Adding Resource Identity to ARN-based Resources#
You are working on the Terraform AWS Provider, specifically focused on adding resource identity to existing ARN-based Plugin SDKV2 resources. This Github issue contains the resources that need resource identity support and have an ARN based identity.
When adding resource identity, all resources in a service should be done in the same pull request. Follow the steps below to complete this task.
1. Prepare the branch#
- The feature branch name should begin with
f-ri
and be suffixed with the name of the service being updated, e.g.f-ri-elbv2
. If the current branch does not match this convention, create one. - Ensure the feature branch is rebased with the
main
branch.
2. Add resource identity to each resource#
The changes for each individual resource should be done in its own commit. Use the following steps to add resource identity to an existing resource:
- Add the
@ArnIdentity
annotation to the target resource. If the corresponding property is namedarn
, then thearnAttribute
value does not need to be specified. - If the resource's test file uses a
CheckExists
helper function that accepts 3 parameters rather than 2 (you can check this in the resource's test file), add another annotation to the resource file in the format// @Testing(existsType="github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types;types.TrustStore")
, but replacing the type with the correct one for the resource in question. The type should match the third parameter of the CheckExists function. - Since we are newly adding identity to this resource, add an annotation indicating the most recent pre-identity version, e.g.
@Testing(preIdentityVersion="v6.3.0")
. UseCHANGELOG.md
at the project root to determine the most recently released version (which will be the last before identity is added). - Some resources will have an importer function defined. If that function uses
schema.ImportStatePassthroughContext
asStateContext
value then remove that importer function declaration as it is no longer necessary. - If the service does not use generated tag tests, you will need to create template files in the
testdata/tmpl
directory. For each resource, create a file named<resource>_tags.gtpl
(e.g.,trust_store_tags.gtpl
). - Populate each template file with the configuration from the resource's
_basic
test. If populating from the_basic
configuration, be sure to replace any string format directives (e.g.name = %[1]q
) with a corresponding reference to a variable (e.g.name = var.rName
). - The generators will use the template files to generate the resource identity test configuration. These will be located in the
testdata
directory for the service. Do not manually create test directories or files as they will be generated. - The region template must be included inside each resource block in the template files. Add it as the first line after the resource declaration:
resource "aws_service_thing" "test" {
{{- template "region" }}
name = var.rName
{{- template "tags" }}
}
- If the test configuration references an
aws_region
data source, the region template should also be embedded here.
data "aws_region" "current" {
{{- template "region" }}
}
3. Generate and test the changes#
- Run the generators for this service. This can be done with the following command (e.g. for the elbv2 package):
go generate ./internal/service/elbv2/...
. This will generate tests for Resource Identity and any required test files. - Run the tests in this order:
- First run the basic identity test:
make testacc PKG=<service> TESTS=TestAcc<Resource>_Identity_Basic
- Run all identity tests:
make testacc PKG=<service> TESTS=TestAcc<Resource>_Identity
- Finally, run all tests for the resource:
make testacc PKG=<service> TESTS=TestAcc<Resource>_
. Always include thePKG
parameter to properly scope the tests to the intended service package.
- First run the basic identity test:
- Ensure the template modifications have not introduced any structural changes that would fail
terraform fmt
. To verify, runterraform fmt -recursive -check
, and confirm there is no output. - If all the preceding steps complete successfully commit the changes with an appropriate message, e.g.
r/aws_lb_target_group: add resource identity
. Ensure the commit message body includes the results of the acceptance test run in the previous step.
Repeat steps 2 and 3 for each resource in the service. When all resources are complete, proceed to the next section.
4. Submit a pull request#
!!!Important!!!: Ask for confirmation before proceeding with this step.
- Push the changes.
- Create a draft pull request with the following details:
- Title: "Add ARN-based resource identity to
<service-name>
", e.g. "Add ARN-based resource identity toelbv2
". - Use the following template for the body. Be sure to replace the acceptance test results section with the full results
- Title: "Add ARN-based resource identity to
### Description
Add resource identity to ARN-based resources in `<service-name>`. This includes:
<list Terraform resource names here>
### Relations
Relates #42983
Relates #42984
### Output from Acceptance Testing
<insert acceptance test results here>
- Once the pull request is created, fetch the PR number to add changelog entries. Create a new file,
.changelog/<pr-number>.txt
, and include one enhancement entry per resource. Refer to.changelog/43503.txt
for the appropriate formatting. - Provide a summary of the completed changes.
Common Issues and Troubleshooting#
Test Failures#
- Ensure
PKG
parameter is included in test commands - Verify template file names match exactly (
<resource>_tags.gtpl
) - Check region template placement is inside resource blocks
- Don't create test directories manually - let the generator create them
- If a generated test panics because a
testAccCheck*Exists
helper function has incorrect arguments, add a@Testing(existsType="")
annotation. NEVER modify the function signature of an existing "exists" helper function
Generator Issues#
- Remove any manually created test directories before running the generator
- Ensure template files are in the correct location (
testdata/tmpl
) - Verify template file names match the resource name
- If identity tests are not generated, verify that the
identitytests
generator is being called within the service'sgenerate.go
file. If it isn't, add the following line togenerate.go
next to the existinggo:generate
directives.
//go:generate go run ../../generate/identitytests/main.go
Resource Updates#
- Check if the resource's check exists helper takes 3 parameters
- Verify the correct type is used in the
existsType
annotation - Ensure importer is only removed if using
ImportStatePassthroughContext