Merge pull request #37505 from hashicorp/td-migrate-organizations-to-…

…aws-sdk-v2

Migrate `organizations` resources to AWS SDK for Go v2

go.mod

@@ -125,6 +125,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/neptunegraph v1.8.3
 	github.com/aws/aws-sdk-go-v2/service/oam v1.11.2
 	github.com/aws/aws-sdk-go-v2/service/opensearchserverless v1.11.9
+	github.com/aws/aws-sdk-go-v2/service/organizations v1.27.5
 	github.com/aws/aws-sdk-go-v2/service/osis v1.8.6
 	github.com/aws/aws-sdk-go-v2/service/paymentcryptography v1.10.2
 	github.com/aws/aws-sdk-go-v2/service/pcaconnectorad v1.5.6

go.sum

@@ -280,6 +280,8 @@ github.com/aws/aws-sdk-go-v2/service/oam v1.11.2 h1:oBEvnXHo5dRQmVh/0Or50YdkMg6o
 github.com/aws/aws-sdk-go-v2/service/oam v1.11.2/go.mod h1:zMosubbKNK8v0Q1x83mPnxKG/oCAWDKxcXEXEvsDy2Q=
 github.com/aws/aws-sdk-go-v2/service/opensearchserverless v1.11.9 h1:qkbHwKeZ61sFGDwGwErs/puO/BIUclGlSeOsmS0N4DE=
 github.com/aws/aws-sdk-go-v2/service/opensearchserverless v1.11.9/go.mod h1:DUVfgUkWUabWW+Nav9j2gXSO4axXzjDYf9rAMc+75dM=
+github.com/aws/aws-sdk-go-v2/service/organizations v1.27.5 h1:FdqFVBlCHfDx9sVRmQZ0zCAkkg56HzByVcd39PSeQdM=
+github.com/aws/aws-sdk-go-v2/service/organizations v1.27.5/go.mod h1:8eIw9l1yZXQvau0gzYngkYz9rBneHdvFCMhiWGIM1cE=
 github.com/aws/aws-sdk-go-v2/service/osis v1.8.6 h1:T91HjwgtF3TJLXj42642luGmPJRlAF+ZEoG+3qotSCM=
 github.com/aws/aws-sdk-go-v2/service/osis v1.8.6/go.mod h1:NScCEZQiuCBdMlyIh5wx+sBRSQ4+smD4hVWIJdF2FaY=
 github.com/aws/aws-sdk-go-v2/service/paymentcryptography v1.10.2 h1:Ct1ViNWyIm1T6VS1aRxQucgtykQQkyrPjOAuNQ/78Fc=

internal/acctest/acctest.go

@@ -29,6 +29,7 @@ import (
 	awstypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/aws/aws-sdk-go-v2/service/inspector2"
 	inspector2types "github.com/aws/aws-sdk-go-v2/service/inspector2/types"
+	organizationstypes "github.com/aws/aws-sdk-go-v2/service/organizations/types"
 	"github.com/aws/aws-sdk-go-v2/service/ssoadmin"
 	ssoadmintypes "github.com/aws/aws-sdk-go-v2/service/ssoadmin/types"
 	"github.com/aws/aws-sdk-go-v2/service/wafv2"
@@ -204,21 +205,25 @@ func protoV5ProviderFactoriesPlusProvidersInit(ctx context.Context, t *testing.T
 // For cross-account testing: Typically paired with PreCheckAlternateAccount and ConfigAlternateAccountProvider.
 func ProtoV5FactoriesPlusProvidersAlternate(ctx context.Context, t *testing.T, providers *[]*schema.Provider) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	return protoV5ProviderFactoriesPlusProvidersInit(ctx, t, providers, ProviderName, ProviderNameAlternate)
 }
 
 func ProtoV5FactoriesNamedAlternate(ctx context.Context, t *testing.T, providers map[string]*schema.Provider) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	return ProtoV5FactoriesNamed(ctx, t, providers, ProviderName, ProviderNameAlternate)
 }
 
 func ProtoV5FactoriesNamed(ctx context.Context, t *testing.T, providers map[string]*schema.Provider, providerNames ...string) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	return protoV5ProviderFactoriesNamedInit(ctx, t, providers, providerNames...)
 }
 
 func ProtoV5FactoriesAlternate(ctx context.Context, t *testing.T) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	return protoV5ProviderFactoriesInit(ctx, ProviderName, ProviderNameAlternate)
 }
 
@@ -228,6 +233,7 @@ func ProtoV5FactoriesAlternate(ctx context.Context, t *testing.T) map[string]fun
 // and ConfigAlternateAccountAndAlternateRegionProvider.
 func ProtoV5FactoriesAlternateAccountAndAlternateRegion(ctx context.Context, t *testing.T) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	return protoV5ProviderFactoriesInit(
 		ctx,
 		ProviderName,
@@ -242,6 +248,7 @@ func ProtoV5FactoriesAlternateAccountAndAlternateRegion(ctx context.Context, t *
 // Usage typically paired with PreCheckMultipleRegion and ConfigMultipleRegionProvider.
 func ProtoV5FactoriesMultipleRegions(ctx context.Context, t *testing.T, n int) map[string]func() (tfprotov5.ProviderServer, error) {
 	t.Helper()
+
 	switch n {
 	case 2:
 		return protoV5ProviderFactoriesInit(ctx, ProviderName, ProviderNameAlternate)
@@ -696,7 +703,7 @@ func CheckResourceAttrJMES(name, key, jmesPath, value string) resource.TestCheck
 
 		result, err := jmespath.Search(jmesPath, jsonData)
 		if err != nil {
-			return fmt.Errorf("Invalid JMESPath %q: %w", jmesPath, err)
+			return fmt.Errorf("invalid JMESPath %q: %w", jmesPath, err)
 		}
 
 		var v string
@@ -744,7 +751,7 @@ func CheckResourceAttrJMESPair(nameFirst, keyFirst, jmesPath, nameSecond, keySec
 
 		result, err := jmespath.Search(jmesPath, jsonData)
 		if err != nil {
-			return fmt.Errorf("Invalid JMESPath %q: %w", jmesPath, err)
+			return fmt.Errorf("invalid JMESPath %q: %w", jmesPath, err)
 		}
 
 		var value string
@@ -824,51 +831,35 @@ func AccountID() string {
 }
 
 func Region() string {
-	return envvar.GetWithDefault(envvar.DefaultRegion, endpoints.UsWest2RegionID)
+	return envvar.GetWithDefault(envvar.DefaultRegion, names.USWest2RegionID)
 }
 
 func AlternateRegion() string {
-	return envvar.GetWithDefault(envvar.AlternateRegion, endpoints.UsEast1RegionID)
+	return envvar.GetWithDefault(envvar.AlternateRegion, names.USEast1RegionID)
 }
 
 func ThirdRegion() string {
-	return envvar.GetWithDefault(envvar.ThirdRegion, endpoints.UsEast2RegionID)
+	return envvar.GetWithDefault(envvar.ThirdRegion, names.USEast2RegionID)
 }
 
 func Partition() string {
-	if partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), Region()); ok {
-		return partition.ID()
-	}
-	return endpoints.AwsPartitionID
+	return names.PartitionForRegion(Region())
 }
 
 func PartitionDNSSuffix() string {
-	if partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), Region()); ok {
-		return partition.DNSSuffix()
-	}
-	return "amazonaws.com"
+	return names.DNSSuffixForPartition(Partition())
 }
 
 func PartitionReverseDNSPrefix() string {
-	if partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), Region()); ok {
-		return names.ReverseDNS(partition.DNSSuffix())
-	}
-
-	return "com.amazonaws"
+	return names.ReverseDNS(PartitionDNSSuffix())
 }
 
 func alternateRegionPartition() string {
-	if partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), AlternateRegion()); ok {
-		return partition.ID()
-	}
-	return endpoints.AwsPartitionID
+	return names.PartitionForRegion(AlternateRegion())
 }
 
 func thirdRegionPartition() string {
-	if partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), ThirdRegion()); ok {
-		return partition.ID()
-	}
-	return endpoints.AwsPartitionID
+	return names.PartitionForRegion(ThirdRegion())
 }
 
 func PreCheckAlternateAccount(t *testing.T) {
@@ -913,7 +904,7 @@ func PreCheckMultipleRegion(t *testing.T, regions int) {
 	}
 
 	if regions >= 3 {
-		if thirdRegionPartition() == endpoints.AwsUsGovPartitionID || Partition() == endpoints.AwsUsGovPartitionID {
+		if thirdRegionPartition() == names.USGovCloudPartitionID || Partition() == names.USGovCloudPartitionID {
 			t.Skipf("wanted %d regions, partition (%s) only has 2 regions", regions, Partition())
 		}
 
@@ -1017,7 +1008,7 @@ func PreCheckInspector2(ctx context.Context, t *testing.T) {
 func PreCheckOrganizationsAccount(ctx context.Context, t *testing.T) {
 	t.Helper()
 
-	_, err := tforganizations.FindOrganization(ctx, Provider.Meta().(*conns.AWSClient).OrganizationsConn(ctx))
+	_, err := tforganizations.FindOrganization(ctx, Provider.Meta().(*conns.AWSClient).OrganizationsClient(ctx))
 
 	if tfresource.NotFound(err) {
 		return
@@ -1030,10 +1021,16 @@ func PreCheckOrganizationsAccount(ctx context.Context, t *testing.T) {
 	t.Skip("skipping tests; this AWS account must not be an existing member of an AWS Organization")
 }
 
-func PreCheckOrganizationsEnabled(ctx context.Context, t *testing.T) {
+func PreCheckOrganizationsEnabled(ctx context.Context, t *testing.T) *organizationstypes.Organization {
+	t.Helper()
+
+	return PreCheckOrganizationsEnabledWithProvider(ctx, t, func() *schema.Provider { return Provider })
+}
+
+func PreCheckOrganizationsEnabledWithProvider(ctx context.Context, t *testing.T, providerF ProviderFunc) *organizationstypes.Organization {
 	t.Helper()
 
-	_, err := tforganizations.FindOrganization(ctx, Provider.Meta().(*conns.AWSClient).OrganizationsConn(ctx))
+	organization, err := tforganizations.FindOrganization(ctx, providerF().Meta().(*conns.AWSClient).OrganizationsClient(ctx))
 
 	if tfresource.NotFound(err) {
 		t.Skip("this AWS account must be an existing member of an AWS Organization")
@@ -1042,24 +1039,22 @@ func PreCheckOrganizationsEnabled(ctx context.Context, t *testing.T) {
 	if err != nil {
 		t.Fatalf("describing AWS Organization: %s", err)
 	}
+
+	return organization
 }
 
 func PreCheckOrganizationManagementAccount(ctx context.Context, t *testing.T) {
 	t.Helper()
+
 	PreCheckOrganizationManagementAccountWithProvider(ctx, t, func() *schema.Provider { return Provider })
 }
 
 func PreCheckOrganizationManagementAccountWithProvider(ctx context.Context, t *testing.T, providerF ProviderFunc) {
 	t.Helper()
 
-	awsClient := providerF().Meta().(*conns.AWSClient)
-	organization, err := tforganizations.FindOrganization(ctx, awsClient.OrganizationsConn(ctx))
+	organization := PreCheckOrganizationsEnabledWithProvider(ctx, t, providerF)
 
-	if err != nil {
-		t.Fatalf("describing AWS Organization: %s", err)
-	}
-
-	callerIdentity, err := tfsts.FindCallerIdentity(ctx, awsClient.STSClient(ctx))
+	callerIdentity, err := tfsts.FindCallerIdentity(ctx, providerF().Meta().(*conns.AWSClient).STSClient(ctx))
 
 	if err != nil {
 		t.Fatalf("getting current identity: %s", err)
@@ -1072,20 +1067,16 @@ func PreCheckOrganizationManagementAccountWithProvider(ctx context.Context, t *t
 
 func PreCheckOrganizationMemberAccount(ctx context.Context, t *testing.T) {
 	t.Helper()
+
 	PreCheckOrganizationMemberAccountWithProvider(ctx, t, func() *schema.Provider { return Provider })
 }
 
 func PreCheckOrganizationMemberAccountWithProvider(ctx context.Context, t *testing.T, providerF ProviderFunc) {
 	t.Helper()
 
-	awsClient := providerF().Meta().(*conns.AWSClient)
-	organization, err := tforganizations.FindOrganization(ctx, awsClient.OrganizationsConn(ctx))
+	organization := PreCheckOrganizationsEnabledWithProvider(ctx, t, providerF)
 
-	if err != nil {
-		t.Fatalf("describing AWS Organization: %s", err)
-	}
-
-	callerIdentity, err := tfsts.FindCallerIdentity(ctx, awsClient.STSClient(ctx))
+	callerIdentity, err := tfsts.FindCallerIdentity(ctx, providerF().Meta().(*conns.AWSClient).STSClient(ctx))
 
 	if err != nil {
 		t.Fatalf("getting current identity: %s", err)
@@ -1157,6 +1148,7 @@ func PreCheckHasIAMRole(ctx context.Context, t *testing.T, roleName string) {
 
 func PreCheckIAMServiceLinkedRole(ctx context.Context, t *testing.T, pathPrefix string) {
 	t.Helper()
+
 	PreCheckIAMServiceLinkedRoleWithProvider(ctx, t, func() *schema.Provider { return Provider }, pathPrefix)
 }
 
@@ -1257,10 +1249,10 @@ func PreCheckWAFV2CloudFrontScope(ctx context.Context, t *testing.T) {
 	t.Helper()
 
 	switch Partition() {
-	case endpoints.AwsPartitionID:
-		PreCheckRegion(t, endpoints.UsEast1RegionID)
-	case endpoints.AwsCnPartitionID:
-		PreCheckRegion(t, endpoints.CnNorthwest1RegionID)
+	case names.StandardPartitionID:
+		PreCheckRegion(t, names.USEast1RegionID)
+	case names.ChinaPartitionID:
+		PreCheckRegion(t, names.CNNorthwest1RegionID)
 	}
 
 	conn := Provider.Meta().(*conns.AWSClient).WAFV2Client(ctx)
@@ -2119,7 +2111,7 @@ func CheckACMPCACertificateAuthorityExists(ctx context.Context, n string, certif
 func PreCheckAPIGatewayTypeEDGE(t *testing.T) {
 	t.Helper()
 
-	if Partition() != endpoints.AwsPartitionID {
+	if Partition() != names.StandardPartitionID {
 		t.Skipf("skipping test; Endpoint Configuration type EDGE is not supported in this partition (%s)", Partition())
 	}
 }
@@ -2530,10 +2522,6 @@ func CheckCallerIdentityAccountID(n string) resource.TestCheckFunc {
 			return fmt.Errorf("can't find AccountID resource: %s", n)
 		}
 
-		if rs.Primary.ID == "" {
-			return fmt.Errorf("account Id resource ID not set.")
-		}
-
 		expected := Provider.Meta().(*conns.AWSClient).AccountID
 		if rs.Primary.Attributes["account_id"] != expected {
 			return fmt.Errorf("incorrect Account ID: expected %q, got %q", expected, rs.Primary.Attributes["account_id"])

internal/service/cloudformation/stack_set_test.go

@@ -830,10 +830,10 @@ func TestAccCloudFormationStackSet_autoDeploymentDisabled(t *testing.T) {
 
 // https://github.com/hashicorp/terraform-provider-aws/issues/32536.
 // Prerequisites:
-// * Organizations root account
+// * Organizations management account
 // * Organization member account
 // * Delegated administrator not configured
-// Authenticate with member account as target account and root account as alternate.
+// Authenticate with member account as target account and management account as alternate.
 func TestAccCloudFormationStackSet_delegatedAdministrator(t *testing.T) {
 	ctx := acctest.Context(t)
 	providers := make(map[string]*schema.Provider)
@@ -853,7 +853,7 @@ func TestAccCloudFormationStackSet_delegatedAdministrator(t *testing.T) {
 		CheckDestroy:             testAccCheckStackSetDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				// Run a simple configuration to initialize the alternate providers
+				// Run a simple configuration to initialize the alternate providers.
 				Config: testAccStackSetConfig_delegatedAdministratorInit,
 			},
 			{
@@ -1484,7 +1484,7 @@ TEMPLATE
 `, rName, testAccStackSetTemplateBodyVPC(rName), enabled, retainStacksOnAccountRemoval)
 }
 
-// Initialize all the providers used by dlegated administrator acceptance tests.
+// Initialize all the providers used by delegated administrator acceptance tests.
 var testAccStackSetConfig_delegatedAdministratorInit = acctest.ConfigCompose(acctest.ConfigAlternateAccountProvider(), `
 data "aws_caller_identity" "member" {}
 

internal/service/cloudformation/sweep.go

@@ -143,7 +143,7 @@ func sweepStackSets(region string) error {
 
 	// Attempt to determine whether or not Organizations access is enabled.
 	orgAccessEnabled := false
-	if servicePrincipalNames, err := tforganizations.FindEnabledServicePrincipalNames(ctx, client.OrganizationsConn(ctx)); err == nil {
+	if servicePrincipalNames, err := tforganizations.FindEnabledServicePrincipalNames(ctx, client.OrganizationsClient(ctx)); err == nil {
 		orgAccessEnabled = slices.Contains(servicePrincipalNames, "member.org.stacksets.cloudformation.amazonaws.com")
 	}
 

internal/service/ec2/errors.go

@@ -118,6 +118,7 @@ const (
 	errCodeInvalidVPNConnectionIDNotFound                    = "InvalidVpnConnectionID.NotFound"
 	errCodeInvalidVPNGatewayAttachmentNotFound               = "InvalidVpnGatewayAttachment.NotFound"
 	errCodeInvalidVPNGatewayIDNotFound                       = "InvalidVpnGatewayID.NotFound"
+	errCodeIPAMOrganizationAccountNotRegistered              = "IpamOrganizationAccountNotRegistered"
 	errCodeNatGatewayNotFound                                = "NatGatewayNotFound"
 	errCodeNetworkACLEntryAlreadyExists                      = "NetworkAclEntryAlreadyExists"
 	errCodeOperationNotPermitted                             = "OperationNotPermitted"

internal/service/ec2/exports_test.go

@@ -14,6 +14,7 @@ var (
 	ResourceEIPDomainName                   = newEIPDomainNameResource
 	ResourceInstanceConnectEndpoint         = newInstanceConnectEndpointResource
 	ResourceInstanceMetadataDefaults        = newInstanceMetadataDefaultsResource
+	ResourceIPAMOrganizationAdminAccount    = resourceIPAMOrganizationAdminAccount
 	ResourceKeyPair                         = resourceKeyPair
 	ResourceNetworkACL                      = resourceNetworkACL
 	ResourceNetworkACLRule                  = resourceNetworkACLRule
@@ -42,6 +43,7 @@ var (
 	FindNetworkInterfaceByIDV2                = findNetworkInterfaceByIDV2
 	FindVolumeAttachmentInstanceByID          = findVolumeAttachmentInstanceByID
 	FlattenNetworkInterfacePrivateIPAddresses = flattenNetworkInterfacePrivateIPAddresses
+	IPAMServicePrincipal                      = ipamServicePrincipal
 	NewAttributeFilterList                    = newAttributeFilterList
 	NewAttributeFilterListV2                  = newAttributeFilterListV2
 	NewCustomFilterList                       = newCustomFilterList