added identity center configuration block

CHANGELOG.md

@@ -9,6 +9,7 @@ ENHANCEMENTS:
 
 * provider: Allow `default_tags` to be set by environment variables ([#33339](https://github.com/hashicorp/terraform-provider-aws/issues/33339))
 * resource/aws_lb_target_group: Add `target_health_state.unhealthy_draining_interval` argument ([#38654](https://github.com/hashicorp/terraform-provider-aws/issues/38654))
+* resource/aws_athena_workgroup: Add `identity_center_configuration` configuration block to support Identity Center enabled Athena workgroups ([#35734](https://github.com/hashicorp/terraform-provider-aws/issues/35734))
 
 BUG FIXES:
 

internal/service/athena/workgroup.go

@@ -88,6 +88,24 @@ func resourceWorkGroup() *schema.Resource {
  Optional: true,
  ValidateFunc: verify.ValidARN,
  },
+ "identity_center_configuration": {
+ Type: schema.TypeList,
+ Optional: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "enable_identity_center": {
+ Type: schema.TypeBool,
+ Optional: true,
+ },
+ "identity_center_instance_arn": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: verify.ValidARN,
+ },
+ },
+ },
+ },
  "publish_cloudwatch_metrics_enabled": {
  Type: schema.TypeBool,
  Optional: true,
@@ -360,6 +378,10 @@ func expandWorkGroupConfiguration(l []interface{}) *types.WorkGroupConfiguration
  configuration.ExecutionRole = aws.String(v)
  }
 
+ if v, ok := m["identity_center_configuration"]; ok {
+ configuration.IdentityCenterConfiguration = expandWorkGroupIdentityCenterConfiguration(v.([]interface{}))
+ }
+
  if v, ok := m["publish_cloudwatch_metrics_enabled"].(bool); ok {
  configuration.PublishCloudWatchMetricsEnabled = aws.Bool(v)
  }
@@ -433,6 +455,26 @@ func expandWorkGroupConfigurationUpdates(l []interface{}) *types.WorkGroupConfig
  return configurationUpdates
 }
 
+func expandWorkGroupIdentityCenterConfiguration(l []interface{}) *types.IdentityCenterConfiguration {
+ if len(l) == 0 || l[0] == nil {
+ return nil
+ }
+
+ m := l[0].(map[string]interface{})
+
+ identityCenterConfiguration := &types.IdentityCenterConfiguration{}
+
+ if v, ok := m["enable_identity_center"].(bool); ok {
+ identityCenterConfiguration.EnableIdentityCenter = aws.Bool(v)
+ }
+
+ if v, ok := m["identity_center_instance_arn"].(string); ok && v != "" {
+ identityCenterConfiguration.IdentityCenterInstanceArn = aws.String(v)
+ }
+
+ return identityCenterConfiguration
+}
+
 func expandWorkGroupResultConfiguration(l []interface{}) *types.ResultConfiguration {
  if len(l) == 0 || l[0] == nil {
  return nil
@@ -527,6 +569,7 @@ func flattenWorkGroupConfiguration(configuration *types.WorkGroupConfiguration)
  "enforce_workgroup_configuration": aws.ToBool(configuration.EnforceWorkGroupConfiguration),
  names.AttrEngineVersion: flattenWorkGroupEngineVersion(configuration.EngineVersion),
  "execution_role": aws.ToString(configuration.ExecutionRole),
+ "identity_center_configuration": flattenWorkGroupIdentityCenterConfiguration(configuration.IdentityCenterConfiguration),
  "publish_cloudwatch_metrics_enabled": aws.ToBool(configuration.PublishCloudWatchMetricsEnabled),
  "result_configuration": flattenWorkGroupResultConfiguration(configuration.ResultConfiguration),
  "requester_pays_enabled": aws.ToBool(configuration.RequesterPaysEnabled),
@@ -548,6 +591,19 @@ func flattenWorkGroupEngineVersion(engineVersion *types.EngineVersion) []interfa
  return []interface{}{m}
 }
 
+func flattenWorkGroupIdentityCenterConfiguration(identityCenterConfiguration *types.IdentityCenterConfiguration) []interface{} {
+ if identityCenterConfiguration == nil {
+ return []interface{}{}
+ }
+
+ m := map[string]interface{}{
+ "enable_identity_center": aws.ToBool(identityCenterConfiguration.EnableIdentityCenter),
+ "identity_center_instance_arn": aws.ToString(identityCenterConfiguration.IdentityCenterInstanceArn),
+ }
+
+ return []interface{}{m}
+}
+
 func flattenWorkGroupResultConfiguration(resultConfiguration *types.ResultConfiguration) []interface{} {
  if resultConfiguration == nil {
  return []interface{}{}

internal/service/athena/workgroup_test.go

@@ -45,6 +45,7 @@ func TestAccAthenaWorkGroup_basic(t *testing.T) {
  resource.TestCheckResourceAttrSet(resourceName, "configuration.0.engine_version.0.effective_engine_version"),
  resource.TestCheckResourceAttr(resourceName, "configuration.0.engine_version.0.selected_engine_version", "AUTO"),
  resource.TestCheckResourceAttr(resourceName, "configuration.0.execution_role", ""),
+ resource.TestCheckResourceAttr(resourceName, "configuration.0.identity_center_configuration.#", acctest.Ct0),
  resource.TestCheckResourceAttr(resourceName, "configuration.0.publish_cloudwatch_metrics_enabled", acctest.CtTrue),
  resource.TestCheckResourceAttr(resourceName, "configuration.0.result_configuration.#", acctest.Ct0),
  resource.TestCheckResourceAttr(resourceName, "configuration.0.requester_pays_enabled", acctest.CtFalse),

website/docs/r/athena_workgroup.html.markdown

@@ -48,7 +48,8 @@ This resource supports the following arguments:
 * `bytes_scanned_cutoff_per_query` - (Optional) Integer for the upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. Must be at least `10485760`.
 * `enforce_workgroup_configuration` - (Optional) Boolean whether the settings for the workgroup override client-side settings. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html). Defaults to `true`.
 * `engine_version` - (Optional) Configuration block for the Athena Engine Versioning. For more information, see [Athena Engine Versioning](https://docs.aws.amazon.com/athena/latest/ug/engine-versions.html). See [Engine Version](#engine-version) below.
-* `execution_role` - (Optional) Role used in a notebook session for accessing the user's resources.
+* `execution_role` - (Optional) Role used to access user resources in notebook sessions and IAM Identity Center enabled workgroups. The property is required for IAM Identity Center enabled workgroups.
+* `identity_center_configuration` - (Optional) Configuration block to set up an IAM Identity Center enabled workgroup. See [Identity Center Configuration](#identity-center-configuration) below.
 * `publish_cloudwatch_metrics_enabled` - (Optional) Boolean whether Amazon CloudWatch metrics are enabled for the workgroup. Defaults to `true`.
 * `result_configuration` - (Optional) Configuration block with result settings. See [Result Configuration](#result-configuration) below.
 * `requester_pays_enabled` - (Optional) If set to true , allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to false , workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is false . For more information about Requester Pays buckets, see [Requester Pays Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html) in the Amazon Simple Storage Service Developer Guide.
@@ -57,6 +58,10 @@ This resource supports the following arguments:
 
 * `selected_engine_version` - (Optional) Requested engine version. Defaults to `AUTO`.
 
+#### Identity Center Configuration
+* `enable_identity_center` - (Optional) Specifies whether the workgroup is IAM Identity Center supported.
+* `identity_center_instance_arn` - (Optional) The IAM Identity Center instance ARN that the workgroup associates to.
+
 #### Result Configuration
 
 * `encryption_configuration` - (Optional) Configuration block with encryption settings. See [Encryption Configuration](#encryption-configuration) below.