[Enhancement]: Export Neptune Cluster Resource ARN in Required Format

Description

Currently, the Terraform Neptune resource exports the administrative ARN as arn, which works fine for actions requiring administrative access to the cluster. However, for IAM policies, the resource ARN in the format:

arn:aws:neptune-db:region:account-id:cluster-resource-id/*

is often required in the Resource field. From what I’ve observed, Terraform doesn’t directly export this ARN, despite providing the cluster_resource_id attribute. Users are forced to build this ARN manually, typically like so:

data "aws_caller_identity" "current" {}

locals {
  neptune_cluster_arn = "arn:aws:neptune-db:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${aws_neptune_cluster.db.cluster_resource_id}/*"
}

This method requires additional steps and string interpolation, which is both tedious and prone to errors, especially in environments where the resource ARN is frequently needed in IAM policies. By having Terraform natively export this ARN from the cluster resource, users would save time and reduce the risk of mistakes during deployment.

Affected Resource(s) and/or Data Source(s)

aws_neptune_cluster

Potential Terraform Configuration

resource "aws_iam_policy" "neptune_data_access_policy" {
  name        = "neptune-data-access-policy"
  path        = "/"
  description = "allows all data api actions on neptune cluster"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "neptune:*",
        ]
        Effect   = "Allow"
        Resource = aws_neptune_cluster.db.resource_arn
      },
    ]
  })
}

References

aws doc link

hashicorp / terraform-provider-aws