Add ownership-verification-cert. to API Gateway

[PsypherPunk]

• add ownership_verification_certificate_arn to:
  • aws_apigatewayv2_domain_name.domain_name_configuration,
  • aws_api_gateway_domain_name.
• update documentation to include ownership_verification_certificate_arn;
• add separate tests for mTLS with ownership-verification (as it requires both a public cert. for verification plus an imported cert. to trigger the requirement.)
  • the existing test framework provides testAccAWSAPIGatewayV2DomainNameConfigPublicCert() and testAccAWSAPIGatewayV2DomainNameConfigImportedCerts() for creating certs. However, both create a aws_acm_certificate.test resource (i.e. a conflicting name.) As this change effectively requires both (mTLS with an imported ACM cert. but using an ACM-issued cert. for verification), I've opted to use the former and use a separate, explicit config. to do the latter.
  • I've also added entirely separate tests for these rather than adding a TestStep to an existing ParallelTest as, largely due to the above, this didn't immediately seem to fit the pattern of the existing tests.
• according to AWS' docs., this field is needed for imported certs. or when using ACM PCA—the tests verify the former but due to the potential expense of the latter, I've not implemented tests for this explicitly.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #20582

Output from acceptance testing:

$ ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} make testacc TESTARGS='-run=TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication_ownership'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGateway*DomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAWSAPIGatewayDomainName_MutualTlsAuthentication_ownership (145.43s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	145.497s

ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} make testacc TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership (132.09s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	132.156s

[github-actions]

Welcome @PsypherPunk 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[PsypherPunk]

For personal reference, the contributing and FAQs have now moved.

[zhelding]

Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding.

Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single aws directory to a large number of separate directories in internal/service, each corresponding to a particular AWS service. This separation of code has also allowed for us to simplify the names of underlying functions -- while still avoiding namespace collisions.

We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author.

For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000.

For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.

[PsypherPunk]

Having issues running make testacc but for now, the output from acceptance testing directly:

❯ ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} TF_ACC=1 go test ./internal/service/apigateway -v -count 1 -parallel 20 -run=TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership (115.72s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigateway	115.773s

❯ ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} TF_ACC=1 go test ./internal/service/apigatewayv2 -v -count 1 -parallel 20 -run=TestAccAPIGatewayV2DomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAPIGatewayV2DomainName_MutualTlsAuthentication_ownership (149.24s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigatewayv2	149.292s

[sergii-rykov-cko]

Hello @PsypherPunk, looks like that feature is missing within terraform APIGateway module for a while. I'm currently stuck with provisioning API Gateway with mTLS support backed with imported certificate. Do you have any estimates when this could get merged? 🙏
Without that feature workaround gonna look quite ugly :)
I'm not an expert in creating and support terraform modules of AWS provider, but the implementation within PR looks straightforward.

[PsypherPunk]

@sergii-rykov-cko, from my perspective this is good to go. When it can be merged, however, depends on when the maintainers of this provider have capacity to review (based on their prioritisation.)

For what it's worth, I've been using a version of the provider compiled from my branch successfully on a project (we also need mTLS on API Gateway)—I don't know if that's something you could pursue…?

[PsypherPunk]

Rebased from main as I needed some new features alongside my changes:

❯ ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} TF_ACC=1 go test ./internal/service/apigateway -v -count 1 -parallel 20 -run=TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAPIGatewayDomainName_MutualTlsAuthentication_ownership (124.11s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigateway	124.165s

❯ ACM_CERTIFICATE_ROOT_DOMAIN=${TF_DOMAIN} TF_ACC=1 go test ./internal/service/apigatewayv2 -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership -timeout 180m
=== RUN   TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership
--- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication_ownership (124.43s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigatewayv2	124.473s

[YakDriver]

Thanks for the contribution! Looks great! 🎉

Output from acceptance tests (us-west-2):

% make testacc TESTS=TestAccAPIGatewayV2DomainName PKG=apigatewayv2 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/apigatewayv2/... -v -count 1 -parallel 20 -run='TestAccAPIGatewayV2DomainName'  -timeout 180m
--- PASS: TestAccAPIGatewayV2DomainName_disappears (62.54s)
--- PASS: TestAccAPIGatewayV2DomainName_basic (104.92s)
--- PASS: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_ownership (270.60s)
--- PASS: TestAccAPIGatewayV2DomainName_updateCertificate (375.47s)
--- PASS: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_basic (532.70s)
--- PASS: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_noVersion (546.79s)
--- PASS: TestAccAPIGatewayV2DomainName_tags (820.37s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigatewayv2	822.901s
% make testacc TESTS=TestAccAPIGatewayDomainName PKG=apigateway  
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/apigateway/... -v -count 1 -parallel 20 -run='TestAccAPIGatewayDomainName'  -timeout 180m
--- SKIP: TestAccAPIGatewayDomainName_certificateName (0.00s)
--- SKIP: TestAccAPIGatewayDomainName_regionalCertificateName (0.00s)
--- PASS: TestAccAPIGatewayDomainName_regionalCertificateARN (121.34s)
--- PASS: TestAccAPIGatewayDomainName_securityPolicy (146.43s)
--- PASS: TestAccAPIGatewayDomainName_tags (222.45s)
--- PASS: TestAccAPIGatewayDomainNameDataSource_basic (287.53s)
--- PASS: TestAccAPIGatewayDomainName_disappears (446.13s)
--- PASS: TestAccAPIGatewayDomainName_MutualTLSAuthentication_basic (537.38s)
--- PASS: TestAccAPIGatewayDomainName_MutualTLSAuthentication_ownership (584.48s)
--- PASS: TestAccAPIGatewayDomainName_certificateARN (980.90s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigateway	983.265s
% make testacc TESTS=TestAccS3BucketVersioning_ PKG=s3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3BucketVersioning_'  -timeout 180m
--- PASS: TestAccS3BucketVersioning_disappears (42.27s)
--- PASS: TestAccS3BucketVersioning_MFADelete (48.55s)
--- PASS: TestAccS3BucketVersioning_basic (48.83s)
--- PASS: TestAccS3BucketVersioning_update (124.55s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/s3	126.175s

GovCloud:

% make testacc TESTS=TestAccAPIGatewayDomainName PKG=apigateway
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/apigateway/... -v -count 1 -parallel 20 -run='TestAccAPIGatewayDomainName'  -timeout 180m
--- SKIP: TestAccAPIGatewayDomainName_certificateName (0.00s)
--- SKIP: TestAccAPIGatewayDomainName_regionalCertificateName (0.00s)
--- SKIP: TestAccAPIGatewayDomainName_certificateARN (1.40s)
--- SKIP: TestAccAPIGatewayDomainName_MutualTLSAuthentication_ownership (5.03s)
--- SKIP: TestAccAPIGatewayDomainName_MutualTLSAuthentication_basic (5.01s)
--- PASS: TestAccAPIGatewayDomainName_disappears (40.92s)
--- PASS: TestAccAPIGatewayDomainName_securityPolicy (85.58s)
--- PASS: TestAccAPIGatewayDomainName_tags (99.43s)
--- PASS: TestAccAPIGatewayDomainNameDataSource_basic (159.24s)
--- PASS: TestAccAPIGatewayDomainName_regionalCertificateARN (212.41s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigateway	215.367s
% make testacc TESTS=TestAccS3BucketVersioning_ PKG=s3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3BucketVersioning_'  -timeout 180m
--- PASS: TestAccS3BucketVersioning_disappears (32.43s)
--- PASS: TestAccS3BucketVersioning_basic (36.41s)
--- PASS: TestAccS3BucketVersioning_MFADelete (36.72s)
--- PASS: TestAccS3BucketVersioning_update (94.09s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/s3	95.832s
% make testacc TESTS=TestAccAPIGatewayV2DomainName PKG=apigatewayv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/apigatewayv2/... -v -count 1 -parallel 20 -run='TestAccAPIGatewayV2DomainName'  -timeout 180m
--- SKIP: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_basic (5.09s)
--- SKIP: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_ownership (5.31s)
--- SKIP: TestAccAPIGatewayV2DomainName_MutualTLSAuthentication_noVersion (5.15s)
--- PASS: TestAccAPIGatewayV2DomainName_basic (43.63s)
--- PASS: TestAccAPIGatewayV2DomainName_tags (91.48s)
--- PASS: TestAccAPIGatewayV2DomainName_disappears (137.30s)
--- PASS: TestAccAPIGatewayV2DomainName_updateCertificate (633.24s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/apigatewayv2	635.598s

[github-actions]

This functionality has been released in v4.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.