diff --git a/.changelog/40726.txt b/.changelog/40726.txt new file mode 100644 index 000000000000..4a89f9f8159c --- /dev/null +++ b/.changelog/40726.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_sagemaker_domain: Modification of `domain_settings.security_group_ids` no longer forces a replacement +``` diff --git a/internal/service/sagemaker/domain.go b/internal/service/sagemaker/domain.go index 1d5b76953b9b..a5b7c5167465 100644 --- a/internal/service/sagemaker/domain.go +++ b/internal/service/sagemaker/domain.go @@ -1384,7 +1384,6 @@ func resourceDomain() *schema.Resource { names.AttrSecurityGroupIDs: { Type: schema.TypeSet, Optional: true, - ForceNew: true, MaxItems: 3, Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -1745,6 +1744,8 @@ func expandDomainSettingsUpdate(l []any) *awstypes.DomainSettingsForUpdate { if v, ok := m[names.AttrSecurityGroupIDs].(*schema.Set); ok && v.Len() > 0 { config.SecurityGroupIds = flex.ExpandStringValueSet(v) + } else { + config.SecurityGroupIds = []string{} } if v, ok := m["r_studio_server_pro_domain_settings"].([]any); ok && len(v) > 0 { diff --git a/internal/service/sagemaker/domain_test.go b/internal/service/sagemaker/domain_test.go index b5c73e0bcf6b..24fcc08e0a52 100644 --- a/internal/service/sagemaker/domain_test.go +++ b/internal/service/sagemaker/domain_test.go @@ -13,6 +13,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/sagemaker" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/plancheck" "github.com/hashicorp/terraform-plugin-testing/terraform" "github.com/hashicorp/terraform-provider-aws/internal/acctest" "github.com/hashicorp/terraform-provider-aws/internal/conns" 
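Review bot: The new `else` branch in expandDomainSettingsUpdate (domain.go, second hunk) needs a comment saying why it assigns a non-nil empty slice, because `config.SecurityGroupIds = []string{}` reads like a no-op next to leaving the field nil. Presumably a nil slice is omitted from the UpdateDomain request and the existing groups would stay attached, while the empty slice clears them; I would add `// Send an explicit empty list so that removing security_group_ids detaches the groups instead of leaving them attached.` above the assignment. The branch also runs when the attribute was never set, so every domain_settings update now carries an empty list, and it is worth confirming the API accepts that for domains that never had domain-level security groups. With `ForceNew` dropped in the first domain.go hunk, a change to this set appears in a plan as an in-place update, so the domain's network boundary can change without a replacement to draw attention to it. The function body starts and ends outside the hunk.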
@@ -102,6 +103,58 @@ func testAccDomain_domainSettings(t *testing.T) { }) } +func testAccDomain_domainSettingsSecurityGroupIDs(t *testing.T) { + ctx := acctest.Context(t) + var domain sagemaker.DescribeDomainOutput + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_sagemaker_domain.test" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, names.SageMakerServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckDomainDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccDomainConfig_domainSettingsSecurityGroupIDs(rName, "DISABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckDomainExists(ctx, resourceName, &domain), + resource.TestCheckResourceAttr(resourceName, "domain_settings.#", "1"), + resource.TestCheckResourceAttr(resourceName, "domain_settings.0.execution_role_identity_config", "DISABLED"), + resource.TestCheckResourceAttr(resourceName, "domain_settings.0.security_group_ids.#", "1"), + ), + }, + { + Config: testAccDomainConfig_domainSettings(rName, "DISABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckDomainExists(ctx, resourceName, &domain), + resource.TestCheckResourceAttr(resourceName, "domain_settings.#", "1"), + resource.TestCheckResourceAttr(resourceName, "domain_settings.0.execution_role_identity_config", "DISABLED"), + ), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate), + }, + }, + }, + { + Config: testAccDomainConfig_domainSettingsSecurityGroupIDs(rName, "DISABLED"), + Check: resource.ComposeTestCheckFunc( + testAccCheckDomainExists(ctx, resourceName, &domain), + resource.TestCheckResourceAttr(resourceName, "domain_settings.#", "1"), + resource.TestCheckResourceAttr(resourceName, "domain_settings.0.execution_role_identity_config", "DISABLED"), + 
resource.TestCheckResourceAttr(resourceName, "domain_settings.0.security_group_ids.#", "1"), + ), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate), + }, + }, + }, + }, + }) +} + func testAccDomain_domainSettingsDockerSettingsUpdated(t *testing.T) { ctx := acctest.Context(t) var domain sagemaker.DescribeDomainOutput @@ -1941,6 +1994,35 @@ resource "aws_sagemaker_domain" "test" { `, rName, config)) } +func testAccDomainConfig_domainSettingsSecurityGroupIDs(rName, config string) string { + return acctest.ConfigCompose(testAccDomainConfig_base(rName), fmt.Sprintf(` +resource "aws_security_group" "test" { + vpc_id = aws_vpc.test.id + name = %[1]q +} + +resource "aws_sagemaker_domain" "test" { + domain_name = %[1]q + auth_mode = "IAM" + vpc_id = aws_vpc.test.id + subnet_ids = aws_subnet.test[*].id + + default_user_settings { + execution_role = aws_iam_role.test.arn + } + + domain_settings { + execution_role_identity_config = %[2]q + security_group_ids = [aws_security_group.test.id] + } + + retention_policy { + home_efs_file_system = "Delete" + } +} +`, rName, config)) +} + func testAccDomainConfig_domainSettingsDockerSettings(rName, config string) string { return acctest.ConfigCompose(testAccDomainConfig_base(rName), fmt.Sprintf(` data "aws_caller_identity" "current" {} diff --git a/internal/service/sagemaker/sagemaker_test.go b/internal/service/sagemaker/sagemaker_test.go index 9898f1b2a0ec..5439783728cd 100644 --- a/internal/service/sagemaker/sagemaker_test.go +++ b/internal/service/sagemaker/sagemaker_test.go 
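Review bot: The second step of testAccDomain_domainSettingsSecurityGroupIDs, which applies the config without security groups, never asserts that the set was emptied, so the new `else` branch in expandDomainSettingsUpdate is exercised but its effect is not verified. The plan check in that step confirms only that the action is an update; I would add `resource.TestCheckResourceAttr(resourceName, "domain_settings.0.security_group_ids.#", "0"),` to that step's Check. Detaching the groups is the security-relevant half of this change, so a group that stays attached after removal from the configuration should fail the test rather than pass unnoticed.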
@@ -71,6 +71,7 @@ func TestAccSageMaker_serial(t *testing.T) {
 "workspaceSettings": testAccDomain_workspaceSettings,
 "domainSettings": testAccDomain_domainSettings,
 "domainSettingsDockerSettingsUpdated": testAccDomain_domainSettingsDockerSettingsUpdated,
+ "domainSettingsSecurityGroupIDs": testAccDomain_domainSettingsSecurityGroupIDs,
 "rSessionAppSettings": testAccDomain_rSessionAppSettings,
 "rStudioServerProAppSettings": testAccDomain_rStudioServerProAppSettings,
 "rStudioServerProDomainSettings": testAccDomain_rStudioServerProDomainSettings,