Merge pull request #32091 from bschaatsbergen/iam-session-security-token

New Resource - IAM Security Token Service Preferences

.changelog/32091.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_iam_security_token_service_preferences
+```

internal/service/iam/acc_test.go

@@ -11,7 +11,11 @@ import (
 	"encoding/pem"
 	"fmt"
 	"strings"
+	"testing"
 
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -56,3 +60,13 @@ func pemEncode(b []byte, block string) (string, error) {
 
 	return buf.String(), nil
 }
+
+func init() {
+	acctest.RegisterServiceErrorCheckFunc(iam.EndpointsID, testAccErrorCheckSkip)
+}
+
+func testAccErrorCheckSkip(t *testing.T) resource.ErrorCheckFunc {
+	return acctest.ErrorCheckSkipMessagesContaining(t,
+		"no identity-based policy allows the iam:SetSecurityTokenServicePreferences action",
+	)
+}

internal/service/iam/security_token_service_preferences.go

@@ -0,0 +1,71 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package iam
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
+)
+
+// @SDKResource("aws_iam_security_token_service_preferences", name="Security Token Service Preferences")
+func ResourceSecurityTokenServicePreferences() *schema.Resource {
+	return &schema.Resource{
+		CreateWithoutTimeout: resourceSecurityTokenServicePreferencesUpsert,
+		ReadWithoutTimeout:   resourceSecurityTokenServicePreferencesRead,
+		UpdateWithoutTimeout: resourceSecurityTokenServicePreferencesUpsert,
+		DeleteWithoutTimeout: schema.NoopContext,
+
+		Schema: map[string]*schema.Schema{
+			"global_endpoint_token_version": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice(iam.GlobalEndpointTokenVersion_Values(), false),
+			},
+		},
+	}
+}
+
+func resourceSecurityTokenServicePreferencesUpsert(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	var diags diag.Diagnostics
+	conn := meta.(*conns.AWSClient).IAMConn(ctx)
+
+	input := &iam.SetSecurityTokenServicePreferencesInput{
+		GlobalEndpointTokenVersion: aws.String(d.Get("global_endpoint_token_version").(string)),
+	}
+
+	_, err := conn.SetSecurityTokenServicePreferencesWithContext(ctx, input)
+
+	if err != nil {
+		return sdkdiag.AppendErrorf(diags, "setting IAM Security Token Service Preferences: %s", err)
+	}
+
+	if d.IsNewResource() {
+		d.SetId(meta.(*conns.AWSClient).AccountID)
+	}
+
+	return append(diags, resourceSecurityTokenServicePreferencesRead(ctx, d, meta)...)
+}
+
+func resourceSecurityTokenServicePreferencesRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	var diags diag.Diagnostics
+	conn := meta.(*conns.AWSClient).IAMConn(ctx)
+
+	output, err := conn.GetAccountSummaryWithContext(ctx, &iam.GetAccountSummaryInput{})
+
+	if err != nil {
+		return sdkdiag.AppendErrorf(diags, "reading IAM Account Summary: %s", err)
+	}
+
+	d.Set("global_endpoint_token_version", fmt.Sprintf("v%dToken", aws.Int64Value(output.SummaryMap[iam.SummaryKeyTypeGlobalEndpointTokenVersion])))
+
+	return diags
+}

internal/service/iam/security_token_service_preferences_test.go

@@ -0,0 +1,38 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package iam_test
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func TestAccIAMSecurityTokenServicePreferences_basic(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_iam_security_token_service_preferences.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, iam.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             acctest.CheckDestroyNoop,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecurityTokenServicePreferencesConfig_basic,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "global_endpoint_token_version", "v2Token"),
+				),
+			},
+		},
+	})
+}
+
+const testAccSecurityTokenServicePreferencesConfig_basic = `
+resource "aws_iam_security_token_service_preferences" "test" {
+  global_endpoint_token_version = "v2Token"
+}
+`

website/docs/r/iam_security_token_service_preferences.html.markdown

@@ -0,0 +1,31 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+page_title: "AWS: aws_iam_security_token_service_preferences"
+description: |-
+  Provides an IAM Security Token Service Preferences resource.
+---
+
+# Resource: aws_iam_security_token_service_preferences
+
+Provides an IAM Security Token Service Preferences resource.
+
+## Example Usage
+
+```terraform
+resource "aws_iam_security_token_service_preferences" "example" {
+  global_endpoint_token_version = "v2Token"
+}
+```
+
+## Argument Reference
+
+This resource supports the following arguments:
+
+* `global_endpoint_token_version` - (Required) The version of the STS global endpoint token. Valid values: `v1Token`, `v2Token`.
+
+## Attribute Reference
+
+This resource exports the following attributes in addition to the arguments above:
+
+* `id` - The AWS Account ID.