resource/certificate_settings: Multiple bug fixes

.changelog/40589.txt

@@ -0,0 +1,19 @@
+```release-note:bug
+resource/aws_amplify_domain_association: Prevent permanent diff when `certificate_settings` not set.
+```
+
+```release-note:bug
+resource/aws_amplify_domain_association: Prevent `ValidationException` when setting `certificate_settings.type` to `AMPLIFY_MANAGED`.
+```
+
+```release-note:bug
+resource/aws_amplify_domain_association: Prevent "unexpected state" error when setting `certificate_settings.type` to `CUSTOM`.
+```
+
+```release-note:bug
+resource/aws_amplify_domain_association: No longer ignores changes to `certificate_settings` when updating.
+```
+
+```release-note:bug
+resource/aws_amplify_domain_association: Prevents panic in some circumstances when `certificate_settings` is not set during update.
+```

.teamcity/settings.kts

@@ -69,6 +69,7 @@ project {
 
         if (acmCertificateRootDomain != "") {
             text("env.ACM_CERTIFICATE_ROOT_DOMAIN", acmCertificateRootDomain, display = ParameterDisplay.HIDDEN)
+            text("env.AMPLIFY_DOMAIN_NAME", acmCertificateRootDomain, display = ParameterDisplay.HIDDEN)
         }
 
         val securityGroupRulesPerGroup = DslContext.getParameter("security_group_rules_per_group", "")

internal/service/amplify/amplify_test.go

@@ -46,10 +46,11 @@ func TestAccAmplify_serial(t *testing.T) {
 			"OptionalArguments":    testAccBranch_OptionalArguments,
 		},
 		"DomainAssociation": {
-			acctest.CtBasic:       testAccDomainAssociation_basic,
-			"certificateSettings": testAccDomainAssociation_certificateSettings,
-			acctest.CtDisappears:  testAccDomainAssociation_disappears,
-			"update":              testAccDomainAssociation_update,
+			acctest.CtBasic:               testAccDomainAssociation_basic,
+			"certificateSettings_Managed": testAccDomainAssociation_certificateSettings_Managed,
+			"certificateSettings_Custom":  testAccDomainAssociation_certificateSettings_Custom,
+			acctest.CtDisappears:          testAccDomainAssociation_disappears,
+			"update":                      testAccDomainAssociation_update,
 		},
 		"Webhook": {
 			acctest.CtBasic:      testAccWebhook_basic,

internal/service/amplify/domain_association.go

@@ -52,6 +52,7 @@ func resourceDomainAssociation() *schema.Resource {
 			"certificate_settings": {
 				Type:     schema.TypeList,
 				Optional: true,
+				Computed: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
@@ -206,14 +207,16 @@ func resourceDomainAssociationUpdate(ctx context.Context, d *schema.ResourceData
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
-	if d.HasChanges("enable_auto_sub_domain", "sub_domain") {
-		input := &amplify.UpdateDomainAssociationInput{
+	if d.HasChanges("certificate_settings", "enable_auto_sub_domain", "sub_domain") {
+		input := amplify.UpdateDomainAssociationInput{
 			AppId:      aws.String(appID),
 			DomainName: aws.String(domainName),
 		}
 
 		if d.HasChange("certificate_settings") {
-			input.CertificateSettings = expandCertificateSettings(d.Get("certificate_settings").([]interface{})[0].(map[string]interface{}))
+			if v, ok := d.GetOk("certificate_settings"); ok && len(v.([]any)) > 0 && v.([]any)[0] != nil {
+				input.CertificateSettings = expandCertificateSettings(d.Get("certificate_settings").([]interface{})[0].(map[string]interface{}))
+			}
 		}
 
 		if d.HasChange("enable_auto_sub_domain") {
@@ -224,16 +227,16 @@ func resourceDomainAssociationUpdate(ctx context.Context, d *schema.ResourceData
 			input.SubDomainSettings = expandSubDomainSettings(d.Get("sub_domain").(*schema.Set).List())
 		}
 
-		_, err := conn.UpdateDomainAssociation(ctx, input)
+		_, err := conn.UpdateDomainAssociation(ctx, &input)
 
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating Amplify Domain Association (%s): %s", d.Id(), err)
 		}
-	}
 
-	if d.Get("wait_for_verification").(bool) {
-		if _, err := waitDomainAssociationVerified(ctx, conn, appID, domainName); err != nil {
-			return sdkdiag.AppendErrorf(diags, "waiting for Amplify Domain Association (%s) verification: %s", d.Id(), err)
+		if d.Get("wait_for_verification").(bool) {
+			if _, err := waitDomainAssociationVerified(ctx, conn, appID, domainName); err != nil {
+				return sdkdiag.AppendErrorf(diags, "waiting for Amplify Domain Association (%s) verification: %s", d.Id(), err)
+			}
 		}
 	}
 
@@ -313,8 +316,17 @@ func waitDomainAssociationCreated(ctx context.Context, conn *amplify.Client, app
 		timeout = 5 * time.Minute
 	)
 	stateConf := &retry.StateChangeConf{
-		Pending: enum.Slice(types.DomainStatusCreating, types.DomainStatusInProgress, types.DomainStatusRequestingCertificate),
-		Target:  enum.Slice(types.DomainStatusPendingVerification, types.DomainStatusPendingDeployment, types.DomainStatusAvailable),
+		Pending: enum.Slice(
+			types.DomainStatusCreating,
+			types.DomainStatusInProgress,
+			types.DomainStatusRequestingCertificate,
+			types.DomainStatusImportingCustomCertificate,
+		),
+		Target: enum.Slice(
+			types.DomainStatusPendingVerification,
+			types.DomainStatusPendingDeployment,
+			types.DomainStatusAvailable,
+		),
 		Refresh: statusDomainAssociation(ctx, conn, appID, domainName),
 		Timeout: timeout,
 	}
@@ -337,8 +349,46 @@ func waitDomainAssociationVerified(ctx context.Context, conn *amplify.Client, ap
 		timeout = 15 * time.Minute
 	)
 	stateConf := &retry.StateChangeConf{
-		Pending: enum.Slice(types.DomainStatusUpdating, types.DomainStatusInProgress, types.DomainStatusPendingVerification),
-		Target:  enum.Slice(types.DomainStatusPendingDeployment, types.DomainStatusAvailable),
+		Pending: enum.Slice(
+			types.DomainStatusUpdating,
+			types.DomainStatusInProgress,
+			types.DomainStatusPendingVerification,
+		),
+		Target: enum.Slice(
+			types.DomainStatusPendingDeployment,
+			types.DomainStatusAvailable,
+		),
+		Refresh: statusDomainAssociation(ctx, conn, appID, domainName),
+		Timeout: timeout,
+	}
+
+	outputRaw, err := stateConf.WaitForStateContext(ctx)
+
+	if v, ok := outputRaw.(*types.DomainAssociation); ok {
+		if v.DomainStatus == types.DomainStatusFailed {
+			tfresource.SetLastError(err, errors.New(aws.ToString(v.StatusReason)))
+		}
+
+		return v, err
+	}
+
+	return nil, err
+}
+
+func waitDomainAssociationAvailable(ctx context.Context, conn *amplify.Client, appID, domainName string) (*types.DomainAssociation, error) {
+	const (
+		timeout = 15 * time.Minute
+	)
+	stateConf := &retry.StateChangeConf{
+		Pending: enum.Slice(
+			types.DomainStatusUpdating,
+			types.DomainStatusInProgress,
+			types.DomainStatusPendingVerification,
+			types.DomainStatusPendingDeployment,
+		),
+		Target: enum.Slice(
+			types.DomainStatusAvailable,
+		),
 		Refresh: statusDomainAssociation(ctx, conn, appID, domainName),
 		Timeout: timeout,
 	}
@@ -429,7 +479,7 @@ func expandCertificateSettings(tfMap map[string]interface{}) *types.CertificateS
 		Type: types.CertificateType(tfMap[names.AttrType].(string)),
 	}
 
-	if v, ok := tfMap["custom_certificate_arn"].(string); ok {
+	if v, ok := tfMap["custom_certificate_arn"].(string); ok && v != "" {
 		apiObject.CustomCertificateArn = aws.String(v)
 	}