Update identity interceptor #44375
Conversation
At present, this PR gets us part of the way there. For some reason, mutation of IAM role identity is allowed but not S3 bucket identity.

```console
% make t T='TestAccIAMRole_Identity_ExistingResource_NoRefresh' K=iam
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-resource-identity-intercept-fix 🌿...
TF_ACC=1 go1.24.6 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMRole_Identity_ExistingResource_NoRefresh' -timeout 360m -vet=off
2025/09/19 17:31:52 Creating Terraform AWS Provider (SDKv2-style)...
2025/09/19 17:31:52 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccIAMRole_Identity_ExistingResource_NoRefresh
=== PAUSE TestAccIAMRole_Identity_ExistingResource_NoRefresh
=== RUN   TestAccIAMRole_Identity_ExistingResource_NoRefreshFailure
=== PAUSE TestAccIAMRole_Identity_ExistingResource_NoRefreshFailure
=== CONT  TestAccIAMRole_Identity_ExistingResource_NoRefresh
=== CONT  TestAccIAMRole_Identity_ExistingResource_NoRefreshFailure
--- PASS: TestAccIAMRole_Identity_ExistingResource_NoRefreshFailure (31.72s)
--- PASS: TestAccIAMRole_Identity_ExistingResource_NoRefresh (33.37s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        38.975s
```

and

```console
% make t T=TestAccS3Object_Identity_ExistingResource_NoRefresh K=s3
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-resource-identity-intercept-fix 🌿...
TF_ACC=1 go1.24.6 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Object_Identity_ExistingResource_NoRefresh' -timeout 360m -vet=off
2025/09/19 17:31:56 Creating Terraform AWS Provider (SDKv2-style)...
2025/09/19 17:31:56 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3Object_Identity_ExistingResource_NoRefresh
=== PAUSE TestAccS3Object_Identity_ExistingResource_NoRefresh
=== CONT  TestAccS3Object_Identity_ExistingResource_NoRefresh
    object_test.go:2128: Step 2/2 error: Error running apply: exit status 1

        Error: Unexpected Identity Change: During the update operation, the Terraform Provider unexpectedly returned a different identity than the previously stored one.

        This is always a problem with the provider and should be reported to the provider developer.

        Planned Identity: cty.ObjectVal(map[string]cty.Value{"account_id":cty.NullVal(cty.String), "bucket":cty.NullVal(cty.String), "key":cty.NullVal(cty.String), "region":cty.NullVal(cty.String)})
        New Identity: cty.ObjectVal(map[string]cty.Value{"account_id":cty.StringVal("000000000000"), "bucket":cty.StringVal("tf-acc-test-2907729564858031864"), "key":cty.StringVal("test-key"), "region":cty.StringVal("us-west-2")})

          with aws_s3_object.object,
          on terraform_plugin_test.tf line 16, in resource "aws_s3_object" "object":
          16: resource "aws_s3_object" "object" {

--- FAIL: TestAccS3Object_Identity_ExistingResource_NoRefresh (36.19s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/s3 45.950s
```
```console
% go test ./internal/provider/sdkv2/...
ok      github.com/hashicorp/terraform-provider-aws/internal/provider/sdkv2     9.018s
?       github.com/hashicorp/terraform-provider-aws/internal/provider/sdkv2/identity    [no test files]
ok      github.com/hashicorp/terraform-provider-aws/internal/provider/sdkv2/importer    0.714s
?       github.com/hashicorp/terraform-provider-aws/internal/provider/sdkv2/internal/attribute  [no test files]
```
Newly added test cases all passing with the most recent commits.

```console
% make t K=iam T=TestAccIAMRole_Identity_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-resource-identity-intercept-fix 🌿...
TF_ACC=1 go1.24.6 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMRole_Identity_' -timeout 360m -vet=off
2025/09/22 10:59:47 Creating Terraform AWS Provider (SDKv2-style)...
2025/09/22 10:59:47 Initializing Terraform AWS Provider (SDKv2-style)...
--- PASS: TestAccIAMRole_Identity_Basic (25.81s)
--- PASS: TestAccIAMRole_Identity_ExistingResource_NoRefreshFailure (40.20s)
--- PASS: TestAccIAMRole_Identity_ExistingResource_NoRefresh (50.44s)
--- PASS: TestAccIAMRole_Identity_ExistingResource (76.71s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        83.553s
```

```console
% make t K=s3 T=TestAccS3Object_Identity_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-resource-identity-intercept-fix 🌿...
TF_ACC=1 go1.24.6 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Object_Identity_' -timeout 360m -vet=off
2025/09/22 11:01:59 Creating Terraform AWS Provider (SDKv2-style)...
2025/09/22 11:01:59 Initializing Terraform AWS Provider (SDKv2-style)...
--- PASS: TestAccS3Object_Identity_RegionOverride (30.47s)
--- PASS: TestAccS3Object_Identity_Basic (38.80s)
--- PASS: TestAccS3Object_Identity_ExistingResource_NoRefresh (46.14s)
--- PASS: TestAccS3Object_Identity_ExistingResource (60.85s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 67.624s
```
johnsonaj
left a comment
LGTM 🚀
This functionality has been released in v6.14.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Rollback Plan
If a change needs to be reverted, we will publish an updated version of the library.
Changes to Security Controls
Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
Description
This change resolves a bug in the “identity interceptor”, the logic responsible for recording identity values on Create, Read, and Update operations. Previously this interceptor did nothing during update operations for resources with an immutable identity. This assumption was valid for newly created resources, or standard applies which execute a Read operation before an update, but presented issues when a non-refresh apply takes place. For non-refreshed applies, only the update handler is invoked, and any resource in state which does not already have identity values set will end the operation with fully null values.

In v6.14.0, the provider bundled a Terraform Plugin SDK update (v2.38.0), which included additional error checking to prevent fully null identity values from being written to state. The combination of the identity interception behavior and this new error checking resulted in existing resources which supported resource identity but lacked valid identity values in state surfacing an error (Missing Resource Identity After Update).

Additionally, because versions v6.0.0-v6.13.0 of the provider expressly did not prevent fully null values from being written to state (see a reproduction in #44330), attempting an update which correctly populated identity values would result in a different, but related error (Unexpected Identity Change). This PR also bundles an upgrade of hashicorp/terraform-plugin-sdk/v2 (v2.38.1), which now allows an identity change from fully null values to valid values.

With these changes we believe the majority of the regressions reported around resource identity in v6.14.0 should be resolved.

Relations
Closes #44330
Closes #44361
Closes #44366
Closes #44376

Relates:
null identity values #44330

References
Output from Acceptance Testing
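To make the failure sequence in the Description concrete, the following Go program is an added example written for this page; it is not code from terraform-provider-aws or terraform-plugin-sdk. It models the interceptor and the SDK-side identity checks with hypothetical types and functions (Identity, recordIdentity, checkIdentityAfterUpdate, simulateApply); the aws_s3_object attribute values are copied from the failing test output above, and the "content" attribute is a constructed stand-in for whatever the update changes. The fixedInterceptor flag toggles whether identity is recorded on Update (the interceptor fix), and allowNullToValid toggles the relaxation the Description attributes to plugin SDK v2.38.1.

```go
package main

import "fmt"

// Identity is a hypothetical stand-in for a resource identity block; a nil
// entry is a null attribute, like the cty.NullVal entries in the test output.
type Identity map[string]*string

// Sentinel errors named after the two messages quoted in the PR.
var (
	ErrMissingIdentity = fmt.Errorf("Missing Resource Identity After Update")
	ErrIdentityChange  = fmt.Errorf("Unexpected Identity Change")
)

// Identity attributes of aws_s3_object, as listed in the failing test output.
var s3ObjectIdentityAttrs = []string{"account_id", "bucket", "key", "region"}

// identityFromAttrs derives identity values from attributes already in state.
func identityFromAttrs(attrs map[string]string, identityAttrs []string) Identity {
	id := make(Identity, len(identityAttrs))
	for _, k := range identityAttrs {
		var p *string
		if v, ok := attrs[k]; ok {
			p = &v
		}
		id[k] = p
	}
	return id
}

// isFullyNull reports whether every identity attribute is null.
func isFullyNull(id Identity) bool {
	for _, v := range id {
		if v != nil {
			return false
		}
	}
	return true
}

// identitiesEqual compares two identities attribute by attribute.
func identitiesEqual(a, b Identity) bool {
	if len(a) != len(b) {
		return false
	}
	for k, av := range a {
		bv, ok := b[k]
		if !ok || (av == nil) != (bv == nil) || (av != nil && *av != *bv) {
			return false
		}
	}
	return true
}

// recordIdentity is the interceptor step run after op ("create", "read" or
// "update"). With setOnUpdate=false it reproduces the pre-fix behaviour the
// PR describes: identity is recorded on Create and Read only, so an Update
// with no preceding Read leaves a pre-existing resource's identity untouched.
func recordIdentity(op string, attrs map[string]string, current Identity, setOnUpdate bool) Identity {
	if op == "update" && !setOnUpdate {
		return current
	}
	return identityFromAttrs(attrs, s3ObjectIdentityAttrs)
}

// checkIdentityAfterUpdate models the SDK-side checks: a fully null identity
// after Update is rejected, and any change from the planned (previously
// stored) identity is rejected unless the planned identity was fully null and
// allowNullToValid is set (the relaxation the PR attributes to SDK v2.38.1).
func checkIdentityAfterUpdate(planned, next Identity, allowNullToValid bool) error {
	if isFullyNull(next) {
		return ErrMissingIdentity
	}
	if isFullyNull(planned) && allowNullToValid {
		return nil
	}
	if !identitiesEqual(planned, next) {
		return ErrIdentityChange
	}
	return nil
}

// simulateApply runs one apply against constructed state as left by provider
// versions that never recorded identity (attributes present, identity fully
// null; values copied from the test output above). refresh=false is a
// no-refresh apply (Update with no Read); fixedInterceptor toggles recording
// identity on Update; allowNullToValid toggles the SDK relaxation.
func simulateApply(refresh, fixedInterceptor, allowNullToValid bool) error {
	attrs := map[string]string{"account_id": "000000000000", "bucket": "tf-acc-test-2907729564858031864",
		"key": "test-key", "region": "us-west-2", "content": "old"}
	stored := Identity{"account_id": nil, "bucket": nil, "key": nil, "region": nil}
	if refresh {
		stored = recordIdentity("read", attrs, stored, fixedInterceptor)
	}
	attrs["content"] = "new" // the update handler changes a non-identity attribute
	next := recordIdentity("update", attrs, stored, fixedInterceptor)
	return checkIdentityAfterUpdate(stored, next, allowNullToValid)
}

func main() {
	fmt.Println("standard apply, pre-fix interceptor, SDK v2.38.0:", simulateApply(true, false, false))
	fmt.Println("no-refresh apply, pre-fix interceptor, SDK v2.38.0:", simulateApply(false, false, false))
	fmt.Println("no-refresh apply, fixed interceptor, SDK v2.38.0:", simulateApply(false, true, false))
	fmt.Println("no-refresh apply, fixed interceptor, SDK v2.38.1:", simulateApply(false, true, true))
}
```

Running it walks through the four situations the Description distinguishes: a standard apply passes even with the old interceptor because Read fills identity before Update; a no-refresh apply with the old interceptor ends with fully null identity and trips the missing-identity check; recording identity on Update alone turns that into the null-to-valid "Unexpected Identity Change" seen in the S3 object test above; and only the combination of the interceptor fix and the SDK relaxation passes. The identity check still rejects a change between two non-null identities, which is the immutability guarantee the SDK is enforcing.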