Merge pull request #40536 from hashicorp/f-rds_certificate_default

r/rds_certificate: add `default_for_new_launches` attribute
hashicorp · Dec 23, 2024 · 300942d · 300942d
2 parents 97d06a8 + c07a3b3
commit 300942d
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 4 deletions.
diff --git a/.changelog/40536.txt b/.changelog/40536.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+data-source/aws_rds_certificate: Add `default_for_new_launches` attribute
+```
diff --git a/internal/service/rds/certificate_data_source.go b/internal/service/rds/certificate_data_source.go
@@ -40,14 +40,20 @@ func dataSourceCertificate() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"default_for_new_launches": {
+				Type:          schema.TypeBool,
+				Optional:      true,
+				ConflictsWith: []string{"latest_valid_till"},
+			},
 			names.AttrID: {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
 			},
 			"latest_valid_till": {
-				Type:     schema.TypeBool,
-				Optional: true,
+				Type:          schema.TypeBool,
+				Optional:      true,
+				ConflictsWith: []string{"default_for_new_launches"},
 			},
 			"thumbprint": {
 				Type:     schema.TypeString,
@@ -76,7 +82,8 @@ func dataSourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta
 	}
 
 	var certificates []types.Certificate
-
+	var hasDefault bool
+	var defaultCertificate string
 	pages := rds.NewDescribeCertificatesPaginator(conn, input)
 	for pages.HasMorePages() {
 		page, err := pages.NextPage(ctx)
@@ -85,6 +92,11 @@ func dataSourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta
 			return sdkdiag.AppendErrorf(diags, "reading RDS Certificates: %s", err)
 		}
 
+		if page.DefaultCertificateForNewLaunches != nil && aws.ToString(page.DefaultCertificateForNewLaunches) != "" && !hasDefault {
+			hasDefault = true
+			defaultCertificate = aws.ToString(page.DefaultCertificateForNewLaunches)
+		}
+
 		certificates = append(certificates, page.Certificates...)
 	}
 
@@ -100,6 +112,16 @@ func dataSourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta
 			return a.ValidTill.Compare(*b.ValidTill)
 		})
 		certificate = &certificates[len(certificates)-1]
+	} else if d.Get("default_for_new_launches").(bool) {
+		i := slices.IndexFunc(certificates, func(c types.Certificate) bool {
+			return aws.ToString(c.CertificateIdentifier) == defaultCertificate
+		})
+
+		if i != -1 {
+			certificate = &certificates[i]
+		} else {
+			return sdkdiag.AppendErrorf(diags, "no default RDS Certificate found")
+		}
 	} else {
 		if len(certificates) > 1 {
 			return sdkdiag.AppendErrorf(diags, "multiple RDS Certificates match the criteria; try changing search query")

diff --git a/internal/service/rds/certificate_data_source_test.go b/internal/service/rds/certificate_data_source_test.go
@@ -62,6 +62,32 @@ func TestAccRDSCertificateDataSource_latestValidTill(t *testing.T) {
 	})
 }
 
+func TestAccRDSCertificateDataSource_defaultForNewLaunches(t *testing.T) {
+	ctx := acctest.Context(t)
+	dataSourceName := "data.aws_rds_certificate.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccCertificatePreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.RDSServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCertificateDataSourceConfig_defaultForNewLaunches(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					acctest.MatchResourceAttrRegionalARNNoAccount(dataSourceName, names.AttrARN, "rds", regexache.MustCompile(`cert:rds-ca-[-0-9a-z]+$`)),
+					resource.TestCheckResourceAttr(dataSourceName, "customer_override", acctest.CtFalse),
+					resource.TestCheckNoResourceAttr(dataSourceName, "customer_override_valid_till"),
+					resource.TestMatchResourceAttr(dataSourceName, names.AttrID, regexache.MustCompile(`^rds-ca-[-0-9a-z]+$`)),
+					resource.TestMatchResourceAttr(dataSourceName, "thumbprint", regexache.MustCompile(`^[0-9a-f]+$`)),
+					resource.TestMatchResourceAttr(dataSourceName, "valid_from", regexache.MustCompile(acctest.RFC3339RegexPattern)),
+					resource.TestMatchResourceAttr(dataSourceName, "valid_till", regexache.MustCompile(acctest.RFC3339RegexPattern)),
+				),
+			},
+		},
+	})
+}
+
 func testAccCertificatePreCheck(ctx context.Context, t *testing.T) {
 	conn := acctest.Provider.Meta().(*conns.AWSClient).RDSClient(ctx)
 
@@ -97,3 +123,10 @@ data "aws_rds_certificate" "test" {
 }
 `
 }
+
+func testAccCertificateDataSourceConfig_defaultForNewLaunches() string {
+	return `
+data "aws_rds_certificate" "test" {
+  default_for_new_launches = true
+}`
+}
diff --git a/internal/service/rds/cluster_test.go b/internal/service/rds/cluster_test.go
@@ -3626,10 +3626,14 @@ data "aws_rds_orderable_db_instance" "test" {
   supports_iops              = true
 }
 
+data "aws_rds_certificate" "test" {
+  default_for_new_launches = true
+}
+
 resource "aws_rds_cluster" "test" {
   apply_immediately         = true
   db_subnet_group_name      = aws_db_subnet_group.test.name
-  ca_certificate_identifier = "rds-ca-rsa2048-g1"
+  ca_certificate_identifier = data.aws_rds_certificate.test.id
   cluster_identifier        = %[1]q
   engine                    = data.aws_rds_orderable_db_instance.test.engine
   engine_version            = data.aws_rds_orderable_db_instance.test.engine_version

diff --git a/website/docs/d/rds_certificate.html.markdown b/website/docs/d/rds_certificate.html.markdown
@@ -23,6 +23,7 @@ data "aws_rds_certificate" "example" {
 This data source supports the following arguments:
 
 * `id` - (Optional) Certificate identifier. For example, `rds-ca-2019`.
+* `default_for_new_launches` - (Optional) When enabled, returns the default certificate for new RDS instances.
 * `latest_valid_till` - (Optional) When enabled, returns the certificate with the latest `ValidTill`.
 
 ## Attribute Reference