resource/cloudfront_distribution: re-introduce changes from #10013 to update active_trusted_signers attribute

aws/cloudfront_distribution_configuration_structure.go

@@ -17,7 +17,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/helper/hashcode"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap"
 )
 
 // cloudFrontRoute53ZoneID defines the route 53 zone ID for CloudFront. This
@@ -1097,20 +1096,30 @@ func flattenViewerCertificate(vc *cloudfront.ViewerCertificate) []interface{} {
 	return []interface{}{m}
 }
 
-// Convert *cloudfront.ActiveTrustedSigners to a flatmap.Map type, which ensures
-// it can probably be inserted into the schema.TypeMap type used by the
-// active_trusted_signers attribute.
-func flattenActiveTrustedSigners(ats *cloudfront.ActiveTrustedSigners) flatmap.Map {
-	m := make(map[string]interface{})
-	s := []interface{}{}
-	m["enabled"] = *ats.Enabled
+func flattenCloudfrontActiveTrustedSigners(ats *cloudfront.ActiveTrustedSigners) []interface{} {
+	if ats == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"enabled": aws.BoolValue(ats.Enabled),
+		"signers": flattenCloudfrontSigners(ats.Items),
+	}
+
+	return []interface{}{m}
+}
 
-	for _, v := range ats.Items {
-		signer := make(map[string]interface{})
-		signer["aws_account_number"] = *v.AwsAccountNumber
-		signer["key_pair_ids"] = aws.StringValueSlice(v.KeyPairIds.Items)
-		s = append(s, signer)
+func flattenCloudfrontSigners(signers []*cloudfront.Signer) []interface{} {
+	result := make([]interface{}, 0, len(signers))
+
+	for _, signer := range signers {
+		m := map[string]interface{}{
+			"aws_account_number": aws.StringValue(signer.AwsAccountNumber),
+			"key_pair_ids":       aws.StringValueSlice(signer.KeyPairIds.Items),
+		}
+
+		result = append(result, m)
 	}
-	m["items"] = s
-	return flatmap.Flatten(m)
+
+	return result
 }

aws/resource_aws_cloudfront_distribution.go

@@ -581,9 +581,33 @@ func resourceAwsCloudFrontDistribution() *schema.Resource {
 				Computed: true,
 			},
 			"active_trusted_signers": {
-				Type:     schema.TypeMap,
+				Type:     schema.TypeList,
 				Computed: true,
-				Elem:     &schema.Schema{Type: schema.TypeString},
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"signers": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"aws_account_number": {
+										Type:     schema.TypeString,
+										Computed: true,
+									},
+									"key_pair_ids": {
+										Type:     schema.TypeSet,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
 			},
 			"domain_name": {
 				Type:     schema.TypeString,
@@ -705,9 +729,8 @@ func resourceAwsCloudFrontDistributionRead(d *schema.ResourceData, meta interfac
 	}
 
 	// Update other attributes outside of DistributionConfig
-	err = d.Set("active_trusted_signers", flattenActiveTrustedSigners(resp.Distribution.ActiveTrustedSigners))
-	if err != nil {
-		return err
+	if err := d.Set("active_trusted_signers", flattenCloudfrontActiveTrustedSigners(resp.Distribution.ActiveTrustedSigners)); err != nil {
+		return fmt.Errorf("error setting active_trusted_signers: %w", err)
 	}
 	d.Set("status", resp.Distribution.Status)
 	d.Set("domain_name", resp.Distribution.DomainName)

aws/resource_aws_cloudfront_distribution_test.go

@@ -581,9 +581,9 @@ func TestAccAWSCloudFrontDistribution_DefaultCacheBehavior_TrustedSigners(t *tes
 				Config: testAccAWSCloudFrontDistributionConfigDefaultCacheBehaviorTrustedSignersSelf(retainOnDelete),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudFrontDistributionExists(resourceName, &distribution),
-					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.%", "6"),
-					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.items.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.items.0.aws_account_number", "self"),
+					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.0.signers.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "active_trusted_signers.0.signers.0.aws_account_number", "self"),
 					resource.TestCheckResourceAttr(resourceName, "default_cache_behavior.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "default_cache_behavior.0.trusted_signers.#", "1"),
 				),
@@ -2358,34 +2358,41 @@ resource "aws_cloudfront_distribution" "test" {
   enabled             = false
   retain_on_delete    = %[1]t
   wait_for_deployment = false
+
   default_cache_behavior {
     allowed_methods        = ["GET", "HEAD"]
     cached_methods         = ["GET", "HEAD"]
     target_origin_id       = "test"
     trusted_signers        = ["self"]
     viewer_protocol_policy = "allow-all"
+
     forwarded_values {
       query_string = false
+
       cookies {
         forward = "all"
       }
     }
   }
+
   origin {
     domain_name = "www.example.com"
     origin_id   = "test"
+
     custom_origin_config {
       http_port              = 80
       https_port             = 443
       origin_protocol_policy = "https-only"
       origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
+
   restrictions {
     geo_restriction {
       restriction_type = "none"
     }
   }
+
   viewer_certificate {
     cloudfront_default_certificate = true
   }

website/docs/guides/version-3-upgrade.html.md

@@ -26,6 +26,7 @@ Upgrade topics:
 - [Resource: aws_acm_certificate](#resource-aws_acm_certificate)
 - [Resource: aws_api_gateway_method_settings](#resource-aws_api_gateway_method_settings)
 - [Resource: aws_autoscaling_group](#resource-aws_autoscaling_group)
+- [Resource: aws_cloudfront_distribution](#resource-aws_cloudfront_distribution)
 - [Resource: aws_cognito_user_pool](#resource-aws_cognito_user_pool)
 - [Resource: aws_dx_gateway](#resource-aws_dx_gateway)
 - [Resource: aws_ebs_volume](#resource-aws_ebs_volume)
@@ -615,6 +616,29 @@ resource "aws_autoscaling_group" "example"{
 }
 ```
 
+## Resource: aws_cloudfront_distribution
+
+### active_trusted_signers Attribute Type Change
+
+Previously, the `active_trusted_signers` computed attribute was implemented with a Map that did not support accessing its computed `items` attribute in Terraform 0.12. 
+To address this, the `active_trusted_signers` attribute is now implemented as a List with a computed `signers` List attribute and computed `enabled` boolean attribute. 
+The nested `signers` attribute includes computed `aws_account_number` and `key_pair_ids` sub-fields, with the latter implemented as a List. 
+Thus, user configurations referencing the `active_trusted_signers` nested attributes will need to be changed as follows.
+
+Given these previous references:
+
+```
+aws_cloudfront_distribution.example.active_trusted_signers.enabled
+aws_cloudfront_distribution.example.active_trusted_signers.items
+```
+
+Updated references: 
+
+```
+aws_cloudfront_distribution.example.active_trusted_signers.0.enabled
+aws_cloudfront_distribution.example.active_trusted_signers.0.signers
+```
+
 ## Resource: aws_cognito_user_pool
 
 ### Removal of admin_create_user_config.unused_account_validity_days Argument

website/docs/r/cloudfront_distribution.html.markdown

@@ -307,8 +307,8 @@ of several sub-resources - these resources are laid out below.
     CloudFront to route requests to when a request matches the path pattern
     either for a cache behavior or for the default cache behavior.
 
-* `trusted_signers` (Optional) - The AWS accounts, if any, that you want to
-    allow to create signed URLs for private content.
+* `trusted_signers` (Optional) - List of AWS account IDs (or `self`) that you want to allow to create signed URLs for private content. 
+See the [CloudFront User Guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html) for more information about this feature.
 
 * `viewer_protocol_policy` (Required) - Use this element to specify the
     protocol that users can use to access the files in the origin specified by
@@ -529,9 +529,11 @@ In addition to all arguments above, the following attributes are exported:
     distribution's information is fully propagated throughout the Amazon
     CloudFront system.
 
-* `active_trusted_signers` - The key pair IDs that CloudFront is aware of for
-    each trusted signer, if the distribution is set up to serve private content
-    with signed URLs.
+* `active_trusted_signers` - Nested attributes of active trusted signers, if the distribution is set up to serve private content with signed URLs
+    * `enabled` - `true` if any of the AWS accounts listed as trusted signers have active CloudFront key pairs
+    * `signers` - Nested attributes of each trusted signer
+        * `aws_account_number` - AWS account ID or `self`
+        * `key_pair_ids` - Set of active CloudFront key pairs associated with the signer account
 
 * `domain_name` - The domain name corresponding to the distribution. For
     example: `d604721fxaaqy9.cloudfront.net`.