modified the implementation to include enabled argument and added import

Author: alexbacchin

internal/service/iam/outbound_web_identity_federation.go

@@ -11,11 +11,13 @@ import (
 	awstypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	"github.com/hashicorp/terraform-provider-aws/internal/framework"
 	"github.com/hashicorp/terraform-provider-aws/internal/framework/flex"
 	"github.com/hashicorp/terraform-provider-aws/internal/smerr"
+	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
 // @FrameworkResource("aws_iam_outbound_web_identity_federation", name="Outbound Web Identity Federation")
@@ -31,16 +33,19 @@ const (
 
 type resourceOutboundWebIdentityFederation struct {
 	framework.ResourceWithModel[resourceOutboundWebIdentityFederationModel]
-	framework.WithNoUpdate
+	framework.WithImportByID
 }
 
 func (r *resourceOutboundWebIdentityFederation) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
 	resp.Schema = schema.Schema{
 		Attributes: map[string]schema.Attribute{
-			"issuer_identifier": schema.StringAttribute{
+			names.AttrEnabled: schema.BoolAttribute{
+				Optional: true,
 				Computed: true,
+				Default:  booldefault.StaticBool(true),
 			},
-			"jwt_vending_enabled": schema.BoolAttribute{
+			names.AttrID: framework.IDAttribute(),
+			"issuer_identifier": schema.StringAttribute{
 				Computed: true,
 			},
 		},
@@ -55,24 +60,8 @@ func (r *resourceOutboundWebIdentityFederation) Create(ctx context.Context, req
 	if resp.Diagnostics.HasError() {
 		return
 	}
-
-	out, err := conn.EnableOutboundWebIdentityFederation(ctx, &iam.EnableOutboundWebIdentityFederationInput{})
-	if errs.IsA[*awstypes.FeatureEnabledException](err) {
-		// Feature is already enabled, adopt existing state
-		outAlreadyEnabled, err := getOutboundWebIdentityFederation(ctx, conn)
-		if err != nil {
-			smerr.AddError(ctx, &resp.Diagnostics, err)
-			return
-		}
-		if outAlreadyEnabled == nil {
-			smerr.AddError(ctx, &resp.Diagnostics, fmt.Errorf("expected non-nil response from GetOutboundWebIdentityFederationInfo"))
-			return
-		}
-		smerr.AddEnrich(ctx, &resp.Diagnostics, flex.Flatten(ctx, outAlreadyEnabled, &plan))
-		if resp.Diagnostics.HasError() {
-			return
-		}
-	} else {
+	if plan.Enabled.ValueBool() {
+		out, err := conn.EnableOutboundWebIdentityFederation(ctx, &iam.EnableOutboundWebIdentityFederationInput{})
 		if err != nil {
 			smerr.AddError(ctx, &resp.Diagnostics, err)
 			return
@@ -81,12 +70,15 @@ func (r *resourceOutboundWebIdentityFederation) Create(ctx context.Context, req
 			smerr.AddError(ctx, &resp.Diagnostics, fmt.Errorf("expected non-nil response from EnableOutboundWebIdentityFederation"))
 			return
 		}
-		plan.JwtVendingEnabled = types.BoolValue(true)
+		plan.Enabled = types.BoolValue(true)
 		smerr.AddEnrich(ctx, &resp.Diagnostics, flex.Flatten(ctx, out, &plan))
 		if resp.Diagnostics.HasError() {
 			return
 		}
+	} else {
+		plan.Enabled = types.BoolValue(false)
 	}
+	plan.AccountId = types.StringValue(r.Meta().AccountID(ctx))
 	smerr.AddEnrich(ctx, &resp.Diagnostics, resp.State.Set(ctx, plan))
 }
 
@@ -104,13 +96,52 @@ func (r *resourceOutboundWebIdentityFederation) Read(ctx context.Context, req re
 		smerr.AddError(ctx, &resp.Diagnostics, err, smerr.ID)
 		return
 	}
+	if out != nil {
+		smerr.AddEnrich(ctx, &resp.Diagnostics, flex.Flatten(ctx, out, &state))
+		if resp.Diagnostics.HasError() {
+			return
+		}
+	}
+	if state.Enabled.IsNull() || state.Enabled.IsUnknown() {
+		state.Enabled = types.BoolValue(out != nil)
+	}
+
+	smerr.AddEnrich(ctx, &resp.Diagnostics, resp.State.Set(ctx, &state))
+}
+
+func (r *resourceOutboundWebIdentityFederation) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	conn := r.Meta().IAMClient(ctx)
+
+	var plan resourceOutboundWebIdentityFederationModel
+	smerr.AddEnrich(ctx, &resp.Diagnostics, req.Plan.Get(ctx, &plan))
+	if resp.Diagnostics.HasError() {
+		return
+	}
 
-	smerr.AddEnrich(ctx, &resp.Diagnostics, flex.Flatten(ctx, out, &state))
+	var state resourceOutboundWebIdentityFederationModel
+	smerr.AddEnrich(ctx, &resp.Diagnostics, req.State.Get(ctx, &state))
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	smerr.AddEnrich(ctx, &resp.Diagnostics, resp.State.Set(ctx, &state))
+	if plan.Enabled.ValueBool() != state.Enabled.ValueBool() {
+		if plan.Enabled.ValueBool() {
+			_, err := conn.EnableOutboundWebIdentityFederation(ctx, &iam.EnableOutboundWebIdentityFederationInput{})
+			if err != nil && !errs.IsA[*awstypes.FeatureEnabledException](err) {
+				smerr.AddError(ctx, &resp.Diagnostics, err, smerr.ID)
+				return
+			}
+		} else {
+			_, err := conn.DisableOutboundWebIdentityFederation(ctx, &iam.DisableOutboundWebIdentityFederationInput{})
+			if err != nil && !errs.IsA[*awstypes.FeatureDisabledException](err) {
+				smerr.AddError(ctx, &resp.Diagnostics, err, smerr.ID)
+				return
+			}
+			plan.IssuerIdentifier = types.StringNull()
+		}
+	}
+
+	smerr.AddEnrich(ctx, &resp.Diagnostics, resp.State.Set(ctx, &plan))
 }
 
 func (r *resourceOutboundWebIdentityFederation) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
@@ -133,8 +164,9 @@ func (r *resourceOutboundWebIdentityFederation) Delete(ctx context.Context, req
 }
 
 type resourceOutboundWebIdentityFederationModel struct {
-	JwtVendingEnabled types.Bool   `tfsdk:"jwt_vending_enabled"`
-	IssuerIdentifier  types.String `tfsdk:"issuer_identifier"`
+	Enabled          types.Bool   `tfsdk:"enabled"`
+	AccountId        types.String `tfsdk:"id"`
+	IssuerIdentifier types.String `tfsdk:"issuer_identifier"`
 }
 
 func getOutboundWebIdentityFederation(ctx context.Context, conn *iam.Client) (*iam.GetOutboundWebIdentityFederationInfoOutput, error) {

internal/service/iam/outbound_web_identity_federation_test.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
@@ -17,18 +16,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
-func TestAccIAMOutboundWebIdentityFederation_serial(t *testing.T) {
-	t.Helper()
-
-	testCases := map[string]func(t *testing.T){
-		acctest.CtBasic:  testAccIAMOutboundWebIdentityFederation_basic,
-		"alreadyEnabled": testAccIAMOutboundWebIdentityFederation_alreadyEnabled,
-	}
-
-	acctest.RunSerialTests1Level(t, testCases, 0)
-}
-
-func testAccIAMOutboundWebIdentityFederation_basic(t *testing.T) {
+func TestAccIAMOutboundWebIdentityFederation_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 
 	resourceName := "aws_iam_outbound_web_identity_federation.test"
@@ -43,43 +31,21 @@ func testAccIAMOutboundWebIdentityFederation_basic(t *testing.T) {
 		CheckDestroy:             testAccCheckOutboundWebIdentityFederationDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccOutboundWebIdentityFederationConfig_basic(),
+				Config: testAccOutboundWebIdentityFederationConfig_basic(true),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "jwt_vending_enabled", acctest.CtTrue),
+					resource.TestCheckResourceAttr(resourceName, "enabled", acctest.CtTrue),
 					resource.TestCheckResourceAttrSet(resourceName, "issuer_identifier"),
 				),
 			},
-		},
-	})
-}
-
-func testAccIAMOutboundWebIdentityFederation_alreadyEnabled(t *testing.T) {
-	ctx := acctest.Context(t)
-
-	resourceName := "aws_iam_outbound_web_identity_federation.test"
-
-	resource.Test(t, resource.TestCase{
-		PreCheck: func() {
-			acctest.PreCheck(ctx, t)
-			testAccPreCheck(ctx, t)
-		},
-		ErrorCheck:               acctest.ErrorCheck(t, names.IAMServiceID),
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
-		CheckDestroy:             testAccCheckOutboundWebIdentityFederationDestroy(ctx),
-		Steps: []resource.TestStep{
 			{
-				PreConfig: func() {
-					conn := acctest.Provider.Meta().(*conns.AWSClient).IAMClient(ctx)
-
-					_, err := conn.EnableOutboundWebIdentityFederation(ctx, &iam.EnableOutboundWebIdentityFederationInput{})
-					if err != nil {
-						t.Fatalf("error enabling outbound web identity federation: %s", err)
-					}
-				},
-				Config: testAccOutboundWebIdentityFederationConfig_basic(),
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccOutboundWebIdentityFederationConfig_basic(false),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "jwt_vending_enabled", acctest.CtTrue),
-					resource.TestCheckResourceAttrSet(resourceName, "issuer_identifier"),
+					resource.TestCheckResourceAttr(resourceName, "enabled", acctest.CtFalse),
 				),
 			},
 		},
@@ -125,9 +91,10 @@ func testAccPreCheck(ctx context.Context, t *testing.T) {
 	}
 }
 
-func testAccOutboundWebIdentityFederationConfig_basic() string {
-	return `
+func testAccOutboundWebIdentityFederationConfig_basic(enabled bool) string {
+	return fmt.Sprintf(`
 resource "aws_iam_outbound_web_identity_federation" "test" {
+  enabled = %[1]t
 }
-`
+`, enabled)
 }

website/docs/r/iam_outbound_web_identity_federation.html.markdown

@@ -10,27 +10,41 @@ description: |-
 
 Manages an AWS IAM (Identity & Access Management) Outbound Web Identity Federation.
 
-~> **NOTE:** This resource will enable IAM Outbound Web Identity Federation on the account when created and disable when destroyed.
+~> **NOTE:** Removing this Terraform resource disables IAM Outbound Web Identity Federation.
 
 ## Example Usage
 
 ```terraform
-resource "aws_iam_outbound_web_identity_federation" "example" {}
+resource "aws_iam_outbound_web_identity_federation" "example" {
+  enabled = true
+}
 ```
 
 ## Argument Reference
 
-This resource does not support any arguments.
+* `enabled` - (Optional) Whether or not Outbound Web Identity Federation is enabled. Valid values are `true` or `false`. Defaults to `true`.
 
 ## Attribute Reference
 
 This resource exports the following attributes in addition to the arguments above:
 
+* `id` - Unique identifier for the account registration. Since registration is applied globaly, this will be the Account ID.
 * `issuer_identifier` - A unique issuer URL for your AWS account that hosts the OpenID Connect (OIDC) discovery endpoints.
-* `jwt_vending_enabled` - Indicates whether outbound identity federation is currently enabled for your AWS account.
+
 
 ## Import
 
-You cannot import this resource.
+In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import IAM Outbound Web Identity Federation resources using the `id`. For example:
+
+```terraform
+import {
+  to = aws_iam_outbound_web_identity_federation.example
+  id = "123456789012"
+}
+```
+
+Using `terraform import`, import IAM Outbound Web Identity Federation  resources using the `id`. For example:
 
-~> **NOTE:** This resource will adopt the IAM Outbound Web Identity Federation setting in the account if this setting is already enabled.
+```console
+% terraform import aws_iam_outbound_web_identity_federation.example 123456789012
+```