Add support for permissions_mode to aws_qldb_ledger

aws/data_source_aws_qldb_ledger.go

@@ -29,6 +29,12 @@ func dataSourceAwsQLDBLedger() *schema.Resource {
  ),
  },
 
+ "permissions_mode": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(qldb.PermissionsMode_Values(), false),
+ },
+
  "deletion_protection": {
  Type: schema.TypeBool,
  Computed: true,
@@ -56,6 +62,7 @@ func dataSourceAwsQLDBLedgerRead(d *schema.ResourceData, meta interface{}) error
  d.SetId(aws.StringValue(resp.Name))
  d.Set("arn", resp.Arn)
  d.Set("deletion_protection", resp.DeletionProtection)
+ d.Set("permissions_mode", resp.PermissionsMode)
 
  return nil
 }

aws/data_source_aws_qldb_ledger_test.go

@@ -23,6 +23,7 @@ func TestAccDataSourceAwsQLDBLedger_basic(t *testing.T) {
  resource.TestCheckResourceAttrPair("data.aws_qldb_ledger.by_name", "arn", "aws_qldb_ledger.tf_test", "arn"),
  resource.TestCheckResourceAttrPair("data.aws_qldb_ledger.by_name", "deletion_protection", "aws_qldb_ledger.tf_test", "deletion_protection"),
  resource.TestCheckResourceAttrPair("data.aws_qldb_ledger.by_name", "name", "aws_qldb_ledger.tf_test", "name"),
+ resource.TestCheckResourceAttrPair("data.aws_qldb_ledger.by_name", "permissions_mode", "aws_qldb_ledger.tf_test", "permissions_mode"),
  ),
  },
  },
@@ -33,16 +34,19 @@ func testAccDataSourceAwsQLDBLedgerConfig(rName string) string {
  return fmt.Sprintf(`
 resource "aws_qldb_ledger" "tf_wrong1" {
  name = "%[1]s1"
+ permissions_mode = "STANDARD"
  deletion_protection = false
 }
 
 resource "aws_qldb_ledger" "tf_test" {
  name = "%[1]s2"
+ permissions_mode = "STANDARD"
  deletion_protection = false
 }
 
 resource "aws_qldb_ledger" "tf_wrong2" {
  name = "%[1]s3"
+ permissions_mode = "STANDARD"
  deletion_protection = false
 }
 

aws/resource_aws_qldb_ledger.go

@@ -41,6 +41,12 @@ func resourceAwsQLDBLedger() *schema.Resource {
  ),
  },
 
+ "permissions_mode": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(qldb.PermissionsMode_Values(), false),
+ },
+
  "deletion_protection": {
  Type: schema.TypeBool,
  Optional: true,
@@ -73,10 +79,9 @@ func resourceAwsQLDBLedgerCreate(d *schema.ResourceData, meta interface{}) error
  }
 
  // Create the QLDB Ledger
- // The qldb.PermissionsModeAllowAll is currently hardcoded because AWS doesn't support changing the mode.
  createOpts := &qldb.CreateLedgerInput{
  Name: aws.String(d.Get("name").(string)),
- PermissionsMode: aws.String(qldb.PermissionsModeAllowAll),
+ PermissionsMode: aws.String(d.Get("permissions_mode").(string)),
  DeletionProtection: aws.Bool(d.Get("deletion_protection").(bool)),
  Tags: tags.IgnoreAws().QldbTags(),
  }
@@ -136,6 +141,10 @@ func resourceAwsQLDBLedgerRead(d *schema.ResourceData, meta interface{}) error {
  return fmt.Errorf("error setting name: %s", err)
  }
 
+ if err := d.Set("permissions_mode", qldbLedger.PermissionsMode); err != nil {
+ return fmt.Errorf("error setting permissions mode: %s", err)
+ }
+
  if err := d.Set("deletion_protection", qldbLedger.DeletionProtection); err != nil {
  return fmt.Errorf("error setting deletion protection: %s", err)
  }
@@ -169,6 +178,16 @@ func resourceAwsQLDBLedgerRead(d *schema.ResourceData, meta interface{}) error {
 func resourceAwsQLDBLedgerUpdate(d *schema.ResourceData, meta interface{}) error {
  conn := meta.(*AWSClient).qldbconn
 
+ if d.HasChange("permissions_mode") {
+ updateOpts := &qldb.UpdateLedgerPermissionsModeInput{
+ Name: aws.String(d.Id()),
+ PermissionsMode: aws.String(d.Get("permissions_mode").(string)),
+ }
+ if _, err := conn.UpdateLedgerPermissionsMode(updateOpts); err != nil {
+ return fmt.Errorf("error updating permissions mode: %s", err)
+ }
+ }
+
  if d.HasChange("deletion_protection") {
  val := d.Get("deletion_protection").(bool)
  modifyOpts := &qldb.UpdateLedgerInput{

aws/resource_aws_qldb_ledger_test.go

@@ -74,11 +74,50 @@ func TestAccAWSQLDBLedger_basic(t *testing.T) {
  CheckDestroy: testAccCheckAWSQLDBLedgerDestroy,
  Steps: []resource.TestStep{
  {
- Config: testAccAWSQLDBLedgerConfig(rInt),
+ Config: testAccAWSQLDBLedgerConfig_basic(rInt),
  Check: resource.ComposeTestCheckFunc(
  testAccCheckAWSQLDBLedgerExists(resourceName, &qldbCluster),
  testAccMatchResourceAttrRegionalARN(resourceName, "arn", "qldb", regexp.MustCompile(`ledger/.+`)),
  resource.TestMatchResourceAttr(resourceName, "name", regexp.MustCompile("test-ledger-[0-9]+")),
+ resource.TestCheckResourceAttr(resourceName, "permissions_mode", "ALLOW_ALL"),
+ resource.TestCheckResourceAttr(resourceName, "deletion_protection", "false"),
+ resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAWSQLDBLedger_update(t *testing.T) {
+ var qldbCluster qldb.DescribeLedgerOutput
+ rInt := acctest.RandInt()
+ resourceName := "aws_qldb_ledger.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(qldb.EndpointsID, t) },
+ ErrorCheck: testAccErrorCheck(t, qldb.EndpointsID),
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSQLDBLedgerDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSQLDBLedgerConfig_basic(rInt),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSQLDBLedgerExists(resourceName, &qldbCluster),
+ resource.TestCheckResourceAttr(resourceName, "permissions_mode", "ALLOW_ALL"),
+ ),
+ },
+ {
+ Config: testAccAWSQLDBLedgerConfig_update(rInt),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSQLDBLedgerExists(resourceName, &qldbCluster),
+ testAccMatchResourceAttrRegionalARN(resourceName, "arn", "qldb", regexp.MustCompile(`ledger/.+`)),
+ resource.TestMatchResourceAttr(resourceName, "name", regexp.MustCompile("test-ledger-[0-9]+")),
+ resource.TestCheckResourceAttr(resourceName, "permissions_mode", "STANDARD"),
  resource.TestCheckResourceAttr(resourceName, "deletion_protection", "false"),
  resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
  ),
@@ -159,10 +198,21 @@ func testAccCheckAWSQLDBLedgerExists(n string, v *qldb.DescribeLedgerOutput) res
  }
 }
 
-func testAccAWSQLDBLedgerConfig(n int) string {
+func testAccAWSQLDBLedgerConfig_basic(n int) string {
+ return fmt.Sprintf(`
+resource "aws_qldb_ledger" "test" {
+ name = "test-ledger-%d"
+ permissions_mode = "ALLOW_ALL"
+ deletion_protection = false
+}
+`, n)
+}
+
+func testAccAWSQLDBLedgerConfig_update(n int) string {
  return fmt.Sprintf(`
 resource "aws_qldb_ledger" "test" {
  name = "test-ledger-%d"
+ permissions_mode = "STANDARD"
  deletion_protection = false
 }
 `, n)
@@ -217,6 +267,7 @@ func testAccAWSQLDBLedgerConfigTags1(rName, tagKey1, tagValue1 string) string {
  return fmt.Sprintf(`
 resource "aws_qldb_ledger" "test" {
  name = %[1]q
+ permissions_mode = "ALLOW_ALL"
  deletion_protection = false
 
  tags = {
@@ -230,6 +281,7 @@ func testAccAWSQLDBLedgerConfigTags2(rName, tagKey1, tagValue1, tagKey2, tagValu
  return fmt.Sprintf(`
 resource "aws_qldb_ledger" "test" {
  name = %[1]q
+ permissions_mode = "ALLOW_ALL"
  deletion_protection = false
 
  tags = {

website/docs/d/qldb_ledger.html.markdown

@@ -24,5 +24,5 @@ data "aws_qldb_ledger" "example" {
 
 ## Attributes Reference
 
-* `arn` - Amazon Resource Name (ARN) of the ledger.
-* `deletion_protection` - Deletion protection on the QLDB Ledger instance. Set to `true` by default.
+See the [QLDB Ledger Resource](/docs/providers/aws/r/qldb_ledger.html) for details on the
+returned attributes - they are identical.

website/docs/r/qldb_ledger.html.markdown

@@ -16,7 +16,8 @@ Provides an AWS Quantum Ledger Database (QLDB) resource
 
 ```terraform
 resource "aws_qldb_ledger" "sample-ledger" {
- name = "sample-ledger"
+ name = "sample-ledger"
+ permissions_mode = "STANDARD"
 }
 ```
 
@@ -25,6 +26,7 @@ resource "aws_qldb_ledger" "sample-ledger" {
 The following arguments are supported:
 
 * `name` - (Optional) The friendly name for the QLDB Ledger instance. By default generated by Terraform.
+* `permissions_mode` - (Required) The permissions mode for the QLDB ledger instance. Specify either `ALLOW_ALL` or `STANDARD`.
 * `deletion_protection` - (Optional) The deletion protection for the QLDB Ledger instance. By default it is `true`. To delete this resource via Terraform, this value must be configured to `false` and applied first before attempting deletion.
 * `tags` - (Optional) Key-value map of resource tags. If configured with a provider [`default_tags` configuration block](https://www.terraform.io/docs/providers/aws/index.html#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.