Merge pull request #43916 from tabito-hara/f-aws_iot_thing_principal_attachment-support_thing_principal_type

[Enhancement] aws_iot_thing_principal_attachment: Support `thing_principal_type` argument

Author: ewbankkit

.changelog/43916.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_iot_thing_principal_attachment: Add `thing_principal_type` argument
+```

internal/service/iot/thing_principal_attachment.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iot"
@@ -15,6 +16,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/enum"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 	tfslices "github.com/hashicorp/terraform-provider-aws/internal/slices"
@@ -29,6 +31,10 @@ func resourceThingPrincipalAttachment() *schema.Resource {
 		ReadWithoutTimeout:   resourceThingPrincipalAttachmentRead,
 		DeleteWithoutTimeout: resourceThingPrincipalAttachmentDelete,
 
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
 		Schema: map[string]*schema.Schema{
 			names.AttrPrincipal: {
 				Type:     schema.TypeString,
@@ -40,6 +46,13 @@ func resourceThingPrincipalAttachment() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"thing_principal_type": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ForceNew:         true,
+				ValidateDiagFunc: enum.Validate[awstypes.ThingPrincipalType](),
+			},
 		},
 	}
 }
@@ -56,6 +69,10 @@ func resourceThingPrincipalAttachmentCreate(ctx context.Context, d *schema.Resou
 		ThingName: aws.String(thing),
 	}
 
+	if v, ok := d.Get("thing_principal_type").(string); ok {
+		input.ThingPrincipalType = awstypes.ThingPrincipalType(v)
+	}
+
 	_, err := conn.AttachThingPrincipal(ctx, input)
 
 	if err != nil {
@@ -71,10 +88,15 @@ func resourceThingPrincipalAttachmentRead(ctx context.Context, d *schema.Resourc
 	var diags diag.Diagnostics
 	conn := meta.(*conns.AWSClient).IoTClient(ctx)
 
-	principal := d.Get(names.AttrPrincipal).(string)
-	thing := d.Get("thing").(string)
+	id := d.Id()
+	parts := strings.Split(id, "|")
+	if len(parts) != 2 {
+		return sdkdiag.AppendErrorf(diags, "unexpected format for ID (%s), expected thing|principal", id)
+	}
+	thing := parts[0]
+	principal := parts[1]
 
-	_, err := findThingPrincipalAttachmentByTwoPartKey(ctx, conn, thing, principal)
+	out, err := findThingPrincipalAttachmentByTwoPartKey(ctx, conn, thing, principal)
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
 		log.Printf("[WARN] IoT Thing Principal Attachment (%s) not found, removing from state", d.Id())
@@ -86,6 +108,10 @@ func resourceThingPrincipalAttachmentRead(ctx context.Context, d *schema.Resourc
 		return sdkdiag.AppendErrorf(diags, "reading IoT Thing Principal Attachment (%s): %s", d.Id(), err)
 	}
 
+	d.Set(names.AttrPrincipal, out.Principal)
+	d.Set("thing", thing)
+	d.Set("thing_principal_type", out.ThingPrincipalType)
+
 	return diags
 }
 
@@ -110,8 +136,8 @@ func resourceThingPrincipalAttachmentDelete(ctx context.Context, d *schema.Resou
 	return diags
 }
 
-func findThingPrincipalAttachmentByTwoPartKey(ctx context.Context, conn *iot.Client, thing, principal string) (*string, error) {
-	input := &iot.ListThingPrincipalsInput{
+func findThingPrincipalAttachmentByTwoPartKey(ctx context.Context, conn *iot.Client, thing, principal string) (*awstypes.ThingPrincipalObject, error) {
+	input := &iot.ListThingPrincipalsV2Input{
 		ThingName: aws.String(thing),
 	}
 
@@ -120,7 +146,7 @@ func findThingPrincipalAttachmentByTwoPartKey(ctx context.Context, conn *iot.Cli
 	})
 }
 
-func findThingPrincipal(ctx context.Context, conn *iot.Client, input *iot.ListThingPrincipalsInput, filter tfslices.Predicate[string]) (*string, error) {
+func findThingPrincipal(ctx context.Context, conn *iot.Client, input *iot.ListThingPrincipalsV2Input, filter tfslices.Predicate[string]) (*awstypes.ThingPrincipalObject, error) {
 	output, err := findThingPrincipals(ctx, conn, input, filter)
 
 	if err != nil {
@@ -130,10 +156,10 @@ func findThingPrincipal(ctx context.Context, conn *iot.Client, input *iot.ListTh
 	return tfresource.AssertSingleValueResult(output)
 }
 
-func findThingPrincipals(ctx context.Context, conn *iot.Client, input *iot.ListThingPrincipalsInput, filter tfslices.Predicate[string]) ([]string, error) {
-	var output []string
+func findThingPrincipals(ctx context.Context, conn *iot.Client, input *iot.ListThingPrincipalsV2Input, filter tfslices.Predicate[string]) ([]awstypes.ThingPrincipalObject, error) {
+	var output []awstypes.ThingPrincipalObject
 
-	pages := iot.NewListThingPrincipalsPaginator(conn, input)
+	pages := iot.NewListThingPrincipalsV2Paginator(conn, input)
 	for pages.HasMorePages() {
 		page, err := pages.NextPage(ctx)
 
@@ -148,8 +174,8 @@ func findThingPrincipals(ctx context.Context, conn *iot.Client, input *iot.ListT
 			return nil, err
 		}
 
-		for _, v := range page.Principals {
-			if filter(v) {
+		for _, v := range page.ThingPrincipalObjects {
+			if filter(aws.ToString(v.Principal)) {
 				output = append(output, v)
 			}
 		}

internal/service/iot/thing_principal_attachment_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iot"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/iot/types"
@@ -26,6 +27,7 @@ func TestAccIoTThingPrincipalAttachment_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 	thingName := sdkacctest.RandomWithPrefix("tf-acc")
 	thingName2 := sdkacctest.RandomWithPrefix("tf-acc2")
+	resourceName := "aws_iot_thing_principal_attachment.att"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
@@ -38,8 +40,14 @@ func TestAccIoTThingPrincipalAttachment_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckThingPrincipalAttachmentExists(ctx, "aws_iot_thing_principal_attachment.att"),
 					testAccCheckThingPrincipalAttachmentStatus(ctx, thingName, true, []string{"aws_iot_certificate.cert"}),
+					resource.TestCheckResourceAttr(resourceName, "thing_principal_type", string(awstypes.ThingPrincipalTypeNonExclusiveThing)),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 			{
 				Config: testAccThingPrincipalAttachmentConfig_update1(thingName, thingName2),
 				Check: resource.ComposeTestCheckFunc(
@@ -76,6 +84,63 @@ func TestAccIoTThingPrincipalAttachment_basic(t *testing.T) {
 		},
 	})
 }
+func TestAccIoTThingPrincipalAttachment_thingPrincipalType(t *testing.T) {
+	ctx := acctest.Context(t)
+	thingName := sdkacctest.RandomWithPrefix("tf-acc")
+	thingName2 := sdkacctest.RandomWithPrefix("tf-acc2")
+	resourceName := "aws_iot_thing_principal_attachment.att"
+	resourceThingName := "aws_iot_thing.thing"
+	resourceCertName := "aws_iot_certificate.cert"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.IoTServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckThingPrincipalAttachmentDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccThingPrincipalAttachmentConfig_thingPrincipalType(thingName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckThingPrincipalAttachmentExists(ctx, "aws_iot_thing_principal_attachment.att"),
+					testAccCheckThingPrincipalAttachmentStatus(ctx, thingName, true, []string{"aws_iot_certificate.cert"}),
+					resource.TestCheckResourceAttr(resourceName, "thing_principal_type", string(awstypes.ThingPrincipalTypeExclusiveThing)),
+					resource.TestCheckResourceAttrPair(resourceName, "thing", resourceThingName, names.AttrName),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, resourceCertName, names.AttrARN),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// The first attachment is specified as EXCLUSIVE_THING.
+				// Try to attach the same principal to another Thing, which should fail
+				// because exclusive principals can only be attached to one thing.
+				Config:      testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate1(thingName, thingName2),
+				ExpectError: regexache.MustCompile(`InvalidRequestException: Principal already has an exclusive Thing attached to it`),
+			},
+			{
+				// Reset to one attachment with NON_EXCLUSIVE_THING.
+				Config: testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate2(thingName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckThingPrincipalAttachmentExists(ctx, "aws_iot_thing_principal_attachment.att"),
+					testAccCheckThingPrincipalAttachmentStatus(ctx, thingName, true, []string{"aws_iot_certificate.cert"}),
+					resource.TestCheckResourceAttr(resourceName, "thing_principal_type", string(awstypes.ThingPrincipalTypeNonExclusiveThing)),
+					resource.TestCheckResourceAttrPair(resourceName, "thing", resourceThingName, names.AttrName),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, resourceCertName, names.AttrARN),
+				),
+			},
+			{
+				// Try to attach the same principal to another Thing specifying EXCLUSIVE_THING,
+				// which should fail because the principal already has a non-exclusive attachment
+				// and exclusive attachments cannot coexist with any other attachments.
+				Config:      testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate3(thingName, thingName2),
+				ExpectError: regexache.MustCompile(`InvalidRequestException: Principal already has a Thing attached to it`),
+			},
+		},
+	})
+}
 
 func testAccCheckThingPrincipalAttachmentDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -282,3 +347,101 @@ resource "aws_iot_thing_principal_attachment" "att2" {
 }
 `, thingName)
 }
+
+func testAccThingPrincipalAttachmentConfig_thingPrincipalType(thingName string) string {
+	return fmt.Sprintf(`
+resource "aws_iot_certificate" "cert" {
+  csr    = file("test-fixtures/iot-csr.pem")
+  active = true
+}
+
+resource "aws_iot_thing" "thing" {
+  name = "%s"
+}
+
+resource "aws_iot_thing_principal_attachment" "att" {
+  thing     = aws_iot_thing.thing.name
+  principal = aws_iot_certificate.cert.arn
+
+  thing_principal_type = "EXCLUSIVE_THING"
+}
+`, thingName)
+}
+
+func testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate1(thingName, thingName2 string) string {
+	return fmt.Sprintf(`
+resource "aws_iot_certificate" "cert" {
+  csr    = file("test-fixtures/iot-csr.pem")
+  active = true
+}
+
+resource "aws_iot_thing" "thing" {
+  name = %[1]q
+}
+
+resource "aws_iot_thing" "thing2" {
+  name = %[2]q
+}
+
+resource "aws_iot_thing_principal_attachment" "att" {
+  thing     = aws_iot_thing.thing.name
+  principal = aws_iot_certificate.cert.arn
+
+  thing_principal_type = "EXCLUSIVE_THING"
+}
+
+resource "aws_iot_thing_principal_attachment" "att2" {
+  thing     = aws_iot_thing.thing2.name
+  principal = aws_iot_certificate.cert.arn
+}
+`, thingName, thingName2)
+}
+
+func testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate2(thingName string) string {
+	return fmt.Sprintf(`
+resource "aws_iot_certificate" "cert" {
+  csr    = file("test-fixtures/iot-csr.pem")
+  active = true
+}
+
+resource "aws_iot_thing" "thing" {
+  name = "%s"
+}
+
+resource "aws_iot_thing_principal_attachment" "att" {
+  thing     = aws_iot_thing.thing.name
+  principal = aws_iot_certificate.cert.arn
+
+  thing_principal_type = "NON_EXCLUSIVE_THING"
+}
+`, thingName)
+}
+
+func testAccThingPrincipalAttachmentConfig_thingPrincipalTypeUpdate3(thingName, thingName2 string) string {
+	return fmt.Sprintf(`
+resource "aws_iot_certificate" "cert" {
+  csr    = file("test-fixtures/iot-csr.pem")
+  active = true
+}
+
+resource "aws_iot_thing" "thing" {
+  name = %[1]q
+}
+
+resource "aws_iot_thing" "thing2" {
+  name = %[2]q
+}
+
+resource "aws_iot_thing_principal_attachment" "att" {
+  thing     = aws_iot_thing.thing.name
+  principal = aws_iot_certificate.cert.arn
+}
+
+resource "aws_iot_thing_principal_attachment" "att2" {
+  thing     = aws_iot_thing.thing2.name
+  principal = aws_iot_certificate.cert.arn
+
+  thing_principal_type = "EXCLUSIVE_THING"
+}
+`, thingName, thingName2)
+}

website/docs/r/iot_thing_principal_attachment.html.markdown

@@ -35,6 +35,7 @@ This resource supports the following arguments:
 * `region` - (Optional) Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the [provider configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#aws-configuration-reference).
 * `principal` - (Required) The AWS IoT Certificate ARN or Amazon Cognito Identity ID.
 * `thing` - (Required) The name of the thing.
+* `thing_principal_type` - (Optional) The type of relationship to specify when attaching a principal to a thing. Valid values are `EXCLUSIVE_THING` (the thing will be the only one attached to the principal) or `NON_EXCLUSIVE_THING` (multiple things can be attached to the principal). Defaults to `NON_EXCLUSIVE_THING`.
 
 ## Attribute Reference