Skip to content

new resource aws_iam_outbound_web_identity_federation #45217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

new resource aws_iam_outbound_web_identity_federation #45217

wants to merge 10 commits into from
+328 −0

Conversation

@alexbacchin
Copy link
Contributor

@alexbacchin alexbacchin commented Nov 22, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

Introduce a new Terraform resource to manage the IAM “Outbound Web Identity Federation” account setting.

  • New resource: aws_iam_outbound_web_identity_federation
  • No arguments
  • Exports 2 attributes issuer_identifier and jwt_vending_enabled as per API
  • On create: enables the account-level setting
  • On destroy: disables the account-level setting
  • No import support (intentional). If setting already enabled it will adopt the account setting with no errors

Usage

resource "aws_iam_outbound_web_identity_federation" "this" {}

Notes

This resource is intentionally stateful for a binary account-level toggle. It follows the provider pattern for similar account settings where the presence of the resource enforces “enabled,” and its absence enforces “disabled.”

Relations

Closes #45146

References

Output from Acceptance Testing

% make testacc TESTS=TestAccIAMOutboundWebIdentityFederation_serial PKG=iam 
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-iam_outbound_web_identity_federation 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMOutboundWebIdentityFederation_serial'  -timeout 360m -vet=off
2025/11/22 19:39:40 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/22 19:39:40 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccIAMOutboundWebIdentityFederation_serial
=== RUN   TestAccIAMOutboundWebIdentityFederation_serial/basic
=== RUN   TestAccIAMOutboundWebIdentityFederation_serial/alreadyEnabled
--- PASS: TestAccIAMOutboundWebIdentityFederation_serial (32.00s)
    --- PASS: TestAccIAMOutboundWebIdentityFederation_serial/basic (16.41s)
    --- PASS: TestAccIAMOutboundWebIdentityFederation_serial/alreadyEnabled (15.59s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        36.472s

...

@github-actions
Copy link
Contributor

github-actions bot commented Nov 22, 2025

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/iam Issues and PRs that pertain to the iam service. generators Relates to code generators. size/XL Managed by automation to categorize the size of a PR. external-maintainer Contribution from a trusted external contributor. labels Nov 22, 2025
@alexbacchin alexbacchin force-pushed the f-iam_outbound_web_identity_federation branch from 872ebfb to fe8012e Compare November 22, 2025 09:04
@alexbacchin alexbacchin marked this pull request as ready for review November 22, 2025 11:23
@alexbacchin alexbacchin requested a review from a team as a code owner November 22, 2025 11:23
christophetd
christophetd reviewed Nov 22, 2025
View reviewed changes
.changelog/45217.txt
@@ -0,0 +1,3 @@
```release-note:new-resource
aws_iam_outbound_web_identity_federation
Copy link
Contributor

@christophetd christophetd Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it make sense to call this aws_iam_outbound_web_identity_federation_status to make it clear that this resource is only about turning it off/on?

Copy link
Contributor Author

@alexbacchin alexbacchin Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We usually follow the API Action to name resources.

christophetd
christophetd reviewed Nov 22, 2025
View reviewed changes
website/docs/r/iam_outbound_web_identity_federation.html.markdown

You cannot import this resource.

~> **NOTE:** This resource will adopt the IAM Outbound Web Identity Federation setting in the account if this setting is already enabled.
Copy link
Contributor

@christophetd christophetd Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any way to store in the state the previous state of this setting?

My worry would be a situation where:

  • t=0: outbound federation is enabled.
  • t=1: the resource aws_iam_outbound_web_identity_federation is created to enable the setting
  • t=2: the resource is destroyed

current behavior: outbound federation is disabled
my (expected) behavior: outbound federation is preserved to its pre-existing state

Copy link
Contributor Author

@alexbacchin alexbacchin Nov 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@christophetd once you import a resource (or adopt in this case) to Terraform, from that point, it will be managed by Terraform.
My implementation, without the enabled argument, was to avoid the need to import the resource for practitioners that already enabled this setting.

christophetd
christophetd reviewed Nov 22, 2025
View reviewed changes
website/docs/r/iam_outbound_web_identity_federation.html.markdown
## Example Usage

```terraform
resource "aws_iam_outbound_web_identity_federation" "example" {}
Copy link
Contributor

@christophetd christophetd Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this needs a boolean to state whether the intent is to enable or disable it

Copy link
Contributor Author

@alexbacchin alexbacchin Nov 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am happy to change the implementation and add the enabled argument . However, this will require also adding import.
In this case this setting was enabled outside terraform, then you would need to import its setting to terraform state otherwise you will get an error when terraform try to enable it again.

christophetd
christophetd reviewed Nov 22, 2025
View reviewed changes
Copy link
Contributor

@christophetd christophetd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As someone interested by this feature (and by no means a Terraform core contributor), I left a few comments. I also think we need a data source to retrieve the issuer_identifier of a specific account ID, and possible retrieve the status of iam outbound federation in the account

@alexbacchin
Copy link
Contributor Author

alexbacchin commented Nov 22, 2025
edited
Loading

@ewbankkit @justinretzolk can you please let me know if I should change this implementation with enabled argument?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@christophetd christophetd christophetd left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Introduces or discusses updates to documentation. external-maintainer Contribution from a trusted external contributor. generators Relates to code generators. needs-triage Waiting for first response or review from a maintainer. service/iam Issues and PRs that pertain to the iam service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support for IAM outbound identity enablement

2 participants

@alexbacchin @christophetd