F/aws acmpca certificate authority (#19681)

* Support for s3_object_acl

* Add CHANGELOG entry.

Co-authored-by: Kit Ewbank <[email protected]>

.changelog/19681.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+data-source/aws_acmpca_certificate_authority: Fix `error setting tags`
+```

aws/data_source_aws_acmpca_certificate_authority.go

@@ -71,6 +71,10 @@ func dataSourceAwsAcmpcaCertificateAuthority() *schema.Resource {
 										Type:     schema.TypeString,
 										Computed: true,
 									},
+									"s3_object_acl": {
+										Type:     schema.TypeString,
+										Computed: true,
+									},
 								},
 							},
 						},

aws/data_source_aws_acmpca_certificate_authority_test.go

@@ -43,6 +43,45 @@ func TestAccDataSourceAwsAcmpcaCertificateAuthority_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceAwsAcmpcaCertificateAuthority_S3ObjectAcl(t *testing.T) {
+	resourceName := "aws_acmpca_certificate_authority.test"
+	datasourceName := "data.aws_acmpca_certificate_authority.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:   func() { testAccPreCheck(t) },
+		ErrorCheck: testAccErrorCheck(t, acmpca.EndpointsID),
+		Providers:  testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccDataSourceAwsAcmpcaCertificateAuthorityConfig_NonExistent,
+				ExpectError: regexp.MustCompile(`(AccessDeniedException|ResourceNotFoundException)`),
+			},
+			{
+				Config: testAccDataSourceAwsAcmpcaCertificateAuthorityConfigS3ObjectAcl_ARN,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(datasourceName, "arn", resourceName, "arn"),
+					resource.TestCheckResourceAttrPair(datasourceName, "certificate", resourceName, "certificate"),
+					resource.TestCheckResourceAttrPair(datasourceName, "certificate_chain", resourceName, "certificate_chain"),
+					resource.TestCheckResourceAttrPair(datasourceName, "certificate_signing_request", resourceName, "certificate_signing_request"),
+					resource.TestCheckResourceAttrPair(datasourceName, "not_after", resourceName, "not_after"),
+					resource.TestCheckResourceAttrPair(datasourceName, "not_before", resourceName, "not_before"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.#", resourceName, "revocation_configuration.#"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.#", resourceName, "revocation_configuration.0.crl_configuration.#"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.0.enabled", resourceName, "revocation_configuration.0.crl_configuration.0.enabled"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.0.custom_cname", resourceName, "revocation_configuration.0.crl_configuration.0.custom_cname"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.0.expiration_in_days", resourceName, "revocation_configuration.0.crl_configuration.0.expiration_in_days"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.0.s3_bucket_name", resourceName, "revocation_configuration.0.crl_configuration.0.s3_bucket_name"),
+					resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.0.crl_configuration.0.s3_object_acl", resourceName, "revocation_configuration.0.crl_configuration.0.s3_object_acl"),
+					resource.TestCheckResourceAttrPair(datasourceName, "serial", resourceName, "serial"),
+					resource.TestCheckResourceAttrPair(datasourceName, "status", resourceName, "status"),
+					resource.TestCheckResourceAttrPair(datasourceName, "tags.%", resourceName, "tags.%"),
+					resource.TestCheckResourceAttrPair(datasourceName, "type", resourceName, "type"),
+				),
+			},
+		},
+	})
+}
+
 const testAccDataSourceAwsAcmpcaCertificateAuthorityConfig_ARN = `
 resource "aws_acmpca_certificate_authority" "wrong" {
   permanent_deletion_time_in_days = 7
@@ -75,6 +114,38 @@ data "aws_acmpca_certificate_authority" "test" {
 }
 `
 
+const testAccDataSourceAwsAcmpcaCertificateAuthorityConfigS3ObjectAcl_ARN = `
+resource "aws_acmpca_certificate_authority" "wrong" {
+  permanent_deletion_time_in_days = 7
+
+  certificate_authority_configuration {
+    key_algorithm     = "RSA_4096"
+    signing_algorithm = "SHA512WITHRSA"
+
+    subject {
+      common_name = "terraformtesting.com"
+    }
+  }
+}
+
+resource "aws_acmpca_certificate_authority" "test" {
+  permanent_deletion_time_in_days = 7
+
+  certificate_authority_configuration {
+    key_algorithm     = "RSA_4096"
+    signing_algorithm = "SHA512WITHRSA"
+
+    subject {
+      common_name = "terraformtesting.com"
+    }
+  }
+}
+
+data "aws_acmpca_certificate_authority" "test" {
+  arn = aws_acmpca_certificate_authority.test.arn
+}
+`
+
 //lintignore:AWSAT003,AWSAT005
 const testAccDataSourceAwsAcmpcaCertificateAuthorityConfig_NonExistent = `
 data "aws_acmpca_certificate_authority" "test" {

website/docs/d/acmpca_certificate_authority.html.markdown

@@ -40,6 +40,7 @@ In addition to all arguments above, the following attributes are exported:
         * `revocation_configuration.0.crl_configuration.0.enabled` - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled.
         * `revocation_configuration.0.crl_configuration.0.expiration_in_days` - Number of days until a certificate expires.
         * `revocation_configuration.0.crl_configuration.0.s3_bucket_name` - Name of the S3 bucket that contains the CRL.
+        * `revocation_configuration.0.crl_configuration.0.s3_object_acl` - Whether the CRL is publicly readable or privately held in the CRL Amazon S3 bucket.
 * `serial` - Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
 * `status` - Status of the certificate authority.
 * `tags` - Specifies a key-value map of user-defined tags that are attached to the certificate authority.