAuthorityCreate, 
@@ -44,10 +46,7 @@ func ResourceCertificateAuthority() *schema.Resource { Importer: &schema.ResourceImporter{ StateContext: func(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { - d.Set( - "permanent_deletion_time_in_days", - certificateAuthorityPermanentDeletionTimeInDaysDefault, - ) + d.Set("permanent_deletion_time_in_days", certificateAuthorityPermanentDeletionTimeInDaysDefault) return []*schema.ResourceData{d}, nil }, @@ -77,16 +76,16 @@ func ResourceCertificateAuthority() *schema.Resource { Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "key_algorithm": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice(acmpca.KeyAlgorithm_Values(), false), + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.KeyAlgorithm](), }, "signing_algorithm": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice(acmpca.SigningAlgorithm_Values(), false), + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.SigningAlgorithm](), }, // https://docs.aws.amazon.com/privateca/latest/APIReference/API_ASN1Subject.html "subject": { @@ -194,11 +193,11 @@ func ResourceCertificateAuthority() *schema.Resource { Default: true, }, "key_storage_security_standard": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice(acmpca.KeyStorageSecurityStandard_Values(), false), + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.KeyStorageSecurityStandard](), }, "not_after": { Type: schema.TypeString, 
@@ -219,28 +218,18 @@ func ResourceCertificateAuthority() *schema.Resource { }, // https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevocationConfiguration.html "revocation_configuration": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - if old == "1" && new == "0" { - return true - } - return false - }, + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + DiffSuppressFunc: verify.SuppressMissingOptionalConfigurationBlock, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ // https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html "crl_configuration": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - if old == "1" && new == "0" { - return true - } - return false - }, + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + DiffSuppressFunc: verify.SuppressMissingOptionalConfigurationBlock, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "custom_cname": { @@ -284,10 +273,10 @@ func ResourceCertificateAuthority() *schema.Resource { }, }, "s3_object_acl": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ValidateFunc: validation.StringInSlice(acmpca.S3ObjectAcl_Values(), false), + Type: schema.TypeString, + Optional: true, + Computed: true, + ValidateDiagFunc: enum.Validate[types.S3ObjectAcl](), DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { // Ignore attributes if CRL configuration is not enabled if d.Get("revocation_configuration.0.crl_configuration.0.enabled").(bool) { 
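Review bot: Swapping the inline closure for `verify.SuppressMissingOptionalConfigurationBlock` on `revocation_configuration` (and on `crl_configuration` inside it) silently preserves a behaviour that deserves a comment: assuming the helper keeps the old `old == "1" && new == "0"` rule, deleting the block from configuration produces no diff, so CRL publication that was configured earlier is presumably left as it is on the AWS side rather than turned off. For a revocation setting this is security-relevant, and nothing in the schema tells the operator that `enabled = false` is the only way to switch it off. I would add above the `DiffSuppressFunc` line: `// Removing this block from configuration is not a change: revocation settings already applied stay in effect. Set enabled = false to turn them off.` The same note belongs on the `ocsp_configuration` block in the next hunk; the `revocation_configuration` schema itself runs past the end of this hunk.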
@@ -301,15 +290,10 @@ func ResourceCertificateAuthority() *schema.Resource { }, // https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html "ocsp_configuration": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - if old == "1" && new == "0" { - return true - } - return false - }, + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + DiffSuppressFunc: verify.SuppressMissingOptionalConfigurationBlock, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "enabled": { @@ -334,17 +318,17 @@ func ResourceCertificateAuthority() *schema.Resource { names.AttrTags: tftags.TagsSchema(), names.AttrTagsAll: tftags.TagsSchemaComputed(), "type": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: acmpca.CertificateAuthorityTypeSubordinate, - ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityType_Values(), false), + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Default: types.CertificateAuthorityTypeSubordinate, + ValidateDiagFunc: enum.Validate[types.CertificateAuthorityType](), }, "usage_mode": { - Type: schema.TypeString, - Computed: true, - Optional: true, - ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityUsageMode_Values(), false), + Type: schema.TypeString, + Computed: true, + Optional: true, + ValidateDiagFunc: enum.Validate[types.CertificateAuthorityUsageMode](), }, }, 
@@ -354,34 +338,34 @@ func ResourceCertificateAuthority() *schema.Resource { func resourceCertificateAuthorityCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) input := &acmpca.CreateCertificateAuthorityInput{ CertificateAuthorityConfiguration: expandCertificateAuthorityConfiguration(d.Get("certificate_authority_configuration").([]interface{})), - CertificateAuthorityType: aws.String(d.Get("type").(string)), + CertificateAuthorityType: types.CertificateAuthorityType(d.Get("type").(string)), IdempotencyToken: aws.String(id.UniqueId()), RevocationConfiguration: expandRevocationConfiguration(d.Get("revocation_configuration").([]interface{})), Tags: getTagsIn(ctx), } if v, ok := d.GetOk("key_storage_security_standard"); ok { - input.KeyStorageSecurityStandard = aws.String(v.(string)) + input.KeyStorageSecurityStandard = types.KeyStorageSecurityStandard(v.(string)) } if v, ok := d.GetOk("usage_mode"); ok { - input.UsageMode = aws.String(v.(string)) + input.UsageMode = types.CertificateAuthorityUsageMode(v.(string)) } // ValidationException: The ACM Private CA service account 'acm-pca-prod-pdx' requires getBucketAcl permissions for your S3 bucket 'tf-acc-test-5224996536060125340'. Check your S3 bucket permissions and try again. 
outputRaw, err := tfresource.RetryWhenAWSErrMessageContains(ctx, 1*time.Minute, func() (interface{}, error) { - return conn.CreateCertificateAuthorityWithContext(ctx, input) + return conn.CreateCertificateAuthority(ctx, input) }, "ValidationException", "Check your S3 bucket permissions and try again") if err != nil { return sdkdiag.AppendErrorf(diags, "creating ACM PCA Certificate Authority: %s", err) } - d.SetId(aws.StringValue(outputRaw.(*acmpca.CreateCertificateAuthorityOutput).CertificateAuthorityArn)) + d.SetId(aws.ToString(outputRaw.(*acmpca.CreateCertificateAuthorityOutput).CertificateAuthorityArn)) if _, err := waitCertificateAuthorityCreated(ctx, conn, d.Id(), d.Timeout(schema.TimeoutCreate)); err != nil { return sdkdiag.AppendErrorf(diags, "waiting for ACM PCA Certificate Authority (%s) create: %s", d.Id(), err) @@ -392,9 +376,9 @@ func resourceCertificateAuthorityCreate(ctx context.Context, d *schema.ResourceD func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) - certificateAuthority, err := FindCertificateAuthorityByARN(ctx, conn, d.Id()) + certificateAuthority, err := findCertificateAuthorityByARN(ctx, conn, d.Id()) if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] ACM PCA Certificate Authority (%s) not found, removing from state", d.Id()) 
@@ -410,10 +394,10 @@ func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceDat if err := d.Set("certificate_authority_configuration", flattenCertificateAuthorityConfiguration(certificateAuthority.CertificateAuthorityConfiguration)); err != nil { return sdkdiag.AppendErrorf(diags, "setting certificate_authority_configuration: %s", err) } - d.Set("enabled", (aws.StringValue(certificateAuthority.Status) != acmpca.CertificateAuthorityStatusDisabled)) + d.Set("enabled", (certificateAuthority.Status != types.CertificateAuthorityStatusDisabled)) d.Set("key_storage_security_standard", certificateAuthority.KeyStorageSecurityStandard) - d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) - d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) + d.Set("not_after", aws.ToTime(certificateAuthority.NotAfter).Format(time.RFC3339)) + d.Set("not_before", aws.ToTime(certificateAuthority.NotBefore).Format(time.RFC3339)) if err := d.Set("revocation_configuration", flattenRevocationConfiguration(certificateAuthority.RevocationConfiguration)); err != nil { return sdkdiag.AppendErrorf(diags, "setting revocation_configuration: %s", err) } 
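Review bot: `aws.ToTime(certificateAuthority.NotAfter).Format(time.RFC3339)` writes `0001-01-01T00:00:00Z` into state whenever `NotAfter` is nil, and `not_before` behaves the same; a CA still in PENDING_CERTIFICATE (a state this Read explicitly tolerates further down) presumably has no validity dates yet, so the attribute then carries a bogus timestamp rather than being empty. This is carried over from the v1 code (`aws.TimeValue`) rather than introduced here, but the migration is the moment to guard it, following the `d.Set("certificate", "")`-then-conditionally-set pattern the same function already uses. The enclosing Read function starts and ends outside this hunk.
```go
	// … unchanged: certificate_authority_configuration / enabled / key_storage_security_standard …
	d.Set("not_after", "")
	if v := certificateAuthority.NotAfter; v != nil {
		d.Set("not_after", v.Format(time.RFC3339))
	}
	d.Set("not_before", "")
	if v := certificateAuthority.NotBefore; v != nil {
		d.Set("not_before", v.Format(time.RFC3339))
	}
	// … unchanged: revocation_configuration …
```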
@@ -421,13 +405,11 @@ func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceDat
 	d.Set("type", certificateAuthority.Type)
 	d.Set("usage_mode", certificateAuthority.UsageMode)
-	getCertificateAuthorityCertificateInput := &acmpca.GetCertificateAuthorityCertificateInput{
+	outputGCACert, err := conn.GetCertificateAuthorityCertificate(ctx, &acmpca.GetCertificateAuthorityCertificateInput{
 		CertificateAuthorityArn: aws.String(d.Id()),
-	}
-
-	getCertificateAuthorityCertificateOutput, err := conn.GetCertificateAuthorityCertificateWithContext(ctx, getCertificateAuthorityCertificateInput)
+	})
-	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
+	if !d.IsNewResource() && errs.IsA[*types.ResourceNotFoundException](err) {
 		log.Printf("[WARN] ACM PCA Certificate Authority (%s) not found, removing from state", d.Id())
 		d.SetId("")
 		return diags
@@ -435,26 +417,22 @@ func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceDat // Returned when in PENDING_CERTIFICATE status // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request. - if err != nil && !tfawserr.ErrCodeEquals(err, acmpca.ErrCodeInvalidStateException) { + if err != nil && !errs.IsA[*types.InvalidStateException](err) { return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority (%s) Certificate: %s", d.Id(), err) } d.Set("certificate", "") d.Set("certificate_chain", "") - if getCertificateAuthorityCertificateOutput != nil { - d.Set("certificate", getCertificateAuthorityCertificateOutput.Certificate) - d.Set("certificate_chain", getCertificateAuthorityCertificateOutput.CertificateChain) + if outputGCACert != nil { + d.Set("certificate", outputGCACert.Certificate) + d.Set("certificate_chain", outputGCACert.CertificateChain) } - getCertificateAuthorityCsrInput := &acmpca.GetCertificateAuthorityCsrInput{ + outputGCACsr, err := conn.GetCertificateAuthorityCsr(ctx, &acmpca.GetCertificateAuthorityCsrInput{ CertificateAuthorityArn: aws.String(d.Id()), - } + }) - log.Printf("[DEBUG] Reading ACM PCA Certificate Authority Certificate Signing Request: %s", getCertificateAuthorityCsrInput) - - getCertificateAuthorityCsrOutput, err := conn.GetCertificateAuthorityCsrWithContext(ctx, getCertificateAuthorityCsrInput) - - if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { + if !d.IsNewResource() && errs.IsA[*types.ResourceNotFoundException](err) { log.Printf("[WARN] ACM PCA Certificate Authority (%s) not found, removing from state", d.Id()) d.SetId("") return diags 
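Review bot: The two comment lines at the top of this hunk, which justify tolerating `InvalidStateException` from `GetCertificateAuthorityCertificate`, quote the CSR error text (`… not in the correct state to have a certificate signing request`); they are a copy of the comment that precedes the CSR check in the next hunk and do not describe this call. I cannot tell from the diff what message the certificate call actually returns, so I would drop the quoted sentence instead of guessing, e.g. `// Returned (as InvalidStateException) while the CA is in PENDING_CERTIFICATE status and has no certificate yet.` The enclosing Read function starts and ends outside this hunk.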
@@ -462,13 +440,13 @@ func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceDat // Returned when in PENDING_CERTIFICATE status // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request. - if err != nil && !tfawserr.ErrCodeEquals(err, acmpca.ErrCodeInvalidStateException) { + if err != nil && !errs.IsA[*types.InvalidStateException](err) { return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority (%s) Certificate Signing Request: %s", d.Id(), err) } d.Set("certificate_signing_request", "") - if getCertificateAuthorityCsrOutput != nil { - d.Set("certificate_signing_request", getCertificateAuthorityCsrOutput.Csr) + if outputGCACsr != nil { + d.Set("certificate_signing_request", outputGCACsr.Csr) } return diags @@ -476,7 +454,7 @@ func resourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceDat func resourceCertificateAuthorityUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) if d.HasChangesExcept("tags", "tags_all") { input := &acmpca.UpdateCertificateAuthorityInput{ @@ -484,9 +462,9 @@ func resourceCertificateAuthorityUpdate(ctx context.Context, d *schema.ResourceD } if d.HasChange("enabled") { - input.Status = aws.String(acmpca.CertificateAuthorityStatusActive) + input.Status = types.CertificateAuthorityStatusActive if !d.Get("enabled").(bool) { - input.Status = aws.String(acmpca.CertificateAuthorityStatusDisabled) + input.Status = types.CertificateAuthorityStatusDisabled } } 
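Review bot: `d.HasChangesExcept("tags", "tags_all")` in the `-476,7` Update hunk spells the attribute names out as literals while the schema earlier in this file uses `names.AttrTags` / `names.AttrTagsAll` for the same keys; the line is untouched context here, but since the hunk already re-touches Update it would be consistent to write `if d.HasChangesExcept(names.AttrTags, names.AttrTagsAll) {`. This is purely a consistency point; behaviour is identical. The Update function continues past the end of the `-484,9` hunk.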
@@ -494,7 +472,7 @@ func resourceCertificateAuthorityUpdate(ctx context.Context, d *schema.ResourceD
 			input.RevocationConfiguration = expandRevocationConfiguration(d.Get("revocation_configuration").([]interface{}))
 		}
-		_, err := conn.UpdateCertificateAuthorityWithContext(ctx, input)
+		_, err := conn.UpdateCertificateAuthority(ctx, input)
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating ACM PCA Certificate Authority (%s): %s", d.Id(), err)
@@ -506,34 +484,39 @@ func resourceCertificateAuthorityUpdate(ctx context.Context, d *schema.ResourceD func resourceCertificateAuthorityDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) // The Certificate Authority must be in PENDING_CERTIFICATE or DISABLED state before deleting. - updateInput := &acmpca.UpdateCertificateAuthorityInput{ + inputU := &acmpca.UpdateCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(d.Id()), - Status: aws.String(acmpca.CertificateAuthorityStatusDisabled), + Status: types.CertificateAuthorityStatusDisabled, } - _, err := conn.UpdateCertificateAuthorityWithContext(ctx, updateInput) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { + + _, err := conn.UpdateCertificateAuthority(ctx, inputU) + + if errs.IsA[*types.ResourceNotFoundException](err) { return diags } - if err != nil && !tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidStateException, "The certificate authority must be in the ACTIVE or DISABLED state to be updated") { + + if err != nil && !errs.IsAErrorMessageContains[*types.InvalidStateException](err, "The certificate authority must be in the ACTIVE or DISABLED state to be updated") { return sdkdiag.AppendErrorf(diags, "setting ACM PCA Certificate Authority (%s) to DISABLED status before deleting: %s", d.Id(), err) } - deleteInput := &acmpca.DeleteCertificateAuthorityInput{ + inputD := &acmpca.DeleteCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(d.Id()), } if v, exists := d.GetOk("permanent_deletion_time_in_days"); exists { - deleteInput.PermanentDeletionTimeInDays = aws.Int64(int64(v.(int))) + inputD.PermanentDeletionTimeInDays = aws.Int32(int32(v.(int))) } log.Printf("[INFO] Deleting ACM PCA Certificate Authority: %s", d.Id()) - _, err = conn.DeleteCertificateAuthorityWithContext(ctx, deleteInput) - if 
tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
+	_, err = conn.DeleteCertificateAuthority(ctx, inputD)
+
+	if errs.IsA[*types.ResourceNotFoundException](err) {
 		return diags
 	}
+
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "deleting ACM PCA Certificate Authority (%s): %s", d.Id(), err)
 	}
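Review bot: The disable-before-delete step tolerates exactly one `InvalidStateException` by substring-matching its message, so any state the service rejects with different wording — most plausibly a CA already in DELETED status, if that path does not surface as `ResourceNotFoundException` — turns every later `destroy` into a permanent failure on `setting … to DISABLED status before deleting`. The finder introduced further down in this diff already reports DELETED as not found, so the cleanest guard is to consult it before issuing the update; the message match then only has to cover the PENDING_CERTIFICATE case, which the comment above it should say explicitly. I cannot confirm from the diff which error a DELETED CA returns, so treat the first part as something to verify against the service. The Delete function's tail (`return diags` / `}`) lies beyond this hunk.
```go
	conn := meta.(*conns.AWSClient).ACMPCAClient(ctx)

	// A CA that is already DELETED is reported as not found by findCertificateAuthorityByARN;
	// there is nothing left to disable or delete for it.
	if _, err := findCertificateAuthorityByARN(ctx, conn, d.Id()); tfresource.NotFound(err) {
		return diags
	}

	// The Certificate Authority must be in PENDING_CERTIFICATE or DISABLED state before deleting.
	// A PENDING_CERTIFICATE CA cannot be updated at all; that is the InvalidStateException matched below.
	// … unchanged: inputU / UpdateCertificateAuthority / error handling / inputD / DeleteCertificateAuthority …
```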
@@ -541,48 +524,58 @@ func resourceCertificateAuthorityDelete(ctx context.Context, d *schema.ResourceD return diags } -func FindCertificateAuthorityByARN(ctx context.Context, conn *acmpca.ACMPCA, arn string) (*acmpca.CertificateAuthority, error) { +func findCertificateAuthorityByARN(ctx context.Context, conn *acmpca.Client, arn string) (*types.CertificateAuthority, error) { input := &acmpca.DescribeCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(arn), } - output, err := conn.DescribeCertificateAuthorityWithContext(ctx, input) - - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { - return nil, &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } + output, err := findCertificateAuthority(ctx, conn, input) if err != nil { return nil, err } - if output == nil || output.CertificateAuthority == nil { - return nil, tfresource.NewEmptyResultError(input) + if status := output.Status; status == types.CertificateAuthorityStatusDeleted { + return nil, &retry.NotFoundError{ + Message: string(status), + LastRequest: input, + } } - if status := aws.StringValue(output.CertificateAuthority.Status); status == acmpca.CertificateAuthorityStatusDeleted { + // Eventual consistency check. + if aws.ToString(output.Arn) != arn { return nil, &retry.NotFoundError{ - Message: status, LastRequest: input, } } - // Eventual consistency check. 
- if aws.StringValue(output.CertificateAuthority.Arn) != arn { + return output, nil +} + +func findCertificateAuthority(ctx context.Context, conn *acmpca.Client, input *acmpca.DescribeCertificateAuthorityInput) (*types.CertificateAuthority, error) { + output, err := conn.DescribeCertificateAuthority(ctx, input) + + if errs.IsA[*types.ResourceNotFoundException](err) { return nil, &retry.NotFoundError{ + LastError: err, LastRequest: input, } } + if err != nil { + return nil, err + } + + if output == nil || output.CertificateAuthority == nil { + return nil, tfresource.NewEmptyResultError(input) + } + return output.CertificateAuthority, nil } -func statusCertificateAuthority(ctx context.Context, conn *acmpca.ACMPCA, arn string) retry.StateRefreshFunc { +func statusCertificateAuthority(ctx context.Context, conn *acmpca.Client, arn string) retry.StateRefreshFunc { return func() (interface{}, string, error) { - output, err := FindCertificateAuthorityByARN(ctx, conn, arn) + output, err := findCertificateAuthorityByARN(ctx, conn, arn) if tfresource.NotFound(err) { return nil, "", nil 
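Review bot: The `status == types.CertificateAuthorityStatusDeleted` branch in `findCertificateAuthorityByARN` maps a CA that still exists into `retry.NotFoundError`, and the Read in this file reacts to that by dropping the resource from state; that is a deliberate policy (the CA stays around, and as far as I understand the service is restorable, until its `permanent_deletion_time_in_days` window elapses) and it should be written down, because the next reader will assume DELETED means gone. I would put above the `if status := output.Status …` line: `// DELETED is reported as not found on purpose: the CA still exists (and may be restorable) until its permanent deletion window elapses, but Terraform treats it as gone and will re-create rather than restore it.` Separately, the `retry.NotFoundError` returned from the ARN-mismatch branch carries neither `Message` nor `LastError`, which makes it indistinguishable in logs from a real miss; a `Message: "ARN mismatch"` would help when debugging eventual-consistency retries. The `statusCertificateAuthority` closure at the bottom continues past the hunk.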
@@ -592,23 +585,23 @@ func statusCertificateAuthority(ctx context.Context, conn *acmpca.ACMPCA, arn st return nil, "", err } - return output, aws.StringValue(output.Status), nil + return output, string(output.Status), nil } } -func waitCertificateAuthorityCreated(ctx context.Context, conn *acmpca.ACMPCA, arn string, timeout time.Duration) (*acmpca.CertificateAuthority, error) { +func waitCertificateAuthorityCreated(ctx context.Context, conn *acmpca.Client, arn string, timeout time.Duration) (*types.CertificateAuthority, error) { stateConf := &retry.StateChangeConf{ - Pending: []string{acmpca.CertificateAuthorityStatusCreating}, - Target: []string{acmpca.CertificateAuthorityStatusActive, acmpca.CertificateAuthorityStatusPendingCertificate}, + Pending: enum.Slice(types.CertificateAuthorityStatusCreating), + Target: enum.Slice(types.CertificateAuthorityStatusActive, types.CertificateAuthorityStatusPendingCertificate), Refresh: statusCertificateAuthority(ctx, conn, arn), Timeout: timeout, } outputRaw, err := stateConf.WaitForStateContext(ctx) - if output, ok := outputRaw.(*acmpca.CertificateAuthority); ok { - if status := aws.StringValue(output.Status); status == acmpca.CertificateAuthorityStatusFailed { - tfresource.SetLastError(err, errors.New(aws.StringValue(output.FailureReason))) + if output, ok := outputRaw.(*types.CertificateAuthority); ok { + if output.Status == types.CertificateAuthorityStatusFailed { + tfresource.SetLastError(err, errors.New(string(output.FailureReason))) } return output, err @@ -621,14 +614,14 @@ const ( certificateAuthorityActiveTimeout = 1 * time.Minute ) -func expandASN1Subject(l []interface{}) *acmpca.ASN1Subject { +func expandASN1Subject(l []interface{}) *types.ASN1Subject { if len(l) == 0 { return nil } m := l[0].(map[string]interface{}) - subject := &acmpca.ASN1Subject{} + subject := &types.ASN1Subject{} if v, ok := m["common_name"]; ok && v.(string) != "" { subject.CommonName = aws.String(v.(string)) } 
@@ -672,23 +665,23 @@ func expandASN1Subject(l []interface{}) *acmpca.ASN1Subject { return subject } -func expandCertificateAuthorityConfiguration(l []interface{}) *acmpca.CertificateAuthorityConfiguration { +func expandCertificateAuthorityConfiguration(l []interface{}) *types.CertificateAuthorityConfiguration { if len(l) == 0 { return nil } m := l[0].(map[string]interface{}) - config := &acmpca.CertificateAuthorityConfiguration{ - KeyAlgorithm: aws.String(m["key_algorithm"].(string)), - SigningAlgorithm: aws.String(m["signing_algorithm"].(string)), + config := &types.CertificateAuthorityConfiguration{ + KeyAlgorithm: types.KeyAlgorithm(m["key_algorithm"].(string)), + SigningAlgorithm: types.SigningAlgorithm(m["signing_algorithm"].(string)), Subject: expandASN1Subject(m["subject"].([]interface{})), } return config } -func expandCrlConfiguration(l []interface{}) *acmpca.CrlConfiguration { +func expandCrlConfiguration(l []interface{}) *types.CrlConfiguration { if len(l) == 0 { return nil } @@ -697,7 +690,7 @@ func expandCrlConfiguration(l []interface{}) *acmpca.CrlConfiguration { crlEnabled := m["enabled"].(bool) - config := &acmpca.CrlConfiguration{ + config := &types.CrlConfiguration{ Enabled: aws.Bool(crlEnabled), } 
@@ -706,27 +699,27 @@ func expandCrlConfiguration(l []interface{}) *acmpca.CrlConfiguration { config.CustomCname = aws.String(v.(string)) } if v, ok := m["expiration_in_days"]; ok && v.(int) > 0 { - config.ExpirationInDays = aws.Int64(int64(v.(int))) + config.ExpirationInDays = aws.Int32(int32(v.(int))) } if v, ok := m["s3_bucket_name"]; ok && v.(string) != "" { config.S3BucketName = aws.String(v.(string)) } if v, ok := m["s3_object_acl"]; ok && v.(string) != "" { - config.S3ObjectAcl = aws.String(v.(string)) + config.S3ObjectAcl = types.S3ObjectAcl(v.(string)) } } return config } -func expandOcspConfiguration(l []interface{}) *acmpca.OcspConfiguration { +func expandOcspConfiguration(l []interface{}) *types.OcspConfiguration { if len(l) == 0 { return nil } m := l[0].(map[string]interface{}) - config := &acmpca.OcspConfiguration{ + config := &types.OcspConfiguration{ Enabled: aws.Bool(m["enabled"].(bool)), } @@ -737,14 +730,14 @@ func expandOcspConfiguration(l []interface{}) *acmpca.OcspConfiguration { return config } -func expandRevocationConfiguration(l []interface{}) *acmpca.RevocationConfiguration { +func expandRevocationConfiguration(l []interface{}) *types.RevocationConfiguration { if len(l) == 0 || l[0] == nil { return nil } m := l[0].(map[string]interface{}) - config := &acmpca.RevocationConfiguration{ + config := &types.RevocationConfiguration{ CrlConfiguration: expandCrlConfiguration(m["crl_configuration"].([]interface{})), OcspConfiguration: expandOcspConfiguration(m["ocsp_configuration"].([]interface{})), } 
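Review bot: `expandOcspConfiguration` type-asserts `l[0]` right after its `len(l) == 0` check, whereas its sibling `expandRevocationConfiguration` in the next hunk also guards `l[0] == nil`; as far as I know the SDK can hand an expand function `[]interface{}{nil}` for an empty nested block, so the asymmetry is either a latent panic or an unstated reliance on `enabled` being required (the attribute is visible at the top of the block on an earlier line, its flags are not). Making the guard uniform costs nothing: `if len(l) == 0 || l[0] == nil {`. The same applies to `expandCrlConfiguration`, whose `l[0]` line falls between the two preceding hunks.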
@@ -752,74 +745,74 @@ func expandRevocationConfiguration(l []interface{}) *acmpca.RevocationConfigurat return config } -func flattenASN1Subject(subject *acmpca.ASN1Subject) []interface{} { +func flattenASN1Subject(subject *types.ASN1Subject) []interface{} { if subject == nil { return []interface{}{} } m := map[string]interface{}{ - "common_name": aws.StringValue(subject.CommonName), - "country": aws.StringValue(subject.Country), - "distinguished_name_qualifier": aws.StringValue(subject.DistinguishedNameQualifier), - "generation_qualifier": aws.StringValue(subject.GenerationQualifier), - "given_name": aws.StringValue(subject.GivenName), - "initials": aws.StringValue(subject.Initials), - "locality": aws.StringValue(subject.Locality), - "organization": aws.StringValue(subject.Organization), - "organizational_unit": aws.StringValue(subject.OrganizationalUnit), - "pseudonym": aws.StringValue(subject.Pseudonym), - "state": aws.StringValue(subject.State), - "surname": aws.StringValue(subject.Surname), - "title": aws.StringValue(subject.Title), + "common_name": aws.ToString(subject.CommonName), + "country": aws.ToString(subject.Country), + "distinguished_name_qualifier": aws.ToString(subject.DistinguishedNameQualifier), + "generation_qualifier": aws.ToString(subject.GenerationQualifier), + "given_name": aws.ToString(subject.GivenName), + "initials": aws.ToString(subject.Initials), + "locality": aws.ToString(subject.Locality), + "organization": aws.ToString(subject.Organization), + "organizational_unit": aws.ToString(subject.OrganizationalUnit), + "pseudonym": aws.ToString(subject.Pseudonym), + "state": aws.ToString(subject.State), + "surname": aws.ToString(subject.Surname), + "title": aws.ToString(subject.Title), } return []interface{}{m} } -func flattenCertificateAuthorityConfiguration(config *acmpca.CertificateAuthorityConfiguration) []interface{} { +func flattenCertificateAuthorityConfiguration(config *types.CertificateAuthorityConfiguration) []interface{} { if config 
== nil { return []interface{}{} } m := map[string]interface{}{ - "key_algorithm": aws.StringValue(config.KeyAlgorithm), - "signing_algorithm": aws.StringValue(config.SigningAlgorithm), + "key_algorithm": string(config.KeyAlgorithm), + "signing_algorithm": string(config.SigningAlgorithm), "subject": flattenASN1Subject(config.Subject), } return []interface{}{m} } -func flattenCrlConfiguration(config *acmpca.CrlConfiguration) []interface{} { +func flattenCrlConfiguration(config *types.CrlConfiguration) []interface{} { if config == nil { return []interface{}{} } m := map[string]interface{}{ - "custom_cname": aws.StringValue(config.CustomCname), - "enabled": aws.BoolValue(config.Enabled), - "expiration_in_days": int(aws.Int64Value(config.ExpirationInDays)), - "s3_bucket_name": aws.StringValue(config.S3BucketName), - "s3_object_acl": aws.StringValue(config.S3ObjectAcl), + "custom_cname": aws.ToString(config.CustomCname), + "enabled": aws.ToBool(config.Enabled), + "expiration_in_days": int(aws.ToInt32(config.ExpirationInDays)), + "s3_bucket_name": aws.ToString(config.S3BucketName), + "s3_object_acl": string(config.S3ObjectAcl), } return []interface{}{m} } -func flattenOcspConfiguration(config *acmpca.OcspConfiguration) []interface{} { +func flattenOcspConfiguration(config *types.OcspConfiguration) []interface{} { if config == nil { return []interface{}{} } m := map[string]interface{}{ - "enabled": aws.BoolValue(config.Enabled), - "ocsp_custom_cname": aws.StringValue(config.OcspCustomCname), + "enabled": aws.ToBool(config.Enabled), + "ocsp_custom_cname": aws.ToString(config.OcspCustomCname), } return []interface{}{m} } -func flattenRevocationConfiguration(config *acmpca.RevocationConfiguration) []interface{} { +func flattenRevocationConfiguration(config *types.RevocationConfiguration) []interface{} { if config == nil { return []interface{}{} } 
diff --git a/internal/service/acmpca/certificate_authority_certificate.go b/internal/service/acmpca/certificate_authority_certificate.go index f72a06b04cd..d23e83a85ee 100644 --- a/internal/service/acmpca/certificate_authority_certificate.go +++ b/internal/service/acmpca/certificate_authority_certificate.go @@ -7,19 +7,22 @@ import ( "context" "log" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" ) -// @SDKResource("aws_acmpca_certificate_authority_certificate") -func ResourceCertificateAuthorityCertificate() *schema.Resource { +// @SDKResource("aws_acmpca_certificate_authority_certificate", name="Certificate Authority Certificate") +func resourceCertificateAuthorityCertificate() *schema.Resource { return &schema.Resource{ CreateWithoutTimeout: resourceCertificateAuthorityCertificateCreate, ReadWithoutTimeout: resourceCertificateAuthorityCertificateRead, 
@@ -54,19 +57,20 @@ func ResourceCertificateAuthorityCertificate() *schema.Resource { func resourceCertificateAuthorityCertificateCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) certificateAuthorityARN := d.Get("certificate_authority_arn").(string) - input := &acmpca.ImportCertificateAuthorityCertificateInput{ Certificate: []byte(d.Get("certificate").(string)), CertificateAuthorityArn: aws.String(certificateAuthorityARN), } + if v, ok := d.Get("certificate_chain").(string); ok && v != "" { input.CertificateChain = []byte(v) } - _, err := conn.ImportCertificateAuthorityCertificateWithContext(ctx, input) + _, err := conn.ImportCertificateAuthorityCertificate(ctx, input) + if err != nil { return sdkdiag.AppendErrorf(diags, "associating ACM PCA Certificate with Certificate Authority (%s): %s", certificateAuthorityARN, err) } @@ -78,9 +82,10 @@ func resourceCertificateAuthorityCertificateCreate(ctx context.Context, d *schem func resourceCertificateAuthorityCertificateRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) + + output, err := findCertificateAuthorityCertificateByARN(ctx, conn, d.Id()) - output, err := FindCertificateAuthorityCertificateByARN(ctx, conn, d.Id()) if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] ACM PCA Certificate Authority Certificate (%s) not found, removing from state", d.Id()) d.SetId("") 
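Review bot: `if v, ok := d.Get("certificate_chain").(string); ok && v != ""` in the create hunk uses the type-assertion `ok` as if it could fail, but `d.Get` on a declared `TypeString` attribute always yields a `string` (empty when unset), so `ok` is noise and the real condition is `v != ""`; the sibling resource in this diff uses `d.GetOk` for exactly this case. Suggested: `if v, ok := d.GetOk("certificate_chain"); ok { input.CertificateChain = []byte(v.(string)) }`. The create function continues past the hunk (after the import-error return), so what it does with the response is outside this view.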
@@ -96,3 +101,28 @@ func resourceCertificateAuthorityCertificateRead(ctx context.Context, d *schema.
 	return diags
 }
+
+func findCertificateAuthorityCertificateByARN(ctx context.Context, conn *acmpca.Client, arn string) (*acmpca.GetCertificateAuthorityCertificateOutput, error) {
+	input := &acmpca.GetCertificateAuthorityCertificateInput{
+		CertificateAuthorityArn: aws.String(arn),
+	}
+
+	output, err := conn.GetCertificateAuthorityCertificate(ctx, input)
+
+	if errs.IsA[*types.ResourceNotFoundException](err) {
+		return nil, &retry.NotFoundError{
+			LastError:   err,
+			LastRequest: input,
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	if output == nil {
+		return nil, tfresource.NewEmptyResultError(input)
+	}
+
+	return output, nil
+}
diff --git a/internal/service/acmpca/certificate_authority_certificate_test.go b/internal/service/acmpca/certificate_authority_certificate_test.go
index 404c9515119..be9ccb0b9a1 100644
--- a/internal/service/acmpca/certificate_authority_certificate_test.go
+++ b/internal/service/acmpca/certificate_authority_certificate_test.go
@@ -8,13 +8,12 @@ import (
 	"fmt"
 	"testing"
-	"github.com/aws/aws-sdk-go/service/acmpca"
+	"github.com/aws/aws-sdk-go-v2/service/acmpca"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	tfacmpca "github.com/hashicorp/terraform-provider-aws/internal/service/acmpca"
-	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
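Review bot: `findCertificateAuthorityCertificateByARN` maps only `ResourceNotFoundException` to `retry.NotFoundError`, while the CA resource's Read earlier in this diff also expects `GetCertificateAuthorityCertificate` to return `InvalidStateException` when the CA has no certificate (PENDING_CERTIFICATE). Whether a CA can fall back into such a state after a certificate has been imported is not something I can confirm from the diff; if it can, the Read in the hunk above surfaces that as an error instead of removing the association from state, and if it cannot, the reasoning deserves a comment on the finder, e.g. `// InvalidStateException (CA without a certificate) is intentionally not treated as NotFound: once a certificate has been imported the CA is not expected to return to PENDING_CERTIFICATE.` Either way a one-line comment keeps the two finders' different policies from reading as an oversight.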
@@ -22,14 +21,13 @@ func TestAccACMPCACertificateAuthorityCertificate_rootCA(t *testing.T) { ctx := acctest.Context(t) var v acmpca.GetCertificateAuthorityCertificateOutput resourceName := "aws_acmpca_certificate_authority_certificate.test" - commonName := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.ACMPCAServiceID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, - CheckDestroy: nil, // Certificate authority certificates cannot be deleted + CheckDestroy: acctest.CheckDestroyNoop, Steps: []resource.TestStep{ { Config: testAccCertificateAuthorityCertificateConfig_rootCA(commonName), @@ -54,14 +52,13 @@ func TestAccACMPCACertificateAuthorityCertificate_updateRootCA(t *testing.T) { var v acmpca.GetCertificateAuthorityCertificateOutput resourceName := "aws_acmpca_certificate_authority_certificate.test" updatedResourceName := "aws_acmpca_certificate_authority_certificate.updated" - commonName := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.ACMPCAServiceID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, - CheckDestroy: nil, // Certificate authority certificates cannot be deleted + CheckDestroy: acctest.CheckDestroyNoop, Steps: []resource.TestStep{ { Config: testAccCertificateAuthorityCertificateConfig_rootCA(commonName), 
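Review bot: Replacing `CheckDestroy: nil, // Certificate authority certificates cannot be deleted` with `acctest.CheckDestroyNoop` removes the only explanation of why no destroy check exists, and a no-op destroy check is exactly the line a future reader will question. Keep the rationale as a trailing comment: `CheckDestroy: acctest.CheckDestroyNoop, // Certificate authority certificates cannot be deleted`. The same edit is made in the `_updateRootCA` hunk on this line and in the `_subordinateCA` hunk on the next; the comment should survive in all three.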
@@ -89,14 +86,13 @@ func TestAccACMPCACertificateAuthorityCertificate_subordinateCA(t *testing.T) { ctx := acctest.Context(t) var v acmpca.GetCertificateAuthorityCertificateOutput resourceName := "aws_acmpca_certificate_authority_certificate.test" - commonName := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.ACMPCAServiceID), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, - CheckDestroy: nil, // Certificate authority certificates cannot be deleted + CheckDestroy: acctest.CheckDestroyNoop, Steps: []resource.TestStep{ { Config: testAccCertificateAuthorityCertificateConfig_subordinateCA(commonName), @@ -116,24 +112,22 @@ func TestAccACMPCACertificateAuthorityCertificate_subordinateCA(t *testing.T) { }) } -func testAccCheckCertificateAuthorityCertificateExists(ctx context.Context, resourceName string, certificate *acmpca.GetCertificateAuthorityCertificateOutput) resource.TestCheckFunc { +func testAccCheckCertificateAuthorityCertificateExists(ctx context.Context, n string, v *acmpca.GetCertificateAuthorityCertificateOutput) resource.TestCheckFunc { return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] + rs, ok := s.RootModule().Resources[n] if !ok { - return fmt.Errorf("not found: %s", resourceName) + return fmt.Errorf("Not found: %s", n) } - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) output, err := tfacmpca.FindCertificateAuthorityCertificateByARN(ctx, conn, rs.Primary.ID) + if err != nil { return err } - if tfresource.NotFound(err) { - return fmt.Errorf("ACM PCA Certificate (%s) does not exist", rs.Primary.ID) - } - *certificate = *output + *v = *output return nil } 
diff --git a/internal/service/acmpca/certificate_authority_data_source.go b/internal/service/acmpca/certificate_authority_data_source.go index 243e939d4c5..e9d314324be 100644 --- a/internal/service/acmpca/certificate_authority_data_source.go +++ b/internal/service/acmpca/certificate_authority_data_source.go @@ -5,21 +5,23 @@ package acmpca import ( "context" - "log" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" tftags "github.com/hashicorp/terraform-provider-aws/internal/tags" ) -// @SDKDataSource("aws_acmpca_certificate_authority") -func DataSourceCertificateAuthority() *schema.Resource { +// @SDKDataSource("aws_acmpca_certificate_authority", name="Certificate Authority") +// @Tags(identifierAttribute="arn") +// @Testing(tagsTest=false) +func dataSourceCertificateAuthority() *schema.Resource { return &schema.Resource{ ReadWithoutTimeout: dataSourceCertificateAuthorityRead, 
@@ -130,30 +132,24 @@ func DataSourceCertificateAuthority() *schema.Resource { func dataSourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) - ignoreTagsConfig := meta.(*conns.AWSClient).IgnoreTagsConfig - certificateAuthorityARN := d.Get("arn").(string) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) - describeCertificateAuthorityInput := &acmpca.DescribeCertificateAuthorityInput{ + certificateAuthorityARN := d.Get("arn").(string) + input := &acmpca.DescribeCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(certificateAuthorityARN), } - log.Printf("[DEBUG] Reading ACM PCA Certificate Authority: %s", describeCertificateAuthorityInput) + certificateAuthority, err := findCertificateAuthority(ctx, conn, input) - describeCertificateAuthorityOutput, err := conn.DescribeCertificateAuthorityWithContext(ctx, describeCertificateAuthorityInput) if err != nil { return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority (%s): %s", certificateAuthorityARN, err) } - if describeCertificateAuthorityOutput.CertificateAuthority == nil { - return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority: not found") - } - certificateAuthority := describeCertificateAuthorityOutput.CertificateAuthority - + d.SetId(certificateAuthorityARN) d.Set("arn", certificateAuthority.Arn) d.Set("key_storage_security_standard", certificateAuthority.KeyStorageSecurityStandard) - d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) - d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) + d.Set("not_after", aws.ToTime(certificateAuthority.NotAfter).Format(time.RFC3339)) + d.Set("not_before", aws.ToTime(certificateAuthority.NotBefore).Format(time.RFC3339)) if err := d.Set("revocation_configuration", 
flattenRevocationConfiguration(certificateAuthority.RevocationConfiguration)); err != nil { return sdkdiag.AppendErrorf(diags, "setting revocation_configuration: %s", err) } 
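Review bot: `aws.ToTime(certificateAuthority.NotAfter).Format(time.RFC3339)` (and the matching not_before line) turns a nil pointer into the zero time `0001-01-01T00:00:00Z`, which is presumably what a CA still in PENDING_CERTIFICATE state reports because no certificate has been imported yet; this is carried over from the v1 code rather than introduced here, but a guard such as `if v := certificateAuthority.NotAfter; v != nil { d.Set("not_after", aws.ToTime(v).Format(time.RFC3339)) }` would avoid publishing a fictitious validity window. Moving `d.SetId(certificateAuthorityARN)` ahead of the attribute writes is fine and lets the later error messages use `d.Id()`. dataSourceCertificateAuthorityRead continues past the end of this hunk.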
@@ -162,55 +158,37 @@ func dataSourceCertificateAuthorityRead(ctx context.Context, d *schema.ResourceD d.Set("type", certificateAuthority.Type) d.Set("usage_mode", certificateAuthority.UsageMode) - getCertificateAuthorityCertificateInput := &acmpca.GetCertificateAuthorityCertificateInput{ + outputGCACert, err := conn.GetCertificateAuthorityCertificate(ctx, &acmpca.GetCertificateAuthorityCertificateInput{ CertificateAuthorityArn: aws.String(certificateAuthorityARN), - } - - log.Printf("[DEBUG] Reading ACM PCA Certificate Authority Certificate: %s", getCertificateAuthorityCertificateInput) + }) - getCertificateAuthorityCertificateOutput, err := conn.GetCertificateAuthorityCertificateWithContext(ctx, getCertificateAuthorityCertificateInput) - if err != nil { - // Returned when in PENDING_CERTIFICATE status - // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request. - if !tfawserr.ErrCodeEquals(err, acmpca.ErrCodeInvalidStateException) { - return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority Certificate: %s", err) - } + // Returned when in PENDING_CERTIFICATE status + // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request. 
+ if err != nil && !errs.IsA[*types.InvalidStateException](err) { + return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority (%s) Certificate: %s", d.Id(), err) } d.Set("certificate", "") d.Set("certificate_chain", "") - if getCertificateAuthorityCertificateOutput != nil { - d.Set("certificate", getCertificateAuthorityCertificateOutput.Certificate) - d.Set("certificate_chain", getCertificateAuthorityCertificateOutput.CertificateChain) + if outputGCACert != nil { + d.Set("certificate", outputGCACert.Certificate) + d.Set("certificate_chain", outputGCACert.CertificateChain) } - getCertificateAuthorityCsrInput := &acmpca.GetCertificateAuthorityCsrInput{ + outputGCACsr, err := conn.GetCertificateAuthorityCsr(ctx, &acmpca.GetCertificateAuthorityCsrInput{ CertificateAuthorityArn: aws.String(certificateAuthorityARN), - } - - log.Printf("[DEBUG] Reading ACM PCA Certificate Authority Certificate Signing Request: %s", getCertificateAuthorityCsrInput) + }) - getCertificateAuthorityCsrOutput, err := conn.GetCertificateAuthorityCsrWithContext(ctx, getCertificateAuthorityCsrInput) - if err != nil { - return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority Certificate Signing Request: %s", err) + // Returned when in PENDING_CERTIFICATE status + // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request. 
+ if err != nil && !errs.IsA[*types.InvalidStateException](err) { + return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate Authority (%s) Certificate Signing Request: %s", d.Id(), err) } d.Set("certificate_signing_request", "") - if getCertificateAuthorityCsrOutput != nil { - d.Set("certificate_signing_request", getCertificateAuthorityCsrOutput.Csr) - } - - tags, err := listTags(ctx, conn, certificateAuthorityARN) - - if err != nil { - return sdkdiag.AppendErrorf(diags, "listing tags for ACM PCA Certificate Authority (%s): %s", certificateAuthorityARN, err) + if outputGCACsr != nil { + d.Set("certificate_signing_request", outputGCACsr.Csr) } - if err := d.Set("tags", tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { - return sdkdiag.AppendErrorf(diags, "setting tags: %s", err) - } - - d.SetId(certificateAuthorityARN) - return diags } diff --git a/internal/service/acmpca/certificate_authority_tags_gen_test.go b/internal/service/acmpca/certificate_authority_tags_gen_test.go index b41b3967dd4..2481eadf4f9 100644 --- a/internal/service/acmpca/certificate_authority_tags_gen_test.go +++ b/internal/service/acmpca/certificate_authority_tags_gen_test.go @@ -5,7 +5,7 @@ package acmpca_test import ( "testing" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-provider-aws/internal/acctest" "github.com/hashicorp/terraform-provider-aws/names" @@ -13,7 +13,7 @@ import ( func TestAccACMPCACertificateAuthority_tags(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() 
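Review bot: The comment above the first `if err != nil && !errs.IsA[*types.InvalidStateException](err)` check was copied from the CSR path — it talks about "a certificate signing request" although it guards the GetCertificateAuthorityCertificate call; suggest `// InvalidStateException is returned while the CA is in PENDING_CERTIFICATE status, i.e. no certificate has been imported yet.` there and keep the CSR wording only on the second check. Both checks deliberately swallow InvalidStateException and fall through to empty `certificate`, `certificate_chain` and `certificate_signing_request` values; if the service raises the same exception in states other than PENDING_CERTIFICATE (I am not certain it is limited to that one), a CA that cannot serve its certificate would read back as a valid but empty result, and appending a warning diagnostic (e.g. via `sdkdiag.AppendWarningf`) would make that visible to the operator.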
@@ -93,7 +93,7 @@ func TestAccACMPCACertificateAuthority_tags(t *testing.T) { func TestAccACMPCACertificateAuthority_tags_null(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -129,7 +129,7 @@ func TestAccACMPCACertificateAuthority_tags_null(t *testing.T) { func TestAccACMPCACertificateAuthority_tags_AddOnUpdate(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -168,7 +168,7 @@ func TestAccACMPCACertificateAuthority_tags_AddOnUpdate(t *testing.T) { func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnCreate(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -215,7 +215,7 @@ func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnCreate(t *testing.T) { func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnUpdate_Add(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -272,7 +272,7 @@ func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnUpdate_Add(t *testing.T) func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnUpdate_Replace(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() 
@@ -312,7 +312,7 @@ func TestAccACMPCACertificateAuthority_tags_EmptyTag_OnUpdate_Replace(t *testing func TestAccACMPCACertificateAuthority_tags_DefaultTags_providerOnly(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -408,7 +408,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_providerOnly(t *testing. func TestAccACMPCACertificateAuthority_tags_DefaultTags_nonOverlapping(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -489,7 +489,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_nonOverlapping(t *testin func TestAccACMPCACertificateAuthority_tags_DefaultTags_overlapping(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -570,7 +570,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_overlapping(t *testing.T func TestAccACMPCACertificateAuthority_tags_DefaultTags_updateToProviderOnly(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -616,7 +616,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_updateToProviderOnly(t * func TestAccACMPCACertificateAuthority_tags_DefaultTags_updateToResourceOnly(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() 
@@ -662,7 +662,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_updateToResourceOnly(t * func TestAccACMPCACertificateAuthority_tags_DefaultTags_emptyResourceTag(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -699,7 +699,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_emptyResourceTag(t *test func TestAccACMPCACertificateAuthority_tags_DefaultTags_nullOverlappingResourceTag(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() @@ -735,7 +735,7 @@ func TestAccACMPCACertificateAuthority_tags_DefaultTags_nullOverlappingResourceT func TestAccACMPCACertificateAuthority_tags_DefaultTags_nullNonOverlappingResourceTag(t *testing.T) { ctx := acctest.Context(t) - var v acmpca.CertificateAuthority + var v types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" rName := acctest.RandomDomainName() diff --git a/internal/service/acmpca/certificate_authority_test.go b/internal/service/acmpca/certificate_authority_test.go index 057a23cd7f3..b1b55db9c8c 100644 --- a/internal/service/acmpca/certificate_authority_test.go +++ b/internal/service/acmpca/certificate_authority_test.go @@ -9,6 +9,7 @@ import ( "testing" "github.com/YakDriver/regexache" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/service/acmpca" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" 
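Review bot: The import hunk for certificate_authority_test.go adds the SDK v2 `types` package next to the retained SDK v1 `github.com/aws/aws-sdk-go/service/acmpca` import, which the later hunks use only for the `acmpca.CertificateAuthorityTypeRoot` string constant; the file could drop the v1 dependency by writing `string(types.CertificateAuthorityTypeRoot)` where the config helpers and `resource.TestCheckResourceAttr` need a string. That would keep the test package consistent with the migrated acctest helpers in this commit, which already take `*acmpcatypes.CertificateAuthority`.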
@@ -25,7 +26,7 @@ var testAccCheckCertificateAuthorityExists = acctest.CheckACMPCACertificateAutho func TestAccACMPCACertificateAuthority_basic(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -38,7 +39,7 @@ func TestAccACMPCACertificateAuthority_basic(t *testing.T) { { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "acm-pca", regexache.MustCompile(`certificate-authority/.+`)), resource.TestCheckResourceAttr(resourceName, "certificate_authority_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "certificate_authority_configuration.0.key_algorithm", "RSA_4096"), @@ -73,7 +74,7 @@ func TestAccACMPCACertificateAuthority_basic(t *testing.T) { func TestAccACMPCACertificateAuthority_disappears(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -86,7 +87,7 @@ func TestAccACMPCACertificateAuthority_disappears(t *testing.T) { { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), acctest.CheckResourceDisappears(ctx, acctest.Provider, tfacmpca.ResourceCertificateAuthority(), resourceName), ), ExpectNonEmptyPlan: true, 
@@ -97,7 +98,7 @@ func TestAccACMPCACertificateAuthority_disappears(t *testing.T) { func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -110,7 +111,7 @@ func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { { Config: testAccCertificateAuthorityConfig_enabled(commonName, acmpca.CertificateAuthorityTypeRoot, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), acctest.CheckACMPCACertificateAuthorityActivateRootCA(ctx, &certificateAuthority), @@ -119,7 +120,7 @@ func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { { Config: testAccCertificateAuthorityConfig_enabled(commonName, acmpca.CertificateAuthorityTypeRoot, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), ), 
@@ -127,7 +128,7 @@ func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { { Config: testAccCertificateAuthorityConfig_enabled(commonName, acmpca.CertificateAuthorityTypeRoot, false), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "enabled", "false"), ), }, @@ -145,7 +146,7 @@ func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { func TestAccACMPCACertificateAuthority_usageMode(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -158,7 +159,7 @@ func TestAccACMPCACertificateAuthority_usageMode(t *testing.T) { { Config: testAccCertificateAuthorityConfig_usageMode(commonName, acmpca.CertificateAuthorityTypeRoot, "SHORT_LIVED_CERTIFICATE"), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "usage_mode", "SHORT_LIVED_CERTIFICATE"), ), }, @@ -176,7 +177,7 @@ func TestAccACMPCACertificateAuthority_usageMode(t *testing.T) { func TestAccACMPCACertificateAuthority_keyStorageSecurityStandard(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() 
@@ -193,7 +194,7 @@ func TestAccACMPCACertificateAuthority_keyStorageSecurityStandard(t *testing.T) { Config: testAccCertificateAuthorityConfig_keyStorageSecurityStandard(commonName, acmpca.CertificateAuthorityTypeRoot, "FIPS_140_2_LEVEL_2_OR_HIGHER"), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "key_storage_security_standard", "FIPS_140_2_LEVEL_2_OR_HIGHER"), ), }, @@ -211,7 +212,7 @@ func TestAccACMPCACertificateAuthority_keyStorageSecurityStandard(t *testing.T) func TestAccACMPCACertificateAuthority_deleteFromActiveState(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -224,7 +225,7 @@ func TestAccACMPCACertificateAuthority_deleteFromActiveState(t *testing.T) { { Config: testAccCertificateAuthorityConfig_root(commonName), Check: resource.ComposeAggregateTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), ), @@ -235,7 +236,7 @@ func TestAccACMPCACertificateAuthority_deleteFromActiveState(t *testing.T) { func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() 
@@ -248,7 +249,7 @@ func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing. { Config: testAccCertificateAuthorityConfig_revocationConfigurationEmpty(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "acm-pca", regexache.MustCompile(`certificate-authority/.+`)), resource.TestCheckResourceAttr(resourceName, "certificate_authority_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "certificate_authority_configuration.0.key_algorithm", "RSA_4096"), @@ -283,7 +284,7 @@ func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing. func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_acmpca_certificate_authority.test" domain := acctest.RandomDomain() @@ -301,7 +302,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationCustomCNAME(rName, commonName, customCName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", customCName), 
@@ -323,7 +324,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationCustomCNAME(rName, commonName, customCName2), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", customCName2), @@ -336,7 +337,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationEnabled(rName, commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", ""), 
@@ -349,7 +350,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationCustomCNAME(rName, commonName, customCName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", customCName), @@ -362,7 +363,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "false"), @@ -374,7 +375,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_customCNAME(t *testing.T) { func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() 
@@ -389,7 +390,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationEnabled(rName, commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", ""), @@ -411,7 +412,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationEnabled(rName, commonName, false), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "false"), 
@@ -421,7 +422,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationEnabled(rName, commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", ""), @@ -434,7 +435,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "false"), @@ -446,7 +447,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_enabled(t *testing.T) { func TestAccACMPCACertificateAuthority_RevocationCrl_expirationInDays(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() 
@@ -461,7 +462,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_expirationInDays(t *testing { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationExpirationInDays(rName, commonName, 1), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", ""), @@ -484,7 +485,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_expirationInDays(t *testing { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationExpirationInDays(rName, commonName, 2), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "true"), 
@@ -496,7 +497,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_expirationInDays(t *testing { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "false"), @@ -508,7 +509,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_expirationInDays(t *testing func TestAccACMPCACertificateAuthority_RevocationCrl_s3ObjectACL(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -523,7 +524,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_s3ObjectACL(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationS3ObjectACL(rName, commonName, "BUCKET_OWNER_FULL_CONTROL"), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "true"), 
@@ -545,7 +546,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_s3ObjectACL(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationCrlConfigurationS3ObjectACL(rName, commonName, "PUBLIC_READ"), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.crl_configuration.0.enabled", "true"), @@ -560,7 +561,7 @@ func TestAccACMPCACertificateAuthority_RevocationCrl_s3ObjectACL(t *testing.T) { func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" commonName := acctest.RandomDomainName() @@ -574,7 +575,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationEnabled(commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), 
@@ -594,7 +595,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationEnabled(commonName, false), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "false"), @@ -604,7 +605,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationEnabled(commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), 
@@ -615,7 +616,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "false"), @@ -627,7 +628,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_enabled(t *testing.T) { func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { ctx := acctest.Context(t) - var certificateAuthority acmpca.CertificateAuthority + var certificateAuthority types.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" domain := acctest.RandomDomain() commonName := domain.String() @@ -644,7 +645,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationCustomCNAME(commonName, customCName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), 
@@ -664,7 +665,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationCustomCNAME(commonName, customCName2), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), @@ -675,7 +676,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationEnabled(commonName, true), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), 
@@ -686,7 +687,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { Config: testAccCertificateAuthorityConfig_revocationConfigurationOcspConfigurationCustomCNAME(commonName, customCName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "true"), @@ -697,7 +698,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) { Config: testAccCertificateAuthorityConfig_required(commonName), Check: resource.ComposeTestCheckFunc( - acctest.CheckACMPCACertificateAuthorityExists(ctx, resourceName, &certificateAuthority), + testAccCheckCertificateAuthorityExists(ctx, resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.#", "1"), resource.TestCheckResourceAttr(resourceName, "revocation_configuration.0.ocsp_configuration.0.enabled", "false"), @@ -709,7 +710,7 @@ func TestAccACMPCACertificateAuthority_RevocationOcsp_customCNAME(t *testing.T) func testAccCheckCertificateAuthorityDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) for _, rs := range s.RootModule().Resources { if rs.Type != "aws_acmpca_certificate_authority" { 
diff --git a/internal/service/acmpca/certificate_data_source.go b/internal/service/acmpca/certificate_data_source.go index 578f06a27a0..c6faab0c1ee 100644 --- a/internal/service/acmpca/certificate_data_source.go +++ b/internal/service/acmpca/certificate_data_source.go @@ -5,10 +5,7 @@ package acmpca import ( "context" - "log" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-aws/internal/conns" @@ -16,8 +13,8 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/verify" ) -// @SDKDataSource("aws_acmpca_certificate") -func DataSourceCertificate() *schema.Resource { +// @SDKDataSource("aws_acmpca_certificate", name="Certificate") +func dataSourceCertificate() *schema.Resource { return &schema.Resource{ ReadWithoutTimeout: dataSourceCertificateRead, @@ -27,15 +24,15 @@ func DataSourceCertificate() *schema.Resource { Required: true, ValidateFunc: verify.ValidARN, }, + "certificate": { + Type: schema.TypeString, + Computed: true, + }, "certificate_authority_arn": { Type: schema.TypeString, Required: true, ValidateFunc: verify.ValidARN, }, - "certificate": { - Type: schema.TypeString, - Computed: true, - }, "certificate_chain": { Type: schema.TypeString, Computed: true, 
@@ -46,24 +43,18 @@ func DataSourceCertificate() *schema.Resource { func dataSourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) - certificateARN := d.Get("arn").(string) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) - getCertificateInput := &acmpca.GetCertificateInput{ - CertificateArn: aws.String(certificateARN), - CertificateAuthorityArn: aws.String(d.Get("certificate_authority_arn").(string)), - } - - log.Printf("[DEBUG] Reading ACM PCA Certificate: %s", getCertificateInput) + certificateARN := d.Get("arn").(string) + output, err := findCertificateByTwoPartKey(ctx, conn, certificateARN, d.Get("certificate_authority_arn").(string)) - certificateOutput, err := conn.GetCertificateWithContext(ctx, getCertificateInput) if err != nil { return sdkdiag.AppendErrorf(diags, "reading ACM PCA Certificate (%s): %s", certificateARN, err) } d.SetId(certificateARN) - d.Set("certificate", certificateOutput.Certificate) - d.Set("certificate_chain", certificateOutput.CertificateChain) + d.Set("certificate", output.Certificate) + d.Set("certificate_chain", output.CertificateChain) return diags } diff --git a/internal/service/acmpca/certificate_data_source_test.go b/internal/service/acmpca/certificate_data_source_test.go index b628e9c1b53..f1c5cb89645 100644 --- a/internal/service/acmpca/certificate_data_source_test.go +++ b/internal/service/acmpca/certificate_data_source_test.go @@ -27,7 +27,7 @@ func TestAccACMPCACertificateDataSource_basic(t *testing.T) { Steps: []resource.TestStep{ { Config: testAccCertificateDataSourceConfig_nonExistent, - ExpectError: regexache.MustCompile(`ResourceNotFoundException`), + ExpectError: regexache.MustCompile(`couldn't find resource`), }, { Config: testAccCertificateDataSourceConfig_arn(domain), 
diff --git a/internal/service/acmpca/certificate_test.go b/internal/service/acmpca/certificate_test.go index af8f935414e..028a571675f 100644 --- a/internal/service/acmpca/certificate_test.go +++ b/internal/service/acmpca/certificate_test.go @@ -13,14 +13,14 @@ import ( "time" "github.com/YakDriver/regexache" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" "github.com/hashicorp/terraform-provider-aws/internal/acctest" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs" tfacmpca "github.com/hashicorp/terraform-provider-aws/internal/service/acmpca" + "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/names" ) @@ -28,7 +28,6 @@ func TestAccACMPCACertificate_rootCertificate(t *testing.T) { ctx := acctest.Context(t) resourceName := "aws_acmpca_certificate.test" certificateAuthorityResourceName := "aws_acmpca_certificate_authority.test" - domain := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ @@ -73,7 +72,6 @@ func TestAccACMPCACertificate_rootCertificateWithAPIPassthrough(t *testing.T) { ctx := acctest.Context(t) resourceName := "aws_acmpca_certificate.test" certificateAuthorityResourceName := "aws_acmpca_certificate_authority.test" - domain := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ 
@@ -119,7 +117,6 @@ func TestAccACMPCACertificate_subordinateCertificate(t *testing.T) { resourceName := "aws_acmpca_certificate.test" rootCertificateAuthorityResourceName := "aws_acmpca_certificate_authority.root" subordinateCertificateAuthorityResourceName := "aws_acmpca_certificate_authority.test" - domain := acctest.RandomDomainName() resource.ParallelTest(t, resource.TestCase{ @@ -162,7 +159,6 @@ func TestAccACMPCACertificate_subordinateCertificate(t *testing.T) { func TestAccACMPCACertificate_endEntityCertificate(t *testing.T) { ctx := acctest.Context(t) resourceName := "aws_acmpca_certificate.test" - csrDomain := acctest.RandomDomainName() csr, _ := acctest.TLSRSAX509CertificateRequestPEM(t, 4096, csrDomain) domain := acctest.RandomDomainName() @@ -206,7 +202,6 @@ func TestAccACMPCACertificate_endEntityCertificate(t *testing.T) { func TestAccACMPCACertificate_Validity_endDate(t *testing.T) { ctx := acctest.Context(t) resourceName := "aws_acmpca_certificate.test" - csrDomain := acctest.RandomDomainName() csr, _ := acctest.TLSRSAX509CertificateRequestPEM(t, 4096, csrDomain) domain := acctest.RandomDomainName() @@ -251,7 +246,6 @@ func TestAccACMPCACertificate_Validity_endDate(t *testing.T) { func TestAccACMPCACertificate_Validity_absolute(t *testing.T) { ctx := acctest.Context(t) resourceName := "aws_acmpca_certificate.test" - csrDomain := acctest.RandomDomainName() csr, _ := acctest.TLSRSAX509CertificateRequestPEM(t, 4096, csrDomain) domain := acctest.RandomDomainName() 
@@ -295,63 +289,47 @@ func TestAccACMPCACertificate_Validity_absolute(t *testing.T) { func testAccCheckCertificateDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) for _, rs := range s.RootModule().Resources { if rs.Type != "aws_acmpca_certificate" { continue } - input := &acmpca.GetCertificateInput{ - CertificateArn: aws.String(rs.Primary.ID), - CertificateAuthorityArn: aws.String(rs.Primary.Attributes["certificate_authority_arn"]), - } + _, err := tfacmpca.FindCertificateByTwoPartKey(ctx, conn, rs.Primary.ID, rs.Primary.Attributes["certificate_authority_arn"]) - output, err := conn.GetCertificateWithContext(ctx, input) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { - return nil + if tfresource.NotFound(err) { + continue } - if tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidStateException, "not in the correct state to have issued certificates") { + + if errs.IsAErrorMessageContains[*types.InvalidStateException](err, "not in the correct state to have issued certificates") { // This is returned when checking root certificates and the certificate has not been associated with the certificate authority - return nil + continue } + if err != nil { return err } - if output != nil { - return fmt.Errorf("ACM PCA Certificate (%s) still exists", rs.Primary.ID) - } + return fmt.Errorf("ACM PCA Certificate %s still exists", rs.Primary.ID) } return nil } } -func testAccCheckCertificateExists(ctx context.Context, resourceName string) resource.TestCheckFunc { +func testAccCheckCertificateExists(ctx context.Context, n string) resource.TestCheckFunc { return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[resourceName] + rs, ok := s.RootModule().Resources[n] if !ok { - return fmt.Errorf("Not found: %s", resourceName) - } - - conn := 
acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) - input := &acmpca.GetCertificateInput{ - CertificateArn: aws.String(rs.Primary.ID), - CertificateAuthorityArn: aws.String(rs.Primary.Attributes["certificate_authority_arn"]), + return fmt.Errorf("Not found: %s", n) } - output, err := conn.GetCertificateWithContext(ctx, input) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) - if err != nil { - return err - } + _, err := tfacmpca.FindCertificateByTwoPartKey(ctx, conn, rs.Primary.ID, rs.Primary.Attributes["certificate_authority_arn"]) - if output == nil || output.Certificate == nil { - return fmt.Errorf("ACM PCA Certificate %q does not exist", rs.Primary.ID) - } - - return nil + return err } } @@ -629,22 +607,22 @@ func TestExpandValidityValue(t *testing.T) { Expected int64 }{ { - Type: acmpca.ValidityPeriodTypeEndDate, + Type: string(types.ValidityPeriodTypeEndDate), Value: "2021-02-26T16:04:00Z", Expected: 20210226160400, }, { - Type: acmpca.ValidityPeriodTypeEndDate, + Type: string(types.ValidityPeriodTypeEndDate), Value: "2021-02-26T16:04:00-08:00", Expected: 20210227000400, }, { - Type: acmpca.ValidityPeriodTypeAbsolute, + Type: string(types.ValidityPeriodTypeAbsolute), Value: "1614385420", Expected: 1614385420, }, { - Type: acmpca.ValidityPeriodTypeYears, + Type: string(types.ValidityPeriodTypeYears), Value: "2", Expected: 2, }, diff --git a/internal/service/acmpca/exports.go b/internal/service/acmpca/exports.go new file mode 100644 index 00000000000..e7ce64a37f7 --- /dev/null +++ b/internal/service/acmpca/exports.go @@ -0,0 +1,9 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package acmpca + +// Exports for use in other modules. +var ( + FindCertificateAuthorityByARN = findCertificateAuthorityByARN +) diff --git a/internal/service/acmpca/exports_test.go b/internal/service/acmpca/exports_test.go new file mode 100644 index 00000000000..467bbe075f8 --- /dev/null 
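Review bot: testAccCheckCertificateExists now passes on any nil error from tfacmpca.FindCertificateByTwoPartKey, whereas the removed body also failed when the response carried a nil Certificate; whether that guard survived depends on findCertificateByTwoPartKey, which is not part of this diff. If the finder does not already return an empty-result/NotFound error for a nil Certificate, reinstate the assertion here, e.g. `output, err := tfacmpca.FindCertificateByTwoPartKey(ctx, conn, rs.Primary.ID, rs.Primary.Attributes["certificate_authority_arn"])` followed by `if err == nil && output.Certificate == nil { return fmt.Errorf("ACM PCA Certificate %s has no certificate body", rs.Primary.ID) }`. The `return nil` → `continue` change in testAccCheckCertificateDestroy is a genuine fix: the old loop stopped at the first not-found resource and never checked the remaining ones.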
+++ b/internal/service/acmpca/exports_test.go @@ -0,0 +1,19 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package acmpca + +// Exports for use in tests only. +var ( + ResourceCertificate = resourceCertificate + ResourceCertificateAuthority = resourceCertificateAuthority + ResourceCertificateAuthorityCertificate = resourceCertificateAuthorityCertificate + ResourcePermission = resourcePermission + ResourcePolicy = resourcePolicy + + FindCertificateAuthorityCertificateByARN = findCertificateAuthorityCertificateByARN + FindCertificateByTwoPartKey = findCertificateByTwoPartKey + FindPermissionByThreePartKey = findPermissionByThreePartKey + FindPolicyByARN = findPolicyByARN + ValidTemplateARN = validTemplateARN +) diff --git a/internal/service/acmpca/find.go b/internal/service/acmpca/find.go deleted file mode 100644 index 125eec74adb..00000000000 --- a/internal/service/acmpca/find.go +++ /dev/null 
@@ -1,108 +0,0 @@ -// Copyright (c) HashiCorp, Inc. -// SPDX-License-Identifier: MPL-2.0 - -package acmpca - -import ( - "context" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" - "github.com/hashicorp/terraform-provider-aws/internal/tfresource" -) - -// FindCertificateAuthorityCertificateByARN returns the certificate for the certificate authority corresponding to the specified ARN. -// Returns a retry.NotFoundError if no certificate authority is found or the certificate authority does not have a certificate assigned. -func FindCertificateAuthorityCertificateByARN(ctx context.Context, conn *acmpca.ACMPCA, arn string) (*acmpca.GetCertificateAuthorityCertificateOutput, error) { - input := &acmpca.GetCertificateAuthorityCertificateInput{ - CertificateAuthorityArn: aws.String(arn), - } - - output, err := conn.GetCertificateAuthorityCertificateWithContext(ctx, input) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { - return nil, &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } - if err != nil { - return nil, err - } - - if output == nil { - return nil, &retry.NotFoundError{ - Message: "empty result", - LastRequest: input, - } - } - - return output, nil -} - -func FindPolicyByARN(ctx context.Context, conn *acmpca.ACMPCA, arn string) (string, error) { - input := &acmpca.GetPolicyInput{ - ResourceArn: aws.String(arn), - } - - output, err := conn.GetPolicyWithContext(ctx, input) - - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { - return "", &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } - - if err != nil { - return "", err - } - - if output == nil || output.Policy == nil { - return "", tfresource.NewEmptyResultError(input) - } - - return aws.StringValue(output.Policy), nil -} - -func FindPermission(ctx 
context.Context, conn *acmpca.ACMPCA, certificateAuthorityARN, principal, sourceAccount string) (*acmpca.Permission, error) { - input := &acmpca.ListPermissionsInput{ - CertificateAuthorityArn: aws.String(certificateAuthorityARN), - } - var output []*acmpca.Permission - - err := conn.ListPermissionsPagesWithContext(ctx, input, func(page *acmpca.ListPermissionsOutput, lastPage bool) bool { - if page == nil { - return !lastPage - } - - for _, v := range page.Permissions { - if v != nil { - output = append(output, v) - } - } - - return !lastPage - }) - - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) || - tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidStateException, "The certificate authority is in the DELETED state") { - return nil, &retry.NotFoundError{ - LastError: err, - LastRequest: input, - } - } - - if err != nil { - return nil, err - } - - for _, v := range output { - if aws.StringValue(v.Principal) == principal && (sourceAccount == "" || aws.StringValue(v.SourceAccount) == sourceAccount) { - return v, nil - } - } - - return nil, &retry.NotFoundError{LastRequest: input} -} diff --git a/internal/service/acmpca/generate.go b/internal/service/acmpca/generate.go index af8edc3eb6f..b5ce8b4941a 100644 --- a/internal/service/acmpca/generate.go +++ b/internal/service/acmpca/generate.go 
@@ -1,7 +1,7 @@ // Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 -//go:generate go run ../../generate/tags/main.go -ListTags -ListTagsOp=ListTags -ListTagsOpPaginated -ListTagsInIDElem=CertificateAuthorityArn -ServiceTagsSlice -TagOp=TagCertificateAuthority -TagInIDElem=CertificateAuthorityArn -UntagOp=UntagCertificateAuthority -UntagInNeedTagType -UntagInTagsElem=Tags -UpdateTags +//go:generate go run ../../generate/tags/main.go -ListTags -ListTagsOp=ListTags -ListTagsOpPaginated -ListTagsInIDElem=CertificateAuthorityArn -ServiceTagsSlice -TagOp=TagCertificateAuthority -TagInIDElem=CertificateAuthorityArn -UntagOp=UntagCertificateAuthority -UntagInNeedTagType -UntagInTagsElem=Tags -UpdateTags -AWSSDKVersion=2 //go:generate go run ../../generate/servicepackage/main.go //go:generate go run ../../generate/tagstests/main.go // ONLY generate directives and package declaration! Do not add anything else to this file. diff --git a/internal/service/acmpca/permission.go b/internal/service/acmpca/permission.go index b1dbb20f4fe..0c6f1ade6e3 100644 --- a/internal/service/acmpca/permission.go +++ b/internal/service/acmpca/permission.go 
@@ -5,25 +5,31 @@ package acmpca import ( "context" - "fmt" "log" - "strings" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/enum" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/flex" + tfslices "github.com/hashicorp/terraform-provider-aws/internal/slices" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" ) -// @SDKResource("aws_acmpca_permission") -func ResourcePermission() *schema.Resource { +const ( + permissionResourceIDPartCount = 3 +) + +// @SDKResource("aws_acmpca_permission", name="Permission") +func resourcePermission() *schema.Resource { return &schema.Resource{ CreateWithoutTimeout: resourcePermissionCreate, ReadWithoutTimeout: resourcePermissionRead, @@ -35,8 +41,8 @@ func ResourcePermission() *schema.Resource { Required: true, ForceNew: true, Elem: &schema.Schema{ - Type: schema.TypeString, - ValidateFunc: validation.StringInSlice(acmpca.ActionType_Values(), false), + Type: schema.TypeString, + ValidateDiagFunc: enum.Validate[types.ActionType](), }, }, "certificate_authority_arn": { 
@@ -69,14 +75,14 @@ func ResourcePermission() *schema.Resource { func resourcePermissionCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) caARN := d.Get("certificate_authority_arn").(string) principal := d.Get("principal").(string) sourceAccount := d.Get("source_account").(string) - id := PermissionCreateResourceID(caARN, principal, sourceAccount) + id := errs.Must(flex.FlattenResourceId([]string{caARN, principal, sourceAccount}, permissionResourceIDPartCount, true)) input := &acmpca.CreatePermissionInput{ - Actions: flex.ExpandStringSet(d.Get("actions").(*schema.Set)), + Actions: expandPermissionActions(d.Get("actions").(*schema.Set)), CertificateAuthorityArn: aws.String(caARN), Principal: aws.String(principal), } @@ -85,8 +91,7 @@ func resourcePermissionCreate(ctx context.Context, d *schema.ResourceData, meta input.SourceAccount = aws.String(sourceAccount) } - log.Printf("[DEBUG] Creating ACM PCA Permission: %s", input) - _, err := conn.CreatePermissionWithContext(ctx, input) + _, err := conn.CreatePermission(ctx, input) if err != nil { return sdkdiag.AppendErrorf(diags, "creating ACM PCA Permission (%s): %s", id, err) 
@@ -99,15 +104,15 @@ func resourcePermissionCreate(ctx context.Context, d *schema.ResourceData, meta func resourcePermissionRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) - - caARN, principal, sourceAccount, err := PermissionParseResourceID(d.Id()) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) + parts, err := flex.ExpandResourceId(d.Id(), permissionResourceIDPartCount, true) if err != nil { - return sdkdiag.AppendErrorf(diags, "reading ACM PCA Permission (%s): %s", d.Id(), err) + return sdkdiag.AppendFromErr(diags, err) } - permission, err := FindPermission(ctx, conn, caARN, principal, sourceAccount) + caARN, principal, sourceAccount := parts[0], parts[1], parts[2] + permission, err := findPermissionByThreePartKey(ctx, conn, caARN, principal, sourceAccount) if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] ACM PCA Permission (%s) not found, removing from state", d.Id()) @@ -119,7 +124,7 @@ func resourcePermissionRead(ctx context.Context, d *schema.ResourceData, meta in return sdkdiag.AppendErrorf(diags, "reading ACM PCA Permission (%s): %s", d.Id(), err) } - d.Set("actions", aws.StringValueSlice(permission.Actions)) + d.Set("actions", flattenPermissionActions(permission.Actions)) d.Set("certificate_authority_arn", permission.CertificateAuthorityArn) d.Set("policy", permission.Policy) d.Set("principal", permission.Principal) 
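Review bot: The ID parsing in resourcePermissionRead no longer rejects an empty certificate authority ARN or principal: flex.ExpandResourceId is called with its third argument set to true, and if that flag permits empty parts (which its use in place of the removed PermissionParseResourceID, which required parts[0] and parts[1] to be non-empty, suggests), a hand-edited or imported ID such as `,acm.amazonaws.com,` reaches findPermissionByThreePartKey with a blank CA ARN and fails with an opaque API validation error instead of a clear format error. Only the source account is legitimately optional here. Add an explicit check after the split: `if caARN == "" || principal == "" { return sdkdiag.AppendErrorf(diags, "unexpected format for ID (%s), expected CertificateAuthorityARN,Principal[,SourceAccount]", d.Id()) }`. The same applies to resourcePermissionDelete in the following hunk.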
@@ -130,14 +135,14 @@ func resourcePermissionRead(ctx context.Context, d *schema.ResourceData, meta in func resourcePermissionDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) - - caARN, principal, sourceAccount, err := PermissionParseResourceID(d.Id()) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) + parts, err := flex.ExpandResourceId(d.Id(), permissionResourceIDPartCount, true) if err != nil { - return sdkdiag.AppendErrorf(diags, "deleting ACM PCA Permission (%s): %s", d.Id(), err) + return sdkdiag.AppendFromErr(diags, err) } + caARN, principal, sourceAccount := parts[0], parts[1], parts[2] input := &acmpca.DeletePermissionInput{ CertificateAuthorityArn: aws.String(caARN), Principal: aws.String(principal), @@ -148,9 +153,9 @@ func resourcePermissionDelete(ctx context.Context, d *schema.ResourceData, meta } log.Printf("[DEBUG] Deleting ACM PCA Permission: %s", d.Id()) - _, err = conn.DeletePermissionWithContext(ctx, input) + _, err = conn.DeletePermission(ctx, input) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) { + if errs.IsA[*types.ResourceNotFoundException](err) { return diags } 
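Review bot: resourcePermissionDelete treats only ResourceNotFoundException as already-gone, while findPermissions in the next hunk also maps an InvalidStateException whose message contains "The certificate authority is in the DELETED state" to not-found; a permission whose CA was deleted out of band is therefore dropped from state on refresh but would fail on a delete run that skips refresh. For symmetry, widen the guard after DeletePermission: `if errs.IsA[*types.ResourceNotFoundException](err) || errs.IsAErrorMessageContains[*types.InvalidStateException](err, "The certificate authority is in the DELETED state") { return diags }`. Whether DeletePermission actually returns that exception for a deleted CA is inferred from the ListPermissions handling and should be confirmed against the API before relying on it.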
@@ -161,21 +166,73 @@ func resourcePermissionDelete(ctx context.Context, d *schema.ResourceData, meta return diags } -const permissionIDSeparator = "," +func findPermissionByThreePartKey(ctx context.Context, conn *acmpca.Client, certificateAuthorityARN, principal, sourceAccount string) (*types.Permission, error) { + input := &acmpca.ListPermissionsInput{ + CertificateAuthorityArn: aws.String(certificateAuthorityARN), + } + + return findPermission(ctx, conn, input, func(v *types.Permission) bool { + return aws.ToString(v.Principal) == principal && (sourceAccount == "" || aws.ToString(v.SourceAccount) == sourceAccount) + }) +} + +func findPermission(ctx context.Context, conn *acmpca.Client, input *acmpca.ListPermissionsInput, filter tfslices.Predicate[*types.Permission]) (*types.Permission, error) { + output, err := findPermissions(ctx, conn, input, filter) -func PermissionCreateResourceID(caARN, principal, sourceAccount string) string { - parts := []string{caARN, principal, sourceAccount} - id := strings.Join(parts, permissionIDSeparator) + if err != nil { + return nil, err + } + + return tfresource.AssertSingleValueResult(output) +} + +func findPermissions(ctx context.Context, conn *acmpca.Client, input *acmpca.ListPermissionsInput, filter tfslices.Predicate[*types.Permission]) ([]types.Permission, error) { + var output []types.Permission + + pages := acmpca.NewListPermissionsPaginator(conn, input) + for pages.HasMorePages() { + page, err := pages.NextPage(ctx) + + if errs.IsAErrorMessageContains[*types.InvalidStateException](err, "The certificate authority is in the DELETED state") { + return nil, &retry.NotFoundError{ + LastError: err, + LastRequest: input, + } + } + + if err != nil { + return nil, err + } + + for _, v := range page.Permissions { + if filter(&v) { + output = append(output, v) + } + } + } - return id + return output, nil } -func PermissionParseResourceID(id string) (string, string, string, error) { - parts := strings.Split(id, 
permissionIDSeparator) +func expandPermissionActions(s *schema.Set) []types.ActionType { + actions := make([]types.ActionType, 0) - if len(parts) == 3 && parts[0] != "" && parts[1] != "" { - return parts[0], parts[1], parts[2], nil + for _, a := range s.List() { + action := types.ActionType(a.(string)) + actions = append(actions, action) } + return actions +} - return "", "", "", fmt.Errorf("unexpected format for ID (%[1]s), expected CertificateAuthorityARN%[2]sPrincipal%[2]sSourceAccount", id, permissionIDSeparator) +func flattenPermissionActions(list []types.ActionType) []string { + if len(list) == 0 { + return nil + } + + result := make([]string, 0, len(list)) + for _, a := range list { + action := string(a) + result = append(result, action) + } + return result } diff --git a/internal/service/acmpca/permission_test.go b/internal/service/acmpca/permission_test.go index 4ab625fa791..bd00efb87a5 100644 --- a/internal/service/acmpca/permission_test.go +++ b/internal/service/acmpca/permission_test.go @@ -8,7 +8,7 @@ import ( "fmt" "testing" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" "github.com/hashicorp/terraform-provider-aws/internal/acctest" @@ -20,7 +20,7 @@ import ( func TestAccACMPCAPermission_basic(t *testing.T) { ctx := acctest.Context(t) - var permission acmpca.Permission + var permission types.Permission resourceName := "aws_acmpca_permission.test" commonName := acctest.RandomDomainName() @@ -49,7 +49,7 @@ func TestAccACMPCAPermission_basic(t *testing.T) { func TestAccACMPCAPermission_disappears(t *testing.T) { ctx := acctest.Context(t) - var permission acmpca.Permission + var permission types.Permission resourceName := "aws_acmpca_permission.test" commonName := acctest.RandomDomainName() 
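Review bot: findPermissionByThreePartKey treats an empty sourceAccount as a wildcard (`aws.ToString(v.Principal) == principal && (sourceAccount == "" || aws.ToString(v.SourceAccount) == sourceAccount)`), so a permission resource created without source_account matches whatever permission the CA holds for that principal, whichever account it was granted to; with more than one such permission the single-value assertion in findPermission presumably fails with a multiple-results error instead of returning the caller's own grant. This appears inherited from the old FindPermission, whose body is not in the diff, but the new function carries no comment saying so. Suggest adding above it: `// sourceAccount may be empty, in which case any permission for principal on the CA matches.`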
@@ -73,7 +73,7 @@ func TestAccACMPCAPermission_disappears(t *testing.T) { func TestAccACMPCAPermission_sourceAccount(t *testing.T) { ctx := acctest.Context(t) - var permission acmpca.Permission + var permission types.Permission resourceName := "aws_acmpca_permission.test" commonName := acctest.RandomDomainName() @@ -96,20 +96,14 @@ func TestAccACMPCAPermission_sourceAccount(t *testing.T) { func testAccCheckPermissionDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) for _, rs := range s.RootModule().Resources { if rs.Type != "aws_acmpca_permission" { continue } - caARN, principal, sourceAccount, err := tfacmpca.PermissionParseResourceID(rs.Primary.ID) - - if err != nil { - return err - } - - _, err = tfacmpca.FindPermission(ctx, conn, caARN, principal, sourceAccount) + _, err := tfacmpca.FindPermissionByThreePartKey(ctx, conn, rs.Primary.Attributes["certificate_authority_arn"], rs.Primary.Attributes["principal"], rs.Primary.Attributes["source_account"]) if tfresource.NotFound(err) { continue 
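Review bot: The destroy check calls `tfacmpca.FindPermissionByThreePartKey` (as do testAccCheckPermissionExists below and policy_test.go with `tfacmpca.FindPolicyByARN`), but what this diff adds to the package are the unexported `findPermissionByThreePartKey` and `findPolicyByARN`; unless the package's exports_test.go, which is not part of this diff, aliases them, the test package will not compile. Separately, `rs.Primary.Attributes["source_account"]` is the empty string when the attribute was never set, which turns the lookup into a principal-only match — harmless for a destroy check, but worth a one-line comment such as `// an unset source_account matches any source account for the principal` so the predicate is not tightened later without noticing the tests rely on it.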
@@ -126,26 +120,16 @@ func testAccCheckPermissionDestroy(ctx context.Context) resource.TestCheckFunc { } } -func testAccCheckPermissionExists(ctx context.Context, n string, v *acmpca.Permission) resource.TestCheckFunc { +func testAccCheckPermissionExists(ctx context.Context, n string, v *types.Permission) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { return fmt.Errorf("Not found: %s", n) } - if rs.Primary.ID == "" { - return fmt.Errorf("No ACM PCA Permission ID is set") - } - - caARN, principal, sourceAccount, err := tfacmpca.PermissionParseResourceID(rs.Primary.ID) - - if err != nil { - return err - } - - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) - output, err := tfacmpca.FindPermission(ctx, conn, caARN, principal, sourceAccount) + output, err := tfacmpca.FindPermissionByThreePartKey(ctx, conn, rs.Primary.Attributes["certificate_authority_arn"], rs.Primary.Attributes["principal"], rs.Primary.Attributes["source_account"]) if err != nil { return err diff --git a/internal/service/acmpca/policy.go b/internal/service/acmpca/policy.go index 2633fc3ae09..23e3fb281f7 100644 --- a/internal/service/acmpca/policy.go +++ b/internal/service/acmpca/policy.go 
@@ -7,21 +7,23 @@ import ( "context" "log" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs" "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag" "github.com/hashicorp/terraform-provider-aws/internal/tfresource" "github.com/hashicorp/terraform-provider-aws/internal/verify" ) -// @SDKResource("aws_acmpca_policy") -func ResourcePolicy() *schema.Resource { +// @SDKResource("aws_acmpca_policy", name="Policy") +func resourcePolicy() *schema.Resource { return &schema.Resource{ CreateWithoutTimeout: resourcePolicyPut, ReadWithoutTimeout: resourcePolicyRead, @@ -55,12 +57,11 @@ func ResourcePolicy() *schema.Resource { func resourcePolicyPut(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) policy, err := structure.NormalizeJsonString(d.Get("policy").(string)) - if err != nil { - return sdkdiag.AppendErrorf(diags, "policy (%s) is invalid JSON: %s", d.Get("policy").(string), err) + return sdkdiag.AppendFromErr(diags, err) } resourceARN := d.Get("resource_arn").(string) 
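Review bot: Returning the `structure.NormalizeJsonString` error bare via `sdkdiag.AppendFromErr` drops the only hint that it was the `policy` attribute that failed to parse; the old diagnostic named the attribute. Naming it without echoing the whole document is enough: `return sdkdiag.AppendErrorf(diags, "policy is invalid JSON: %s", err)`. resourcePolicyPut continues past the end of this hunk.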
@@ -69,23 +70,24 @@ func resourcePolicyPut(ctx context.Context, d *schema.ResourceData, meta interfa ResourceArn: aws.String(resourceARN), } - log.Printf("[DEBUG] Putting ACM PCA Policy: %s", input) - _, err = conn.PutPolicyWithContext(ctx, input) + _, err = conn.PutPolicy(ctx, input) if err != nil { return sdkdiag.AppendErrorf(diags, "putting ACM PCA Policy (%s): %s", resourceARN, err) } - d.SetId(resourceARN) + if d.IsNewResource() { + d.SetId(resourceARN) + } return append(diags, resourcePolicyRead(ctx, d, meta)...) } func resourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) - policy, err := FindPolicyByARN(ctx, conn, d.Id()) + policy, err := findPolicyByARN(ctx, conn, d.Id()) if !d.IsNewResource() && tfresource.NotFound(err) { log.Printf("[WARN] ACM PCA Policy (%s) not found, removing from state", d.Id()) 
@@ -105,17 +107,17 @@ func resourcePolicyRead(ctx context.Context, d *schema.ResourceData, meta interf func resourcePolicyDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { var diags diag.Diagnostics - conn := meta.(*conns.AWSClient).ACMPCAConn(ctx) + conn := meta.(*conns.AWSClient).ACMPCAClient(ctx) log.Printf("[DEBUG] Deleting ACM PCA Policy: %s", d.Id()) - _, err := conn.DeletePolicyWithContext(ctx, &acmpca.DeletePolicyInput{ + _, err := conn.DeletePolicy(ctx, &acmpca.DeletePolicyInput{ ResourceArn: aws.String(d.Id()), }) - if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) || - tfawserr.ErrCodeEquals(err, acmpca.ErrCodeRequestAlreadyProcessedException) || - tfawserr.ErrCodeEquals(err, acmpca.ErrCodeRequestInProgressException) || - tfawserr.ErrMessageContains(err, acmpca.ErrCodeInvalidRequestException, "Self-signed policy can not be revoked") { + if errs.IsA[*types.ResourceNotFoundException](err) || + errs.IsA[*types.RequestAlreadyProcessedException](err) || + errs.IsA[*types.RequestInProgressException](err) || + errs.IsAErrorMessageContains[*types.InvalidRequestException](err, "Self-signed policy can not be revoked") { return diags } @@ -125,3 +127,28 @@ func resourcePolicyDelete(ctx context.Context, d *schema.ResourceData, meta inte return diags } + +func findPolicyByARN(ctx context.Context, conn *acmpca.Client, arn string) (*string, error) { + input := &acmpca.GetPolicyInput{ + ResourceArn: aws.String(arn), + } + + output, err := conn.GetPolicy(ctx, input) + + if errs.IsA[*types.ResourceNotFoundException](err) { + return nil, &retry.NotFoundError{ + LastError: err, + LastRequest: input, + } + } + + if err != nil { + return nil, err + } + + if output == nil || output.Policy == nil { + return nil, tfresource.NewEmptyResultError(input) + } + + return output.Policy, nil +} diff --git a/internal/service/acmpca/policy_test.go b/internal/service/acmpca/policy_test.go index 26d34d914fa..285191fc861 100644 
--- a/internal/service/acmpca/policy_test.go +++ b/internal/service/acmpca/policy_test.go @@ -45,7 +45,7 @@ func TestAccACMPCAPolicy_basic(t *testing.T) { func testAccCheckPolicyDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) for _, rs := range s.RootModule().Resources { if rs.Type != "aws_acmpca_policy" { @@ -76,11 +76,7 @@ func testAccCheckPolicyExists(ctx context.Context, n string) resource.TestCheckF return fmt.Errorf("Not found: %s", n) } - if rs.Primary.ID == "" { - return fmt.Errorf("No ACM PCA Policy ID is set") - } - - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) _, err := tfacmpca.FindPolicyByARN(ctx, conn, rs.Primary.ID) diff --git a/internal/service/acmpca/service_endpoints_gen_test.go b/internal/service/acmpca/service_endpoints_gen_test.go index 639dfece1b6..80976b29c9b 100644 --- a/internal/service/acmpca/service_endpoints_gen_test.go +++ b/internal/service/acmpca/service_endpoints_gen_test.go @@ -4,17 +4,17 @@ package acmpca_test import ( "context" + "errors" "fmt" "maps" - "net/url" "os" "path/filepath" "reflect" "strings" "testing" - "github.com/aws/aws-sdk-go/aws/endpoints" - acmpca_sdkv1 "github.com/aws/aws-sdk-go/service/acmpca" + aws_sdkv2 "github.com/aws/aws-sdk-go-v2/aws" + acmpca_sdkv2 "github.com/aws/aws-sdk-go-v2/service/acmpca" "github.com/aws/smithy-go/middleware" smithyhttp "github.com/aws/smithy-go/transport/http" "github.com/google/go-cmp/cmp" 
@@ -212,32 +212,42 @@ func TestEndpointConfiguration(t *testing.T) { //nolint:paralleltest // uses t.S } func defaultEndpoint(region string) string { - r := endpoints.DefaultResolver() + r := acmpca_sdkv2.NewDefaultEndpointResolverV2() - ep, err := r.EndpointFor(acmpca_sdkv1.EndpointsID, region) + ep, err := r.ResolveEndpoint(context.Background(), acmpca_sdkv2.EndpointParameters{ + Region: aws_sdkv2.String(region), + }) if err != nil { return err.Error() } - url, _ := url.Parse(ep.URL) - - if url.Path == "" { - url.Path = "/" + if ep.URI.Path == "" { + ep.URI.Path = "/" } - return url.String() + return ep.URI.String() } func callService(ctx context.Context, t *testing.T, meta *conns.AWSClient) string { t.Helper() - client := meta.ACMPCAConn(ctx) - - req, _ := client.ListCertificateAuthoritiesRequest(&acmpca_sdkv1.ListCertificateAuthoritiesInput{}) + var endpoint string - req.HTTPRequest.URL.Path = "/" + client := meta.ACMPCAClient(ctx) - endpoint := req.HTTPRequest.URL.String() + _, err := client.ListCertificateAuthorities(ctx, &acmpca_sdkv2.ListCertificateAuthoritiesInput{}, + func(opts *acmpca_sdkv2.Options) { + opts.APIOptions = append(opts.APIOptions, + addRetrieveEndpointURLMiddleware(t, &endpoint), + addCancelRequestMiddleware(), + ) + }, + ) + if err == nil { + t.Fatal("Expected an error, got none") + } else if !errors.Is(err, errCancelOperation) { + t.Fatalf("Unexpected error: %s", err) + } return endpoint } diff --git a/internal/service/acmpca/service_package_gen.go b/internal/service/acmpca/service_package_gen.go index 04a2de126a2..2d28a5e8c3c 100644 --- a/internal/service/acmpca/service_package_gen.go +++ b/internal/service/acmpca/service_package_gen.go 
@@ -5,9 +5,8 @@ package acmpca import ( "context" - aws_sdkv1 "github.com/aws/aws-sdk-go/aws" - session_sdkv1 "github.com/aws/aws-sdk-go/aws/session" - acmpca_sdkv1 "github.com/aws/aws-sdk-go/service/acmpca" + aws_sdkv2 "github.com/aws/aws-sdk-go-v2/aws" + acmpca_sdkv2 "github.com/aws/aws-sdk-go-v2/service/acmpca" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/types" "github.com/hashicorp/terraform-provider-aws/names" @@ -26,12 +25,17 @@ func (p *servicePackage) FrameworkResources(ctx context.Context) []*types.Servic func (p *servicePackage) SDKDataSources(ctx context.Context) []*types.ServicePackageSDKDataSource { return []*types.ServicePackageSDKDataSource{ { - Factory: DataSourceCertificate, + Factory: dataSourceCertificate, TypeName: "aws_acmpca_certificate", + Name: "Certificate", }, { - Factory: DataSourceCertificateAuthority, + Factory: dataSourceCertificateAuthority, TypeName: "aws_acmpca_certificate_authority", + Name: "Certificate Authority", + Tags: &types.ServicePackageResourceTags{ + IdentifierAttribute: "arn", + }, }, } } @@ -39,11 +43,12 @@ func (p *servicePackage) SDKDataSources(ctx context.Context) []*types.ServicePac func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePackageSDKResource { return []*types.ServicePackageSDKResource{ { - Factory: ResourceCertificate, + Factory: resourceCertificate, TypeName: "aws_acmpca_certificate", + Name: "Certificate", }, { - Factory: ResourceCertificateAuthority, + Factory: resourceCertificateAuthority, TypeName: "aws_acmpca_certificate_authority", Name: "Certificate Authority", Tags: &types.ServicePackageResourceTags{ 
@@ -51,16 +56,19 @@ func (p *servicePackage) SDKResources(ctx context.Context) []*types.ServicePacka }, }, { - Factory: ResourceCertificateAuthorityCertificate, + Factory: resourceCertificateAuthorityCertificate, TypeName: "aws_acmpca_certificate_authority_certificate", + Name: "Certificate Authority Certificate", }, { - Factory: ResourcePermission, + Factory: resourcePermission, TypeName: "aws_acmpca_permission", + Name: "Permission", }, { - Factory: ResourcePolicy, + Factory: resourcePolicy, TypeName: "aws_acmpca_policy", + Name: "Policy", }, } } @@ -69,11 +77,15 @@ func (p *servicePackage) ServicePackageName() string { return names.ACMPCA } -// NewConn returns a new AWS SDK for Go v1 client for this service package's AWS API. -func (p *servicePackage) NewConn(ctx context.Context, config map[string]any) (*acmpca_sdkv1.ACMPCA, error) { - sess := config["session"].(*session_sdkv1.Session) +// NewClient returns a new AWS SDK for Go v2 client for this service package's AWS API. +func (p *servicePackage) NewClient(ctx context.Context, config map[string]any) (*acmpca_sdkv2.Client, error) { + cfg := *(config["aws_sdkv2_config"].(*aws_sdkv2.Config)) - return acmpca_sdkv1.New(sess.Copy(&aws_sdkv1.Config{Endpoint: aws_sdkv1.String(config["endpoint"].(string))})), nil + return acmpca_sdkv2.NewFromConfig(cfg, func(o *acmpca_sdkv2.Options) { + if endpoint := config["endpoint"].(string); endpoint != "" { + o.BaseEndpoint = aws_sdkv2.String(endpoint) + } + }), nil } func ServicePackage(ctx context.Context) conns.ServicePackage { diff --git a/internal/service/acmpca/sweep.go b/internal/service/acmpca/sweep.go index d5deb97e471..478ebb8c0bd 100644 --- a/internal/service/acmpca/sweep.go +++ b/internal/service/acmpca/sweep.go 
@@ -7,11 +7,12 @@ import ( "fmt" "log" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + awstypes "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-provider-aws/internal/sweep" - "github.com/hashicorp/terraform-provider-aws/internal/sweep/awsv1" + "github.com/hashicorp/terraform-provider-aws/internal/sweep/awsv2" ) func RegisterSweepers() { 
@@ -28,40 +29,37 @@ func sweepCertificateAuthorities(region string) error { return fmt.Errorf("error getting client: %w", err) } input := &acmpca.ListCertificateAuthoritiesInput{} - conn := client.ACMPCAConn(ctx) + conn := client.ACMPCAClient(ctx) sweepResources := make([]sweep.Sweepable, 0) - err = conn.ListCertificateAuthoritiesPagesWithContext(ctx, input, func(page *acmpca.ListCertificateAuthoritiesOutput, lastPage bool) bool { - if page == nil { - return !lastPage + paginator := acmpca.NewListCertificateAuthoritiesPaginator(conn, input) + for paginator.HasMorePages() { + page, err := paginator.NextPage(ctx) + + if awsv2.SkipSweepError(err) { + log.Printf("[WARN] Skipping ACM PCA Certificate Authority sweep for %s: %s", region, err) + return nil + } + + if err != nil { + return fmt.Errorf("error listing ACM PCA Certificate Authorities (%s): %w", region, err) } for _, v := range page.CertificateAuthorities { - arn := aws.StringValue(v.Arn) + arn := aws.ToString(v.Arn) - if status := aws.StringValue(v.Status); status == acmpca.CertificateAuthorityStatusDeleted { - log.Printf("[INFO] Skipping ACM PCA Certificate Authority %s: Status=%s", arn, status) + if v.Status == awstypes.CertificateAuthorityStatusDeleted { + log.Printf("[INFO] Skipping ACM PCA Certificate Authority %s: Status=%s", arn, string(v.Status)) continue } - r := ResourceCertificateAuthority() + r := resourceCertificateAuthority() d := r.Data(nil) d.SetId(arn) d.Set("permanent_deletion_time_in_days", 7) //nolint:gomnd sweepResources = append(sweepResources, sweep.NewSweepResource(r, d, client)) } - - return !lastPage - }) - - if awsv1.SkipSweepError(err) { - log.Printf("[WARN] Skipping ACM PCA Certificate Authority sweep for %s: %s", region, err) - return nil - } - - if err != nil { - return fmt.Errorf("error listing ACM PCA Certificate Authorities (%s): %w", region, err) } err = sweep.SweepOrchestrator(ctx, sweepResources) 
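Review bot: `string(v.Status)` in the skip log line is a redundant conversion; `awstypes.CertificateAuthorityStatus` is a string-kinded type and `%s` formats it directly, so `log.Printf("[INFO] Skipping ACM PCA Certificate Authority %s: Status=%s", arn, v.Status)` reads cleaner. The same `string(...)` wrap appears in the guardduty destroy check in filter_test.go. The paginator loop itself looks right; `page, err :=` shadows the function-level err, which is fine here because the post-loop `err = sweep.SweepOrchestrator(...)` assigns the outer one. sweepCertificateAuthorities starts and ends outside this hunk.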
diff --git a/internal/service/acmpca/tags_gen.go b/internal/service/acmpca/tags_gen.go index 04f3ca619f3..9fd349d0f9f 100644 --- a/internal/service/acmpca/tags_gen.go +++ b/internal/service/acmpca/tags_gen.go @@ -5,9 +5,9 @@ import ( "context" "fmt" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/aws/aws-sdk-go/service/acmpca/acmpcaiface" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + awstypes "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/terraform-plugin-log/tflog" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/logging" @@ -19,28 +19,23 @@ import ( // listTags lists acmpca service tags. // The identifier is typically the Amazon Resource Name (ARN), although // it may also be a different identifier depending on the service. -func listTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier string) (tftags.KeyValueTags, error) { +func listTags(ctx context.Context, conn *acmpca.Client, identifier string, optFns ...func(*acmpca.Options)) (tftags.KeyValueTags, error) { input := &acmpca.ListTagsInput{ CertificateAuthorityArn: aws.String(identifier), } - var output []*acmpca.Tag + var output []awstypes.Tag - err := conn.ListTagsPagesWithContext(ctx, input, func(page *acmpca.ListTagsOutput, lastPage bool) bool { - if page == nil { - return !lastPage + pages := acmpca.NewListTagsPaginator(conn, input) + for pages.HasMorePages() { + page, err := pages.NextPage(ctx, optFns...) + + if err != nil { + return tftags.New(ctx, nil), err } for _, v := range page.Tags { - if v != nil { - output = append(output, v) - } + output = append(output, v) } - - return !lastPage - }) - - if err != nil { - return tftags.New(ctx, nil), err } return KeyValueTags(ctx, output), nil 
@@ -49,7 +44,7 @@ func listTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier string // ListTags lists acmpca service tags and set them in Context. // It is called from outside this package. func (p *servicePackage) ListTags(ctx context.Context, meta any, identifier string) error { - tags, err := listTags(ctx, meta.(*conns.AWSClient).ACMPCAConn(ctx), identifier) + tags, err := listTags(ctx, meta.(*conns.AWSClient).ACMPCAClient(ctx), identifier) if err != nil { return err @@ -65,11 +60,11 @@ func (p *servicePackage) ListTags(ctx context.Context, meta any, identifier stri // []*SERVICE.Tag handling // Tags returns acmpca service tags. -func Tags(tags tftags.KeyValueTags) []*acmpca.Tag { - result := make([]*acmpca.Tag, 0, len(tags)) +func Tags(tags tftags.KeyValueTags) []awstypes.Tag { + result := make([]awstypes.Tag, 0, len(tags)) for k, v := range tags.Map() { - tag := &acmpca.Tag{ + tag := awstypes.Tag{ Key: aws.String(k), Value: aws.String(v), } @@ -81,11 +76,11 @@ func Tags(tags tftags.KeyValueTags) []*acmpca.Tag { } // KeyValueTags creates tftags.KeyValueTags from acmpca service tags. -func KeyValueTags(ctx context.Context, tags []*acmpca.Tag) tftags.KeyValueTags { +func KeyValueTags(ctx context.Context, tags []awstypes.Tag) tftags.KeyValueTags { m := make(map[string]*string, len(tags)) for _, tag := range tags { - m[aws.StringValue(tag.Key)] = tag.Value + m[aws.ToString(tag.Key)] = tag.Value } return tftags.New(ctx, m) @@ -93,7 +88,7 @@ func KeyValueTags(ctx context.Context, tags []*acmpca.Tag) tftags.KeyValueTags { // getTagsIn returns acmpca service tags from Context. // nil is returned if there are no input tags. -func getTagsIn(ctx context.Context) []*acmpca.Tag { +func getTagsIn(ctx context.Context) []awstypes.Tag { if inContext, ok := tftags.FromContext(ctx); ok { if tags := Tags(inContext.TagsIn.UnwrapOrDefault()); len(tags) > 0 { return tags 
@@ -104,7 +99,7 @@ func getTagsIn(ctx context.Context) []*acmpca.Tag { } // setTagsOut sets acmpca service tags in Context. -func setTagsOut(ctx context.Context, tags []*acmpca.Tag) { +func setTagsOut(ctx context.Context, tags []awstypes.Tag) { if inContext, ok := tftags.FromContext(ctx); ok { inContext.TagsOut = option.Some(KeyValueTags(ctx, tags)) } @@ -113,7 +108,7 @@ func setTagsOut(ctx context.Context, tags []*acmpca.Tag) { // updateTags updates acmpca service tags. // The identifier is typically the Amazon Resource Name (ARN), although // it may also be a different identifier depending on the service. -func updateTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier string, oldTagsMap, newTagsMap any) error { +func updateTags(ctx context.Context, conn *acmpca.Client, identifier string, oldTagsMap, newTagsMap any, optFns ...func(*acmpca.Options)) error { oldTags := tftags.New(ctx, oldTagsMap) newTags := tftags.New(ctx, newTagsMap) @@ -127,7 +122,7 @@ func updateTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier stri Tags: Tags(removedTags), } - _, err := conn.UntagCertificateAuthorityWithContext(ctx, input) + _, err := conn.UntagCertificateAuthority(ctx, input, optFns...) if err != nil { return fmt.Errorf("untagging resource (%s): %w", identifier, err) @@ -142,7 +137,7 @@ func updateTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier stri Tags: Tags(updatedTags), } - _, err := conn.TagCertificateAuthorityWithContext(ctx, input) + _, err := conn.TagCertificateAuthority(ctx, input, optFns...) if err != nil { return fmt.Errorf("tagging resource (%s): %w", identifier, err) 
@@ -155,5 +150,5 @@ func updateTags(ctx context.Context, conn acmpcaiface.ACMPCAAPI, identifier stri // UpdateTags updates acmpca service tags. // It is called from outside this package. func (p *servicePackage) UpdateTags(ctx context.Context, meta any, identifier string, oldTags, newTags any) error { - return updateTags(ctx, meta.(*conns.AWSClient).ACMPCAConn(ctx), identifier, oldTags, newTags) + return updateTags(ctx, meta.(*conns.AWSClient).ACMPCAClient(ctx), identifier, oldTags, newTags) } diff --git a/internal/service/appmesh/virtual_gateway_test.go b/internal/service/appmesh/virtual_gateway_test.go index da31755e0cb..49216e6c4ee 100644 --- a/internal/service/appmesh/virtual_gateway_test.go +++ b/internal/service/appmesh/virtual_gateway_test.go @@ -8,7 +8,7 @@ import ( "fmt" "testing" - "github.com/aws/aws-sdk-go/service/acmpca" + acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/aws/aws-sdk-go/service/appmesh" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" @@ -414,7 +414,7 @@ func testAccVirtualGateway_ListenerHealthChecks(t *testing.T) { func testAccVirtualGateway_ListenerTLS(t *testing.T) { ctx := acctest.Context(t) var v appmesh.VirtualGatewayData - var ca acmpca.CertificateAuthority + var ca acmpca_types.CertificateAuthority resourceName := "aws_appmesh_virtual_gateway.test" acmCAResourceName := "aws_acmpca_certificate_authority.test" acmCertificateResourceName := "aws_acm_certificate.test" diff --git a/internal/service/appmesh/virtual_node_test.go b/internal/service/appmesh/virtual_node_test.go index aebfa0fe436..ad2bbc0e286 100644 --- a/internal/service/appmesh/virtual_node_test.go +++ b/internal/service/appmesh/virtual_node_test.go 
@@ -8,7 +8,7 @@ import ( "fmt" "testing" - "github.com/aws/aws-sdk-go/service/acmpca" + acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/aws/aws-sdk-go/service/appmesh" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" @@ -91,7 +91,7 @@ func testAccVirtualNode_disappears(t *testing.T) { func testAccVirtualNode_backendClientPolicyACM(t *testing.T) { ctx := acctest.Context(t) var vn appmesh.VirtualNodeData - var ca acmpca.CertificateAuthority + var ca acmpca_types.CertificateAuthority resourceName := "aws_appmesh_virtual_node.test" acmCAResourceName := "aws_acmpca_certificate_authority.test" @@ -908,7 +908,7 @@ func testAccVirtualNode_listenerTimeout(t *testing.T) { func testAccVirtualNode_listenerTLS(t *testing.T) { ctx := acctest.Context(t) var vn appmesh.VirtualNodeData - var ca acmpca.CertificateAuthority + var ca acmpca_types.CertificateAuthority resourceName := "aws_appmesh_virtual_node.test" acmCAResourceName := "aws_acmpca_certificate_authority.test" acmCertificateResourceName := "aws_acm_certificate.test" diff --git a/internal/service/cloudhsmv2/tags_gen.go b/internal/service/cloudhsmv2/tags_gen.go index 96ef3b686cf..7ab40287af9 100644 --- a/internal/service/cloudhsmv2/tags_gen.go +++ b/internal/service/cloudhsmv2/tags_gen.go @@ -27,7 +27,7 @@ func listTags(ctx context.Context, conn *cloudhsmv2.Client, identifier string, o pages := cloudhsmv2.NewListTagsPaginator(conn, input) for pages.HasMorePages() { - page, err := pages.NextPage(ctx) + page, err := pages.NextPage(ctx, optFns...) if err != nil { return tftags.New(ctx, nil), err diff --git a/internal/service/cloudtrail/tags_gen.go b/internal/service/cloudtrail/tags_gen.go index 4dd78360e0b..35a2bceec7e 100644 --- a/internal/service/cloudtrail/tags_gen.go +++ b/internal/service/cloudtrail/tags_gen.go 
@@ -27,7 +27,7 @@ func listTags(ctx context.Context, conn *cloudtrail.Client, identifier string, o pages := cloudtrail.NewListTagsPaginator(conn, input) for pages.HasMorePages() { - page, err := pages.NextPage(ctx) + page, err := pages.NextPage(ctx, optFns...) if err != nil { return tftags.New(ctx, nil), err diff --git a/internal/service/ec2/vpnsite_customer_gateway_test.go b/internal/service/ec2/vpnsite_customer_gateway_test.go index a43588e1d69..f56781e6cf4 100644 --- a/internal/service/ec2/vpnsite_customer_gateway_test.go +++ b/internal/service/ec2/vpnsite_customer_gateway_test.go @@ -10,7 +10,7 @@ import ( "testing" "github.com/YakDriver/regexache" - "github.com/aws/aws-sdk-go/service/acmpca" + acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/aws/aws-sdk-go/service/ec2" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" @@ -184,8 +184,8 @@ func TestAccSiteVPNCustomerGateway_4ByteASN(t *testing.T) { func TestAccSiteVPNCustomerGateway_certificate(t *testing.T) { ctx := acctest.Context(t) var gateway ec2.CustomerGateway - var caRoot acmpca.CertificateAuthority - var caSubordinate acmpca.CertificateAuthority + var caRoot acmpca_types.CertificateAuthority + var caSubordinate acmpca_types.CertificateAuthority rBgpAsn := sdkacctest.RandIntRange(64512, 65534) rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_customer_gateway.test" diff --git a/internal/service/guardduty/filter_test.go b/internal/service/guardduty/filter_test.go index 5ca41e303a3..53c5bf035df 100644 --- a/internal/service/guardduty/filter_test.go +++ b/internal/service/guardduty/filter_test.go 
@@ -9,14 +9,16 @@ import ( "testing" "github.com/YakDriver/regexache" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" "github.com/aws/aws-sdk-go/service/guardduty" "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" "github.com/hashicorp/terraform-provider-aws/internal/acctest" "github.com/hashicorp/terraform-provider-aws/internal/conns" + "github.com/hashicorp/terraform-provider-aws/internal/errs" tfguardduty "github.com/hashicorp/terraform-provider-aws/internal/service/guardduty" "github.com/hashicorp/terraform-provider-aws/names" ) @@ -434,7 +436,7 @@ resource "aws_guardduty_detector" "test" { func testAccCheckACMPCACertificateAuthorityDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { - conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAConn(ctx) + conn := acctest.Provider.Meta().(*conns.AWSClient).ACMPCAClient(ctx) for _, rs := range s.RootModule().Resources { if rs.Type != "aws_acmpca_certificate_authority" { 
@@ -445,17 +447,17 @@ func testAccCheckACMPCACertificateAuthorityDestroy(ctx context.Context) resource
 CertificateAuthorityArn: aws.String(rs.Primary.ID),
 }
- output, err := conn.DescribeCertificateAuthorityWithContext(ctx, input)
+ output, err := conn.DescribeCertificateAuthority(ctx, input)
 if err != nil {
- if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
+ if errs.IsA[*acmpca_types.ResourceNotFoundException](err) {
 return nil
 }
 return err
 }
- if output != nil && output.CertificateAuthority != nil && aws.StringValue(output.CertificateAuthority.Arn) == rs.Primary.ID && aws.StringValue(output.CertificateAuthority.Status) != acmpca.CertificateAuthorityStatusDeleted {
- return fmt.Errorf("ACM PCA Certificate Authority %q still exists in non-DELETED state: %s", rs.Primary.ID, aws.StringValue(output.CertificateAuthority.Status))
+ if output != nil && output.CertificateAuthority != nil && aws.StringValue(output.CertificateAuthority.Arn) == rs.Primary.ID && output.CertificateAuthority.Status != acmpca_types.CertificateAuthorityStatusDeleted {
+ return fmt.Errorf("ACM PCA Certificate Authority %q still exists in non-DELETED state: %s", rs.Primary.ID, string(output.CertificateAuthority.Status))
 }
 }
diff --git a/internal/service/kafka/cluster_test.go b/internal/service/kafka/cluster_test.go
index 65ad8ad5aaf..526e8ebf542 100644
--- a/internal/service/kafka/cluster_test.go
+++ b/internal/service/kafka/cluster_test.go
@@ -13,9 +13,9 @@ import (
 "github.com/YakDriver/regexache"
 "github.com/aws/aws-sdk-go-v2/aws"
+ acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types"
 "github.com/aws/aws-sdk-go-v2/service/kafka"
 "github.com/aws/aws-sdk-go-v2/service/kafka/types"
- "github.com/aws/aws-sdk-go/service/acmpca"
 sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
 "github.com/hashicorp/terraform-plugin-testing/terraform"
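Review bot: The rewritten destroy check still reaches for the v1 SDK's `aws.String`/`aws.StringValue` on the v2 client's input and output (`CertificateAuthorityArn: aws.String(rs.Primary.ID)` just above the changed call and `aws.StringValue(output.CertificateAuthority.Arn)` in the new condition); this compiles because both SDKs model optional strings as `*string`, but it keeps a helper that has otherwise moved to v2 tied to the v1 `aws` package, and the v2 `aws.String`/`aws.ToString` would be the consistent choice if nothing else in this file (outside the hunk, so I cannot tell) still needs the v1 package. The `string(...)` wrapper in the new `fmt.Errorf` argument is also redundant, since `%s` already formats the string-kinded status value: `return fmt.Errorf("ACM PCA Certificate Authority %q still exists in non-DELETED state: %s", rs.Primary.ID, output.CertificateAuthority.Status)`. testAccCheckACMPCACertificateAuthorityDestroy begins before this hunk and its closing lines fall after it.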
@@ -556,7 +556,7 @@ func TestAccKafkaCluster_ClientAuthenticationSASL_iam(t *testing.T) {
 func TestAccKafkaCluster_ClientAuthenticationTLS_certificateAuthorityARNs(t *testing.T) {
 ctx := acctest.Context(t)
 var cluster1 types.ClusterInfo
- var ca acmpca.CertificateAuthority
+ var ca acmpca_types.CertificateAuthority
 rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 resourceName := "aws_msk_cluster.test"
 acmCAResourceName := "aws_acmpca_certificate_authority.test"
@@ -617,7 +617,7 @@ func TestAccKafkaCluster_ClientAuthenticationTLS_certificateAuthorityARNs(t *tes
 func TestAccKafkaCluster_ClientAuthenticationTLS_initiallyNoAuthentication(t *testing.T) {
 ctx := acctest.Context(t)
 var cluster1, cluster2 types.ClusterInfo
- var ca acmpca.CertificateAuthority
+ var ca acmpca_types.CertificateAuthority
 rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 resourceName := "aws_msk_cluster.test"
 acmCAResourceName := "aws_acmpca_certificate_authority.test"
diff --git a/internal/service/transfer/server_test.go b/internal/service/transfer/server_test.go
index 71c4df394e1..3b048440523 100644
--- a/internal/service/transfer/server_test.go
+++ b/internal/service/transfer/server_test.go
@@ -10,8 +10,8 @@ import (
 "testing"
 "github.com/YakDriver/regexache"
+ acmpca_types "github.com/aws/aws-sdk-go-v2/service/acmpca/types"
 "github.com/aws/aws-sdk-go/aws/endpoints"
- "github.com/aws/aws-sdk-go/service/acmpca"
 "github.com/aws/aws-sdk-go/service/transfer"
 sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
@@ -836,7 +836,7 @@ func testAccServer_structuredLogDestinations(t *testing.T) {
 func testAccServer_protocols(t *testing.T) {
 ctx := acctest.Context(t)
 var s transfer.DescribedServer
- var ca acmpca.CertificateAuthority
+ var ca acmpca_types.CertificateAuthority
 resourceName := "aws_transfer_server.test"
 acmCAResourceName := "aws_acmpca_certificate_authority.test"
 acmCertificateResourceName := "aws_acm_certificate.test"
diff --git a/names/data/names_data.csv b/names/data/names_data.csv
index 9c8dc969db4..278e31bccb2 100644
--- a/names/data/names_data.csv
+++ b/names/data/names_data.csv
@@ -2,7 +2,7 @@ AWSCLIV2Command,AWSCLIV2CommandNoDashes,GoV1Package,GoV2Package,ProviderPackageA
 accessanalyzer,accessanalyzer,accessanalyzer,accessanalyzer,,accessanalyzer,,,AccessAnalyzer,AccessAnalyzer,,,2,,aws_accessanalyzer_,,accessanalyzer_,IAM Access Analyzer,AWS,,,,,,,AccessAnalyzer,ListAnalyzers,,
 account,account,account,account,,account,,,Account,Account,,,2,,aws_account_,,account_,Account Management,AWS,,,,,,,Account,ListRegions,,
 acm,acm,acm,acm,,acm,,,ACM,ACM,,,2,,aws_acm_,,acm_,ACM (Certificate Manager),AWS,,,,,,,ACM,ListCertificates,,
-acm-pca,acmpca,acmpca,acmpca,,acmpca,,,ACMPCA,ACMPCA,,1,,,aws_acmpca_,,acmpca_,ACM PCA (Certificate Manager Private Certificate Authority),AWS,,,,,,,ACM PCA,ListCertificateAuthorities,,
+acm-pca,acmpca,acmpca,acmpca,,acmpca,,,ACMPCA,ACMPCA,,,2,,aws_acmpca_,,acmpca_,ACM PCA (Certificate Manager Private Certificate Authority),AWS,,,,,,,ACM PCA,ListCertificateAuthorities,,
 alexaforbusiness,alexaforbusiness,alexaforbusiness,alexaforbusiness,,alexaforbusiness,,,AlexaForBusiness,AlexaForBusiness,,1,,,aws_alexaforbusiness_,,alexaforbusiness_,Alexa for Business,,,x,,,,,Alexa For Business,,,
 amp,amp,prometheusservice,amp,,amp,,prometheus;prometheusservice,AMP,PrometheusService,,,2,aws_prometheus_,aws_amp_,,prometheus_,AMP (Managed Prometheus),Amazon,,,,,,,amp,ListScrapers,,
 amplify,amplify,amplify,amplify,,amplify,,,Amplify,Amplify,,1,,,aws_amplify_,,amplify_,Amplify,AWS,,,,,,,Amplify,ListApps,,
diff --git a/names/names.go b/names/names.go
index 16279d9335f..3e4096ec570 100644
--- a/names/names.go
+++ b/names/names.go
@@ -26,6 +26,7 @@ import (
 // Endpoint constants defined by the AWS SDK v1 but not defined in the AWS SDK v2.
 const (
 AccessAnalyzerEndpointID = "access-analyzer"
+ ACMPCAEndpointID = "acm-pca"
 AMPEndpointID = "aps"
 AthenaEndpointID = "athena"
 AuditManagerEndpointID = "auditmanager"