hashicorp · ewbankkit · Sep 5, 2023 · Sep 1, 2023 · Sep 1, 2023 · Sep 4, 2023
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_api_gateway_account: Add `api_key_version` and `features` attributes
+```
+
+```release-note:bug
+resource/aws_api_gateway_account: Allow setting `cloudwatch_role_arn` to an empty value and set it correctly on Read, allowing its value to be determined on import
+```
@@ -13,7 +13,9 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
+	"github.com/hashicorp/terraform-provider-aws/internal/flex"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 )
 
 // @SDKResource("aws_api_gateway_account")
@@ -29,9 +31,19 @@ func ResourceAccount() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"cloudwatch_role_arn": {
+			"api_key_version": {
 				Type:     schema.TypeString,
-				Optional: true,
+				Computed: true,
+			},
+			"cloudwatch_role_arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidARN,
+			},
+			"features": {
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Computed: true,
 			},
 			"throttle_settings": {
 				Type:     schema.TypeList,
@@ -59,17 +71,18 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 
 	input := &apigateway.UpdateAccountInput{}
 
-	// Unfortunately AWS API doesn't allow empty ARNs,
-	// even though that's default settings for new AWS accounts
-	// BadRequestException: The role ARN is not well formed
 	if v, ok := d.GetOk("cloudwatch_role_arn"); ok {
 		input.PatchOperations = []*apigateway.PatchOperation{{
 			Op:    aws.String(apigateway.OpReplace),
 			Path:  aws.String("/cloudwatchRoleArn"),
 			Value: aws.String(v.(string)),
 		}}
 	} else {
-		input.PatchOperations = []*apigateway.PatchOperation{}
+		input.PatchOperations = []*apigateway.PatchOperation{{
+			Op:    aws.String(apigateway.OpReplace),
+			Path:  aws.String("/cloudwatchRoleArn"),
+			Value: aws.String(""),
+		}}
 	}
 
 	_, err := tfresource.RetryWhen(ctx, propagationTimeout,
@@ -110,13 +123,9 @@ func resourceAccountRead(ctx context.Context, d *schema.ResourceData, meta inter
 		return sdkdiag.AppendErrorf(diags, "reading API Gateway Account: %s", err)
 	}
 
-	if _, ok := d.GetOk("cloudwatch_role_arn"); ok {
-		// Backwards compatibility:
-		// CloudwatchRoleArn cannot be empty nor made empty via API
-		// This resource can however be useful w/out defining cloudwatch_role_arn
-		// (e.g. for referencing throttle_settings)
-		d.Set("cloudwatch_role_arn", account.CloudwatchRoleArn)
-	}
+	d.Set("api_key_version", account.ApiKeyVersion)
+	d.Set("cloudwatch_role_arn", account.CloudwatchRoleArn)
+	d.Set("features", flex.FlattenStringSet(account.Features))
 	if err := d.Set("throttle_settings", flattenThrottleSettings(account.ThrottleSettings)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting throttle_settings: %s", err)
 	}

@@ -29,13 +29,14 @@ func TestAccAPIGatewayAccount_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair(resourceName, "cloudwatch_role_arn", "aws_iam_role.test.0", "arn"),
 					resource.TestCheckResourceAttr(resourceName, "throttle_settings.#", "1"),
+					resource.TestCheckResourceAttrSet(resourceName, "api_key_version"),
+					resource.TestCheckResourceAttrSet(resourceName, "features.#"),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"cloudwatch_role_arn"},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 			{
 				Config: testAccAccountConfig_role1(rName),
@@ -61,50 +62,25 @@ resource "aws_api_gateway_account" "test" {}
 
 func testAccAccountConfig_base(rName string) string {
 	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
 resource "aws_iam_role" "test" {
   count = 2
 
   name = "%[1]s-${count.index}"
 
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [{
-    "Sid": "",
-    "Effect": "Allow",
-    "Principal": {
-      "Service": "apigateway.amazonaws.com"
-    },
-    "Action": "sts:AssumeRole"
-  }]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "test" {
-  count = 2
-
-  name = "%[1]s-${count.index}"
-  role = aws_iam_role.test[count.index].id
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "apigateway.amazonaws.com"
+      }
+    }]
+  })
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [{
-    "Effect": "Allow",
-    "Action": [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents"
-    ],
-    "Resource": "*"
-  }]
-}
-EOF
+  managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"]
 }
 `, rName)
 }

@@ -71,7 +71,9 @@ This resource supports the following arguments:
 
 This resource exports the following attributes in addition to the arguments above:
 
+* `api_key_version` - The version of the API keys used for the account.
 * `throttle_settings` - Account-Level throttle settings. See exported fields below.
+* `features` - A list of features supported for the account.
 
 `throttle_settings` block exports the following: