Merge pull request #37092 from aristosvo/feat/kms-sdk-v2

KMS: migrate to AWS SDK v2

.changelog/37092.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_kms_custom_key_store: Change `trust_anchor_certificate` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew)
+```

go.mod

@@ -103,6 +103,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/kendra v1.50.1
 	github.com/aws/aws-sdk-go-v2/service/keyspaces v1.10.4
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4
+	github.com/aws/aws-sdk-go-v2/service/kms v1.31.0
 	github.com/aws/aws-sdk-go-v2/service/lakeformation v1.32.0
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.54.0
 	github.com/aws/aws-sdk-go-v2/service/launchwizard v1.3.4

go.sum

@@ -236,6 +236,8 @@ github.com/aws/aws-sdk-go-v2/service/keyspaces v1.10.4 h1:b8U8xht0BhuuzDlKUq/QzB
 github.com/aws/aws-sdk-go-v2/service/keyspaces v1.10.4/go.mod h1:K0uQVx8xnUBI3CudcERApORx5cJrVUDew1K3deRDjLU=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4 h1:Oe8awBiS/iitcsRJB5+DHa3iCxoA0KwJJf0JNrYMINY=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4/go.mod h1:RCZCSFbieSgNG1RKegO26opXV4EXyef/vNBVJsUyHuw=
+github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 h1:yl7wcqbisxPzknJVfWTLnK83McUvXba+pz2+tPbIUmQ=
+github.com/aws/aws-sdk-go-v2/service/kms v1.31.0/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ=
 github.com/aws/aws-sdk-go-v2/service/lakeformation v1.32.0 h1:X7ydA78B8lmKVgGS3XEVUsgMKMHoYhmIwoxl3U2S2wg=
 github.com/aws/aws-sdk-go-v2/service/lakeformation v1.32.0/go.mod h1:0xTSto0XwDuPvY7P3XoEwOLH7sr5EzehNvxCoBaeuPU=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.54.0 h1:gazALVrZ7RIG6gJXut3c7NKtPgs9eQ8BFCA9uoliayk=

internal/conns/awsclient.go

@@ -21,7 +21,6 @@ import (
 	directoryservice_sdkv1 "github.com/aws/aws-sdk-go/service/directoryservice"
 	dynamodb_sdkv1 "github.com/aws/aws-sdk-go/service/dynamodb"
 	efs_sdkv1 "github.com/aws/aws-sdk-go/service/efs"
-	kms_sdkv1 "github.com/aws/aws-sdk-go/service/kms"
 	opsworks_sdkv1 "github.com/aws/aws-sdk-go/service/opsworks"
 	rds_sdkv1 "github.com/aws/aws-sdk-go/service/rds"
 	baselogging "github.com/hashicorp/aws-sdk-go-base/v2/logging"
@@ -95,17 +94,7 @@ func (c *AWSClient) EFSConnForRegion(ctx context.Context, region string) *efs_sd
 	return efs_sdkv1.New(c.session, aws_sdkv1.NewConfig().WithRegion(region))
 }
 
-// KMSConnForRegion returns an AWS SDK For Go v1 KMS API client for the specified AWS Region.
-// If the specified region is not the default a new "simple" client is created.
-// This new client does not use any configured endpoint override.
-func (c *AWSClient) KMSConnForRegion(ctx context.Context, region string) *kms_sdkv1.KMS {
-	if region == c.Region {
-		return c.KMSConn(ctx)
-	}
-	return kms_sdkv1.New(c.session, aws_sdkv1.NewConfig().WithRegion(region))
-}
-
-// KMSConnForRegion returns an AWS SDK For Go v1 OpsWorks API client for the specified AWS Region.
+// OpsWorksConnForRegion returns an AWS SDK For Go v1 OpsWorks API client for the specified AWS Region.
 // If the specified region is not the default a new "simple" client is created.
 // This new client does not use any configured endpoint override.
 func (c *AWSClient) OpsWorksConnForRegion(ctx context.Context, region string) *opsworks_sdkv1.OpsWorks {

internal/flex/flex.go

@@ -238,6 +238,12 @@ func FlattenStringMap(m map[string]*string) map[string]interface{} {
 	})
 }
 
+func FlattenStringValueMap(m map[string]string) map[string]interface{} {
+	return tfmaps.ApplyToAllValues(m, func(v string) any {
+		return v
+	})
+}
+
 // Takes the result of schema.Set of strings and returns a []*int64
 func ExpandInt64Set(configured *schema.Set) []*int64 {
 	return ExpandInt64List(configured.List())

internal/service/cloudfront/distribution.go

@@ -1084,7 +1084,7 @@ func resourceDistributionDelete(ctx context.Context, d *schema.ResourceData, met
 		const (
 			timeout = 1 * time.Minute
 		)
-		_, err = tfresource.RetryWhenIsOneOf[*awstypes.PreconditionFailed, *awstypes.InvalidIfMatchVersion](ctx, timeout, func() (interface{}, error) {
+		_, err = tfresource.RetryWhenIsOneOf2[*awstypes.PreconditionFailed, *awstypes.InvalidIfMatchVersion](ctx, timeout, func() (interface{}, error) {
 			return nil, deleteDistribution(ctx, conn, d.Id())
 		})
 	}

internal/service/dynamodb/table.go

@@ -1875,7 +1875,7 @@ func clearSSEDefaultKey(ctx context.Context, client *conns.AWSClient, sseList []
 
 	sse := sseList[0].(map[string]interface{})
 
-	dk, err := kms.FindDefaultKey(ctx, client, "dynamodb", client.Region)
+	dk, err := kms.FindDefaultKeyARNForService(ctx, client.KMSClient(ctx), "dynamodb", client.Region)
 	if err != nil {
 		return sseList
 	}
@@ -1906,7 +1906,7 @@ func clearReplicaDefaultKeys(ctx context.Context, client *conns.AWSClient, repli
 			continue
 		}
 
-		dk, err := kms.FindDefaultKey(ctx, client, "dynamodb", replica["region_name"].(string))
+		dk, err := kms.FindDefaultKeyARNForService(ctx, client.KMSClient(ctx), "dynamodb", replica["region_name"].(string))
 		if err != nil {
 			continue
 		}

internal/service/dynamodb/table_replica.go

@@ -247,7 +247,7 @@ func resourceTableReplicaRead(ctx context.Context, d *schema.ResourceData, meta
 		return create.AppendDiagError(diags, names.DynamoDB, create.ErrActionReading, ResNameTableReplica, d.Id(), err)
 	}
 
-	dk, err := kms.FindDefaultKey(ctx, meta.(*conns.AWSClient), "dynamodb", replicaRegion)
+	dk, err := kms.FindDefaultKeyARNForService(ctx, meta.(*conns.AWSClient).KMSClient(ctx), "dynamodb", replicaRegion)
 	if err != nil {
 		return create.AppendDiagError(diags, names.DynamoDB, create.ErrActionReading, ResNameTableReplica, d.Id(), err)
 	}
@@ -363,7 +363,7 @@ func resourceTableReplicaUpdate(ctx context.Context, d *schema.ResourceData, met
 	}
 
 	if d.HasChange(names.AttrKMSKeyARN) && !d.IsNewResource() { // create ends with update and sets kms_key_arn causing change that is not
-		dk, err := kms.FindDefaultKey(ctx, meta.(*conns.AWSClient), "dynamodb", replicaRegion)
+		dk, err := kms.FindDefaultKeyARNForService(ctx, meta.(*conns.AWSClient).KMSClient(ctx), "dynamodb", replicaRegion)
 		if err != nil {
 			return create.AppendDiagError(diags, names.DynamoDB, create.ErrActionUpdating, ResNameTableReplica, d.Id(), fmt.Errorf("region %s: %w", replicaRegion, err))
 		}

internal/service/ec2/ebs_default_kms_key_test.go

@@ -103,7 +103,7 @@ func testAccCheckEBSDefaultKMSKey(ctx context.Context, name string) resource.Tes
 
 // testAccEBSManagedDefaultKey returns' the account's AWS-managed default CMK.
 func testAccEBSManagedDefaultKey(ctx context.Context) (*arn.ARN, error) {
-	conn := acctest.Provider.Meta().(*conns.AWSClient).KMSConn(ctx)
+	conn := acctest.Provider.Meta().(*conns.AWSClient).KMSClient(ctx)
 
 	alias, err := tfkms.FindAliasByName(ctx, conn, "alias/aws/ebs")
 	if err != nil {

internal/service/kms/alias.go

@@ -7,19 +7,21 @@ import (
 	"context"
 	"log"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
-	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	awstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/create"
+	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
+	tfslices "github.com/hashicorp/terraform-provider-aws/internal/slices"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 )
 
-// @SDKResource("aws_kms_alias")
-func ResourceAlias() *schema.Resource {
+// @SDKResource("aws_kms_alias", name="Alias")
+func resourceAlias() *schema.Resource {
 	return &schema.Resource{
 		CreateWithoutTimeout: resourceAliasCreate,
 		ReadWithoutTimeout:   resourceAliasRead,
@@ -35,7 +37,6 @@ func ResourceAlias() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-
 			"name": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -44,7 +45,6 @@ func ResourceAlias() *schema.Resource {
 				ConflictsWith: []string{"name_prefix"},
 				ValidateFunc:  validNameForResource,
 			},
-
 			"name_prefix": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -53,12 +53,10 @@ func ResourceAlias() *schema.Resource {
 				ConflictsWith: []string{"name"},
 				ValidateFunc:  validNameForResource,
 			},
-
 			"target_key_arn": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-
 			"target_key_id": {
 				Type:             schema.TypeString,
 				Required:         true,
@@ -70,25 +68,21 @@ func ResourceAlias() *schema.Resource {
 
 func resourceAliasCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	namePrefix := d.Get("name_prefix").(string)
 	if namePrefix == "" {
-		namePrefix = AliasNamePrefix
+		namePrefix = aliasNamePrefix
 	}
 	name := create.Name(d.Get("name").(string), namePrefix)
-
 	input := &kms.CreateAliasInput{
 		AliasName:   aws.String(name),
 		TargetKeyId: aws.String(d.Get("target_key_id").(string)),
 	}
 
-	// KMS is eventually consistent.
-	log.Printf("[DEBUG] Creating KMS Alias: %s", input)
-
-	_, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, KeyRotationUpdatedTimeout, func() (interface{}, error) {
-		return conn.CreateAliasWithContext(ctx, input)
-	}, kms.ErrCodeNotFoundException)
+	_, err := tfresource.RetryWhenIsA[*awstypes.NotFoundException](ctx, keyRotationUpdatedTimeout, func() (interface{}, error) {
+		return conn.CreateAlias(ctx, input)
+	})
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "creating KMS Alias (%s): %s", name, err)
@@ -101,10 +95,10 @@ func resourceAliasCreate(ctx context.Context, d *schema.ResourceData, meta inter
 
 func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
-	outputRaw, err := tfresource.RetryWhenNewResourceNotFound(ctx, PropagationTimeout, func() (interface{}, error) {
-		return FindAliasByName(ctx, conn, d.Id())
+	outputRaw, err := tfresource.RetryWhenNewResourceNotFound(ctx, kmsPropagationTimeout, func() (interface{}, error) {
+		return findAliasByName(ctx, conn, d.Id())
 	}, d.IsNewResource())
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
@@ -117,17 +111,17 @@ func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interfa
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", d.Id(), err)
 	}
 
-	alias := outputRaw.(*kms.AliasListEntry)
-	aliasARN := aws.StringValue(alias.AliasArn)
-	targetKeyID := aws.StringValue(alias.TargetKeyId)
-	targetKeyARN, err := AliasARNToKeyARN(aliasARN, targetKeyID)
+	alias := outputRaw.(*awstypes.AliasListEntry)
+	aliasARN := aws.ToString(alias.AliasArn)
+	targetKeyID := aws.ToString(alias.TargetKeyId)
+	targetKeyARN, err := aliasARNToKeyARN(aliasARN, targetKeyID)
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", d.Id(), err)
 	}
 
 	d.Set("arn", aliasARN)
 	d.Set("name", alias.AliasName)
-	d.Set("name_prefix", create.NamePrefixFromName(aws.StringValue(alias.AliasName)))
+	d.Set("name_prefix", create.NamePrefixFromName(aws.ToString(alias.AliasName)))
 	d.Set("target_key_arn", targetKeyARN)
 	d.Set("target_key_id", targetKeyID)
 
@@ -136,16 +130,15 @@ func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interfa
 
 func resourceAliasUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	if d.HasChange("target_key_id") {
 		input := &kms.UpdateAliasInput{
 			AliasName:   aws.String(d.Id()),
 			TargetKeyId: aws.String(d.Get("target_key_id").(string)),
 		}
 
-		log.Printf("[DEBUG] Updating KMS Alias: %s", input)
-		_, err := conn.UpdateAliasWithContext(ctx, input)
+		_, err := conn.UpdateAlias(ctx, input)
 
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating KMS Alias (%s): %s", d.Id(), err)
@@ -157,14 +150,14 @@ func resourceAliasUpdate(ctx context.Context, d *schema.ResourceData, meta inter
 
 func resourceAliasDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
-	log.Printf("[DEBUG] Deleting KMS Alias: (%s)", d.Id())
-	_, err := conn.DeleteAliasWithContext(ctx, &kms.DeleteAliasInput{
+	log.Printf("[DEBUG] Deleting KMS Alias: %s", d.Id())
+	_, err := conn.DeleteAlias(ctx, &kms.DeleteAliasInput{
 		AliasName: aws.String(d.Id()),
 	})
 
-	if tfawserr.ErrCodeEquals(err, kms.ErrCodeNotFoundException) {
+	if errs.IsA[*awstypes.NotFoundException](err) {
 		return diags
 	}
 
@@ -175,6 +168,45 @@ func resourceAliasDelete(ctx context.Context, d *schema.ResourceData, meta inter
 	return diags
 }
 
+func findAliasByName(ctx context.Context, conn *kms.Client, name string) (*awstypes.AliasListEntry, error) {
+	input := &kms.ListAliasesInput{}
+
+	return findAlias(ctx, conn, input, func(v *awstypes.AliasListEntry) bool {
+		return aws.ToString(v.AliasName) == name
+	})
+}
+
+func findAlias(ctx context.Context, conn *kms.Client, input *kms.ListAliasesInput, filter tfslices.Predicate[*awstypes.AliasListEntry]) (*awstypes.AliasListEntry, error) {
+	output, err := findAliases(ctx, conn, input, filter)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return tfresource.AssertSingleValueResult(output)
+}
+
+func findAliases(ctx context.Context, conn *kms.Client, input *kms.ListAliasesInput, filter tfslices.Predicate[*awstypes.AliasListEntry]) ([]awstypes.AliasListEntry, error) {
+	var output []awstypes.AliasListEntry
+
+	pages := kms.NewListAliasesPaginator(conn, input)
+	for pages.HasMorePages() {
+		page, err := pages.NextPage(ctx)
+
+		if err != nil {
+			return output, err
+		}
+
+		for _, v := range page.Aliases {
+			if filter(&v) {
+				output = append(output, v)
+			}
+		}
+	}
+
+	return output, nil
+}
+
 func suppressEquivalentKeyARNOrID(k, old, new string, d *schema.ResourceData) bool {
-	return KeyARNOrIDEqual(old, new)
+	return keyARNOrIDEqual(old, new)
 }

internal/service/kms/alias_data_source.go

@@ -13,10 +13,11 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 )
 
-// @SDKDataSource("aws_kms_alias")
-func DataSourceAlias() *schema.Resource {
+// @SDKDataSource("aws_kms_alias", name="Alias")
+func dataSourceAlias() *schema.Resource {
 	return &schema.Resource{
 		ReadWithoutTimeout: dataSourceAliasRead,
+
 		Schema: map[string]*schema.Schema{
 			"arn": {
 				Type:     schema.TypeString,
@@ -41,11 +42,10 @@ func DataSourceAlias() *schema.Resource {
 
 func dataSourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	target := d.Get("name").(string)
-
-	alias, err := FindAliasByName(ctx, conn, target)
+	alias, err := findAliasByName(ctx, conn, target)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", target, err)
@@ -65,7 +65,7 @@ func dataSourceAliasRead(ctx context.Context, d *schema.ResourceData, meta inter
 	//
 	// https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html
 
-	keyMetadata, err := FindKeyByID(ctx, conn, target)
+	keyMetadata, err := findKeyByID(ctx, conn, target)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "reading KMS Key (%s): %s", target, err)