From c58c679517692e43cb44594cea944f177d0b2856 Mon Sep 17 00:00:00 2001
From: drfaust92 <ilia.lazebnik@gmail.com>
Date: Fri, 1 Sep 2023 20:54:01 +0300
Subject: [PATCH 1/4] fix account import

---
 internal/service/apigateway/account.go        | 36 +++++++----
 internal/service/apigateway/account_test.go   | 60 ++++++-------------
 .../docs/r/api_gateway_account.html.markdown  |  2 +
 3 files changed, 43 insertions(+), 55 deletions(-)

diff --git a/internal/service/apigateway/account.go b/internal/service/apigateway/account.go
index f4cd784ca69..5fd310bd7f3 100644
--- a/internal/service/apigateway/account.go
+++ b/internal/service/apigateway/account.go
@@ -13,7 +13,9 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
+	"github.com/hashicorp/terraform-provider-aws/internal/flex"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 )
 
 // @SDKResource("aws_api_gateway_account")
@@ -29,9 +31,19 @@ func ResourceAccount() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"cloudwatch_role_arn": {
+			"api_key_version": {
 				Type:     schema.TypeString,
-				Optional: true,
+				Computed: true,
+			},
+			"cloudwatch_role_arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidARN,
+			},
+			"features": {
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Computed: true,
 			},
 			"throttle_settings": {
 				Type:     schema.TypeList,
@@ -59,9 +71,6 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 
 	input := &apigateway.UpdateAccountInput{}
 
-	// Unfortunately AWS API doesn't allow empty ARNs,
-	// even though that's default settings for new AWS accounts
-	// BadRequestException: The role ARN is not well formed
 	if v, ok := d.GetOk("cloudwatch_role_arn"); ok {
 		input.PatchOperations = []*apigateway.PatchOperation{{
 			Op:    aws.String(apigateway.OpReplace),
@@ -69,7 +78,11 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 			Value: aws.String(v.(string)),
 		}}
 	} else {
-		input.PatchOperations = []*apigateway.PatchOperation{}
+		input.PatchOperations = []*apigateway.PatchOperation{{
+			Op:    aws.String(apigateway.OpReplace),
+			Path:  aws.String("/cloudwatchRoleArn"),
+			Value: aws.String(""),
+		}}
 	}
 
 	_, err := tfresource.RetryWhen(ctx, propagationTimeout,
@@ -110,13 +123,10 @@ func resourceAccountRead(ctx context.Context, d *schema.ResourceData, meta inter
 		return sdkdiag.AppendErrorf(diags, "reading API Gateway Account: %s", err)
 	}
 
-	if _, ok := d.GetOk("cloudwatch_role_arn"); ok {
-		// Backwards compatibility:
-		// CloudwatchRoleArn cannot be empty nor made empty via API
-		// This resource can however be useful w/out defining cloudwatch_role_arn
-		// (e.g. for referencing throttle_settings)
-		d.Set("cloudwatch_role_arn", account.CloudwatchRoleArn)
-	}
+	d.Set("api_key_version", account.ApiKeyVersion)
+	d.Set("features", flex.FlattenStringSet(account.Features))
+	d.Set("cloudwatch_role_arn", account.CloudwatchRoleArn)
+
 	if err := d.Set("throttle_settings", flattenThrottleSettings(account.ThrottleSettings)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting throttle_settings: %s", err)
 	}
diff --git a/internal/service/apigateway/account_test.go b/internal/service/apigateway/account_test.go
index 6214f12ed4c..8993ca50a9e 100644
--- a/internal/service/apigateway/account_test.go
+++ b/internal/service/apigateway/account_test.go
@@ -29,13 +29,14 @@ func TestAccAPIGatewayAccount_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair(resourceName, "cloudwatch_role_arn", "aws_iam_role.test.0", "arn"),
 					resource.TestCheckResourceAttr(resourceName, "throttle_settings.#", "1"),
+					resource.TestCheckResourceAttrSet(resourceName, "api_key_version"),
+					resource.TestCheckResourceAttrSet(resourceName, "features.#"),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"cloudwatch_role_arn"},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 			{
 				Config: testAccAccountConfig_role1(rName),
@@ -61,50 +62,25 @@ resource "aws_api_gateway_account" "test" {}
 
 func testAccAccountConfig_base(rName string) string {
 	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
 resource "aws_iam_role" "test" {
   count = 2
 
   name = "%[1]s-${count.index}"
 
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [{
-    "Sid": "",
-    "Effect": "Allow",
-    "Principal": {
-      "Service": "apigateway.amazonaws.com"
-    },
-    "Action": "sts:AssumeRole"
-  }]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "test" {
-  count = 2
-
-  name = "%[1]s-${count.index}"
-  role = aws_iam_role.test[count.index].id
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "apigateway.amazonaws.com"
+      }
+    }]
+  })
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [{
-    "Effect": "Allow",
-    "Action": [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents"
-    ],
-    "Resource": "*"
-  }]
-}
-EOF
+  managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"]
 }
 `, rName)
 }
diff --git a/website/docs/r/api_gateway_account.html.markdown b/website/docs/r/api_gateway_account.html.markdown
index 3dda5c7e601..010b038fa65 100644
--- a/website/docs/r/api_gateway_account.html.markdown
+++ b/website/docs/r/api_gateway_account.html.markdown
@@ -71,7 +71,9 @@ This resource supports the following arguments:
 
 This resource exports the following attributes in addition to the arguments above:
 
+* `api_key_version` - The version of the API keys used for the account.
 * `throttle_settings` - Account-Level throttle settings. See exported fields below.
+* `features` - A list of features supported for the account.
 
 `throttle_settings` block exports the following:
 

From 0dabfa2e6ee899390d9a7fd69c106ab422e413cf Mon Sep 17 00:00:00 2001
From: drfaust92 <ilia.lazebnik@gmail.com>
Date: Fri, 1 Sep 2023 20:58:15 +0300
Subject: [PATCH 2/4] changelog

---
 .changelog/33279.txt | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changelog/33279.txt

diff --git a/.changelog/33279.txt b/.changelog/33279.txt
new file mode 100644
index 00000000000..aedcf1a1737
--- /dev/null
+++ b/.changelog/33279.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_api_gateway_account: Add support `api_key_version` and `features` attributes
+```
+
+```release-note:bug
+resource/aws_api_gateway_account: Allow setting `cloudwatch_role_arn` to an empty value and setting it properly on read allowing it to be set on import
+```
\ No newline at end of file

From 2b26ec7e276e5ff7712b89a0170b526ef85074bc Mon Sep 17 00:00:00 2001
From: Kit Ewbank <Kit_Ewbank@hotmail.com>
Date: Mon, 4 Sep 2023 14:36:48 -0400
Subject: [PATCH 3/4] Tweak CHANGELOG entries.

---
 .changelog/33279.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.changelog/33279.txt b/.changelog/33279.txt
index aedcf1a1737..0e5b9e8ac88 100644
--- a/.changelog/33279.txt
+++ b/.changelog/33279.txt
@@ -1,7 +1,7 @@
 ```release-note:enhancement
-resource/aws_api_gateway_account: Add support `api_key_version` and `features` attributes
+resource/aws_api_gateway_account: Add `api_key_version` and `features` attributes
 ```
 
 ```release-note:bug
-resource/aws_api_gateway_account: Allow setting `cloudwatch_role_arn` to an empty value and setting it properly on read allowing it to be set on import
+resource/aws_api_gateway_account: Allow setting `cloudwatch_role_arn` to an empty value and set it correctly on Read, allowing its value to be determined on import
 ```
\ No newline at end of file

From ef334c7d9445ced3e20b30df62c6882e80ed2e19 Mon Sep 17 00:00:00 2001
From: Kit Ewbank <Kit_Ewbank@hotmail.com>
Date: Mon, 4 Sep 2023 14:37:39 -0400
Subject: [PATCH 4/4] r/aws_api_gateway_account: Cosmetics.

---
 internal/service/apigateway/account.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/service/apigateway/account.go b/internal/service/apigateway/account.go
index 5fd310bd7f3..d2cddddb3ec 100644
--- a/internal/service/apigateway/account.go
+++ b/internal/service/apigateway/account.go
@@ -124,9 +124,8 @@ func resourceAccountRead(ctx context.Context, d *schema.ResourceData, meta inter
 	}
 
 	d.Set("api_key_version", account.ApiKeyVersion)
-	d.Set("features", flex.FlattenStringSet(account.Features))
 	d.Set("cloudwatch_role_arn", account.CloudwatchRoleArn)
-
+	d.Set("features", flex.FlattenStringSet(account.Features))
 	if err := d.Set("throttle_settings", flattenThrottleSettings(account.ThrottleSettings)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting throttle_settings: %s", err)
 	}