hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

[Bug]: Updating IoT Authorizer Always Fails when Signing Is Disabled #1543

Open PeterBurner opened 6 months ago

PeterBurner commented 6 months ago

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform: 1.7.5
Provider: 0.74.0

Affected Resource(s)

Terraform Configuration Files

resource "awscc_iam_role" "this" {
  role_name = "test"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
}

data "archive_file" "this" {
  type                    = "zip"
  source_content          = "export function handler() {}"
  source_content_filename = "index.js"
  output_path             = "lambda_function_payload.zip"
}

resource "awscc_lambda_function" "this" {
  function_name = "lambda_function_name"
  code = {
    zip_file = data.archive_file.this.output_path
  }
  package_type  = "Zip"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  timeout       = "300"
  memory_size   = "128"
  role          = awscc_iam_role.this.arn
  architectures = ["arm64"]
}

resource "awscc_lambda_permission" "with_sns" {
  action        = "lambda:InvokeFunction"
  function_name = awscc_lambda_function.this.function_name
  principal     = "iot.amazonaws.com"
  source_arn    = awscc_iot_authorizer.this.arn
}

resource "awscc_iot_authorizer" "this" {
  authorizer_function_arn = awscc_lambda_function.this.arn
  authorizer_name         = "test"
  enable_caching_for_http = true
  signing_disabled        = true
  status                  = "ACTIVE"
  tags = [
    {
      key   = "b"
      value = "test"
    },
    {
      key   = "a"
      value = "test"
    }
  ]
}

Panic Output

│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with awscc_iot_authorizer.this,
│   on main.tf line 69, in resource "awscc_iot_authorizer" "this":
│   69: resource "awscc_iot_authorizer" "this" {
│ 
│ Waiting for Cloud Control API service UpdateResource operation completion
│ returned: waiter state transitioned to FAILED. StatusMessage: Invalid
│ request provided: Token signing keys map must be null for authorizer
│ test if using optional signature header (Service: Iot, Status
│ Code: 400, Request ID: ea17b62d-20ce-449f-a5c3-e5b49b9f672a). ErrorCode:
│ InvalidRequest

Expected Behavior

When the signing feature is disabled, updates to the resource should not fail.

Actual Behavior

When signing_disabled is set to true, the initial deployment succeeds. However, all subsequent deployments with changes to the resource block fail. Setting token_signing_public_keys to null, as suggested in the error message, does not help.

Steps to Reproduce

  1. terraform apply with the provided Terraform config.
  2. Change something (for example tags)
  3. terraform apply with changed configuration

wellsiau-aws commented 6 months ago

I was able to replicate this using the CCAPI CLI; I believe this is an upstream issue.

aws cloudcontrol update-resource \
  --type-name AWS::IoT::Authorizer \
  --identifier test \
  --patch-document '[{"op":"replace", "path": "/EnableCachingForHttp", "value": true}]'