New Resource: r/aws_fms_admin_account

[gazoakley]

Closes #4057

New Resources:

• aws_fms_admin_account

$ make testacc TESTARGS='-run=TestAccFmsAdminAccount_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccFmsAdminAccount_basic -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccFmsAdminAccount_basic
--- PASS: TestAccFmsAdminAccount_basic (43.60s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	43.643s

[gazoakley]

Seems like the call to AssociateAdminAccount returns success without actually doing anything if an organization has only recently been created - running the tests with a pre-existing organization passes. Might need to retry creating the association and waiting until GetAdminAccount returns the expected details.

[bflad]

Thanks for this @gazoakley! Left some initial comments below. Please take a look and let us know if you have any questions.

[bflad]

Can we instead make this Optional: true and use meta.(*AWSClient).accountid if its not provided? e.g.

if v, ok := d.GetOk("account_id"); ok && v != "" {
  accountID := v.(string)
} else {
  accountID := meta.(*AWSClient).accountid
}

[bflad]

While we don't necessarily need to reference it during read/delete at the moment, can you set this to accountId still? It'll make the ID available if we need it in the future and the import a little more obvious:

# Currently:
terraform import aws_fms_admin_account.example fms-admin-account
# Proposed:
terraform import aws_fms_admin_account.example 123456789012

[gazoakley]

@bflad I adopted this approach from aws_iam_account_password_policy (aws_spot_datafeed_subscription does this too) since only one FMS admin account can be associated to an account. My concern is that the user can disassociate/associate a different admin account outside Terraform - it might be confusing/misleading to have the resource ID as an account ID different to associated admin account ID. I'm guessing it wouldn't be safe to call SetId during a read operation if the associated admin account has changed? Any suggestions?

[bflad]

We can check d.Id() != aws.StringValue(res.AdminAccount) to trigger recreation:

if d.Id() != aws.StringValue(res.AdminAccount) {
  log.Printf("[WARN] FMS Admin Account does not match, removing from state", d.Id())
  d.SetId("")
  return nil
}

[bflad]

Missing ## Import documentation section

[bflad]

We no longer need d.SetId("") during deletion functions. See also #4191

[bflad]

We no longer need d.SetId("") during deletion functions. See also #4191

[bflad]

Copy paste typo 😉

[gazoakley]

Ooops! 🤣

[jonrau1]

Any update for resolving conflicts and getting Firewall Manager merged?

[robh007]

Hi @gazoakley is there any appetite to finish this PR? Cheers.

[bflad]

Hi folks 👋 Apologies for the delays here. We went ahead and rebased this pull request, tidied it up, and merged it in. Thanks @gazoakley for the contribution. 🚀

[ghost]

This has been released in version 2.22.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!