hashicorp · gdavison · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026
@@ -31,9 +31,16 @@ func (v *stateValue) GetStateValue(resourceAddress string, attributePath tfjsonp
 	return newStateValueStateChecker(v)
 }
 
-// Value checks the stored state value against the provided value.
-// Calls to Value occur before any TestStep is run.
-func (v *stateValue) Value() knownvalue.Check {
+func (v *stateValue) Value() string {
+	if v.value == nil {
+		return "<state value not set>"
+	}
+	return *v.value
+}
+
+// ValueCheck checks the stored state value against the provided value.
+// Calls to ValueCheck occur before any TestStep is run.
+func (v *stateValue) ValueCheck() knownvalue.Check {
 	return newStateValueKnownValueChecker(v)
 }
 

@@ -43,7 +43,7 @@ func TestStateValue_ValuesSame(t *testing.T) { //nolint:paralleltest // false po
 }
 				`,
 				ConfigStateChecks: []statecheck.StateCheck{
-					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.Value()),
+					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.ValueCheck()),
 				},
 			},
 		},
@@ -77,7 +77,7 @@ func TestStateValue_ValuesNotSame(t *testing.T) { //nolint:paralleltest // false
 }
 				`,
 				ConfigStateChecks: []statecheck.StateCheck{
-					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.Value()),
+					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.ValueCheck()),
 				},
 				ExpectError: regexache.MustCompile(`expected value same for StateValue check, got: not same`),
 			},
@@ -103,7 +103,7 @@ func TestStateValue_NotInitialized(t *testing.T) { //nolint:paralleltest // fals
 }
 				`,
 				ConfigStateChecks: []statecheck.StateCheck{
-					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.Value()),
+					statecheck.ExpectKnownValue("test_resource.one", tfjsonpath.New("string_attribute"), stateValue.ValueCheck()),
 				},
 				ExpectError: regexache.MustCompile(`state value has not been set`),
 			},

@@ -64,11 +64,11 @@ func TestAccBatchJobDefinition_List_basic(t *testing.T) {
 				},
 				QueryResultChecks: []querycheck.QueryResultCheck{
 					querycheck.ExpectIdentity("aws_batch_job_definition.test", map[string]knownvalue.Check{
-						names.AttrARN: arn1.Value(),
+						names.AttrARN: arn1.ValueCheck(),
 					}),
 
 					querycheck.ExpectIdentity("aws_batch_job_definition.test", map[string]knownvalue.Check{
-						names.AttrARN: arn2.Value(),
+						names.AttrARN: arn2.ValueCheck(),
 					}),
 				},
 			},

@@ -146,13 +146,13 @@ func testAccEC2SecondarySubnet_List_filtered(t *testing.T) {
 					querycheck.ExpectNoIdentity("aws_ec2_secondary_subnet.test", map[string]knownvalue.Check{
 						names.AttrAccountID: tfknownvalue.AccountID(),
 						names.AttrRegion:    knownvalue.StringExact(acctest.Region()),
-						names.AttrID:        notExpected1.Value(),
+						names.AttrID:        notExpected1.ValueCheck(),
 					}),
 
 					querycheck.ExpectNoIdentity("aws_ec2_secondary_subnet.test", map[string]knownvalue.Check{
 						names.AttrAccountID: tfknownvalue.AccountID(),
 						names.AttrRegion:    knownvalue.StringExact(acctest.Region()),
-						names.AttrID:        notExpected2.Value(),
+						names.AttrID:        notExpected2.ValueCheck(),
 					}),
 				},
 			},

@@ -283,3 +283,22 @@ func newAttributeFilterList(m map[string]string) []awstypes.Filter {
 
 	return filters
 }
+
+func newMultiValueAttributeFilterList(m map[string][]string) []awstypes.Filter {
+	var filters []awstypes.Filter
+
+	// Sort the filters by name to make the output deterministic.
+	names := tfmaps.Keys(m)
+	slices.Sort(names)
+
+	for _, name := range names {
+		values := m[name]
+		if len(values) == 0 {
+			continue
+		}
+
+		filters = append(filters, newFilter(name, values))
+	}
+
+	return filters
+}
@@ -1723,6 +1723,17 @@ func findVPCDefaultNetworkACL(ctx context.Context, conn *ec2.Client, id string)
 	return findNetworkACL(ctx, conn, &input)
 }
 
+func batchFindVPCDefaultNetworkACLs(ctx context.Context, conn *ec2.Client, ids []string) (map[string]*awstypes.NetworkAcl, error) {
+	input := ec2.DescribeNetworkAclsInput{
+		Filters: newMultiValueAttributeFilterList(map[string][]string{
+			"default": {"true"},
+			"vpc-id":  ids,
+		}),
+	}
+
+	return batchFindNetworkACLs(ctx, conn, &input)
+}
+
 func findNATGateway(ctx context.Context, conn *ec2.Client, input *ec2.DescribeNatGatewaysInput) (*awstypes.NatGateway, error) {
 	output, err := findNATGateways(ctx, conn, input)
 
@@ -1850,6 +1861,21 @@ func findNetworkACL(ctx context.Context, conn *ec2.Client, input *ec2.DescribeNe
 	return tfresource.AssertSingleValueResult(output)
 }
 
+func batchFindNetworkACLs(ctx context.Context, conn *ec2.Client, input *ec2.DescribeNetworkAclsInput) (map[string]*awstypes.NetworkAcl, error) {
+	output, err := findNetworkACLs(ctx, conn, input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	results := make(map[string]*awstypes.NetworkAcl, len(output))
+	for i, v := range output {
+		results[aws.ToString(v.VpcId)] = &output[i]
+	}
+
+	return results, nil
+}
+
 func findNetworkACLs(ctx context.Context, conn *ec2.Client, input *ec2.DescribeNetworkAclsInput) ([]awstypes.NetworkAcl, error) {
 	var output []awstypes.NetworkAcl
 
@@ -1940,6 +1966,17 @@ func findVPCDefaultSecurityGroup(ctx context.Context, conn *ec2.Client, id strin
 	return findSecurityGroup(ctx, conn, &input)
 }
 
+func batchFindVPCDefaultSecurityGroups(ctx context.Context, conn *ec2.Client, ids []string) (map[string]*awstypes.SecurityGroup, error) {
+	input := ec2.DescribeSecurityGroupsInput{
+		Filters: newMultiValueAttributeFilterList(map[string][]string{
+			"group-name": {defaultSecurityGroupName},
+			"vpc-id":     ids,
+		}),
+	}
+
+	return batchFindSecurityGroups(ctx, conn, &input)
+}
+
 func findVPCDHCPOptionsAssociation(ctx context.Context, conn *ec2.Client, vpcID string, dhcpOptionsID string) error {
 	vpc, err := findVPCByID(ctx, conn, vpcID)
 
@@ -1967,6 +2004,17 @@ func findVPCMainRouteTable(ctx context.Context, conn *ec2.Client, id string) (*a
 	return findRouteTable(ctx, conn, &input)
 }
 
+func batchFindVPCMainRouteTables(ctx context.Context, conn *ec2.Client, ids []string) (map[string]*awstypes.RouteTable, error) {
+	input := ec2.DescribeRouteTablesInput{
+		Filters: newMultiValueAttributeFilterList(map[string][]string{
+			"association.main": {"true"},
+			"vpc-id":           ids,
+		}),
+	}
+
+	return batchFindRouteTables(ctx, conn, &input)
+}
+
 func findRouteTable(ctx context.Context, conn *ec2.Client, input *ec2.DescribeRouteTablesInput) (*awstypes.RouteTable, error) {
 	output, err := findRouteTables(ctx, conn, input)
 
@@ -1977,6 +2025,21 @@ func findRouteTable(ctx context.Context, conn *ec2.Client, input *ec2.DescribeRo
 	return tfresource.AssertSingleValueResult(output)
 }
 
+func batchFindRouteTables(ctx context.Context, conn *ec2.Client, input *ec2.DescribeRouteTablesInput) (map[string]*awstypes.RouteTable, error) {
+	output, err := findRouteTables(ctx, conn, input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	results := make(map[string]*awstypes.RouteTable, len(output))
+	for i, v := range output {
+		results[aws.ToString(v.VpcId)] = &output[i]
+	}
+
+	return results, nil
+}
+
 func findRouteTables(ctx context.Context, conn *ec2.Client, input *ec2.DescribeRouteTablesInput) ([]awstypes.RouteTable, error) {
 	var output []awstypes.RouteTable
 
@@ -2010,6 +2073,21 @@ func findSecurityGroup(ctx context.Context, conn *ec2.Client, input *ec2.Describ
 	return tfresource.AssertSingleValueResult(output)
 }
 
+func batchFindSecurityGroups(ctx context.Context, conn *ec2.Client, input *ec2.DescribeSecurityGroupsInput) (map[string]*awstypes.SecurityGroup, error) {
+	output, err := findSecurityGroups(ctx, conn, input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	results := make(map[string]*awstypes.SecurityGroup, len(output))
+	for i, v := range output {
+		results[aws.ToString(v.VpcId)] = &output[i]
+	}
+
+	return results, nil
+}
+
 func findSecurityGroups(ctx context.Context, conn *ec2.Client, input *ec2.DescribeSecurityGroupsInput) ([]awstypes.SecurityGroup, error) {
 	var output []awstypes.SecurityGroup
 

@@ -0,0 +1,22 @@
+# Copyright IBM Corp. 2014, 2026
+# SPDX-License-Identifier: MPL-2.0
+
+resource "aws_vpc" "test" {
+  count = var.resource_count
+
+  cidr_block = "10.1.0.0/16"
+
+  tags = var.resource_tags
+}
+
+variable "resource_count" {
+  description = "Number of resources to create"
+  type        = number
+  nullable    = false
+}
+
+variable "resource_tags" {
+  description = "Tags to set on resource"
+  type        = map(string)
+  nullable    = false
+}
@@ -0,0 +1,8 @@
+# Copyright IBM Corp. 2014, 2026
+# SPDX-License-Identifier: MPL-2.0
+
+list "aws_vpc" "test" {
+  provider = aws
+
+  include_resource = true
+}
@@ -292,6 +292,33 @@ func resourceVPCRead(ctx context.Context, d *schema.ResourceData, meta any) diag
 		diags = sdkdiag.AppendFromErr(diags, err)
 	}
 
+	if v, err := findVPCDefaultNetworkACL(ctx, conn, d.Id()); err != nil {
+		// e.g. RAM-shared VPC.
+		log.Printf("[WARN] Error reading EC2 VPC (%s) default NACL: %s", d.Id(), err)
+	} else {
+		d.Set("default_network_acl_id", v.NetworkAclId)
+	}
+
+	if v, err := findVPCMainRouteTable(ctx, conn, d.Id()); err != nil {
+		// e.g. RAM-shared VPC.
+		log.Printf("[WARN] Error reading EC2 VPC (%s) main Route Table: %s", d.Id(), err)
+		d.Set("default_route_table_id", nil)
+		d.Set("main_route_table_id", nil)
+	} else {
+		d.Set("default_route_table_id", v.RouteTableId)
+		d.Set("main_route_table_id", v.RouteTableId)
+	}
+
+	if v, err := findVPCDefaultSecurityGroup(ctx, conn, d.Id()); err != nil {
+		// e.g. RAM-shared VPC.
+		log.Printf("[WARN] Error reading EC2 VPC (%s) default Security Group: %s", d.Id(), err)
+		d.Set("default_security_group_id", nil)
+	} else {
+		d.Set("default_security_group_id", v.GroupId)
+	}
+
+	setTagsOut(ctx, vpc.Tags)
+
 	return diags
 }
 
@@ -684,31 +711,6 @@ func resourceVPCFlatten(ctx context.Context, client *conns.AWSClient, vpc *awsty
 		d.Set("enable_network_address_usage_metrics", v)
 	}
 
-	if v, err := findVPCDefaultNetworkACL(ctx, conn, d.Id()); err != nil {
-		// e.g. RAM-shared VPC.
-		log.Printf("[WARN] Error reading EC2 VPC (%s) default NACL: %s", d.Id(), err)
-	} else {
-		d.Set("default_network_acl_id", v.NetworkAclId)
-	}
-
-	if v, err := findVPCMainRouteTable(ctx, conn, d.Id()); err != nil {
-		// e.g. RAM-shared VPC.
-		log.Printf("[WARN] Error reading EC2 VPC (%s) main Route Table: %s", d.Id(), err)
-		d.Set("default_route_table_id", nil)
-		d.Set("main_route_table_id", nil)
-	} else {
-		d.Set("default_route_table_id", v.RouteTableId)
-		d.Set("main_route_table_id", v.RouteTableId)
-	}
-
-	if v, err := findVPCDefaultSecurityGroup(ctx, conn, d.Id()); err != nil {
-		// e.g. RAM-shared VPC.
-		log.Printf("[WARN] Error reading EC2 VPC (%s) default Security Group: %s", d.Id(), err)
-		d.Set("default_security_group_id", nil)
-	} else {
-		d.Set("default_security_group_id", v.GroupId)
-	}
-
 	if ipv6CIDRBlockAssociation := defaultIPv6CIDRBlockAssociation(vpc, d.Get("ipv6_association_id").(string)); ipv6CIDRBlockAssociation == nil {
 		d.Set("assign_generated_ipv6_cidr_block", nil)
 		d.Set("ipv6_association_id", nil)
@@ -748,8 +750,6 @@ func resourceVPCFlatten(ctx context.Context, client *conns.AWSClient, vpc *awsty
 		}
 	}
 
-	setTagsOut(ctx, vpc.Tags)
-
 	return nil
 }