feat: add self managed active directory settings to aws_db_instance

.changelog/35500.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_db_instance: Add `domain_auth_secret_arn`, `domain_dns_ips`, `domain_fqdn`, and `domain_ou` arguments to support [self-managed Active Directory](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.html)
+```

internal/service/rds/instance.go

@@ -222,12 +222,42 @@ func ResourceInstance() *schema.Resource {
 				Optional: true,
 			},
 			"domain": {
-				Type:     schema.TypeString,
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"domain_fqdn", "domain_ou", "domain_auth_secret_arn", "domain_dns_ips"},
+			},
+			"domain_auth_secret_arn": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ValidateFunc:  verify.ValidARN,
+				ConflictsWith: []string{"domain", "domain_iam_role_name"},
+			},
+			"domain_dns_ips": {
+				Type:     schema.TypeSet,
 				Optional: true,
+				MinItems: 2,
+				MaxItems: 2,
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validation.IsIPAddress,
+				},
+				ConflictsWith: []string{"domain", "domain_iam_role_name"},
+			},
+			"domain_fqdn": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				ConflictsWith: []string{"domain", "domain_iam_role_name"},
 			},
 			"domain_iam_role_name": {
-				Type:     schema.TypeString,
-				Optional: true,
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"domain_fqdn", "domain_ou", "domain_auth_secret_arn", "domain_dns_ips"},
+			},
+			"domain_ou": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"domain", "domain_iam_role_name"},
 			},
 			"enabled_cloudwatch_logs_exports": {
 				Type:     schema.TypeSet,
@@ -1085,10 +1115,26 @@ func resourceInstanceCreate(ctx context.Context, d *schema.ResourceData, meta in
 			input.Domain = aws.String(v.(string))
 		}
 
+		if v, ok := d.GetOk("domain_auth_secret_arn"); ok {
+			input.DomainAuthSecretArn = aws.String(v.(string))
+		}
+
+		if v, ok := d.GetOk("domain_dns_ips"); ok && v.(*schema.Set).Len() > 0 {
+			input.DomainDnsIps = flex.ExpandStringSet(v.(*schema.Set))
+		}
+
+		if v, ok := d.GetOk("domain_fqdn"); ok {
+			input.DomainFqdn = aws.String(v.(string))
+		}
+
 		if v, ok := d.GetOk("domain_iam_role_name"); ok {
 			input.DomainIAMRoleName = aws.String(v.(string))
 		}
 
+		if v, ok := d.GetOk("domain_ou"); ok {
+			input.DomainOu = aws.String(v.(string))
+		}
+
 		if v, ok := d.GetOk("enabled_cloudwatch_logs_exports"); ok && v.(*schema.Set).Len() > 0 {
 			input.EnableCloudwatchLogsExports = flex.ExpandStringSet(v.(*schema.Set))
 		}
@@ -1314,6 +1360,22 @@ func resourceInstanceCreate(ctx context.Context, d *schema.ResourceData, meta in
 			input.DomainIAMRoleName = aws.String(v.(string))
 		}
 
+		if v, ok := d.GetOk("domain_fqdn"); ok {
+			input.DomainFqdn = aws.String(v.(string))
+		}
+
+		if v, ok := d.GetOk("domain_ou"); ok {
+			input.DomainOu = aws.String(v.(string))
+		}
+
+		if v, ok := d.GetOk("domain_auth_secret_arn"); ok {
+			input.DomainAuthSecretArn = aws.String(v.(string))
+		}
+
+		if v, ok := d.GetOk("domain_dns_ips"); ok && v.(*schema.Set).Len() > 0 {
+			input.DomainDnsIps = flex.ExpandStringSet(v.(*schema.Set))
+		}
+
 		if v, ok := d.GetOk("enabled_cloudwatch_logs_exports"); ok && v.(*schema.Set).Len() > 0 {
 			input.EnableCloudwatchLogsExports = flex.ExpandStringSet(v.(*schema.Set))
 		}
@@ -1473,10 +1535,26 @@ func resourceInstanceCreate(ctx context.Context, d *schema.ResourceData, meta in
 			input.Domain = aws.String(v.(string))
 		}
 
+		if v, ok := d.GetOk("domain_auth_secret_arn"); ok {
+			input.DomainAuthSecretArn = aws.String(v.(string))
+		}
+
+		if v, ok := d.GetOk("domain_dns_ips"); ok && v.(*schema.Set).Len() > 0 {
+			input.DomainDnsIps = flex.ExpandStringSet(v.(*schema.Set))
+		}
+
+		if v, ok := d.GetOk("domain_fqdn"); ok {
+			input.DomainFqdn = aws.String(v.(string))
+		}
+
 		if v, ok := d.GetOk("domain_iam_role_name"); ok {
 			input.DomainIAMRoleName = aws.String(v.(string))
 		}
 
+		if v, ok := d.GetOk("domain_ou"); ok {
+			input.DomainOu = aws.String(v.(string))
+		}
+
 		if v, ok := d.GetOk("enabled_cloudwatch_logs_exports"); ok && v.(*schema.Set).Len() > 0 {
 			input.EnableCloudwatchLogsExports = flex.ExpandStringSet(v.(*schema.Set))
 		}
@@ -1694,11 +1772,20 @@ func resourceInstanceRead(ctx context.Context, d *schema.ResourceData, meta inte
 	}
 	d.Set("deletion_protection", v.DeletionProtection)
 	if len(v.DomainMemberships) > 0 && v.DomainMemberships[0] != nil {
-		d.Set("domain", v.DomainMemberships[0].Domain)
-		d.Set("domain_iam_role_name", v.DomainMemberships[0].IAMRoleName)
+		v := v.DomainMemberships[0]
+		d.Set("domain", v.Domain)
+		d.Set("domain_auth_secret_arn", v.AuthSecretArn)
+		d.Set("domain_dns_ips", aws.StringValueSlice(v.DnsIps))
+		d.Set("domain_fqdn", v.FQDN)
+		d.Set("domain_iam_role_name", v.IAMRoleName)
+		d.Set("domain_ou", v.OU)
 	} else {
 		d.Set("domain", nil)
+		d.Set("domain_auth_secret_arn", nil)
+		d.Set("domain_dns_ips", nil)
+		d.Set("domain_fqdn", nil)
 		d.Set("domain_iam_role_name", nil)
+		d.Set("domain_ou", nil)
 	}
 	d.Set("enabled_cloudwatch_logs_exports", aws.StringValueSlice(v.EnabledCloudwatchLogsExports))
 	d.Set("engine", v.Engine)
@@ -2074,10 +2161,19 @@ func dbInstancePopulateModify(input *rds_sdkv2.ModifyDBInstanceInput, d *schema.
 	// Always set this. Fixes TestAccRDSInstance_BlueGreenDeployment_updateWithDeletionProtection
 	input.DeletionProtection = aws.Bool(d.Get("deletion_protection").(bool))
 
+	// "InvalidParameterCombination: Specify the parameters for either AWS Managed Active Directory or self-managed Active Directory".
 	if d.HasChanges("domain", "domain_iam_role_name") {
 		needsModify = true
 		input.Domain = aws.String(d.Get("domain").(string))
 		input.DomainIAMRoleName = aws.String(d.Get("domain_iam_role_name").(string))
+	} else if d.HasChanges("domain_auth_secret_arn", "domain_dns_ips", "domain_fqdn", "domain_ou") {
+		needsModify = true
+		input.DomainAuthSecretArn = aws.String(d.Get("domain_auth_secret_arn").(string))
+		if v, ok := d.GetOk("domain_dns_ips"); ok && v.(*schema.Set).Len() > 0 {
+			input.DomainDnsIps = flex.ExpandStringValueSet(v.(*schema.Set))
+		}
+		input.DomainFqdn = aws.String(d.Get("domain_fqdn").(string))
+		input.DomainOu = aws.String(d.Get("domain_ou").(string))
 	}
 
 	if d.HasChange("enabled_cloudwatch_logs_exports") {