New List Resource: aws_iam_user #46869

Merged
jar-b merged 5 commits into main from f-iam_user-list
Mar 16, 2026
@jar-b (Member) commented Mar 11, 2026

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

Adds a new list resource for aws_iam_user. Also introduces resource identity in order to support list. Because the provider currently allows the name and path to be modified in place, the identity will be considered mutable.

Output from Acceptance Testing

```console
% make t K=iam T=TestAccIAMUser_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-iam_user-list 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_'  -timeout 360m -vet=off
2026/03/10 16:59:25 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/10 16:59:25 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccIAMUser_ForceDestroy_policyInlineAttached (37.44s)
=== CONT  TestAccIAMUser_Tags_DefaultTags_nullOverlappingResourceTag
--- PASS: TestAccIAMUser_ForceDestroy_policyInline (38.11s)
=== CONT  TestAccIAMUser_Tags_addOnUpdate
--- PASS: TestAccIAMUser_ForceDestroy_policyAttached (40.43s)
=== CONT  TestAccIAMUser_Tags_EmptyTag_onCreate
--- PASS: TestAccIAMUser_ForceDestroy_serviceSpecificCred (48.37s)
=== CONT  TestAccIAMUser_List_basic
--- PASS: TestAccIAMUser_ForceDestroy_sshKey (49.97s)
=== CONT  TestAccIAMUser_List_pathPrefix
--- PASS: TestAccIAMUser_ForceDestroy_signingCertificate (50.13s)
=== CONT  TestAccIAMUser_List_includeResource
--- PASS: TestAccIAMUser_Tags_DefaultTags_nullNonOverlappingResourceTag (52.72s)
=== CONT  TestAccIAMUser_Identity_ExistingResource_noRefreshNoChange
--- PASS: TestAccIAMUser_Tags_DefaultTags_emptyProviderOnlyTag (52.79s)
=== CONT  TestAccIAMUser_Tags_EmptyTag_OnUpdate_replace
--- PASS: TestAccIAMUser_pathChange (70.56s)
=== CONT  TestAccIAMUser_Tags_DefaultTags_overlapping
--- PASS: TestAccIAMUser_basic (74.38s)
=== CONT  TestAccIAMUser_ForceDestroy_loginProfile
--- PASS: TestAccIAMUser_nameChange (74.60s)
=== CONT  TestAccIAMUser_ForceDestroy_mfaDevice
--- PASS: TestAccIAMUser_nameAndTags (78.83s)
=== CONT  TestAccIAMUser_Tags_emptyMap
--- PASS: TestAccIAMUser_Identity_basic (80.27s)
=== CONT  TestAccIAMUser_ForceDestroy_accessKey
--- PASS: TestAccIAMUser_List_basic (41.29s)
=== CONT  TestAccIAMUser_Identity_ExistingResource_basic
--- PASS: TestAccIAMUser_List_pathPrefix (39.78s)
=== CONT  TestAccIAMUser_Tags_DefaultTags_emptyResourceTag
--- PASS: TestAccIAMUser_Tags_ComputedTag_OnUpdate_replace (89.84s)
=== CONT  TestAccIAMUser_Tags_IgnoreTags_Overlap_resourceTag
--- PASS: TestAccIAMUser_Tags_DefaultTags_updateToProviderOnly (93.33s)
=== CONT  TestAccIAMUser_Tags_IgnoreTags_Overlap_defaultTag
--- PASS: TestAccIAMUser_List_includeResource (43.50s)
=== CONT  TestAccIAMUser_Tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccIAMUser_Tags_DefaultTags_nullOverlappingResourceTag (56.25s)
=== CONT  TestAccIAMUser_Tags_null
--- PASS: TestAccIAMUser_ForceDestroy_loginProfile (48.24s)
=== CONT  TestAccIAMUser_Tags_ComputedTag_OnUpdate_add
--- PASS: TestAccIAMUser_ForceDestroy_mfaDevice (48.13s)
=== CONT  TestAccIAMUser_disappears
--- PASS: TestAccIAMUser_Tags_addOnUpdate (88.04s)
=== CONT  TestAccIAMUser_Tags_ComputedTag_onCreate
--- PASS: TestAccIAMUser_ForceDestroy_accessKey (46.02s)
--- PASS: TestAccIAMUser_Tags_EmptyTag_OnUpdate_add (129.04s)
--- PASS: TestAccIAMUser_Identity_ExistingResource_noRefreshNoChange (83.11s)
--- PASS: TestAccIAMUser_Tags_DefaultTags_nonOverlapping (137.36s)
--- PASS: TestAccIAMUser_Tags_EmptyTag_OnUpdate_replace (85.10s)
--- PASS: TestAccIAMUser_Tags_DefaultTags_emptyResourceTag (51.48s)
--- PASS: TestAccIAMUser_Tags_EmptyTag_onCreate (101.00s)
--- PASS: TestAccIAMUser_Tags_emptyMap (72.41s)
--- PASS: TestAccIAMUser_disappears (29.67s)
--- PASS: TestAccIAMUser_Tags_null (62.64s)
--- PASS: TestAccIAMUser_Identity_ExistingResource_basic (68.49s)
--- PASS: TestAccIAMUser_Tags_DefaultTags_updateToResourceOnly (67.80s)
--- PASS: TestAccIAMUser_Tags_ComputedTag_onCreate (35.76s)
--- PASS: TestAccIAMUser_tags (163.88s)
--- PASS: TestAccIAMUser_Tags_DefaultTags_providerOnly (166.94s)
--- PASS: TestAccIAMUser_permissionsBoundary (169.05s)
--- PASS: TestAccIAMUser_Tags_IgnoreTags_Overlap_defaultTag (77.29s)
--- PASS: TestAccIAMUser_Tags_ComputedTag_OnUpdate_add (49.49s)
--- PASS: TestAccIAMUser_Tags_DefaultTags_overlapping (102.18s)
--- PASS: TestAccIAMUser_Tags_IgnoreTags_Overlap_resourceTag (84.36s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        181.107s
```

@github-actions bot added the documentation, tests, service/iam, generators, prioritized, and size/XL labels Mar 11, 2026

// @SDKResource("aws_iam_user", name="User")
// @IdentityAttribute("name")
// @MutableIdentity
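
Review bot: `// @MutableIdentity` on the last line shown has no accompanying comment explaining why an identity built from `name` is allowed to change. Add a one-line comment beside the annotation stating the reason, so that a later cleanup does not remove it as if it were an oversight.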
Member Author

Identity is mutable because the provider allows name and path to be modified in place.

Perhaps this is something we reconsider in a future major version, but for now I'm not sure we can avoid marking it this way without breaking existing behavior.

Contributor

The AWS API also allows changing the name and path in-place.

Technically, the UserId (exposed as unique_id in the provider) is the stable unique identifier, but it's not exposed to the user, so not useful for import.

Alternatively, we could use unique_id as the Identifier, but the GetUser and ListUsers API calls aren't documented to accept the value, just the name. This would require a "full table scan" for reading IAM Users.
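
The trade-off raised in this thread, as an added example (not code from the PR or the provider): a name-keyed lookup stops resolving after an in-place rename, while a lookup by the stable UserId has to page through the whole user list. `fakeIAM`, `FindByUniqueID`, `Demo` and the `AIDAEXAMPLE...` IDs are hypothetical stand-ins and constructed sample data.

```go
package main

import "fmt"

// User carries the fields from the thread; fakeIAM is a hypothetical in-memory
// stand-in for the IAM API whose Calls field counts simulated requests.
type User struct{ UserName, Path, UserID string }
type fakeIAM struct{ users []User; pageSize, Calls int }

// GetUser resolves by name only, in one request.
func (f *fakeIAM) GetUser(name string) (User, bool) {
	f.Calls++
	for _, u := range f.users {
		if u.UserName == name {
			return u, true
		}
	}
	return User{}, false
}

// ListUsers returns one page starting at marker; next is -1 after the last page.
func (f *fakeIAM) ListUsers(marker int) ([]User, int) {
	f.Calls++
	if end := marker + f.pageSize; end < len(f.users) {
		return f.users[marker:end], end
	}
	return f.users[marker:], -1
}

// FindByUniqueID pages through every user until the stable UserId matches.
func FindByUniqueID(f *fakeIAM, id string) (User, bool) {
	for next := 0; next >= 0; {
		var page []User
		page, next = f.ListUsers(next)
		for _, u := range page {
			if u.UserID == id {
				return u, true
			}
		}
	}
	return User{}, false
}

// Demo renames a user in place, then tries the old name and the UserId.
func Demo() (byName, byID bool, nameNow string, calls int) {
	f := &fakeIAM{pageSize: 2, users: []User{ // constructed sample data
		{"alice", "/", "AIDAEXAMPLE0001"}, {"bob", "/", "AIDAEXAMPLE0002"},
		{"carol", "/ops/", "AIDAEXAMPLE0003"}}}
	f.users[2].UserName = "carol-admin" // rename in place; UserID is unchanged
	_, byName = f.GetUser("carol")      // the stored name no longer resolves
	u, byID := FindByUniqueID(f, "AIDAEXAMPLE0003")
	return byName, byID, u.UserName, f.Calls
}

func main() { fmt.Println(Demo()) }
```

The request count grows with the number of users in the account, which is the "full table scan" cost the comment describes.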

@jar-b force-pushed the f-iam_user-list branch 2 times, most recently from ae99910 to dd6e5a4, March 11, 2026 17:28
@jar-b marked this pull request as ready for review March 11, 2026 17:55
@jar-b requested a review from a team as a code owner March 11, 2026 17:55
@dosubot bot added the new-list-resource label Mar 11, 2026
@gdavison (Contributor) left a comment

Missing some attributes from the includeResource test. Otherwise, looks good.


gdavison previously approved these changes Mar 12, 2026

@gdavison (Contributor) left a comment

Looks good! 🚀

jar-b added 4 commits March 13, 2026 14:17
This resource uses a parameterized identity with a single attribute, `name`.

```console
% make t K=iam T=TestAccIAMUser_Identity
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 tmp1 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_Identity'  -timeout 360m -vet=off
2026/03/10 14:11:46 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/10 14:11:46 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccIAMUser_Identity_basic (29.64s)
--- PASS: TestAccIAMUser_Identity_ExistingResource_basic (50.50s)
--- PASS: TestAccIAMUser_Identity_ExistingResource_noRefreshNoChange (54.20s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        61.441s
```
```console
% make t K=iam T=TestAccIAMUser_List
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-iam_user-list 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_List'  -timeout 360m -vet=off
2026/03/12 15:54:44 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/12 15:54:44 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccIAMUser_List_basic (12.64s)
--- PASS: TestAccIAMUser_List_pathPrefix (12.70s)
--- PASS: TestAccIAMUser_List_includeResource (12.74s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        19.583s
```
The `SetResult` signature swapped the order of the final two arguments.

```console
% make t K=iam T=TestAccIAMUser_List
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-iam_user-list 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_List'  -timeout 360m -vet=off
2026/03/13 14:37:22 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/13 14:37:22 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccIAMUser_List_basic (23.29s)
--- PASS: TestAccIAMUser_List_pathPrefix (23.40s)
--- PASS: TestAccIAMUser_List_includeResource (23.64s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        33.605s
```
@jar-b force-pushed the f-iam_user-list branch from 4fca258 to 3a3da1a, March 13, 2026 18:56

@gdavison (Contributor) left a comment

Looks good! 🚀

@jar-b merged commit 020c617 into main Mar 16, 2026
73 checks passed
@jar-b deleted the f-iam_user-list branch March 16, 2026 13:56
@github-actions bot added this to the v6.37.0 milestone Mar 16, 2026
terraform-aws-provider bot pushed a commit that referenced this pull request Mar 16, 2026