Merge pull request #34542 from phergoualch/f-transit-gateway-security…

…-group-referencing-support

feat: adding transit gateway security group referencing support

.changelog/34542.txt

@@ -0,0 +1,19 @@
+```release-note:enhancement
+resource/aws_ec2_transit_gateway: Add `security_group_referencing_support` argument
+```
+
+```release-note:enhancement
+data-source/aws_ec2_transit_gateway: Add `security_group_referencing_support` attribute
+```
+
+```release-note:enhancement
+resource/aws_ec2_transit_gateway_vpc_attachment: Add `security_group_referencing_support` argument
+```
+
+```release-note:enhancement
+data-source/aws_ec2_transit_gateway_vpc_attachment: Add `security_group_referencing_support` attribute
+```
+
+```release-note:enhancement
+resource/aws_ec2_transit_gateway_vpc_attachment_accepter: Add `security_group_referencing_support` argument
+```

internal/service/ec2/transitgateway_.go

@@ -116,6 +116,12 @@ func resourceTransitGateway() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"security_group_referencing_support": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          awstypes.SecurityGroupReferencingSupportValueDisable,
+				ValidateDiagFunc: enum.Validate[awstypes.SecurityGroupReferencingSupportValue](),
+			},
 			names.AttrTags:    tftags.TagsSchema(),
 			names.AttrTagsAll: tftags.TagsSchemaComputed(),
 			"transit_gateway_cidr_blocks": {
@@ -149,12 +155,13 @@ func resourceTransitGatewayCreate(ctx context.Context, d *schema.ResourceData, m
 
 	input := &ec2.CreateTransitGatewayInput{
 		Options: &awstypes.TransitGatewayRequestOptions{
-			AutoAcceptSharedAttachments:  awstypes.AutoAcceptSharedAttachmentsValue(d.Get("auto_accept_shared_attachments").(string)),
-			DefaultRouteTableAssociation: awstypes.DefaultRouteTableAssociationValue(d.Get("default_route_table_association").(string)),
-			DefaultRouteTablePropagation: awstypes.DefaultRouteTablePropagationValue(d.Get("default_route_table_propagation").(string)),
-			DnsSupport:                   awstypes.DnsSupportValue(d.Get("dns_support").(string)),
-			MulticastSupport:             awstypes.MulticastSupportValue(d.Get("multicast_support").(string)),
-			VpnEcmpSupport:               awstypes.VpnEcmpSupportValue(d.Get("vpn_ecmp_support").(string)),
+			AutoAcceptSharedAttachments:     awstypes.AutoAcceptSharedAttachmentsValue(d.Get("auto_accept_shared_attachments").(string)),
+			DefaultRouteTableAssociation:    awstypes.DefaultRouteTableAssociationValue(d.Get("default_route_table_association").(string)),
+			DefaultRouteTablePropagation:    awstypes.DefaultRouteTablePropagationValue(d.Get("default_route_table_propagation").(string)),
+			DnsSupport:                      awstypes.DnsSupportValue(d.Get("dns_support").(string)),
+			MulticastSupport:                awstypes.MulticastSupportValue(d.Get("multicast_support").(string)),
+			SecurityGroupReferencingSupport: awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string)),
+			VpnEcmpSupport:                  awstypes.VpnEcmpSupportValue(d.Get("vpn_ecmp_support").(string)),
 		},
 		TagSpecifications: getTagSpecificationsIn(ctx, awstypes.ResourceTypeTransitGateway),
 	}
@@ -214,6 +221,7 @@ func resourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, met
 	d.Set("multicast_support", transitGateway.Options.MulticastSupport)
 	d.Set(names.AttrOwnerID, transitGateway.OwnerId)
 	d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId)
+	d.Set("security_group_referencing_support", transitGateway.Options.SecurityGroupReferencingSupport)
 	d.Set("transit_gateway_cidr_blocks", transitGateway.Options.TransitGatewayCidrBlocks)
 	d.Set("vpn_ecmp_support", transitGateway.Options.VpnEcmpSupport)
 
@@ -256,6 +264,10 @@ func resourceTransitGatewayUpdate(ctx context.Context, d *schema.ResourceData, m
 			input.Options.DnsSupport = awstypes.DnsSupportValue(d.Get("dns_support").(string))
 		}
 
+		if d.HasChange("security_group_referencing_support") {
+			input.Options.SecurityGroupReferencingSupport = awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string))
+		}
+
 		if d.HasChange("transit_gateway_cidr_blocks") {
 			oRaw, nRaw := d.GetChange("transit_gateway_cidr_blocks")
 			o, n := oRaw.(*schema.Set), nRaw.(*schema.Set)

internal/service/ec2/transitgateway_data_source.go

@@ -80,6 +80,10 @@ func dataSourceTransitGateway() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"security_group_referencing_support": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			names.AttrTags: tftags.TagsSchemaComputed(),
 			"transit_gateway_cidr_blocks": {
 				Type:     schema.TypeList,
@@ -131,6 +135,7 @@ func dataSourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, m
 	d.Set("multicast_support", transitGateway.Options.MulticastSupport)
 	d.Set(names.AttrOwnerID, transitGateway.OwnerId)
 	d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId)
+	d.Set("security_group_referencing_support", transitGateway.Options.SecurityGroupReferencingSupport)
 	d.Set("transit_gateway_cidr_blocks", transitGateway.Options.TransitGatewayCidrBlocks)
 	d.Set("vpn_ecmp_support", transitGateway.Options.VpnEcmpSupport)
 

internal/service/ec2/transitgateway_data_source_test.go

@@ -123,6 +123,7 @@ func testAccTransitGatewayDataSource_Filter(t *testing.T, semaphore tfsync.Semap
 					resource.TestCheckResourceAttrPair(resourceName, "multicast_support", dataSourceName, "multicast_support"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID),
 					resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"),
+					resource.TestCheckResourceAttrPair(resourceName, "security_group_referencing_support", dataSourceName, "security_group_referencing_support"),
 					resource.TestCheckResourceAttrPair(resourceName, acctest.CtTagsPercent, dataSourceName, acctest.CtTagsPercent),
 					resource.TestCheckResourceAttrPair(resourceName, "transit_gateway_cidr_blocks.#", dataSourceName, "transit_gateway_cidr_blocks.#"),
 					resource.TestCheckResourceAttrPair(resourceName, "vpn_ecmp_support", dataSourceName, "vpn_ecmp_support"),
@@ -161,6 +162,7 @@ func testAccTransitGatewayDataSource_ID(t *testing.T, semaphore tfsync.Semaphore
 					resource.TestCheckResourceAttrPair(resourceName, "dns_support", dataSourceName, "dns_support"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID),
 					resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"),
+					resource.TestCheckResourceAttrPair(resourceName, "security_group_referencing_support", dataSourceName, "security_group_referencing_support"),
 					resource.TestCheckResourceAttrPair(resourceName, acctest.CtTagsPercent, dataSourceName, acctest.CtTagsPercent),
 					resource.TestCheckResourceAttrPair(resourceName, "transit_gateway_cidr_blocks.#", dataSourceName, "transit_gateway_cidr_blocks.#"),
 					resource.TestCheckResourceAttrPair(resourceName, "vpn_ecmp_support", dataSourceName, "vpn_ecmp_support"),

internal/service/ec2/transitgateway_test.go

@@ -58,6 +58,7 @@ func TestAccTransitGateway_serial(t *testing.T) {
 			"DefaultRouteTablePropagation":                       testAccTransitGateway_DefaultRouteTablePropagation,
 			"Description":                                        testAccTransitGateway_Description,
 			"DnsSupport":                                         testAccTransitGateway_DNSSupport,
+			"SecurityGroupReferencingSupport":                    testAccTransitGateway_SecurityGroupReferencingSupport,
 			"VpnEcmpSupport":                                     testAccTransitGateway_VPNECMPSupport,
 		},
 		"MulticastDomain": {
@@ -134,14 +135,15 @@ func TestAccTransitGateway_serial(t *testing.T) {
 			acctest.CtDisappears: testAccTransitGatewayRouteTablePropagation_disappears,
 		},
 		"VpcAttachment": {
-			acctest.CtBasic:        testAccTransitGatewayVPCAttachment_basic,
-			acctest.CtDisappears:   testAccTransitGatewayVPCAttachment_disappears,
-			"tags":                 testAccTransitGatewayVPCAttachment_tags,
-			"ApplianceModeSupport": testAccTransitGatewayVPCAttachment_ApplianceModeSupport,
-			"DnsSupport":           testAccTransitGatewayVPCAttachment_DNSSupport,
-			"Ipv6Support":          testAccTransitGatewayVPCAttachment_IPv6Support,
-			"SharedTransitGateway": testAccTransitGatewayVPCAttachment_SharedTransitGateway,
-			"SubnetIds":            testAccTransitGatewayVPCAttachment_SubnetIDs,
+			acctest.CtBasic:                   testAccTransitGatewayVPCAttachment_basic,
+			acctest.CtDisappears:              testAccTransitGatewayVPCAttachment_disappears,
+			"tags":                            testAccTransitGatewayVPCAttachment_tags,
+			"ApplianceModeSupport":            testAccTransitGatewayVPCAttachment_ApplianceModeSupport,
+			"DnsSupport":                      testAccTransitGatewayVPCAttachment_DNSSupport,
+			"Ipv6Support":                     testAccTransitGatewayVPCAttachment_IPv6Support,
+			"SecurityGroupReferencingSupport": testAccTransitGatewayVPCAttachment_SecurityGroupReferencingSupport,
+			"SharedTransitGateway":            testAccTransitGatewayVPCAttachment_SharedTransitGateway,
+			"SubnetIds":                       testAccTransitGatewayVPCAttachment_SubnetIDs,
 			"TransitGatewayDefaultRouteTableAssociation":                       testAccTransitGatewayVPCAttachment_TransitGatewayDefaultRouteTableAssociation,
 			"TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled": testAccTransitGatewayVPCAttachment_TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled,
 			"TransitGatewayDefaultRouteTablePropagation":                       testAccTransitGatewayVPCAttachment_TransitGatewayDefaultRouteTablePropagation,
@@ -190,6 +192,7 @@ func testAccTransitGateway_basic(t *testing.T, semaphore tfsync.Semaphore) {
 					resource.TestCheckResourceAttr(resourceName, "multicast_support", string(awstypes.MulticastSupportValueDisable)),
 					acctest.CheckResourceAttrAccountID(resourceName, names.AttrOwnerID),
 					resource.TestCheckResourceAttrSet(resourceName, "propagation_default_route_table_id"),
+					resource.TestCheckResourceAttr(resourceName, "security_group_referencing_support", string(awstypes.SecurityGroupReferencingSupportValueDisable)),
 					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, acctest.Ct0),
 					resource.TestCheckResourceAttr(resourceName, "vpn_ecmp_support", string(awstypes.VpnEcmpSupportValueEnable)),
 				),
@@ -532,6 +535,46 @@ func testAccTransitGateway_DNSSupport(t *testing.T, semaphore tfsync.Semaphore)
 	})
 }
 
+func testAccTransitGateway_SecurityGroupReferencingSupport(t *testing.T, semaphore tfsync.Semaphore) {
+	ctx := acctest.Context(t)
+	var transitGateway1, transitGateway2 awstypes.TransitGateway
+	resourceName := "aws_ec2_transit_gateway.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheckTransitGatewaySynchronize(t, semaphore)
+			acctest.PreCheck(ctx, t)
+			testAccPreCheckTransitGateway(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckTransitGatewayDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTransitGatewayConfig_securityGroupReferencingSupport(rName, string(awstypes.SecurityGroupReferencingSupportValueDisable)),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1),
+					resource.TestCheckResourceAttr(resourceName, "security_group_referencing_support", string(awstypes.SecurityGroupReferencingSupportValueDisable)),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccTransitGatewayConfig_securityGroupReferencingSupport(rName, string(awstypes.SecurityGroupReferencingSupportValueEnable)),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway2),
+					testAccCheckTransitGatewayNotRecreated(&transitGateway1, &transitGateway2),
+					resource.TestCheckResourceAttr(resourceName, "security_group_referencing_support", string(awstypes.SecurityGroupReferencingSupportValueEnable)),
+				),
+			},
+		},
+	})
+}
+
 func testAccTransitGateway_VPNECMPSupport(t *testing.T, semaphore tfsync.Semaphore) {
 	ctx := acctest.Context(t)
 	var transitGateway1, transitGateway2 awstypes.TransitGateway
@@ -987,6 +1030,18 @@ resource "aws_ec2_transit_gateway" "test" {
 `, rName, dnsSupport)
 }
 
+func testAccTransitGatewayConfig_securityGroupReferencingSupport(rName, securityGroupReferencingSupport string) string {
+	return fmt.Sprintf(`
+resource "aws_ec2_transit_gateway" "test" {
+  security_group_referencing_support = %[2]q
+
+  tags = {
+    Name = %[1]q
+  }
+}
+`, rName, securityGroupReferencingSupport)
+}
+
 func testAccTransitGatewayConfig_vpnECMPSupport(rName, vpnEcmpSupport string) string {
 	return fmt.Sprintf(`
 resource "aws_ec2_transit_gateway" "test" {

internal/service/ec2/transitgateway_vpc_attachment.go

@@ -59,6 +59,12 @@ func resourceTransitGatewayVPCAttachment() *schema.Resource {
 				Default:          awstypes.Ipv6SupportValueDisable,
 				ValidateDiagFunc: enum.Validate[awstypes.Ipv6SupportValue](),
 			},
+			"security_group_referencing_support": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          awstypes.SecurityGroupReferencingSupportValueDisable,
+				ValidateDiagFunc: enum.Validate[awstypes.SecurityGroupReferencingSupportValue](),
+			},
 			names.AttrSubnetIDs: {
 				Type:     schema.TypeSet,
 				Required: true,
@@ -104,9 +110,10 @@ func resourceTransitGatewayVPCAttachmentCreate(ctx context.Context, d *schema.Re
 	transitGatewayID := d.Get(names.AttrTransitGatewayID).(string)
 	input := &ec2.CreateTransitGatewayVpcAttachmentInput{
 		Options: &awstypes.CreateTransitGatewayVpcAttachmentRequestOptions{
-			ApplianceModeSupport: awstypes.ApplianceModeSupportValue(d.Get("appliance_mode_support").(string)),
-			DnsSupport:           awstypes.DnsSupportValue(d.Get("dns_support").(string)),
-			Ipv6Support:          awstypes.Ipv6SupportValue(d.Get("ipv6_support").(string)),
+			ApplianceModeSupport:            awstypes.ApplianceModeSupportValue(d.Get("appliance_mode_support").(string)),
+			DnsSupport:                      awstypes.DnsSupportValue(d.Get("dns_support").(string)),
+			Ipv6Support:                     awstypes.Ipv6SupportValue(d.Get("ipv6_support").(string)),
+			SecurityGroupReferencingSupport: awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string)),
 		},
 		SubnetIds:         flex.ExpandStringValueSet(d.Get(names.AttrSubnetIDs).(*schema.Set)),
 		TransitGatewayId:  aws.String(transitGatewayID),
@@ -214,6 +221,7 @@ func resourceTransitGatewayVPCAttachmentRead(ctx context.Context, d *schema.Reso
 	d.Set("appliance_mode_support", transitGatewayVPCAttachment.Options.ApplianceModeSupport)
 	d.Set("dns_support", transitGatewayVPCAttachment.Options.DnsSupport)
 	d.Set("ipv6_support", transitGatewayVPCAttachment.Options.Ipv6Support)
+	d.Set("security_group_referencing_support", transitGatewayVPCAttachment.Options.SecurityGroupReferencingSupport)
 	d.Set(names.AttrSubnetIDs, transitGatewayVPCAttachment.SubnetIds)
 	d.Set("transit_gateway_default_route_table_association", transitGatewayDefaultRouteTableAssociation)
 	d.Set("transit_gateway_default_route_table_propagation", transitGatewayDefaultRouteTablePropagation)
@@ -230,12 +238,13 @@ func resourceTransitGatewayVPCAttachmentUpdate(ctx context.Context, d *schema.Re
 	var diags diag.Diagnostics
 	conn := meta.(*conns.AWSClient).EC2Client(ctx)
 
-	if d.HasChanges("appliance_mode_support", "dns_support", "ipv6_support", names.AttrSubnetIDs) {
+	if d.HasChanges("appliance_mode_support", "dns_support", "ipv6_support", "security_group_referencing_support", names.AttrSubnetIDs) {
 		input := &ec2.ModifyTransitGatewayVpcAttachmentInput{
 			Options: &awstypes.ModifyTransitGatewayVpcAttachmentRequestOptions{
-				ApplianceModeSupport: awstypes.ApplianceModeSupportValue(d.Get("appliance_mode_support").(string)),
-				DnsSupport:           awstypes.DnsSupportValue(d.Get("dns_support").(string)),
-				Ipv6Support:          awstypes.Ipv6SupportValue(d.Get("ipv6_support").(string)),
+				ApplianceModeSupport:            awstypes.ApplianceModeSupportValue(d.Get("appliance_mode_support").(string)),
+				DnsSupport:                      awstypes.DnsSupportValue(d.Get("dns_support").(string)),
+				Ipv6Support:                     awstypes.Ipv6SupportValue(d.Get("ipv6_support").(string)),
+				SecurityGroupReferencingSupport: awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string)),
 			},
 			TransitGatewayAttachmentId: aws.String(d.Id()),
 		}

internal/service/ec2/transitgateway_vpc_attachment_accepter.go

@@ -45,6 +45,10 @@ func resourceTransitGatewayVPCAttachmentAccepter() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"security_group_referencing_support": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"ipv6_support": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -183,6 +187,7 @@ func resourceTransitGatewayVPCAttachmentAccepterRead(ctx context.Context, d *sch
 
 	d.Set("appliance_mode_support", transitGatewayVPCAttachment.Options.ApplianceModeSupport)
 	d.Set("dns_support", transitGatewayVPCAttachment.Options.DnsSupport)
+	d.Set("security_group_referencing_support", transitGatewayVPCAttachment.Options.SecurityGroupReferencingSupport)
 	d.Set("ipv6_support", transitGatewayVPCAttachment.Options.Ipv6Support)
 	d.Set(names.AttrSubnetIDs, transitGatewayVPCAttachment.SubnetIds)
 	d.Set(names.AttrTransitGatewayAttachmentID, transitGatewayVPCAttachment.TransitGatewayAttachmentId)

internal/service/ec2/transitgateway_vpc_attachment_accepter_test.go

@@ -44,6 +44,7 @@ func testAccTransitGatewayVPCAttachmentAccepter_basic(t *testing.T, semaphore tf
 					resource.TestCheckResourceAttr(resourceName, "dns_support", string(awstypes.DnsSupportValueEnable)),
 					resource.TestCheckResourceAttr(resourceName, "ipv6_support", string(awstypes.Ipv6SupportValueDisable)),
 					resource.TestCheckResourceAttr(resourceName, "subnet_ids.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "security_group_referencing_support", string(awstypes.SecurityGroupReferencingSupportValueDisable)),
 					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, acctest.Ct0),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrTransitGatewayID, transitGatewayResourceName, names.AttrID),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrTransitGatewayAttachmentID, vpcAttachmentName, names.AttrID),

internal/service/ec2/transitgateway_vpc_attachment_data_source.go

@@ -48,6 +48,10 @@ func dataSourceTransitGatewayVPCAttachment() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"security_group_referencing_support": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			names.AttrSubnetIDs: {
 				Type:     schema.TypeSet,
 				Computed: true,
@@ -99,6 +103,7 @@ func dataSourceTransitGatewayVPCAttachmentRead(ctx context.Context, d *schema.Re
 	d.Set("appliance_mode_support", transitGatewayVPCAttachment.Options.ApplianceModeSupport)
 	d.Set("dns_support", transitGatewayVPCAttachment.Options.DnsSupport)
 	d.Set("ipv6_support", transitGatewayVPCAttachment.Options.Ipv6Support)
+	d.Set("security_group_referencing_support", transitGatewayVPCAttachment.Options.SecurityGroupReferencingSupport)
 	d.Set(names.AttrSubnetIDs, transitGatewayVPCAttachment.SubnetIds)
 	d.Set(names.AttrTransitGatewayID, transitGatewayVPCAttachment.TransitGatewayId)
 	d.Set(names.AttrVPCID, transitGatewayVPCAttachment.VpcId)