diff --git a/.changelog/21452.txt b/.changelog/21452.txt new file mode 100644 index 00000000000..07c0a18f06e --- /dev/null +++ b/.changelog/21452.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_glue_data_catalog_encryption_settings: Disable encryption on resource deletion +``` \ No newline at end of file diff --git a/internal/service/glue/data_catalog_encryption_settings.go b/internal/service/glue/data_catalog_encryption_settings.go index c4d7752ac86..50967cbd785 100644 --- a/internal/service/glue/data_catalog_encryption_settings.go +++ b/internal/service/glue/data_catalog_encryption_settings.go @@ -2,6 +2,7 @@ package glue import ( "fmt" + "log" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/glue" @@ -16,7 +17,7 @@ func ResourceDataCatalogEncryptionSettings() *schema.Resource { Create: resourceDataCatalogEncryptionSettingsPut, Read: resourceDataCatalogEncryptionSettingsRead, Update: resourceDataCatalogEncryptionSettingsPut, - Delete: schema.Noop, + Delete: resourceDataCatalogEncryptionSettingsDelete, Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, }, @@ -80,16 +81,21 @@ func ResourceDataCatalogEncryptionSettings() *schema.Resource { func resourceDataCatalogEncryptionSettingsPut(d *schema.ResourceData, meta interface{}) error { conn := meta.(*conns.AWSClient).GlueConn - catalogID := createCatalogID(d, meta.(*conns.AWSClient).AccountID) + catalogID := createCatalogID(d, meta.(*conns.AWSClient).AccountID) input := &glue.PutDataCatalogEncryptionSettingsInput{ - CatalogId: aws.String(catalogID), - DataCatalogEncryptionSettings: expandGlueDataCatalogEncryptionSettings(d.Get("data_catalog_encryption_settings").([]interface{})), + CatalogId: aws.String(catalogID), } + if v, ok := d.GetOk("data_catalog_encryption_settings"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { + input.DataCatalogEncryptionSettings = expandDataCatalogEncryptionSettings(v.([]interface{})[0].(map[string]interface{})) + } + + log.Printf("[DEBUG] Putting Glue Data Catalog Encryption Settings: %s", input) _, err := conn.PutDataCatalogEncryptionSettings(input) + if err != nil { - return fmt.Errorf("Error setting Data Catalog Encryption Settings: %w", err) + return fmt.Errorf("error putting Glue Data Catalog Encryption Settings (%s): %w", catalogID, err) } d.SetId(catalogID) @@ -100,92 +106,148 @@ func resourceDataCatalogEncryptionSettingsPut(d *schema.ResourceData, meta inter func resourceDataCatalogEncryptionSettingsRead(d *schema.ResourceData, meta interface{}) error { conn := meta.(*conns.AWSClient).GlueConn - input := &glue.GetDataCatalogEncryptionSettingsInput{ + output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{ CatalogId: aws.String(d.Id()), - } + }) - out, err := conn.GetDataCatalogEncryptionSettings(input) if err != nil { - return fmt.Errorf("Error reading Glue Data Catalog Encryption Settings: %w", err) + return fmt.Errorf("error reading Glue Data Catalog Encryption Settings (%s): %w", d.Id(), err) } d.Set("catalog_id", d.Id()) + if output.DataCatalogEncryptionSettings != nil { + if err := d.Set("data_catalog_encryption_settings", []interface{}{flattenDataCatalogEncryptionSettings(output.DataCatalogEncryptionSettings)}); err != nil { + return fmt.Errorf("error setting data_catalog_encryption_settings: %w", err) + } + } else { + d.Set("data_catalog_encryption_settings", nil) + } + + return nil +} - if err := d.Set("data_catalog_encryption_settings", flattenGlueDataCatalogEncryptionSettings(out.DataCatalogEncryptionSettings)); err != nil { - return fmt.Errorf("error setting data_catalog_encryption_settings: %w", err) +func resourceDataCatalogEncryptionSettingsDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*conns.AWSClient).GlueConn + + input := &glue.PutDataCatalogEncryptionSettingsInput{ + CatalogId: aws.String(d.Id()), + DataCatalogEncryptionSettings: &glue.DataCatalogEncryptionSettings{}, + } + + log.Printf("[DEBUG] Deleting Glue Data Catalog Encryption Settings: %s", input) + _, err := conn.PutDataCatalogEncryptionSettings(input) + + if err != nil { + return fmt.Errorf("error putting Glue Data Catalog Encryption Settings (%s): %w", d.Id(), err) } return nil } -func expandGlueDataCatalogEncryptionSettings(settings []interface{}) *glue.DataCatalogEncryptionSettings { - m := settings[0].(map[string]interface{}) +func expandDataCatalogEncryptionSettings(tfMap map[string]interface{}) *glue.DataCatalogEncryptionSettings { + if tfMap == nil { + return nil + } - target := &glue.DataCatalogEncryptionSettings{ - ConnectionPasswordEncryption: expandGlueDataCatalogConnectionPasswordEncryption(m["connection_password_encryption"].([]interface{})), - EncryptionAtRest: expandGlueDataCatalogEncryptionAtRest(m["encryption_at_rest"].([]interface{})), + apiObject := &glue.DataCatalogEncryptionSettings{} + + if v, ok := tfMap["connection_password_encryption"].([]interface{}); ok && len(v) > 0 { + apiObject.ConnectionPasswordEncryption = expandConnectionPasswordEncryption(v[0].(map[string]interface{})) + } + + if v, ok := tfMap["encryption_at_rest"].([]interface{}); ok && len(v) > 0 { + apiObject.EncryptionAtRest = expandEncryptionAtRest(v[0].(map[string]interface{})) } - return target + return apiObject } -func flattenGlueDataCatalogEncryptionSettings(settings *glue.DataCatalogEncryptionSettings) []map[string]interface{} { - m := map[string]interface{}{ - "connection_password_encryption": flattenGlueDataCatalogConnectionPasswordEncryption(settings.ConnectionPasswordEncryption), - "encryption_at_rest": flattenGlueDataCatalogEncryptionAtRest(settings.EncryptionAtRest), +func expandConnectionPasswordEncryption(tfMap map[string]interface{}) *glue.ConnectionPasswordEncryption { + if tfMap == nil { + return nil } - return []map[string]interface{}{m} + apiObject := &glue.ConnectionPasswordEncryption{} + + if v, ok := tfMap["aws_kms_key_id"].(string); ok && v != "" { + apiObject.AwsKmsKeyId = aws.String(v) + } + + if v, ok := tfMap["return_connection_password_encrypted"].(bool); ok { + apiObject.ReturnConnectionPasswordEncrypted = aws.Bool(v) + } + + return apiObject } -func expandGlueDataCatalogConnectionPasswordEncryption(settings []interface{}) *glue.ConnectionPasswordEncryption { - m := settings[0].(map[string]interface{}) +func expandEncryptionAtRest(tfMap map[string]interface{}) *glue.EncryptionAtRest { + if tfMap == nil { + return nil + } + + apiObject := &glue.EncryptionAtRest{} - target := &glue.ConnectionPasswordEncryption{ - ReturnConnectionPasswordEncrypted: aws.Bool(m["return_connection_password_encrypted"].(bool)), + if v, ok := tfMap["catalog_encryption_mode"].(string); ok && v != "" { + apiObject.CatalogEncryptionMode = aws.String(v) } - if v, ok := m["aws_kms_key_id"].(string); ok && v != "" { - target.AwsKmsKeyId = aws.String(v) + if v, ok := tfMap["sse_aws_kms_key_id"].(string); ok && v != "" { + apiObject.SseAwsKmsKeyId = aws.String(v) } - return target + return apiObject } -func flattenGlueDataCatalogConnectionPasswordEncryption(settings *glue.ConnectionPasswordEncryption) []map[string]interface{} { - m := map[string]interface{}{ - "return_connection_password_encrypted": aws.BoolValue(settings.ReturnConnectionPasswordEncrypted), +func flattenDataCatalogEncryptionSettings(apiObject *glue.DataCatalogEncryptionSettings) map[string]interface{} { + if apiObject == nil { + return nil } - if settings.AwsKmsKeyId != nil { - m["aws_kms_key_id"] = aws.StringValue(settings.AwsKmsKeyId) + tfMap := map[string]interface{}{} + + if v := apiObject.ConnectionPasswordEncryption; v != nil { + tfMap["connection_password_encryption"] = []interface{}{flattenConnectionPasswordEncryption(v)} } - return []map[string]interface{}{m} + if v := apiObject.EncryptionAtRest; v != nil { + tfMap["encryption_at_rest"] = []interface{}{flattenEncryptionAtRest(v)} + } + + return tfMap } -func expandGlueDataCatalogEncryptionAtRest(settings []interface{}) *glue.EncryptionAtRest { - m := settings[0].(map[string]interface{}) +func flattenConnectionPasswordEncryption(apiObject *glue.ConnectionPasswordEncryption) map[string]interface{} { + if apiObject == nil { + return nil + } - target := &glue.EncryptionAtRest{ - CatalogEncryptionMode: aws.String(m["catalog_encryption_mode"].(string)), + tfMap := map[string]interface{}{} + + if v := apiObject.AwsKmsKeyId; v != nil { + tfMap["aws_kms_key_id"] = aws.StringValue(v) } - if v, ok := m["sse_aws_kms_key_id"].(string); ok && v != "" { - target.SseAwsKmsKeyId = aws.String(v) + if v := apiObject.ReturnConnectionPasswordEncrypted; v != nil { + tfMap["return_connection_password_encrypted"] = aws.BoolValue(v) } - return target + return tfMap } -func flattenGlueDataCatalogEncryptionAtRest(settings *glue.EncryptionAtRest) []map[string]interface{} { - m := map[string]interface{}{ - "catalog_encryption_mode": aws.StringValue(settings.CatalogEncryptionMode), +func flattenEncryptionAtRest(apiObject *glue.EncryptionAtRest) map[string]interface{} { + if apiObject == nil { + return nil + } + + tfMap := map[string]interface{}{} + + if v := apiObject.CatalogEncryptionMode; v != nil { + tfMap["catalog_encryption_mode"] = aws.StringValue(v) } - if settings.SseAwsKmsKeyId != nil { - m["sse_aws_kms_key_id"] = aws.StringValue(settings.SseAwsKmsKeyId) + if v := apiObject.SseAwsKmsKeyId; v != nil { + tfMap["sse_aws_kms_key_id"] = aws.StringValue(v) } - return []map[string]interface{}{m} + return tfMap } diff --git a/internal/service/glue/data_catalog_encryption_settings_data_source.go b/internal/service/glue/data_catalog_encryption_settings_data_source.go index 1bbbe368912..a00052ebb26 100644 --- a/internal/service/glue/data_catalog_encryption_settings_data_source.go +++ b/internal/service/glue/data_catalog_encryption_settings_data_source.go @@ -2,6 +2,7 @@ package glue import ( "context" + "fmt" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/glue" @@ -64,19 +65,25 @@ func DataSourceDataCatalogEncryptionSettings() *schema.Resource { func dataSourceDataCatalogEncryptionSettingsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { conn := meta.(*conns.AWSClient).GlueConn - id := d.Get("catalog_id").(string) - input := &glue.GetDataCatalogEncryptionSettingsInput{ - CatalogId: aws.String(id), - } - out, err := conn.GetDataCatalogEncryptionSettings(input) + + catalogID := d.Get("catalog_id").(string) + output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{ + CatalogId: aws.String(catalogID), + }) + if err != nil { - return diag.Errorf("Error reading Glue Data Catalog Encryption Settings: %s", err) + return diag.FromErr(fmt.Errorf("error reading Glue Data Catalog Encryption Settings (%s): %w", catalogID, err)) } - d.SetId(id) - d.Set("catalog_id", d.Id()) - if err := d.Set("data_catalog_encryption_settings", flattenGlueDataCatalogEncryptionSettings(out.DataCatalogEncryptionSettings)); err != nil { - return diag.Errorf("error setting data_catalog_encryption_settings: %s", err) + d.SetId(catalogID) + d.Set("catalog_id", d.Id()) + if output.DataCatalogEncryptionSettings != nil { + if err := d.Set("data_catalog_encryption_settings", []interface{}{flattenDataCatalogEncryptionSettings(output.DataCatalogEncryptionSettings)}); err != nil { + return diag.FromErr(fmt.Errorf("error setting data_catalog_encryption_settings: %w", err)) + } + } else { + d.Set("data_catalog_encryption_settings", nil) } + return nil } diff --git a/internal/service/glue/data_catalog_encryption_settings_data_source_test.go b/internal/service/glue/data_catalog_encryption_settings_data_source_test.go index ca566b09198..2240399aeba 100644 --- a/internal/service/glue/data_catalog_encryption_settings_data_source_test.go +++ b/internal/service/glue/data_catalog_encryption_settings_data_source_test.go @@ -1,20 +1,18 @@ package glue_test import ( - "fmt" "testing" "github.com/aws/aws-sdk-go/service/glue" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/hashicorp/terraform-provider-aws/internal/acctest" ) -func TestAccGlueDataCatalogEncryptionSettingsDataSource_basic(t *testing.T) { +func testAccGlueDataCatalogEncryptionSettingsDataSource_basic(t *testing.T) { resourceName := "aws_glue_data_catalog_encryption_settings.test" - datasourceName := "data.aws_glue_data_catalog_encryption_settings.test" + dataSourceName := "data.aws_glue_data_catalog_encryption_settings.test" - resource.ParallelTest(t, resource.TestCase{ + resource.Test(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(t) }, ErrorCheck: acctest.ErrorCheck(t, glue.EndpointsID), Providers: acctest.Providers, @@ -22,26 +20,14 @@ func TestAccGlueDataCatalogEncryptionSettingsDataSource_basic(t *testing.T) { { Config: testAccDataCatalogEncryptionSettingsDataSourceConfig(), Check: resource.ComposeTestCheckFunc( - testAccDataCatalogEncryptionSettingsCheckDataSource(datasourceName), - resource.TestCheckResourceAttrPair(datasourceName, "catalog_id", resourceName, "catalog_id"), - resource.TestCheckResourceAttrPair(datasourceName, "data_catalog_encryption_settings", resourceName, "data_catalog_encryption_settings"), + resource.TestCheckResourceAttrPair(dataSourceName, "catalog_id", resourceName, "catalog_id"), + resource.TestCheckResourceAttrPair(dataSourceName, "data_catalog_encryption_settings", resourceName, "data_catalog_encryption_settings"), ), }, }, }) } -func testAccDataCatalogEncryptionSettingsCheckDataSource(name string) resource.TestCheckFunc { - return func(s *terraform.State) error { - _, ok := s.RootModule().Resources[name] - if !ok { - return fmt.Errorf("root module has no resource called %s", name) - } - - return nil - } -} - func testAccDataCatalogEncryptionSettingsDataSourceConfig() string { return ` resource "aws_glue_data_catalog_encryption_settings" "test" { diff --git a/internal/service/glue/data_catalog_encryption_settings_test.go b/internal/service/glue/data_catalog_encryption_settings_test.go index 338a104f04e..56bef0e8047 100644 --- a/internal/service/glue/data_catalog_encryption_settings_test.go +++ b/internal/service/glue/data_catalog_encryption_settings_test.go @@ -13,14 +13,14 @@ import ( "github.com/hashicorp/terraform-provider-aws/internal/conns" ) -func TestAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) { +func testAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) { var settings glue.DataCatalogEncryptionSettings rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_glue_data_catalog_encryption_settings.test" keyResourceName := "aws_kms_key.test" - resource.ParallelTest(t, resource.TestCase{ + resource.Test(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(t) }, ErrorCheck: acctest.ErrorCheck(t, glue.EndpointsID), Providers: acctest.Providers, @@ -74,7 +74,7 @@ func TestAccGlueDataCatalogEncryptionSettings_basic(t *testing.T) { }) } -func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, settings *glue.DataCatalogEncryptionSettings) resource.TestCheckFunc { +func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, v *glue.DataCatalogEncryptionSettings) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[resourceName] if !ok { @@ -90,11 +90,12 @@ func testAccCheckDataCatalogEncryptionSettingsExists(resourceName string, settin output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{ CatalogId: aws.String(rs.Primary.ID), }) + if err != nil { return err } - *settings = *output.DataCatalogEncryptionSettings + *v = *output.DataCatalogEncryptionSettings return nil } diff --git a/internal/service/glue/glue_test.go b/internal/service/glue/glue_test.go index 4bc7385106b..a8276df1053 100644 --- a/internal/service/glue/glue_test.go +++ b/internal/service/glue/glue_test.go @@ -4,6 +4,10 @@ import "testing" func TestAccGlue_serial(t *testing.T) { testCases := map[string]map[string]func(t *testing.T){ + "DataCatalogEncryptionSettings": { + "basic": testAccGlueDataCatalogEncryptionSettings_basic, + "DataSource": testAccGlueDataCatalogEncryptionSettingsDataSource_basic, + }, "ResourcePolicy": { "basic": testAccResourcePolicy_basic, "update": testAccResourcePolicy_update,