Merge pull request #44501 from hashicorp/td-iam-paginate-list

IAM: Use paginated List APIs

Author: ewbankkit

internal/sdkv2/state.go

@@ -24,3 +24,8 @@ func ToLowerSchemaStateFunc(v any) string {
 func ToUpperSchemaStateFunc(v any) string {
 	return strings.ToUpper(v.(string))
 }
+
+// TrimSpaceSchemaStateFunc removes all leading and trailing white space from a string value before storing it in state.
+func TrimSpaceSchemaStateFunc(v any) string {
+	return strings.TrimSpace(v.(string))
+}

internal/sdkv2/state_test.go

@@ -47,3 +47,16 @@ func TestToUpperSchemaStateFunc(t *testing.T) {
 		t.Errorf("unexpected diff (+want, -got): %s", diff)
 	}
 }
+
+func TestTrimSpaceSchemaStateFunc(t *testing.T) {
+	t.Parallel()
+
+	var input any = " in-state  "
+	want := "in-state"
+
+	got := TrimSpaceSchemaStateFunc(input)
+
+	if diff := cmp.Diff(got, want); diff != "" {
+		t.Errorf("unexpected diff (+want, -got): %s", diff)
+	}
+}

internal/service/iam/access_key.go

@@ -9,7 +9,6 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"log"
-	"reflect"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -24,7 +23,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 	tfslices "github.com/hashicorp/terraform-provider-aws/internal/slices"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
-	itypes "github.com/hashicorp/terraform-provider-aws/internal/types"
+	inttypes "github.com/hashicorp/terraform-provider-aws/internal/types"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -249,10 +248,11 @@ func resourceAccessKeyDelete(ctx context.Context, d *schema.ResourceData, meta a
 	conn := meta.(*conns.AWSClient).IAMClient(ctx)
 
 	log.Printf("[DEBUG] Deleting IAM Access Key: %s", d.Id())
-	_, err := conn.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
+	input := iam.DeleteAccessKeyInput{
 		AccessKeyId: aws.String(d.Id()),
 		UserName:    aws.String(d.Get("user").(string)),
-	})
+	}
+	_, err := conn.DeleteAccessKey(ctx, &input)
 
 	if errs.IsA[*awstypes.NoSuchEntityException](err) {
 		return diags
@@ -281,7 +281,7 @@ func findAccessKeyByTwoPartKey(ctx context.Context, conn *iam.Client, username,
 		UserName: aws.String(username),
 	}
 
-	return findAccessKey(ctx, conn, input, func(v awstypes.AccessKeyMetadata) bool {
+	return findAccessKey(ctx, conn, input, func(v *awstypes.AccessKeyMetadata) bool {
 		return aws.ToString(v.AccessKeyId) == id
 	})
 }
@@ -291,10 +291,10 @@ func findAccessKeysByUser(ctx context.Context, conn *iam.Client, username string
 		UserName: aws.String(username),
 	}
 
-	return findAccessKeys(ctx, conn, input, tfslices.PredicateTrue[awstypes.AccessKeyMetadata]())
+	return findAccessKeys(ctx, conn, input, tfslices.PredicateTrue[*awstypes.AccessKeyMetadata]())
 }
 
-func findAccessKey(ctx context.Context, conn *iam.Client, input *iam.ListAccessKeysInput, filter tfslices.Predicate[awstypes.AccessKeyMetadata]) (*awstypes.AccessKeyMetadata, error) {
+func findAccessKey(ctx context.Context, conn *iam.Client, input *iam.ListAccessKeysInput, filter tfslices.Predicate[*awstypes.AccessKeyMetadata]) (*awstypes.AccessKeyMetadata, error) {
 	output, err := findAccessKeys(ctx, conn, input, filter)
 
 	if err != nil {
@@ -304,7 +304,7 @@ func findAccessKey(ctx context.Context, conn *iam.Client, input *iam.ListAccessK
 	return tfresource.AssertSingleValueResult(output)
 }
 
-func findAccessKeys(ctx context.Context, conn *iam.Client, input *iam.ListAccessKeysInput, filter tfslices.Predicate[awstypes.AccessKeyMetadata]) ([]awstypes.AccessKeyMetadata, error) {
+func findAccessKeys(ctx context.Context, conn *iam.Client, input *iam.ListAccessKeysInput, filter tfslices.Predicate[*awstypes.AccessKeyMetadata]) ([]awstypes.AccessKeyMetadata, error) {
 	var output []awstypes.AccessKeyMetadata
 
 	pages := iam.NewListAccessKeysPaginator(conn, input)
@@ -323,7 +323,7 @@ func findAccessKeys(ctx context.Context, conn *iam.Client, input *iam.ListAccess
 		}
 
 		for _, v := range page.AccessKeyMetadata {
-			if !reflect.ValueOf(v).IsZero() && filter(v) {
+			if p := &v; !inttypes.IsZero(p) && filter(p) {
 				output = append(output, v)
 			}
 		}
@@ -371,5 +371,5 @@ func sesSMTPPasswordFromSecretKeySigV4(key *string, region string) (string, erro
 	versionedSig := make([]byte, 0, len(rawSig)+1)
 	versionedSig = append(versionedSig, version)
 	versionedSig = append(versionedSig, rawSig...)
-	return itypes.Base64Encode(versionedSig), nil
+	return inttypes.Base64Encode(versionedSig), nil
 }

internal/service/iam/account_alias.go

@@ -5,13 +5,17 @@ package iam
 
 import (
 	"context"
+	"log"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
+	awstypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 )
 
 // @SDKResource("aws_iam_account_alias", name="Account Alias")
@@ -41,15 +45,14 @@ func resourceAccountAliasCreate(ctx context.Context, d *schema.ResourceData, met
 	conn := meta.(*conns.AWSClient).IAMClient(ctx)
 
 	accountAlias := d.Get("account_alias").(string)
-
-	params := &iam.CreateAccountAliasInput{
+	input := iam.CreateAccountAliasInput{
 		AccountAlias: aws.String(accountAlias),
 	}
 
-	_, err := conn.CreateAccountAlias(ctx, params)
+	_, err := conn.CreateAccountAlias(ctx, &input)
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "creating account alias with name '%s': %s", accountAlias, err)
+		return sdkdiag.AppendErrorf(diags, "creating IAM Account Alias (%s): %s", accountAlias, err)
 	}
 
 	d.SetId(accountAlias)
@@ -61,23 +64,20 @@ func resourceAccountAliasRead(ctx context.Context, d *schema.ResourceData, meta
 	var diags diag.Diagnostics
 	conn := meta.(*conns.AWSClient).IAMClient(ctx)
 
-	params := &iam.ListAccountAliasesInput{}
-
-	resp, err := conn.ListAccountAliases(ctx, params)
+	var input iam.ListAccountAliasesInput
+	output, err := findAccountAlias(ctx, conn, &input)
 
-	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "listing account aliases: %s", err)
-	}
-
-	if !d.IsNewResource() && (resp == nil || len(resp.AccountAliases) == 0) {
+	if !d.IsNewResource() && tfresource.NotFound(err) {
+		log.Printf("[WARN] IAM Account Alias (%s) not found, removing from state", d.Id())
 		d.SetId("")
 		return diags
 	}
 
-	accountAlias := resp.AccountAliases[0]
+	if err != nil {
+		return sdkdiag.AppendErrorf(diags, "reading IAM Account Alias (%s): %s", d.Id(), err)
+	}
 
-	d.SetId(accountAlias)
-	d.Set("account_alias", accountAlias)
+	d.Set("account_alias", output)
 
 	return diags
 }
@@ -86,17 +86,47 @@ func resourceAccountAliasDelete(ctx context.Context, d *schema.ResourceData, met
 	var diags diag.Diagnostics
 	conn := meta.(*conns.AWSClient).IAMClient(ctx)
 
-	accountAlias := d.Get("account_alias").(string)
-
-	params := &iam.DeleteAccountAliasInput{
-		AccountAlias: aws.String(accountAlias),
+	log.Printf("[DEBUG] Deleting IAM Account Alias: %s", d.Id())
+	input := iam.DeleteAccountAliasInput{
+		AccountAlias: aws.String(d.Id()),
 	}
 
-	_, err := conn.DeleteAccountAlias(ctx, params)
+	_, err := conn.DeleteAccountAlias(ctx, &input)
+
+	if errs.IsA[*awstypes.NoSuchEntityException](err) {
+		return diags
+	}
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "deleting account alias with name '%s': %s", accountAlias, err)
+		return sdkdiag.AppendErrorf(diags, "deleting IAM Account Alias (%s): %s", d.Id(), err)
 	}
 
 	return diags
 }
+
+func findAccountAlias(ctx context.Context, conn *iam.Client, input *iam.ListAccountAliasesInput) (*string, error) {
+	output, err := findAccountAliases(ctx, conn, input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return tfresource.AssertSingleValueResult(output)
+}
+
+func findAccountAliases(ctx context.Context, conn *iam.Client, input *iam.ListAccountAliasesInput) ([]string, error) {
+	var output []string
+
+	pages := iam.NewListAccountAliasesPaginator(conn, input)
+	for pages.HasMorePages() {
+		page, err := pages.NextPage(ctx)
+
+		if err != nil {
+			return nil, err
+		}
+
+		output = append(output, page.AccountAliases...)
+	}
+
+	return output, nil
+}

internal/service/iam/account_alias_data_source.go

@@ -5,8 +5,8 @@ package iam
 
 import (
 	"context"
-	"log"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -32,22 +32,15 @@ func dataSourceAccountAliasRead(ctx context.Context, d *schema.ResourceData, met
 	var diags diag.Diagnostics
 	conn := meta.(*conns.AWSClient).IAMClient(ctx)
 
-	log.Printf("[DEBUG] Reading IAM Account Aliases.")
+	var input iam.ListAccountAliasesInput
+	output, err := findAccountAlias(ctx, conn, &input)
 
-	req := &iam.ListAccountAliasesInput{}
-	resp, err := conn.ListAccountAliases(ctx, req)
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "reading IAM Account Alias: %s", err)
 	}
 
-	// 'AccountAliases': [] if there is no alias.
-	if resp == nil || len(resp.AccountAliases) == 0 {
-		return sdkdiag.AppendErrorf(diags, "reading IAM Account Alias: empty result")
-	}
-
-	alias := resp.AccountAliases[0]
-	d.SetId(alias)
-	d.Set("account_alias", alias)
+	d.SetId(aws.ToString(output))
+	d.Set("account_alias", output)
 
 	return diags
 }

internal/service/iam/account_alias_test.go

@@ -16,6 +16,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	tfiam "github.com/hashicorp/terraform-provider-aws/internal/service/iam"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -27,7 +29,8 @@ func TestAccIAMAccountAlias_serial(t *testing.T) {
 			acctest.CtBasic: testAccAccountAliasDataSource_basic,
 		},
 		"Resource": {
-			acctest.CtBasic: testAccAccountAlias_basic,
+			acctest.CtBasic:      testAccAccountAlias_basic,
+			acctest.CtDisappears: testAccAccountAlias_disappears,
 		},
 	}
 
@@ -37,7 +40,6 @@ func TestAccIAMAccountAlias_serial(t *testing.T) {
 func testAccAccountAlias_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 	resourceName := "aws_iam_account_alias.test"
-
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 
 	resource.Test(t, resource.TestCase{
@@ -64,6 +66,32 @@ func testAccAccountAlias_basic(t *testing.T) {
 	})
 }
 
+func testAccAccountAlias_disappears(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_iam_account_alias.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			testAccPreCheckAccountAlias(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.IAMServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckAccountAliasDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAccountAliasConfig_basic(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAccountAliasExists(ctx, resourceName),
+					acctest.CheckResourceDisappears(ctx, acctest.Provider, tfiam.ResourceAccountAlias(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func testAccCheckAccountAliasDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).IAMClient(ctx)
@@ -73,21 +101,18 @@ func testAccCheckAccountAliasDestroy(ctx context.Context) resource.TestCheckFunc
 				continue
 			}
 
-			params := &iam.ListAccountAliasesInput{}
-
-			resp, err := conn.ListAccountAliases(ctx, params)
+			var input iam.ListAccountAliasesInput
+			_, err := tfiam.FindAccountAlias(ctx, conn, &input)
 
-			if err != nil {
-				return fmt.Errorf("error reading IAM Account Alias (%s): %w", rs.Primary.ID, err)
+			if tfresource.NotFound(err) {
+				continue
 			}
 
-			if resp == nil {
-				return fmt.Errorf("error reading IAM Account Alias (%s): empty response", rs.Primary.ID)
+			if err != nil {
+				return err
 			}
 
-			if len(resp.AccountAliases) > 0 {
-				return fmt.Errorf("Bad: Account alias still exists: %q", rs.Primary.ID)
-			}
+			return fmt.Errorf("IAM Server Certificate %s still exists", rs.Primary.ID)
 		}
 
 		return nil
@@ -96,29 +121,17 @@ func testAccCheckAccountAliasDestroy(ctx context.Context) resource.TestCheckFunc
 
 func testAccCheckAccountAliasExists(ctx context.Context, n string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		rs, ok := s.RootModule().Resources[n]
+		_, ok := s.RootModule().Resources[n]
 		if !ok {
 			return fmt.Errorf("Not found: %s", n)
 		}
 
 		conn := acctest.Provider.Meta().(*conns.AWSClient).IAMClient(ctx)
-		params := &iam.ListAccountAliasesInput{}
 
-		resp, err := conn.ListAccountAliases(ctx, params)
+		var input iam.ListAccountAliasesInput
+		_, err := tfiam.FindAccountAlias(ctx, conn, &input)
 
-		if err != nil {
-			return fmt.Errorf("error reading IAM Account Alias (%s): %w", rs.Primary.ID, err)
-		}
-
-		if resp == nil {
-			return fmt.Errorf("error reading IAM Account Alias (%s): empty response", rs.Primary.ID)
-		}
-
-		if len(resp.AccountAliases) == 0 {
-			return fmt.Errorf("Bad: Account alias %q does not exist", rs.Primary.ID)
-		}
-
-		return nil
+		return err
 	}
 }