[Bug]: aws_workspaces_directory requires directory_id for PERSONAL workspace_type even with AWS_IAM_IDENTITY_CENTER user_identity_type #46534

@azabonik

Description

Terraform Core Version

1.13.1

AWS Provider Version

6.32.1

Affected Resource(s)

  • aws_workspaces_directory

Expected Behavior

When creating an aws_workspaces_directory with workspace_type = "PERSONAL" and user_identity_type = "AWS_IAM_IDENTITY_CENTER", the resource should not require directory_id. IAM Identity Center (IDC) backed PERSONAL directories do not use an AD/Connector directory — they are registered via the RegisterWorkspaceDirectory API with WorkspaceDirectoryName, UserIdentityType, and IdcInstanceArn parameters instead. The AWS Console and API both support this configuration.

Actual Behavior

Terraform fails during plan with:

Error: `directory_id` must be set when `workspace_type` is set to `PERSONAL`

This validation in CustomizeDiff unconditionally requires directory_id for all PERSONAL directories, without accounting for the IDC identity type which doesn't use a traditional directory:

case types.WorkspaceTypePersonal:
    if v := config.GetAttr("directory_id"); v.IsKnown() &&
        (v.IsNull() || v.AsString() == "") {
        return fmt.Errorf("`directory_id` must be set when `workspace_type` is set to `%[1]s`", workspaceType)
    }

Relevant Error/Panic Output Snippet

╷
│ Error: `directory_id` must be set when `workspace_type` is set to `PERSONAL`
│
│   with aws_workspaces_directory.main,
│   on workspaces-directory.tf line 6, in resource "aws_workspaces_directory" "main":
│    6: resource "aws_workspaces_directory" "main" {
│
╵

Terraform Configuration Files

resource "aws_workspaces_directory" "main" {
  workspace_directory_name = "ephemeral-workspaces"
  subnet_ids               = ["subnet-abc123", "subnet-def456"]
  workspace_type           = "PERSONAL"
  user_identity_type       = "AWS_IAM_IDENTITY_CENTER"

  workspace_creation_properties {
    enable_internet_access              = true
    enable_maintenance_mode             = true
    user_enabled_as_local_administrator = true
  }

  workspace_access_properties {
    device_type_android    = "ALLOW"
    device_type_chromeos   = "DENY"
    device_type_ios        = "ALLOW"
    device_type_linux      = "DENY"
    device_type_osx        = "ALLOW"
    device_type_web        = "DENY"
    device_type_windows    = "ALLOW"
    device_type_zeroclient = "DENY"
  }

  self_service_permissions {
    restart_workspace    = true
    change_compute_type  = false
    increase_volume_size = false
    rebuild_workspace    = false
    switch_running_mode  = false
  }
}

Steps to Reproduce

  1. Configure an aws_workspaces_directory resource with workspace_type = "PERSONAL" and user_identity_type = "AWS_IAM_IDENTITY_CENTER" (without directory_id)
  2. Run terraform plan
  3. Observe the error: directory_id must be set when workspace_type is set to PERSONAL

Debug Output

No response

Panic Output

No response

Important Factoids

AWS added support for IAM Identity Center backed PERSONAL WorkSpaces directories (without requiring Active Directory). These directories are created via the RegisterWorkspaceDirectory API using WorkspaceDirectoryName + UserIdentityType=AWS_IAM_IDENTITY_CENTER + IdcInstanceArn — there is no AD directory involved, so directory_id does not apply.

The provider's documentation already lists AWS_IAM_IDENTITY_CENTER as a valid value for user_identity_type and marks directory_id as Optional, but the CustomizeDiff validation blocks this valid combination.

Suggested Fix

The CustomizeDiff validation should be updated to only require directory_id for PERSONAL directories when user_identity_type is AWS_DIRECTORY_SERVICE (or not set), and skip the check when user_identity_type is AWS_IAM_IDENTITY_CENTER.

Would you like to implement a fix?

Yes
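
The rule under "Suggested Fix", written out as a standalone Go function; this is an added example, not the provider's code or the reporter's patch. The `attr` type, the function name, and the choice to defer when `user_identity_type` is not yet known at plan time are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// attr is a hypothetical stand-in for the raw config value the provider
// inspects at plan time; it is not a type from the provider or its SDK.
type attr struct {
	Known bool   // false while the value is "known after apply"
	Null  bool   // true when the attribute is omitted from the configuration
	Value string // the configured string when Known and not Null
}

func (a attr) unset() bool { return a.Null || a.Value == "" }

// Enum strings exactly as they appear in the issue text.
const (
	typePersonal     = "PERSONAL"
	idDirectorySvc   = "AWS_DIRECTORY_SERVICE"
	idIdentityCenter = "AWS_IAM_IDENTITY_CENTER"
)

var errDirectoryIDRequired = errors.New("`directory_id` must be set")

// validateDirectoryID requires directory_id for PERSONAL directories only when
// user_identity_type is AWS_DIRECTORY_SERVICE or not set.
func validateDirectoryID(workspaceType string, identity, directoryID attr) error {
	if workspaceType != typePersonal {
		return nil // the rule only concerns PERSONAL directories
	}
	if !identity.Known {
		return nil // assumption: cannot decide at plan time, so defer
	}
	if !identity.unset() && identity.Value != idDirectorySvc {
		return nil // e.g. AWS_IAM_IDENTITY_CENTER: no AD directory involved
	}
	// Same known/null/empty test as the check quoted in the issue.
	if directoryID.Known && directoryID.unset() {
		return fmt.Errorf("%w when `workspace_type` is `%s` and `user_identity_type` is `%s` or unset",
			errDirectoryIDRequired, workspaceType, idDirectorySvc)
	}
	return nil
}

func main() {
	omitted := attr{Known: true, Null: true}
	idc := attr{Known: true, Value: idIdentityCenter}
	fmt.Println(validateDirectoryID(typePersonal, idc, omitted))
	fmt.Println(validateDirectoryID(typePersonal, omitted, omitted))
}
```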

Labels

  • bug: Addresses a defect in current functionality.
  • needs-triage: Waiting for first response or review from a maintainer.
  • service/workspaces: Issues and PRs that pertain to the workspaces service.
