Merge pull request #42534 from badmintoncryer/f-iot-authentication-type

[Enhancement] aws_iot_domain_configuration: support for application protocol and authentication type

Author: ewbankkit

.changelog/42534.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_iot_domain_configuration: Add `application_protocol` and `authentication_type` arguments
+```

internal/service/iot/domain_configuration.go

@@ -43,6 +43,18 @@ func resourceDomainConfiguration() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"application_protocol": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ValidateDiagFunc: enum.Validate[awstypes.ApplicationProtocol](),
+			},
+			"authentication_type": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ValidateDiagFunc: enum.Validate[awstypes.AuthenticationType](),
+			},
 			"authorizer_config": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -129,11 +141,19 @@ func resourceDomainConfigurationCreate(ctx context.Context, d *schema.ResourceDa
 	conn := meta.(*conns.AWSClient).IoTClient(ctx)
 
 	name := d.Get(names.AttrName).(string)
-	input := &iot.CreateDomainConfigurationInput{
+	input := iot.CreateDomainConfigurationInput{
 		DomainConfigurationName: aws.String(name),
 		Tags:                    getTagsIn(ctx),
 	}
 
+	if v, ok := d.GetOk("application_protocol"); ok {
+		input.ApplicationProtocol = awstypes.ApplicationProtocol(v.(string))
+	}
+
+	if v, ok := d.GetOk("authentication_type"); ok {
+		input.AuthenticationType = awstypes.AuthenticationType(v.(string))
+	}
+
 	if v, ok := d.GetOk("authorizer_config"); ok && len(v.([]any)) > 0 && v.([]any)[0] != nil {
 		input.AuthorizerConfig = expandAuthorizerConfig(v.([]any)[0].(map[string]any))
 	}
@@ -158,7 +178,7 @@ func resourceDomainConfigurationCreate(ctx context.Context, d *schema.ResourceDa
 		input.ValidationCertificateArn = aws.String(v.(string))
 	}
 
-	output, err := conn.CreateDomainConfiguration(ctx, input)
+	output, err := conn.CreateDomainConfiguration(ctx, &input)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "creating IoT Domain Configuration (%s): %s", name, err)
@@ -185,7 +205,9 @@ func resourceDomainConfigurationRead(ctx context.Context, d *schema.ResourceData
 		return sdkdiag.AppendErrorf(diags, "reading IoT Domain Configuration (%s): %s", d.Id(), err)
 	}
 
+	d.Set("application_protocol", output.ApplicationProtocol)
 	d.Set(names.AttrARN, output.DomainConfigurationArn)
+	d.Set("authentication_type", output.AuthenticationType)
 	if output.AuthorizerConfig != nil {
 		if err := d.Set("authorizer_config", []any{flattenAuthorizerConfig(output.AuthorizerConfig)}); err != nil {
 			return sdkdiag.AppendErrorf(diags, "setting authorizer_config: %s", err)
@@ -218,10 +240,18 @@ func resourceDomainConfigurationUpdate(ctx context.Context, d *schema.ResourceDa
 	conn := meta.(*conns.AWSClient).IoTClient(ctx)
 
 	if d.HasChangesExcept(names.AttrTags, names.AttrTagsAll) {
-		input := &iot.UpdateDomainConfigurationInput{
+		input := iot.UpdateDomainConfigurationInput{
 			DomainConfigurationName: aws.String(d.Id()),
 		}
 
+		if d.HasChange("application_protocol") {
+			input.ApplicationProtocol = awstypes.ApplicationProtocol(d.Get("application_protocol").(string))
+		}
+
+		if d.HasChange("authentication_type") {
+			input.AuthenticationType = awstypes.AuthenticationType(d.Get("authentication_type").(string))
+		}
+
 		if d.HasChange("authorizer_config") {
 			if v, ok := d.GetOk("authorizer_config"); ok && len(v.([]any)) > 0 && v.([]any)[0] != nil {
 				input.AuthorizerConfig = expandAuthorizerConfig(v.([]any)[0].(map[string]any))
@@ -240,7 +270,7 @@ func resourceDomainConfigurationUpdate(ctx context.Context, d *schema.ResourceDa
 			}
 		}
 
-		_, err := conn.UpdateDomainConfiguration(ctx, input)
+		_, err := conn.UpdateDomainConfiguration(ctx, &input)
 
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating IoT Domain Configuration (%s): %s", d.Id(), err)
@@ -255,10 +285,11 @@ func resourceDomainConfigurationDelete(ctx context.Context, d *schema.ResourceDa
 	conn := meta.(*conns.AWSClient).IoTClient(ctx)
 
 	if d.Get(names.AttrStatus).(string) == string(awstypes.DomainConfigurationStatusEnabled) {
-		_, err := conn.UpdateDomainConfiguration(ctx, &iot.UpdateDomainConfigurationInput{
+		input := iot.UpdateDomainConfigurationInput{
 			DomainConfigurationName:   aws.String(d.Id()),
 			DomainConfigurationStatus: awstypes.DomainConfigurationStatusDisabled,
-		})
+		}
+		_, err := conn.UpdateDomainConfiguration(ctx, &input)
 
 		if errs.IsA[*awstypes.ResourceNotFoundException](err) {
 			return diags
@@ -270,9 +301,10 @@ func resourceDomainConfigurationDelete(ctx context.Context, d *schema.ResourceDa
 	}
 
 	log.Printf("[DEBUG] Deleting IoT Domain Configuration: %s", d.Id())
-	_, err := conn.DeleteDomainConfiguration(ctx, &iot.DeleteDomainConfigurationInput{
+	input := iot.DeleteDomainConfigurationInput{
 		DomainConfigurationName: aws.String(d.Id()),
-	})
+	}
+	_, err := conn.DeleteDomainConfiguration(ctx, &input)
 
 	if errs.IsA[*awstypes.ResourceNotFoundException](err) {
 		return diags
@@ -286,11 +318,11 @@ func resourceDomainConfigurationDelete(ctx context.Context, d *schema.ResourceDa
 }
 
 func findDomainConfigurationByName(ctx context.Context, conn *iot.Client, name string) (*iot.DescribeDomainConfigurationOutput, error) {
-	input := &iot.DescribeDomainConfigurationInput{
+	input := iot.DescribeDomainConfigurationInput{
 		DomainConfigurationName: aws.String(name),
 	}
 
-	output, err := conn.DescribeDomainConfiguration(ctx, input)
+	output, err := conn.DescribeDomainConfiguration(ctx, &input)
 
 	if errs.IsA[*awstypes.ResourceNotFoundException](err) {
 		return nil, &retry.NotFoundError{

internal/service/iot/domain_configuration_test.go

@@ -37,6 +37,7 @@ func TestAccIoTDomainConfiguration_basic(t *testing.T) {
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckDomainConfigurationExists(ctx, resourceName),
 					acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "iot", regexache.MustCompile(`domainconfiguration/`+rName+`/[a-z0-9]+$`)),
+					resource.TestCheckResourceAttr(resourceName, "authentication_type", "DEFAULT"),
 					resource.TestCheckResourceAttr(resourceName, "authorizer_config.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, names.AttrDomainName, domain),
 					resource.TestCheckResourceAttr(resourceName, "domain_type", "CUSTOMER_MANAGED"),
@@ -147,9 +148,11 @@ func TestAccIoTDomainConfiguration_update(t *testing.T) {
 		CheckDestroy:             testAccCheckDomainConfigurationDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, "IoTSecurityPolicy_TLS13_1_3_2022_10", true),
+				Config: testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, "IoTSecurityPolicy_TLS13_1_3_2022_10", true, "CUSTOM_AUTH", "MQTT_WSS"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "application_protocol", "MQTT_WSS"),
+					resource.TestCheckResourceAttr(resourceName, "authentication_type", "CUSTOM_AUTH"),
 					resource.TestCheckResourceAttr(resourceName, "authorizer_config.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "authorizer_config.0.allow_authorizer_override", acctest.CtTrue),
 					resource.TestCheckResourceAttr(resourceName, "tls_config.#", "1"),
@@ -162,9 +165,11 @@ func TestAccIoTDomainConfiguration_update(t *testing.T) {
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, "IoTSecurityPolicy_TLS13_1_2_2022_10", false),
+				Config: testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, "IoTSecurityPolicy_TLS13_1_2_2022_10", false, "CUSTOM_AUTH_X509", "HTTPS"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "application_protocol", "HTTPS"),
+					resource.TestCheckResourceAttr(resourceName, "authentication_type", "CUSTOM_AUTH_X509"),
 					resource.TestCheckResourceAttr(resourceName, "authorizer_config.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "authorizer_config.0.allow_authorizer_override", acctest.CtFalse),
 					resource.TestCheckResourceAttr(resourceName, "tls_config.#", "1"),
@@ -325,11 +330,14 @@ resource "aws_iot_domain_configuration" "test" {
 `, rName, domain, tagKey1, tagValue1, tagKey2, tagValue2))
 }
 
-func testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, securityPolicy string, allowAuthorizerOverride bool) string {
+func testAccDomainConfigurationConfig_securityPolicy(rName, rootDomain, domain, securityPolicy string, allowAuthorizerOverride bool, authenticationType, applicationProtocol string) string {
 	return acctest.ConfigCompose(testAccAuthorizerConfig_basic(rName), testAccDomainConfigurationConfig_base(rootDomain, domain), fmt.Sprintf(`
 resource "aws_iot_domain_configuration" "test" {
   depends_on = [aws_acm_certificate_validation.test]
 
+  authentication_type  = %[5]q
+  application_protocol = %[6]q
+
   authorizer_config {
     allow_authorizer_override = %[4]t
     default_authorizer_name   = aws_iot_authorizer.test.name
@@ -343,7 +351,7 @@ resource "aws_iot_domain_configuration" "test" {
     security_policy = %[3]q
   }
 }
-`, rName, domain, securityPolicy, allowAuthorizerOverride))
+`, rName, domain, securityPolicy, allowAuthorizerOverride, authenticationType, applicationProtocol))
 }
 
 func testAccDomainConfigurationConfig_awsManaged(rName string) string { // nosemgrep:ci.aws-in-func-name

website/docs/r/iot_domain_configuration.html.markdown

@@ -28,6 +28,8 @@ resource "aws_iot_domain_configuration" "iot" {
 
 This resource supports the following arguments:
 
+* `application_protocol` - (Optional) An enumerated string that specifies the application-layer protocol. Valid values are `SECURE_MQTT`, `MQTT_WSS`, `HTTPS` or `DEFAULT`.
+* `authentication_type` - (Optional) An enumerated string that specifies the authentication type. Valid values are `CUSTOM_AUTH_X509`, `CUSTOM_AUTH`, `AWS_X509`, `AWS_SIGV4` or `DEFAULT`.
 * `authorizer_config` - (Optional) An object that specifies the authorization service for a domain. See the [`authorizer_config` Block](#authorizer_config-block) below for details.
 * `domain_name` - (Optional) Fully-qualified domain name.
 * `name` - (Required) The name of the domain configuration. This value must be unique to a region.