provider: Followup items from initial Code Signing release

aws/data_source_aws_lambda_function.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
@@ -303,6 +304,15 @@ func dataSourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) e
 		return fmt.Errorf("error setting file_system_config: %s", err)
 	}
 
+	// Currently, this functionality is only enabled in AWS Commercial partition
+	// and other partitions return ambiguous error codes (e.g. AccessDeniedException
+	// in AWS GovCloud (US)) so we cannot just ignore the error as would typically.
+	if meta.(*AWSClient).partition != endpoints.AwsPartitionID {
+		d.SetId(aws.StringValue(function.FunctionName))
+
+		return nil
+	}
+
 	// Get Code Signing Config Output
 	// If code signing config output exists, set it to that value, otherwise set it empty.
 	codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{

aws/data_source_aws_signer_signing_job_test.go

@@ -9,17 +9,16 @@ import (
 )
 
 func TestAccDataSourceAWSSignerSigningJob_basic(t *testing.T) {
-	rString := acctest.RandString(48)
-	profileName := fmt.Sprintf("tf_acc_sp_basic_%s", rString)
+	rName := acctest.RandomWithPrefix("tf-acc-test")
 	dataSourceName := "data.aws_signer_signing_job.test"
-	resourceName := "aws_signer_signing_job.job_test"
+	resourceName := "aws_signer_signing_job.test"
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:  func() { testAccPreCheck(t) },
+		PreCheck:  func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAWSSignerSigningJobConfigBasic(profileName),
+				Config: testAccDataSourceAWSSignerSigningJobConfigBasic(rName),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair(dataSourceName, "status", resourceName, "status"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "job_owner", resourceName, "job_owner"),
@@ -31,17 +30,17 @@ func TestAccDataSourceAWSSignerSigningJob_basic(t *testing.T) {
 	})
 }
 
-func testAccDataSourceAWSSignerSigningJobConfigBasic(profileName string) string {
+func testAccDataSourceAWSSignerSigningJobConfigBasic(rName string) string {
 	return fmt.Sprintf(`
 data "aws_caller_identity" "current" {}
 
-resource "aws_signer_signing_profile" "test_sp" {
+resource "aws_signer_signing_profile" "test" {
   platform_id = "AWSLambda-SHA384-ECDSA"
-  name        = "%s"
+  name        = replace(%[1]q, "-", "_")
 }
 
-resource "aws_s3_bucket" "bucket" {
-  bucket = "tf-signer-signing-bucket"
+resource "aws_s3_bucket" "source" {
+  bucket = "%[1]s-source"
 
   versioning {
     enabled = true
@@ -50,36 +49,37 @@ resource "aws_s3_bucket" "bucket" {
   force_destroy = true
 }
 
-resource "aws_s3_bucket" "dest_bucket" {
-  bucket        = "tf-signer-signing-dest-bucket"
+resource "aws_s3_bucket" "destination" {
+  bucket        = "%[1]s-destination"
   force_destroy = true
 }
 
-resource "aws_s3_bucket_object" "lambda_signing_code" {
-  bucket = aws_s3_bucket.bucket.bucket
+resource "aws_s3_bucket_object" "source" {
+  bucket = aws_s3_bucket.source.bucket
   key    = "lambdatest.zip"
   source = "test-fixtures/lambdatest.zip"
 }
 
-resource "aws_signer_signing_job" "job_test" {
-  profile_name = aws_signer_signing_profile.test_sp.name
+resource "aws_signer_signing_job" "test" {
+  profile_name = aws_signer_signing_profile.test.name
 
   source {
     s3 {
-      bucket  = aws_s3_bucket.bucket.bucket
-      key     = aws_s3_bucket_object.lambda_signing_code.key
-      version = aws_s3_bucket_object.lambda_signing_code.version_id
+      bucket  = aws_s3_bucket_object.source.bucket
+      key     = aws_s3_bucket_object.source.key
+      version = aws_s3_bucket_object.source.version_id
     }
   }
 
   destination {
     s3 {
-      bucket = aws_s3_bucket.dest_bucket.bucket
+      bucket = aws_s3_bucket.destination.bucket
     }
   }
 }
 
 data "aws_signer_signing_job" "test" {
-  job_id = aws_signer_signing_job.job_test.job_id
-}`, profileName)
+  job_id = aws_signer_signing_job.test.job_id
+}
+`, rName)
 }

aws/data_source_aws_signer_signing_profile_test.go

@@ -15,7 +15,7 @@ func TestAccDataSourceAWSSignerSigningProfile_basic(t *testing.T) {
 	profileName := fmt.Sprintf("tf_acc_sp_basic_%s", rString)
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:  func() { testAccPreCheck(t) },
+		PreCheck:  func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{

aws/resource_aws_lambda_function.go

@@ -12,6 +12,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -711,8 +712,13 @@ func resourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) err
 	invokeArn := lambdaFunctionInvokeArn(*function.FunctionArn, meta)
 	d.Set("invoke_arn", invokeArn)
 
-	// Get Code Signing Config Output
-	// If code signing config output exists, set it to that value, otherwise set it empty.
+	// Currently, this functionality is only enabled in AWS Commercial partition
+	// and other partitions return ambiguous error codes (e.g. AccessDeniedException
+	// in AWS GovCloud (US)) so we cannot just ignore the error as would typically.
+	if meta.(*AWSClient).partition != endpoints.AwsPartitionID {
+		return nil
+	}
+
 	codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{
 		FunctionName: aws.String(d.Get("function_name").(string)),
 	}

aws/resource_aws_lambda_function_test.go

@@ -191,7 +191,7 @@ func TestAccAWSLambdaFunction_codeSigningConfig(t *testing.T) {
 	cscUpdateResourceName := "aws_lambda_code_signing_config.code_signing_config_2"
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckLambdaFunctionDestroy,
 		Steps: []resource.TestStep{

aws/resource_aws_signer_signing_job_test.go

@@ -12,23 +12,22 @@ import (
 )
 
 func TestAccAWSSignerSigningJob_basic(t *testing.T) {
-	resourceName := "aws_signer_signing_job.test_job"
-	profileResourceName := "aws_signer_signing_profile.test_sp"
-	rString := acctest.RandString(48)
-	profileName := fmt.Sprintf("tf_acc_sp_basic_%s", rString)
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_signer_signing_job.test"
+	profileResourceName := "aws_signer_signing_profile.test"
 
 	var job signer.DescribeSigningJobOutput
 	var conf signer.GetSigningProfileOutput
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: nil,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSSignerSigningJobConfig(profileName),
+				Config: testAccAWSSignerSigningJobConfig(rName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSignerSigningProfileExists(profileResourceName, profileName, &conf),
+					testAccCheckAWSSignerSigningProfileExists(profileResourceName, &conf),
 					testAccCheckAWSSignerSigningJobExists(resourceName, &job),
 					resource.TestCheckResourceAttr(resourceName, "platform_id", "AWSLambda-SHA384-ECDSA"),
 					resource.TestCheckResourceAttr(resourceName, "platform_display_name", "AWS Lambda"),
@@ -40,17 +39,17 @@ func TestAccAWSSignerSigningJob_basic(t *testing.T) {
 
 }
 
-func testAccAWSSignerSigningJobConfig(profileName string) string {
+func testAccAWSSignerSigningJobConfig(rName string) string {
 	return fmt.Sprintf(`
 data "aws_caller_identity" "current" {}
 
-resource "aws_signer_signing_profile" "test_sp" {
+resource "aws_signer_signing_profile" "test" {
   platform_id = "AWSLambda-SHA384-ECDSA"
-  name        = "%s"
+  name        = replace(%[1]q, "-", "_")
 }
 
-resource "aws_s3_bucket" "bucket" {
-  bucket = "tf-signer-signing-bucket"
+resource "aws_s3_bucket" "source" {
+  bucket = "%[1]s-source"
 
   versioning {
     enabled = true
@@ -59,34 +58,35 @@ resource "aws_s3_bucket" "bucket" {
   force_destroy = true
 }
 
-resource "aws_s3_bucket" "dest_bucket" {
-  bucket        = "tf-signer-signing-dest-bucket"
+resource "aws_s3_bucket" "destination" {
+  bucket        = "%[1]s"
   force_destroy = true
 }
 
-resource "aws_s3_bucket_object" "lambda_signing_code" {
-  bucket = aws_s3_bucket.bucket.bucket
+resource "aws_s3_bucket_object" "source" {
+  bucket = aws_s3_bucket.source.bucket
   key    = "lambdatest.zip"
   source = "test-fixtures/lambdatest.zip"
 }
 
-resource "aws_signer_signing_job" "test_job" {
-  profile_name = aws_signer_signing_profile.test_sp.name
+resource "aws_signer_signing_job" "test" {
+  profile_name = aws_signer_signing_profile.test.name
 
   source {
     s3 {
-      bucket  = aws_s3_bucket.bucket.bucket
-      key     = aws_s3_bucket_object.lambda_signing_code.key
-      version = aws_s3_bucket_object.lambda_signing_code.version_id
+      bucket  = aws_s3_bucket_object.source.bucket
+      key     = aws_s3_bucket_object.source.key
+      version = aws_s3_bucket_object.source.version_id
     }
   }
 
   destination {
     s3 {
-      bucket = aws_s3_bucket.dest_bucket.bucket
+      bucket = aws_s3_bucket.destination.bucket
     }
   }
-}`, profileName)
+}
+`, rName)
 }
 
 func testAccCheckAWSSignerSigningJobExists(res string, job *signer.DescribeSigningJobOutput) resource.TestCheckFunc {

aws/resource_aws_signer_signing_profile_permission_test.go

@@ -22,15 +22,15 @@ func TestAccAWSSignerSigningProfilePermission_basic(t *testing.T) {
 	var sppconf signer.ListProfilePermissionsOutput
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSSignerSigningProfileDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config:  testAccAWSSignerSigningProfilePermissionConfig(profileName),
 				Destroy: false,
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSignerSigningProfileExists(profileResourceName, profileName, &conf),
+					testAccCheckAWSSignerSigningProfileExists(profileResourceName, &conf),
 					testAccCheckAWSSignerSigningProfilePermissionExists(resourceName, profileName, &sppconf),
 					naming.TestCheckResourceAttrNameGenerated(resourceName, "statement_id"),
 				),
@@ -55,15 +55,15 @@ func TestAccAWSSignerSigningProfilePermission_GetSigningProfile(t *testing.T) {
 	var sppconf signer.ListProfilePermissionsOutput
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSSignerSigningProfileDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config:  testAccAWSSignerSigningProfilePermissionGetSP(profileName),
 				Destroy: false,
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSignerSigningProfileExists(profileResourceName, profileName, &conf),
+					testAccCheckAWSSignerSigningProfileExists(profileResourceName, &conf),
 					testAccCheckAWSSignerSigningProfilePermissionExists(resourceName, profileName, &sppconf),
 				),
 			},
@@ -77,7 +77,7 @@ func TestAccAWSSignerSigningProfilePermission_GetSigningProfile(t *testing.T) {
 				Config:  testAccAWSSignerSigningProfilePermissionRevokeSignature(profileName),
 				Destroy: false,
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSignerSigningProfileExists(profileResourceName, profileName, &conf),
+					testAccCheckAWSSignerSigningProfileExists(profileResourceName, &conf),
 					testAccCheckAWSSignerSigningProfilePermissionExists(resourceName, profileName, &sppconf),
 				),
 			},
@@ -96,14 +96,14 @@ func TestAccAWSSignerSigningProfilePermission_StartSigningJob_GetSP(t *testing.T
 	var sppconf signer.ListProfilePermissionsOutput
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSSignerSigningProfileDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccAWSSignerSigningProfilePermissionStartSigningJobGetSP(profileName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSignerSigningProfileExists(profileResourceName, profileName, &conf),
+					testAccCheckAWSSignerSigningProfileExists(profileResourceName, &conf),
 					testAccCheckAWSSignerSigningProfilePermissionExists(resourceName1, profileName, &sppconf),
 					testAccCheckAWSSignerSigningProfilePermissionExists(resourceName2, profileName, &sppconf),
 				),
@@ -129,7 +129,7 @@ func TestAccAWSSignerSigningProfilePermission_StatementPrefix(t *testing.T) {
 	var sppconf signer.ListProfilePermissionsOutput
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckSingerSigningProfile(t, "AWSLambda-SHA384-ECDSA") },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAWSSignerSigningProfileDestroy,
 		Steps: []resource.TestStep{