Merge branch 'main' into b-generate-existing-resource-norefresh-nochange-test-v6-nulls

Author: jar-b

.changelog/44375.txt

@@ -0,0 +1,10 @@
+```release-note:note
+provider: This release contains both internal provider fixes and a Terraform Plugin SDK V2 update related to a [regression](https://github.com/hashicorp/terraform-provider-aws/issues/44366) which may impact resources that support resource identity
+```
+
+```release-note:bug
+provider: Fix `Missing Resource Identity After Update` errors for non-refreshed and failed updates
+```
+```release-note:bug
+provider: Fix `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values
+```

CHANGELOG.md

@@ -1,4 +1,13 @@
-## 6.15.0 (Unreleased)
+## 6.14.1 (September 22, 2025)
+
+NOTES:
+
+* provider: This release contains both internal provider fixes and a Terraform Plugin SDK V2 update related to a [regression](https://github.com/hashicorp/terraform-provider-aws/issues/44366) which may impact resources that support resource identity ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375))
+
+BUG FIXES:
+
+* provider: Fix `Missing Resource Identity After Update` errors for non-refreshed and failed updates ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375))
+* provider: Fix `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375))
 
 ## 6.14.0 (September 18, 2025)
 

go.mod

@@ -299,7 +299,7 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.29.0
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-mux v0.21.0
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.0
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1
 	github.com/hashicorp/terraform-plugin-testing v1.14.0-beta.1
 	github.com/jaswdr/faker/v2 v2.8.0
 	github.com/jmespath/go-jmespath v0.4.0

go.sum

@@ -683,8 +683,8 @@ github.com/hashicorp/terraform-plugin-go v0.29.0 h1:1nXKl/nSpaYIUBU1IG/EsDOX0vv+
 github.com/hashicorp/terraform-plugin-go v0.29.0/go.mod h1:vYZbIyvxyy0FWSmDHChCqKvI40cFTDGSb3D8D70i9GM=
 github.com/hashicorp/terraform-plugin-mux v0.21.0 h1:QsEYnzSD2c3zT8zUrUGqaFGhV/Z8zRUlU7FY3ZPJFfw=
 github.com/hashicorp/terraform-plugin-mux v0.21.0/go.mod h1:Qpt8+6AD7NmL0DS7ASkN0EXpDQ2J/FnnIgeUr1tzr5A=
-github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.0 h1:PQP7Crrc7t/ozj+P9x0/lsTzGNy3lVppH8zAJylofaE=
-github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.0/go.mod h1:GQhpKVvvuwzD79e8/NZ+xzj+ZpWovdPAe8nfV/skwNU=
+github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1 h1:mlAq/OrMlg04IuJT7NpefI1wwtdpWudnEmjuQs04t/4=
+github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1/go.mod h1:GQhpKVvvuwzD79e8/NZ+xzj+ZpWovdPAe8nfV/skwNU=
 github.com/hashicorp/terraform-plugin-testing v1.14.0-beta.1 h1:caWmY2Fv/KgDAXU7IVjcBDfIdmr/n6VRYhCLxNmlaXs=
 github.com/hashicorp/terraform-plugin-testing v1.14.0-beta.1/go.mod h1:jVm3pD9uQAT0X2RSEdcqjju2bCGv5f73DGZFU4v7EAU=
 github.com/hashicorp/terraform-registry-address v0.4.0 h1:S1yCGomj30Sao4l5BMPjTGZmCNzuv7/GDTDX99E9gTk=

internal/provider/sdkv2/identity_interceptor.go

@@ -63,6 +63,42 @@ func (r identityInterceptor) run(ctx context.Context, opts crudInterceptorOption
 				}
 			}
 		}
+	case OnError:
+		switch why {
+		case Update:
+			if identityIsFullyNull(d, r.identitySpec) {
+				if d.Id() == "" {
+					break
+				}
+				identity, err := d.Identity()
+				if err != nil {
+					return sdkdiag.AppendFromErr(diags, err)
+				}
+
+				for _, attr := range r.identitySpec.Attributes {
+					switch attr.Name() {
+					case names.AttrAccountID:
+						if err := identity.Set(attr.Name(), awsClient.AccountID(ctx)); err != nil {
+							return sdkdiag.AppendFromErr(diags, err)
+						}
+
+					case names.AttrRegion:
+						if err := identity.Set(attr.Name(), awsClient.Region(ctx)); err != nil {
+							return sdkdiag.AppendFromErr(diags, err)
+						}
+
+					default:
+						val, ok := getAttributeOk(d, attr.ResourceAttributeName())
+						if !ok {
+							continue
+						}
+						if err := identity.Set(attr.Name(), val); err != nil {
+							return sdkdiag.AppendFromErr(diags, err)
+						}
+					}
+				}
+			}
+		}
 	}
 
 	return diags
@@ -99,7 +135,7 @@ func getAttributeOk(d schemaResourceData, name string) (string, bool) {
 
 func newIdentityInterceptor(identitySpec *inttypes.Identity) interceptorInvocation {
 	interceptor := interceptorInvocation{
-		when: After,
+		when: After | OnError,
 		why:  Create | Read | Update,
 		interceptor: identityInterceptor{
 			identitySpec: identitySpec,

internal/provider/sdkv2/identity_interceptor_test.go

@@ -189,32 +189,37 @@ func TestIdentityInterceptor_Update(t *testing.T) {
 		attrName       string
 		identitySpec   inttypes.Identity
 		ExpectIdentity bool
+		Description    string
 	}{
-		"not mutable": {
+		"not mutable - fresh resource": {
 			attrName:       "name",
 			identitySpec:   regionalSingleParameterizedIdentitySpec("name"),
-			ExpectIdentity: false,
+			ExpectIdentity: true,
+			Description:    "Immutable identity with all null attributes should get populated (bug fix scenario)",
 		},
 		"v6.0 SDK fix": {
 			attrName: "name",
 			identitySpec: regionalSingleParameterizedIdentitySpec("name",
 				inttypes.WithV6_0SDKv2Fix(),
 			),
-			ExpectIdentity: false,
+			ExpectIdentity: true,
+			Description:    "Mutable identity (v6.0 SDK fix) should always get populated on Update",
 		},
 		"identity fix": {
 			attrName: "name",
 			identitySpec: regionalSingleParameterizedIdentitySpec("name",
 				inttypes.WithIdentityFix(),
 			),
-			ExpectIdentity: false,
+			ExpectIdentity: true,
+			Description:    "Mutable identity (identity fix) should always get populated on Update",
 		},
 		"mutable": {
 			attrName: "name",
 			identitySpec: regionalSingleParameterizedIdentitySpec("name",
 				inttypes.WithMutableIdentity(),
 			),
 			ExpectIdentity: true,
+			Description:    "Explicitly mutable identity should always get populated on Update",
 		},
 	}
 
@@ -317,3 +322,82 @@ func (c mockClient) ValidateInContextRegionInPartition(ctx context.Context) erro
 func (c mockClient) AwsConfig(context.Context) aws.Config { // nosemgrep:ci.aws-in-func-name
 	panic("not implemented") //lintignore:R009
 }
+
+func TestIdentityIsFullyNull(t *testing.T) {
+	t.Parallel()
+
+	identitySpec := &inttypes.Identity{
+		Attributes: []inttypes.IdentityAttribute{
+			inttypes.StringIdentityAttribute(names.AttrAccountID, false),
+			inttypes.StringIdentityAttribute(names.AttrRegion, false),
+			inttypes.StringIdentityAttribute(names.AttrBucket, true),
+		},
+	}
+
+	testCases := map[string]struct {
+		identityValues map[string]string
+		expectNull     bool
+		description    string
+	}{
+		"all_null": {
+			identityValues: map[string]string{},
+			expectNull:     true,
+			description:    "All attributes null should return true",
+		},
+		"some_null": {
+			identityValues: map[string]string{
+				names.AttrAccountID: "123456789012",
+				// region and bucket remain null
+			},
+			expectNull:  false,
+			description: "Some attributes set should return false",
+		},
+		"all_set": {
+			identityValues: map[string]string{
+				names.AttrAccountID: "123456789012",
+				names.AttrRegion:    "us-west-2", // lintignore:AWSAT003
+				names.AttrBucket:    "test-bucket",
+			},
+			expectNull:  false,
+			description: "All attributes set should return false",
+		},
+		"empty_string_values": {
+			identityValues: map[string]string{
+				names.AttrAccountID: "",
+				names.AttrRegion:    "",
+				names.AttrBucket:    "",
+			},
+			expectNull:  true,
+			description: "Empty string values should be treated as null",
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			resourceSchema := map[string]*schema.Schema{
+				names.AttrBucket: {Type: schema.TypeString, Required: true},
+			}
+			identitySchema := identity.NewIdentitySchema(*identitySpec)
+			d := schema.TestResourceDataWithIdentityRaw(t, resourceSchema, identitySchema, nil)
+			d.SetId("test-id")
+
+			identity, err := d.Identity()
+			if err != nil {
+				t.Fatalf("unexpected error getting identity: %v", err)
+			}
+			for attrName, value := range tc.identityValues {
+				if err := identity.Set(attrName, value); err != nil {
+					t.Fatalf("unexpected error setting %s in identity: %v", attrName, err)
+				}
+			}
+
+			result := identityIsFullyNull(d, identitySpec)
+			if result != tc.expectNull {
+				t.Errorf("%s: expected identityIsFullyNull to return %v, got %v",
+					tc.description, tc.expectNull, result)
+			}
+		})
+	}
+}

internal/service/iam/role_test.go

@@ -15,14 +15,9 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
 	"github.com/hashicorp/terraform-plugin-testing/plancheck"
-	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
-	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
-	tfknownvalue "github.com/hashicorp/terraform-provider-aws/internal/acctest/knownvalue"
-	tfstatecheck "github.com/hashicorp/terraform-provider-aws/internal/acctest/statecheck"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	tfiam "github.com/hashicorp/terraform-provider-aws/internal/service/iam"
@@ -977,63 +972,6 @@ func TestAccIAMRole_ManagedPolicy_outOfBandAdditionRemovedEmpty(t *testing.T) {
 	})
 }
 
-func TestAccIAMRole_Identity_ExistingResource_NoRefresh_WithChange(t *testing.T) {
-	ctx := acctest.Context(t)
-	var conf awstypes.Role
-	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
-	resourceName := "aws_iam_role.test"
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { acctest.PreCheck(ctx, t) },
-		ErrorCheck:   acctest.ErrorCheck(t, names.IAMServiceID),
-		CheckDestroy: testAccCheckRoleDestroy(ctx),
-		AdditionalCLIOptions: &resource.AdditionalCLIOptions{
-			Plan: resource.PlanOptions{
-				NoRefresh: true,
-			},
-		},
-		Steps: []resource.TestStep{
-			{
-				ExternalProviders: map[string]resource.ExternalProvider{
-					"aws": {
-						Source:            "hashicorp/aws",
-						VersionConstraint: "5.100.0",
-					},
-				},
-				Config: testAccRoleConfig_basic(rName),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					testAccCheckRoleExists(ctx, resourceName, &conf),
-				),
-				ConfigStateChecks: []statecheck.StateCheck{
-					tfstatecheck.ExpectNoIdentity(resourceName),
-				},
-			},
-			{
-				ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
-				Config:                   testAccRoleConfig_description(rName),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					testAccCheckRoleExists(ctx, resourceName, &conf),
-				),
-				ConfigPlanChecks: resource.ConfigPlanChecks{
-					PreApply: []plancheck.PlanCheck{
-						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
-					},
-					PostApplyPostRefresh: []plancheck.PlanCheck{
-						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionNoop),
-					},
-				},
-				ConfigStateChecks: []statecheck.StateCheck{
-					statecheck.ExpectIdentity(resourceName, map[string]knownvalue.Check{
-						names.AttrAccountID: tfknownvalue.AccountID(),
-						names.AttrName:      knownvalue.NotNull(),
-					}),
-					statecheck.ExpectIdentityValueMatchesState(resourceName, tfjsonpath.New(names.AttrName)),
-				},
-			},
-		},
-	})
-}
-
 func TestAccIAMRole_Identity_ExistingResource_NoRefresh_OnError(t *testing.T) {
 	ctx := acctest.Context(t)
 	var conf awstypes.Role
@@ -1068,10 +1006,7 @@ func TestAccIAMRole_Identity_ExistingResource_NoRefresh_OnError(t *testing.T) {
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckRoleExists(ctx, resourceName, &conf),
 				),
-				// On an update failure, the identity interceptor is not executed and both
-				// the MalformedPolicyDocument error and a missing resource identity
-				// error will be present.
-				ExpectError: regexache.MustCompile(`Missing Resource Identity After Update`),
+				ExpectError: regexache.MustCompile(`MalformedPolicyDocument: Unknown field invalid`),
 			},
 		},
 	})
@@ -1106,9 +1041,7 @@ func TestAccIAMRole_Identity_ExistingResource_OnError(t *testing.T) {
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckRoleExists(ctx, resourceName, &conf),
 				),
-				// On an update failure, the identity interceptor is not executed and
-				// the MalformedPolicyDocument error  will be present.
-				ExpectError: regexache.MustCompile(`MalformedPolicyDocument`),
+				ExpectError: regexache.MustCompile(`MalformedPolicyDocument: Unknown field invalid`),
 			},
 		},
 	})