Merge pull request #35965 from noel-phelt/f-add-attributes-for-manage…

…-password-to-aws_redshiftserverless_namespace

feat: add attributes for manage password to aws redshiftserverless namespace

.changelog/35965.txt

@@ -0,0 +1,8 @@
+```release-note:enhancement
+resource/aws_redshiftserverless_namespace:
+Add attributes `admin_password_secret_kms_key_id` and `manage_admin_password`
+```
+
+```release-note:bug
+data/aws_redshiftserverless_namespace: Properly set `iam_roles` attribute on read
+```

internal/service/redshiftserverless/namespace.go

@@ -40,10 +40,21 @@ func ResourceNamespace() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"admin_password_secret_arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"admin_password_secret_kms_key_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: verify.ValidKMSKeyID,
+			},
 			"admin_user_password": {
-				Type:      schema.TypeString,
-				Optional:  true,
-				Sensitive: true,
+				Type:          schema.TypeString,
+				Optional:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"manage_admin_password"},
 			},
 			"admin_username": {
 				Type:      schema.TypeString,
@@ -89,6 +100,11 @@ func ResourceNamespace() *schema.Resource {
 					ValidateFunc: validation.StringInSlice(redshiftserverless.LogExport_Values(), false),
 				},
 			},
+			"manage_admin_password": {
+				Type:          schema.TypeBool,
+				Optional:      true,
+				ConflictsWith: []string{"admin_user_password"},
+			},
 			"namespace_id": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -116,6 +132,10 @@ func resourceNamespaceCreate(ctx context.Context, d *schema.ResourceData, meta i
 		Tags:          getTagsIn(ctx),
 	}
 
+	if v, ok := d.GetOk("admin_password_secret_kms_key_id"); ok {
+		input.AdminPasswordSecretKmsKeyId = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("admin_user_password"); ok {
 		input.AdminUserPassword = aws.String(v.(string))
 	}
@@ -144,6 +164,10 @@ func resourceNamespaceCreate(ctx context.Context, d *schema.ResourceData, meta i
 		input.LogExports = flex.ExpandStringSet(v.(*schema.Set))
 	}
 
+	if v, ok := d.GetOk("manage_admin_password"); ok {
+		input.ManageAdminPassword = aws.Bool(v.(bool))
+	}
+
 	output, err := conn.CreateNamespaceWithContext(ctx, input)
 
 	if err != nil {
@@ -172,6 +196,8 @@ func resourceNamespaceRead(ctx context.Context, d *schema.ResourceData, meta int
 	}
 
 	arn := aws.StringValue(output.NamespaceArn)
+	d.Set("admin_password_secret_arn", output.AdminPasswordSecretArn)
+	d.Set("admin_password_secret_kms_key_id", output.AdminPasswordSecretKmsKeyId)
 	d.Set("admin_username", output.AdminUsername)
 	d.Set("arn", arn)
 	d.Set("db_name", output.DbName)
@@ -194,6 +220,10 @@ func resourceNamespaceUpdate(ctx context.Context, d *schema.ResourceData, meta i
 			NamespaceName: aws.String(d.Id()),
 		}
 
+		if d.HasChanges("admin_password_secret_kms_key_id") {
+			input.AdminPasswordSecretKmsKeyId = aws.String(d.Get("admin_password_secret_kms_key_id").(string))
+		}
+
 		if d.HasChanges("admin_username", "admin_user_password") {
 			input.AdminUsername = aws.String(d.Get("admin_username").(string))
 			input.AdminUserPassword = aws.String(d.Get("admin_user_password").(string))
@@ -215,6 +245,10 @@ func resourceNamespaceUpdate(ctx context.Context, d *schema.ResourceData, meta i
 			input.LogExports = flex.ExpandStringSet(d.Get("log_exports").(*schema.Set))
 		}
 
+		if d.HasChange("manage_admin_password") {
+			input.ManageAdminPassword = aws.Bool(d.Get("manage_admin_password").(bool))
+		}
+
 		_, err := conn.UpdateNamespaceWithContext(ctx, input)
 
 		if err != nil {

internal/service/redshiftserverless/namespace_data_source.go

@@ -82,7 +82,7 @@ func dataSourceNamespaceRead(ctx context.Context, d *schema.ResourceData, meta i
 	d.Set("arn", resource.NamespaceArn)
 	d.Set("db_name", resource.DbName)
 	d.Set("default_iam_role_arn", resource.DefaultIamRoleArn)
-	d.Set("iam_roles", resource.IamRoles)
+	d.Set("iam_roles", flattenNamespaceIAMRoles(resource.IamRoles))
 	d.Set("kms_key_id", resource.KmsKeyId)
 	d.Set("log_exports", resource.LogExports)
 

internal/service/redshiftserverless/namespace_test.go

@@ -218,6 +218,30 @@ func TestAccRedshiftServerlessNamespace_withWorkgroup(t *testing.T) {
 	})
 }
 
+func TestAccRedshiftServerlessNamespace_manageAdminPassword(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_redshiftserverless_namespace.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.RedshiftServerlessServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckNamespaceDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNamespaceConfig_manageAdminPassword(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNamespaceExists(ctx, resourceName),
+					testAccCheckNamespaceExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "manage_admin_password", "true"),
+					resource.TestCheckResourceAttrSet(resourceName, "admin_password_secret_arn"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckNamespaceDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).RedshiftServerlessConn(ctx)
@@ -363,6 +387,15 @@ resource "aws_redshiftserverless_namespace" "test" {
 `, rName))
 }
 
+func testAccNamespaceConfig_manageAdminPassword(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_redshiftserverless_namespace" "test" {
+  namespace_name        = %[1]q
+  manage_admin_password = true
+}
+`, rName)
+}
+
 func testAccNamespaceConfig_withWorkgroup(rName string) string {
 	return acctest.ConfigCompose(testAccNamespaceConfig_baseIAMRole(rName, 2), fmt.Sprintf(`
 resource "aws_redshiftserverless_namespace" "test" {

website/docs/r/redshiftserverless_namespace.html.markdown

@@ -22,14 +22,18 @@ resource "aws_redshiftserverless_namespace" "example" {
 
 This resource supports the following arguments:
 
+* `admin_password_secret_kms_key_id` - (Optional) ID of the KMS key used to encrypt the namespace's admin credentials secret.
 * `admin_user_password` - (Optional) The password of the administrator for the first database created in the namespace.
+  Conflicts with `manage_admin_password`.
 * `admin_username` - (Optional) The username of the administrator for the first database created in the namespace.
 * `db_name` - (Optional) The name of the first database created in the namespace.
 * `default_iam_role_arn` - (Optional) The Amazon Resource Name (ARN) of the IAM role to set as a default in the namespace. When specifying `default_iam_role_arn`, it also must be part of `iam_roles`.
 * `iam_roles` - (Optional) A list of IAM roles to associate with the namespace.
 * `kms_key_id` - (Optional) The ARN of the Amazon Web Services Key Management Service key used to encrypt your data.
 * `log_exports` - (Optional) The types of logs the namespace can export. Available export types are `userlog`, `connectionlog`, and `useractivitylog`.
 * `namespace_name` - (Required) The name of the namespace.
+* `manage_admin_password` - (Optional) Whether to use AWS SecretManager to manage namespace's admin credentials.
+  Conflicts with `admin_user_password`.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 
 ## Attribute Reference