r/aws_iam_user: switch tag identifier to id

jar-b · jar-b · commit 70fd5970a56b · 2025-12-16T10:41:05.000-05:00
IAM user tag operations rely on the user name as the identifier. When the `name` argument is used as the identifier attribute, an update which changes both `name` and `tag` arguments causes transparent tagging to fail. Transparent tagging operations run _before_ the update operation, meaning the updated `name` value is passed to the [`TagUser`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagUser.html) API before the [`UpdateUser`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html) API is called to update it. By switching the tag identifier to `id`, we allow the `TagUser` API to reference the "old" user name, via `d.GetId()`, before the update operation executes and changes the name along with resource identifier. As `id` tracks the user name, this change does not break any existing tagging workflows, just enables the "name and tag" update case to behave as expected. Before: ```console % make t K=iam T=TestAccIAMUser_nameAndTags make: Verifying source code with gofmt... ==> Checking that code complies with gofmt requirements... make: Running acceptance tests on branch: 🌿 b-iam_user-tag-and-name-update 🌿... TF_ACC=1 go1.24.11 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_nameAndTags' -timeout 360m -vet=off 2025/12/15 16:39:45 Creating Terraform AWS Provider (SDKv2-style)... 2025/12/15 16:39:45 Initializing Terraform AWS Provider (SDKv2-style)... === CONT TestAccIAMUser_nameAndTags user_test.go:538: Step 2/2 error: Error running apply: exit status 1 Error: updating tags for IAM (Identity & Access Management) User (tf-acc-test-1187392722609479887-updated): tagging resource (tf-acc-test-1187392722609479887-updated): operation error IAM: TagUser, https response error StatusCode: 404, RequestID: 5651011a-12db-4b23-9199-24d6672641bf, NoSuchEntity: The user with name tf-acc-test-1187392722609479887-updated cannot be found. with aws_iam_user.user, on terraform_plugin_test.tf line 12, in resource "aws_iam_user" "user": 12: resource "aws_iam_user" "user" { --- FAIL: TestAccIAMUser_nameAndTags (15.18s) FAIL FAIL github.com/hashicorp/terraform-provider-aws/internal/service/iam 21.693s ``` After: ```console % make t K=iam T=TestAccIAMUser_nameAndTags make: Verifying source code with gofmt... ==> Checking that code complies with gofmt requirements... make: Running acceptance tests on branch: 🌿 b-iam_user-tag-and-name-update 🌿... TF_ACC=1 go1.24.11 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_nameAndTags' -timeout 360m -vet=off 2025/12/16 10:20:19 Creating Terraform AWS Provider (SDKv2-style)... 2025/12/16 10:20:19 Initializing Terraform AWS Provider (SDKv2-style)... --- PASS: TestAccIAMUser_nameAndTags (21.19s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 27.774s ``` ```console % make t K=iam T=TestAccIAMUser_ make: Verifying source code with gofmt... ==> Checking that code complies with gofmt requirements... make: Running acceptance tests on branch: 🌿 b-iam_user-tag-and-name-update 🌿... TF_ACC=1 go1.24.11 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUser_' -timeout 360m -vet=off 2025/12/16 10:25:18 Creating Terraform AWS Provider (SDKv2-style)... 2025/12/16 10:25:18 Initializing Terraform AWS Provider (SDKv2-style)... --- PASS: TestAccIAMUser_ForceDestroy_policyInline (34.73s) === CONT TestAccIAMUser_tags_DefaultTags_updateToResourceOnly --- PASS: TestAccIAMUser_ForceDestroy_policyAttached (36.71s) === CONT TestAccIAMUser_tags_DefaultTags_updateToProviderOnly --- PASS: TestAccIAMUser_ForceDestroy_policyInlineAttached (36.82s) === CONT TestAccIAMUser_basic --- PASS: TestAccIAMUser_ForceDestroy_accessKey (43.86s) === CONT TestAccIAMUser_disappears --- PASS: TestAccIAMUser_ForceDestroy_signingCertificate (45.67s) === CONT TestAccIAMUser_tags_IgnoreTags_Overlap_ResourceTag --- PASS: TestAccIAMUser_ForceDestroy_serviceSpecificCred (45.80s) === CONT TestAccIAMUser_ForceDestroy_sshKey --- PASS: TestAccIAMUser_ForceDestroy_mfaDevice (45.97s) === CONT TestAccIAMUser_tags_IgnoreTags_Overlap_DefaultTag --- PASS: TestAccIAMUser_tags_DefaultTags_nullNonOverlappingResourceTag (49.78s) === CONT TestAccIAMUser_tags_EmptyTag_OnUpdate_Add --- PASS: TestAccIAMUser_tags_DefaultTags_nullOverlappingResourceTag (51.79s) === CONT TestAccIAMUser_tags_DefaultTags_nonOverlapping --- PASS: TestAccIAMUser_tags_DefaultTags_emptyProviderOnlyTag (52.16s) === CONT TestAccIAMUser_tags_DefaultTags_providerOnly --- PASS: TestAccIAMUser_tags_DefaultTags_emptyResourceTag (54.09s) === CONT TestAccIAMUser_tags_EmptyTag_OnUpdate_Replace --- PASS: TestAccIAMUser_tags_ComputedTag_OnCreate (56.57s) === CONT TestAccIAMUser_tags_AddOnUpdate --- PASS: TestAccIAMUser_pathChange (69.16s) === CONT TestAccIAMUser_tags_EmptyTag_OnCreate --- PASS: TestAccIAMUser_nameChange (73.24s) === CONT TestAccIAMUser_ForceDestroy_loginProfile --- PASS: TestAccIAMUser_nameAndTags (75.08s) === CONT TestAccIAMUser_tags_EmptyMap --- PASS: TestAccIAMUser_disappears (37.71s) === CONT TestAccIAMUser_tags_null --- PASS: TestAccIAMUser_tags_ComputedTag_OnUpdate_Replace (88.28s) --- PASS: TestAccIAMUser_tags_ComputedTag_OnUpdate_Add (91.48s) --- PASS: TestAccIAMUser_ForceDestroy_sshKey (46.05s) --- PASS: TestAccIAMUser_basic (71.99s) --- PASS: TestAccIAMUser_ForceDestroy_loginProfile (40.51s) --- PASS: TestAccIAMUser_tags_DefaultTags_updateToResourceOnly (79.26s) --- PASS: TestAccIAMUser_tags_DefaultTags_updateToProviderOnly (78.40s) --- PASS: TestAccIAMUser_tags_EmptyTag_OnUpdate_Replace (72.19s) --- PASS: TestAccIAMUser_tags_AddOnUpdate (70.56s) --- PASS: TestAccIAMUser_tags_DefaultTags_overlapping (131.10s) --- PASS: TestAccIAMUser_tags_EmptyMap (57.29s) --- PASS: TestAccIAMUser_tags_IgnoreTags_Overlap_DefaultTag (88.51s) --- PASS: TestAccIAMUser_tags_null (53.51s) --- PASS: TestAccIAMUser_tags_EmptyTag_OnCreate (69.51s) --- PASS: TestAccIAMUser_tags_IgnoreTags_Overlap_ResourceTag (94.78s) --- PASS: TestAccIAMUser_tags_EmptyTag_OnUpdate_Add (93.17s) --- PASS: TestAccIAMUser_tags (142.97s) --- PASS: TestAccIAMUser_tags_DefaultTags_nonOverlapping (93.90s) --- PASS: TestAccIAMUser_permissionsBoundary (147.57s) --- PASS: TestAccIAMUser_tags_DefaultTags_providerOnly (105.94s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 164.605s ```
diff --git a/internal/service/iam/service_package_gen.go b/internal/service/iam/service_package_gen.go
diff --git a/internal/service/iam/user.go b/internal/service/iam/user.go
@@ -28,7 +28,7 @@ import (
 )
 
 // @SDKResource("aws_iam_user", name="User")
-// @Tags(identifierAttribute="name", resourceType="User")
+// @Tags(identifierAttribute="id", resourceType="User")
 // @Testing(existsType="github.com/aws/aws-sdk-go-v2/service/iam/types;types.User", importIgnore="force_destroy")
 func resourceUser() *schema.Resource {
 	return &schema.Resource{
diff --git a/internal/service/iam/user_test.go b/internal/service/iam/user_test.go
@@ -14,7 +14,11 @@ import (
 	awstypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/retry"
@@ -523,6 +527,67 @@ func TestAccIAMUser_permissionsBoundary(t *testing.T) {
 	})
 }
 
+// Verify behavior when name and tags are updated simultaneously
+func TestAccIAMUser_nameAndTags(t *testing.T) {
+	ctx := acctest.Context(t)
+	var u awstypes.User
+
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	rNameUpdated := rName + "-updated"
+	resourceName := "aws_iam_user.user"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.IAMServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckUserDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccUserConfig_nameAndTags(rName, acctest.CtKey1, acctest.CtValue1),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckUserExists(ctx, "aws_iam_user.user", &u),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+						plancheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrName), knownvalue.StringExact(rName)),
+						plancheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrTags), knownvalue.MapExact(map[string]knownvalue.Check{
+							acctest.CtKey1: knownvalue.StringExact(acctest.CtValue1),
+						})),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrName), knownvalue.StringExact(rName)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrTags), knownvalue.MapExact(map[string]knownvalue.Check{
+						acctest.CtKey1: knownvalue.StringExact(acctest.CtValue1),
+					})),
+				},
+			},
+			{
+				Config: testAccUserConfig_nameAndTags(rNameUpdated, acctest.CtKey1, acctest.CtValue1Updated),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckUserExists(ctx, "aws_iam_user.user", &u),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrName), knownvalue.StringExact(rNameUpdated)),
+						plancheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrTags), knownvalue.MapExact(map[string]knownvalue.Check{
+							acctest.CtKey1: knownvalue.StringExact(acctest.CtValue1Updated),
+						})),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrName), knownvalue.StringExact(rNameUpdated)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrTags), knownvalue.MapExact(map[string]knownvalue.Check{
+						acctest.CtKey1: knownvalue.StringExact(acctest.CtValue1Updated),
+					})),
+				},
+			},
+		},
+	})
+}
+
 func testAccCheckUserDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).IAMClient(ctx)
@@ -827,3 +892,15 @@ resource "aws_iam_user" "test" {
 }
 `, rName)
 }
+
+func testAccUserConfig_nameAndTags(rName, key1, value1 string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_user" "user" {
+  name = %[1]q
+
+  tags = {
+    %[2]s = %[3]q
+  }
+}
+`, rName, key1, value1)
+}

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ import (`
`28`	`28`	`)`
`29`	`29`
`30`	`30`	`// @SDKResource("aws_iam_user", name="User")`
`31`		`-// @Tags(identifierAttribute="name", resourceType="User")`
	`31`	`+// @Tags(identifierAttribute="id", resourceType="User")`
`32`	`32`	`// @Testing(existsType="github.com/aws/aws-sdk-go-v2/service/iam/types;types.User", importIgnore="force_destroy")`
`33`	`33`	`func resourceUser() *schema.Resource {`
`34`	`34`	`return &schema.Resource{`