resource/aws_iam_access_key: Support resource import (#17321)

* resource/aws_iam_access_key: Support resource import Reference: #17288 Output from acceptance testing: ``` --- PASS: TestAccAWSAccessKey_encrypted (12.92s) --- PASS: TestAccAWSAccessKey_basic (12.92s) --- PASS: TestAccAWSAccessKey_inactive (19.64s) ``` * Update CHANGELOG for #17321
hashicorp · Jan 29, 2021 · d976d45 · d976d45
1 parent 57fcdbe
commit d976d45
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 14 deletions.
diff --git a/.changelog/17321.txt b/.changelog/17321.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_iam_access_key: Support resource import
+```
diff --git a/aws/resource_aws_iam_access_key.go b/aws/resource_aws_iam_access_key.go
@@ -22,6 +22,33 @@ func resourceAwsIamAccessKey() *schema.Resource {
 		Update: resourceAwsIamAccessKeyUpdate,
 		Delete: resourceAwsIamAccessKeyDelete,
 
+		Importer: &schema.ResourceImporter{
+			// ListAccessKeys requires UserName field in certain scenarios:
+			//   ValidationError: Must specify userName when calling with non-User credentials
+			// To prevent import from requiring this extra information, use GetAccessKeyLastUsed.
+			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+				conn := meta.(*AWSClient).iamconn
+
+				input := &iam.GetAccessKeyLastUsedInput{
+					AccessKeyId: aws.String(d.Id()),
+				}
+
+				output, err := conn.GetAccessKeyLastUsed(input)
+
+				if err != nil {
+					return nil, fmt.Errorf("error fetching IAM Access Key (%s) username via GetAccessKeyLastUsed: %w", d.Id(), err)
+				}
+
+				if output == nil || output.UserName == nil {
+					return nil, fmt.Errorf("error fetching IAM Access Key (%s) username via GetAccessKeyLastUsed: empty response", d.Id())
+				}
+
+				d.Set("user", output.UserName)
+
+				return []*schema.ResourceData{d}, nil
+			},
+		},
+
 		Schema: map[string]*schema.Schema{
 			"user": {
 				Type:     schema.TypeString,

diff --git a/aws/resource_aws_iam_access_key_test.go b/aws/resource_aws_iam_access_key_test.go
@@ -34,6 +34,12 @@ func TestAccAWSAccessKey_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("aws_iam_access_key.a_key", "secret"),
 				),
 			},
+			{
+				ResourceName:            "aws_iam_access_key.a_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"encrypted_secret", "key_fingerprint", "pgp_key", "secret", "ses_smtp_password_v4"},
+			},
 		},
 	})
 }
@@ -61,6 +67,12 @@ func TestAccAWSAccessKey_encrypted(t *testing.T) {
 						"aws_iam_access_key.a_key", "key_fingerprint"),
 				),
 			},
+			{
+				ResourceName:            "aws_iam_access_key.a_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"encrypted_secret", "key_fingerprint", "pgp_key", "secret", "ses_smtp_password_v4"},
+			},
 		},
 	})
 }
@@ -82,6 +94,12 @@ func TestAccAWSAccessKey_inactive(t *testing.T) {
 					resource.TestCheckResourceAttrSet("aws_iam_access_key.a_key", "secret"),
 				),
 			},
+			{
+				ResourceName:            "aws_iam_access_key.a_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"encrypted_secret", "key_fingerprint", "pgp_key", "secret", "ses_smtp_password_v4"},
+			},
 			{
 				Config: testAccAWSAccessKeyConfig_inactive(rName),
 				Check: resource.ComposeTestCheckFunc(

diff --git a/website/docs/r/iam_access_key.html.markdown b/website/docs/r/iam_access_key.html.markdown
@@ -81,17 +81,17 @@ In addition to all arguments above, the following attributes are exported:
 * `create_date` - Date and time in [RFC3339 format](https://tools.ietf.org/html/rfc3339#section-5.8) that the access key was created.
 * `id` - The access key ID.
 * `user` - The IAM user associated with this access key.
-* `key_fingerprint` - The fingerprint of the PGP key used to encrypt
-  the secret
-* `secret` - The secret access key. Note that this will be written
-to the state file. If you use this, please protect your backend state file
-judiciously. Alternatively, you may supply a `pgp_key` instead, which will
-prevent the secret from being stored in plaintext, at the cost of preventing
-the use of the secret key in automation.
-* `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified.
-~> **NOTE:** The encrypted secret may be decrypted using the command line,
-   for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`.
-* `ses_smtp_password_v4` - The secret access key converted into an SES SMTP
-  password by applying [AWS's documented Sigv4 conversion
-  algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
-  As SigV4 is region specific, valid Provider regions are `ap-south-1`, `ap-southeast-2`, `eu-central-1`, `eu-west-1`, `us-east-1` and `us-west-2`. See current [AWS SES regions](https://docs.aws.amazon.com/general/latest/gr/rande.html#ses_region)
+* `key_fingerprint` - The fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
+* `secret` - The secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a `pgp_key` instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
+* `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line, for example: `terraform output -raw encrypted_secret | base64 --decode | keybase pgp decrypt`.
+* `ses_smtp_password_v4` - The secret access key converted into an SES SMTP password by applying [AWS's documented Sigv4 conversion algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert). This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are `ap-south-1`, `ap-southeast-2`, `eu-central-1`, `eu-west-1`, `us-east-1` and `us-west-2`. See current [AWS SES regions](https://docs.aws.amazon.com/general/latest/gr/rande.html#ses_region).
+
+## Import
+
+IAM Access Keys can be imported using the identifier, e.g.
+
+```
+$ terraform import aws_iam_access_key.example AKIA1234567890
+```
+
+Resource attributes such as `encrypted_secret`, `key_fingerprint`, `pgp_key`, `secret`, and `ses_smtp_password_v4` are not available for imported resources as this information cannot be read from the IAM API.