aws_ssm_maintenance_window_task: allow service_role_arn to be optional

[0x91]

The AWS API documentation states:

ServiceRoleArn
The ARN of the IAM service role for Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses your account's service-linked role. If no service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow.

Therefore, this attribute isn't required. Allowing users to rely on the AWS behaviour simplifies terraform configuration as you do not need to specify and manage an IAM role to use this resource.

I also simplified the acceptance tests for this resource to better re-use some configs. I'm happy to break that into a separate PR if you want.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

* aws_ssm_maintenance_window_task: allow service_role_arn to be optional

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSSSMMaintenanceWindowTask'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSSSMMaintenanceWindowTask -timeout 120m
=== RUN   TestAccAWSSSMMaintenanceWindowTask_basic
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_basic
=== RUN   TestAccAWSSSMMaintenanceWindowTask_noRole
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_noRole
=== RUN   TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource
=== RUN   TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters
=== RUN   TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters
=== RUN   TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters
=== RUN   TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters
=== RUN   TestAccAWSSSMMaintenanceWindowTask_TaskParameters
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_TaskParameters
=== RUN   TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig
=== PAUSE TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig
=== CONT  TestAccAWSSSMMaintenanceWindowTask_basic
=== CONT  TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters
=== CONT  TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters
=== CONT  TestAccAWSSSMMaintenanceWindowTask_noRole
=== CONT  TestAccAWSSSMMaintenanceWindowTask_TaskParameters
=== CONT  TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig
=== CONT  TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters
=== CONT  TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource
=== CONT  TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters
--- PASS: TestAccAWSSSMMaintenanceWindowTask_noRole (30.92s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig (32.38s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskParameters (33.07s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters (33.08s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource (52.86s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_basic (53.34s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters (57.78s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters (74.49s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters (131.37s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	131.426s...

[0x91]

bump?

[bflad]

Quick rebase fixes

[bflad]

Thank you for submitting this, @0x91 👍 After rebase and fixing the Computed issue, this was good to go.

Output from acceptance testing in AWS Commercial:

--- PASS: TestAccAWSSSMMaintenanceWindowTask_disappears (21.36s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig (22.49s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_noRole (23.79s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters (25.18s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource (37.93s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_basic (38.21s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters (46.55s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters (48.17s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters (48.58s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParametersCloudWatch (49.26s)

Output from acceptance testing in AWS GovCloud (US):

--- PASS: TestAccAWSSSMMaintenanceWindowTask_noRole (26.04s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_disappears (26.62s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig (27.01s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters (29.35s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource (43.07s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_basic (43.41s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters (46.46s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters (51.63s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters (51.98s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParametersCloudWatch (59.12s)

[bflad]

Adding this type of handling in a test is indicative of a problem that practitioners would face in real world configurations:

=== CONT  TestAccAWSSSMMaintenanceWindowTask_noRole
    resource_aws_ssm_maintenance_window_task_test.go:59: Step 1/1 error: After applying this test step, the plan was not empty.
        stdout:


        An execution plan has been generated and is shown below.
        Resource actions are indicated with the following symbols:
          ~ update in-place

        Terraform will perform the following actions:

          # aws_ssm_maintenance_window_task.test will be updated in-place
          ~ resource "aws_ssm_maintenance_window_task" "test" {
                id               = "b9865b4e-8afd-40da-89ec-4c90009f40c6"
                name             = "TestMaintenanceWindowTask"
              - service_role_arn = "arn:aws:iam::123456789012:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM" -> null
                # (7 unchanged attributes hidden)


                # (2 unchanged blocks hidden)
            }

        Plan: 0 to add, 1 to change, 0 to destroy.

The solution in this case is to mark service_role_arn with Computed: true to allow Terraform to ignore the value being filled in when it is not configured. 👍

[ghost]

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[0x91]

Thanks @bflad apologies I didn't come back to this.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!