awscc_cleanrooms_collaboration resource: membership_abilities parameter not being passed to the Cloud Control API

[rmalecky]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.8.4 on darwin_amd64

• provider registry.terraform.io/hashicorp/aws v4.67.0
• provider registry.terraform.io/hashicorp/awscc v1.0.0

Affected Resource(s)

• awscc_cleanrooms_collaboration

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
    awscc = {
      source  = "hashicorp/awscc"
      version = "~> 1.0.0"
    }
  }

  required_version = ">= 1.2.0"
}

provider "aws" {
  region  = "us-west-2"
}

provider "awscc" {
  region  = "us-west-2"
}

resource "awscc_cleanrooms_collaboration" "my_cc_collaboration" {
  creator_display_name = "creator"
  creator_member_abilities = ["CAN_QUERY", "CAN_RECEIVE_RESULTS"]
  description = "Created with Terraform"
  members = [
    {
        account_id = "111122223333"
        display_name = "Account 1111222223333"
        member_abilities = []
    },
    {
        account_id = "444455556666"
        display_name = "Account 444455556666"
        member_abilities = []
    },

  ]
  name = "Created with Terraform"
  query_log_status = "ENABLED"
  creator_payment_configuration = {
    query_compute = {
        is_responsible = true
    }
  }
}

Debug Output

https://gist.github.com/rmalecky/a7f49c99f58ed4542805026d8633163e

Expected Behavior

I expected the above HCL to create an AWS Clean Rooms Collaboration.

Actual Behavior

I get an error stating that Members.MemberAbilities key is missing

Steps to Reproduce

run the included HCL script with an AWS account is an AWS region AWS Clean Rooms is supported (us-east-1, us-east-2, us-west-2, ..)

1. terraform apply

Important Factoids

The Members Abilities is a required field, if no abilities are included for a member the call must pass an empty array. https://docs.aws.amazon.com/clean-rooms/latest/apireference/API_MemberSpecification.html#API-Type-MemberSpecification-memberAbilities

Looking at the debug logs the empty array is being dropped before the CC API is called

References

[wellsiau-aws]

@rmalecky , thanks for reporting this issue. I couldn't find reference that explicitly stated that member_ability can be an empty list.

I tried to replicate this by calling CCAPI directly as shown below:

state.json

{
  "CreatorDisplayName": "creator",
  "CreatorMemberAbilities": [
    "CAN_QUERY",
    "CAN_RECEIVE_RESULTS"
  ],
  "CreatorPaymentConfiguration": {
    "QueryCompute": {
      "IsResponsible": true
    }
  },
  "Description": "Created with Terraform",
  "Members": [
    {
      "AccountId": "204034886740",
      "DisplayName": "Account 204034886740",
      "MemberAbility" : []
    }
  ],
  "Name": "Created with Terraform",
  "QueryLogStatus": "ENABLED"
}

CCAPI call:

aws cloudcontrol create-resource \
>   --type-name AWS::CleanRooms::Collaboration \
>   --desired-state file://state.json

An error occurred (ValidationException) when calling the CreateResource operation: Model validation failed (#/Members/0: required key [MemberAbilities] not found
#/Members/0: extraneous key [MemberAbility] is not permitted)

[rmalecky]

@wellsiau-aws Thanks for engaging so quickly. There is a bug in you state file. The key is "Members"[*]."MemberAbilities", you have "Members"[*]."MemberAbility"

[wellsiau-aws]

ups, you are right! @rmalecky , I was able to successfully run this via CCAPI:

state.json

{
  "CreatorDisplayName": "creator",
  "CreatorMemberAbilities": [
    "CAN_QUERY",
    "CAN_RECEIVE_RESULTS"
  ],
  "CreatorPaymentConfiguration": {
    "QueryCompute": {
      "IsResponsible": true
    }
  },
  "Description": "Created with Terraform",
  "Members": [
    {
      "AccountId": "411257146414",
      "DisplayName": "Account 411257146414",
      "MemberAbilities" : []
    }
  ],
  "Name": "Created with Terraform",
  "QueryLogStatus": "ENABLED"
}

[wellsiau-aws]

I think this part of the code today is causing Terraform to return nil.

I am sure there's a history behind it, cc @ewbankkit for additional comments.

[ewbankkit]

It looks like that logic has been in there from the very early days (https://github.com/hashicorp/terraform-provider-awscc/pull/32, which introduced use of terraform-plugin-framework). I think it was informed by experience from terraform-provider-aws that an empty array and nil array (or missing array) are functionally equivalent.