From cf66d1c475d34a4557a8f740e133a9c7c8f4ef49 Mon Sep 17 00:00:00 2001
From: Andrew Tulloch <tullandr@amazon.co.uk>
Date: Tue, 30 Jul 2024 13:19:32 +0100
Subject: [PATCH 1/2] Fix #38145

---
 ...etwork_policy_document_data_source_test.go | 169 ++++++++++++++++++
 .../core_network_policy_model.go              |  14 +-
 2 files changed, 182 insertions(+), 1 deletion(-)

diff --git a/internal/service/networkmanager/core_network_policy_document_data_source_test.go b/internal/service/networkmanager/core_network_policy_document_data_source_test.go
index 085ba666f06..6d23fe9c825 100644
--- a/internal/service/networkmanager/core_network_policy_document_data_source_test.go
+++ b/internal/service/networkmanager/core_network_policy_document_data_source_test.go
@@ -45,6 +45,23 @@ func TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_serviceInsertion(t
 	})
 }
 
+func TestAccNetworkManagerCoreNetworkPolicyDocumentDataSource_whenSentTo(t *testing.T) {
+	ctx := acctest.Context(t)
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.NetworkManagerServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCoreNetworkPolicyDocumentDataSourceConfig_whenSentTo,
+				Check: resource.ComposeTestCheckFunc(
+					acctest.CheckResourceAttrEquivalentJSON("data.aws_networkmanager_core_network_policy_document.test", names.AttrJSON, testAccPolicyDocumentWildCardWhenSentToExpectedJSON),
+				),
+			},
+		},
+	})
+}
+
 // lintignore:AWSAT003
 const testAccCoreNetworkPolicyDocumentDataSourceConfig_basic = `
 data "aws_networkmanager_core_network_policy_document" "test" {
@@ -680,3 +697,155 @@ const testAccPolicyDocumentServiceInsertionExpectedJSON = `{
     }
   ]
 }`
+
+// lintignore:AWSAT003
+const testAccCoreNetworkPolicyDocumentDataSourceConfig_whenSentTo = `
+data "aws_networkmanager_core_network_policy_document" "test" {
+  core_network_configuration {
+    vpn_ecmp_support = true
+    asn_ranges = [
+      "64512-65534"
+    ]
+    inside_cidr_blocks = [
+      "10.0.0.0/16"
+    ]
+    edge_locations {
+      location = "us-east-2"
+    }
+    edge_locations {
+      location = "us-west-2"
+    }
+  }
+
+  segments {
+    name                          = "development"
+    require_attachment_acceptance = true
+    isolate_attachments           = true
+    edge_locations = [
+      "us-east-2"
+    ]
+  }
+
+  segments {
+    name                          = "production"
+    require_attachment_acceptance = true
+    isolate_attachments           = true
+    edge_locations = [
+      "us-east-2"
+    ]
+  }
+
+  segment_actions {
+    action  = "send-via"
+    segment = "development"
+    mode    = "single-hop"
+
+    when_sent_to {
+      segments = [
+        "*",
+      ]
+    }
+
+    via {
+      network_function_groups = ["InspectionVPC"]
+    }
+  }
+
+  attachment_policies {
+    rule_number     = 125
+    condition_logic = "and"
+
+    conditions {
+      type = "tag-exists"
+      key  = "InspectionVpcs"
+    }
+
+    action {
+      add_to_network_function_group = "InspectionVPC"
+    }
+  }
+
+  network_function_groups {
+    name                          = "InspectionVPC"
+    description                   = "Route segment traffic to the inspection VPC"
+    require_attachment_acceptance = true
+  }
+}
+`
+
+// lintignore:AWSAT003
+const testAccPolicyDocumentWildCardWhenSentToExpectedJSON = `{
+  "version": "2021.12",
+  "core-network-configuration": {
+    "vpn-ecmp-support": true,
+    "inside-cidr-blocks": [
+      "10.0.0.0/16"
+    ],
+    "asn-ranges": [
+      "64512-65534"
+    ],
+    "edge-locations": [
+      {
+        "location": "us-east-2"
+      },
+      {
+        "location": "us-west-2"
+      }
+    ]
+  },
+  "segments": [
+    {
+      "name": "development",
+      "edge-locations": [
+        "us-east-2"
+      ],
+      "require-attachment-acceptance": true,
+      "isolate-attachments": true
+    },
+    {
+      "name": "production",
+      "edge-locations": [
+        "us-east-2"
+      ],
+      "require-attachment-acceptance": true,
+      "isolate-attachments": true
+    }
+  ],
+  "network-function-groups": [
+    {
+      "name": "InspectionVPC",
+      "description": "Route segment traffic to the inspection VPC",
+      "require-attachment-acceptance": true
+    }
+  ],
+  "segment-actions": [
+    {
+      "action": "send-via",
+      "segment": "development",
+      "mode": "single-hop",
+      "when-sent-to": {
+        "segments": "*"
+      },
+      "via": {
+        "network-function-groups": [
+          "InspectionVPC"
+        ]
+      }
+    }
+  ],
+  "attachment-policies": [
+    {
+      "rule-number": 125,
+      "condition-logic": "and",
+      "conditions": [
+        {
+          "type": "tag-exists",
+          "key": "InspectionVpcs"
+        }
+      ],
+      "action": {
+        "add-to-network-function-group": "InspectionVPC"
+      }
+    }
+  ]
+}`
diff --git a/internal/service/networkmanager/core_network_policy_model.go b/internal/service/networkmanager/core_network_policy_model.go
index 8db896a38d3..8427bc21d9f 100644
--- a/internal/service/networkmanager/core_network_policy_model.go
+++ b/internal/service/networkmanager/core_network_policy_model.go
@@ -100,6 +100,7 @@ type coreNetworkPolicyAttachmentPolicyAction struct {
 func (c coreNetworkPolicySegmentAction) MarshalJSON() ([]byte, error) {
 	type Alias coreNetworkPolicySegmentAction
 	var share interface{}
+	var whenSentTo *coreNetworkPolicySegmentActionWhenSentTo
 
 	if v := c.ShareWith; v != nil {
 		v := v.([]string)
@@ -114,6 +115,17 @@ func (c coreNetworkPolicySegmentAction) MarshalJSON() ([]byte, error) {
 		}
 	}
 
+	if v := c.WhenSentTo; v != nil {
+		if s := v.Segments; s != nil {
+			s := s.([]string)
+			if s[0] == "*" {
+				whenSentTo = &coreNetworkPolicySegmentActionWhenSentTo{Segments: s[0]}
+			} else {
+				whenSentTo = c.WhenSentTo
+			}
+		}
+	}
+
 	return json.Marshal(&Alias{
 		Action:                c.Action,
 		Mode:                  c.Mode,
@@ -122,7 +134,7 @@ func (c coreNetworkPolicySegmentAction) MarshalJSON() ([]byte, error) {
 		Segment:               c.Segment,
 		ShareWith:             share,
 		Via:                   c.Via,
-		WhenSentTo:            c.WhenSentTo,
+		WhenSentTo:            whenSentTo,
 	})
 }
 

From 0a21345808d501581c57c2c2a03f021979002d73 Mon Sep 17 00:00:00 2001
From: Andrew Tulloch <tullandr@amazon.co.uk>
Date: Tue, 30 Jul 2024 13:23:40 +0100
Subject: [PATCH 2/2] Changelog

---
 .changelog/38595.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/38595.txt

diff --git a/.changelog/38595.txt b/.changelog/38595.txt
new file mode 100644
index 00000000000..9e9d1e03ecb
--- /dev/null
+++ b/.changelog/38595.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+datasource/aws_networkmanager_core_network_policy_document: Fix `CoreNetworkPolicyException` when putting policy with single wildcard in `when_sent_to`
+```
\ No newline at end of file