From 68dc965a04cfeca586b6c18b2acd39694152e6eb Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Fri, 21 Aug 2020 19:09:31 -0400 Subject: [PATCH] service/acmpca: Add activation of ACMPCA CA to acceptance tests (#13684) * r/aws_acmpca_certificate_authority: Test CA activation. Acceptance test output: $ make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsAcmpcaCertificateAuthority_Enabled' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaCertificateAuthority_Enabled -timeout 120m === RUN TestAccAwsAcmpcaCertificateAuthority_Enabled === PAUSE TestAccAwsAcmpcaCertificateAuthority_Enabled === CONT TestAccAwsAcmpcaCertificateAuthority_Enabled --- PASS: TestAccAwsAcmpcaCertificateAuthority_Enabled (69.95s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 69.989s Add 'TestAccAwsAcmpcaCertificateAuthority_disappears'. Acceptance test output: $ make testacc TEST=./aws/ TESTARGS='-run=TestAccAwsAcmpcaCertificateAuthority_disappears' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAwsAcmpcaCertificateAuthority_disappears -timeout 120m === RUN TestAccAwsAcmpcaCertificateAuthority_disappears === PAUSE TestAccAwsAcmpcaCertificateAuthority_disappears === CONT TestAccAwsAcmpcaCertificateAuthority_disappears --- PASS: TestAccAwsAcmpcaCertificateAuthority_disappears (25.10s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 25.138s * r/aws_acmpca_certificate_authority: Remove CAs with DELETED status. 
--- aws/internal/service/acmpca/finder/finder.go | 25 +++ aws/internal/service/acmpca/waiter/status.go | 35 ++++ aws/internal/service/acmpca/waiter/waiter.go | 26 +++ ...source_aws_acmpca_certificate_authority.go | 58 +----- ...e_aws_acmpca_certificate_authority_test.go | 196 ++++++++++++------ 5 files changed, 226 insertions(+), 114 deletions(-) create mode 100644 aws/internal/service/acmpca/finder/finder.go create mode 100644 aws/internal/service/acmpca/waiter/status.go create mode 100644 aws/internal/service/acmpca/waiter/waiter.go
diff --git a/aws/internal/service/acmpca/finder/finder.go b/aws/internal/service/acmpca/finder/finder.go
new file mode 100644
index 00000000000..f6dfc51bb5b
--- /dev/null
+++ b/aws/internal/service/acmpca/finder/finder.go
@@ -0,0 +1,25 @@
+package finder
+
+import (
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/acmpca"
+)
+
+// CertificateAuthorityByARN returns the certificate authority corresponding to the specified ARN.
+// Returns nil if no certificate authority is found.
+func CertificateAuthorityByARN(conn *acmpca.ACMPCA, arn string) (*acmpca.CertificateAuthority, error) {
+ input := &acmpca.DescribeCertificateAuthorityInput{
+ CertificateAuthorityArn: aws.String(arn),
+ }
+
+ output, err := conn.DescribeCertificateAuthority(input)
+ if err != nil {
+ return nil, err
+ }
+
+ if output == nil {
+ return nil, nil
+ }
+
+ return output.CertificateAuthority, nil
+}
diff --git a/aws/internal/service/acmpca/waiter/status.go b/aws/internal/service/acmpca/waiter/status.go
new file mode 100644
index 00000000000..3faf7582449
--- /dev/null
+++ b/aws/internal/service/acmpca/waiter/status.go
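Review bot: The doc comment on `CertificateAuthorityByARN` in finder.go says it returns nil when no certificate authority is found, but the body passes every `DescribeCertificateAuthority` error straight through, so a missing CA most likely reaches the caller as a `ResourceNotFoundException` error rather than as `nil, nil`. Callers therefore need both an error-code check and a nil check, which is what the Read function and the status refresh func in this patch do. I would reword the second comment line to something like `// API errors, including ResourceNotFoundException, are returned unchanged; the result is nil only when the response carries no certificate authority.` It may also be worth stating there that a CA in DELETED status is still returned, since that decision is left to each caller.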
@@ -0,0 +1,35 @@
+package waiter
+
+import (
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/acmpca"
+ "github.com/hashicorp/aws-sdk-go-base/tfawserr"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/acmpca/finder"
+)
+
+const (
+ certificateAuthorityStatusNotFound = "NotFound"
+ certificateAuthorityStatusUnknown = "Unknown"
+)
+
+// CertificateAuthorityStatus fetches the Deployment and its Status
+func CertificateAuthorityStatus(conn *acmpca.ACMPCA, arn string) resource.StateRefreshFunc {
+ return func() (interface{}, string, error) {
+ certificateAuthority, err := finder.CertificateAuthorityByARN(conn, arn)
+
+ if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
+ return nil, certificateAuthorityStatusNotFound, nil
+ }
+
+ if err != nil {
+ return nil, certificateAuthorityStatusUnknown, err
+ }
+
+ if certificateAuthority == nil {
+ return nil, certificateAuthorityStatusNotFound, nil
+ }
+
+ return certificateAuthority, aws.StringValue(certificateAuthority.Status), nil
+ }
+}
diff --git a/aws/internal/service/acmpca/waiter/waiter.go b/aws/internal/service/acmpca/waiter/waiter.go
new file mode 100644
index 00000000000..c9c4c803f9d
--- /dev/null
+++ b/aws/internal/service/acmpca/waiter/waiter.go
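Review bot: The comment on `CertificateAuthorityStatus` in status.go reads `fetches the Deployment and its Status`, which looks copied from another service's waiter; it should name the certificate authority, e.g. `// CertificateAuthorityStatus fetches the certificate authority and its status.` As far as I can tell the plugin SDK only looks at the state string when the result is non-nil, so returning `NotFound` with a nil result keeps the old keep-polling behaviour, but that deserves a line in the comment because `NotFound` is not in the waiter's `Pending` list. The not-found test here uses `tfawserr.ErrCodeEquals` while the resource file in the same patch still uses `isAWSErr(err, code, "")`; settling on one helper would keep the two paths from drifting.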
@@ -0,0 +1,26 @@ +package waiter + +import ( + "time" + + "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +// CertificateAuthorityCreated waits for a CertificateAuthority to return Active or PendingCertificate +func CertificateAuthorityCreated(conn *acmpca.ACMPCA, arn string, timeout time.Duration) (*acmpca.CertificateAuthority, error) { + stateConf := &resource.StateChangeConf{ + Pending: []string{"", acmpca.CertificateAuthorityStatusCreating}, + Target: []string{acmpca.CertificateAuthorityStatusActive, acmpca.CertificateAuthorityStatusPendingCertificate}, + Refresh: CertificateAuthorityStatus(conn, arn), + Timeout: timeout, + } + + outputRaw, err := stateConf.WaitForState() + + if v, ok := outputRaw.(*acmpca.CertificateAuthority); ok { + return v, err + } + + return nil, err +} diff --git a/aws/resource_aws_acmpca_certificate_authority.go b/aws/resource_aws_acmpca_certificate_authority.go index 5bf84e542d0..a2ea02cfae9 100644 --- a/aws/resource_aws_acmpca_certificate_authority.go +++ b/aws/resource_aws_acmpca_certificate_authority.go @@ -11,6 +11,8 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/acmpca/finder" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/acmpca/waiter" ) func resourceAwsAcmpcaCertificateAuthority() *schema.Resource { 
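Review bot: In waiter.go the `Pending` list of `CertificateAuthorityCreated` still contains `""`, which was the state the removed `acmpcaCertificateAuthorityRefreshFunc` returned for a CA that was not found; the new refresh func in status.go returns `NotFound` or `Unknown` for those cases, so `""` can now only match a CA whose `Status` field is unset. A short comment saying why the empty state is kept, or dropping it, would make that clear. The doc comment could also say that the function hands back whatever `WaitForState` returned together with the error, so callers must check `err` before using the result.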
@@ -306,20 +308,8 @@ func resourceAwsAcmpcaCertificateAuthorityCreate(d *schema.ResourceData, meta in d.SetId(aws.StringValue(output.CertificateAuthorityArn)) - stateConf := &resource.StateChangeConf{ - Pending: []string{ - "", - acmpca.CertificateAuthorityStatusCreating, - }, - Target: []string{ - acmpca.CertificateAuthorityStatusActive, - acmpca.CertificateAuthorityStatusPendingCertificate, - }, - Refresh: acmpcaCertificateAuthorityRefreshFunc(conn, d.Id()), - Timeout: d.Timeout(schema.TimeoutCreate), - } + _, err = waiter.CertificateAuthorityCreated(conn, d.Id(), d.Timeout(schema.TimeoutCreate)) - _, err = stateConf.WaitForState() if err != nil { return fmt.Errorf("error waiting for ACMPCA Certificate Authority %q to be active or pending certificate: %s", d.Id(), err) } 
@@ -331,28 +321,23 @@ func resourceAwsAcmpcaCertificateAuthorityRead(d *schema.ResourceData, meta inte conn := meta.(*AWSClient).acmpcaconn ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig - describeCertificateAuthorityInput := &acmpca.DescribeCertificateAuthorityInput{ - CertificateAuthorityArn: aws.String(d.Id()), - } + certificateAuthority, err := finder.CertificateAuthorityByARN(conn, d.Id()) - log.Printf("[DEBUG] Reading ACMPCA Certificate Authority: %s", describeCertificateAuthorityInput) + if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { + log.Printf("[WARN] ACMPCA Certificate Authority %q not found - removing from state", d.Id()) + d.SetId("") + return nil + } - describeCertificateAuthorityOutput, err := conn.DescribeCertificateAuthority(describeCertificateAuthorityInput) if err != nil { - if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { - log.Printf("[WARN] ACMPCA Certificate Authority %q not found - removing from state", d.Id()) - d.SetId("") - return nil - } return fmt.Errorf("error reading ACMPCA Certificate Authority: %s", err) } - if describeCertificateAuthorityOutput.CertificateAuthority == nil { + if certificateAuthority == nil || aws.StringValue(certificateAuthority.Status) == acmpca.CertificateAuthorityStatusDeleted { log.Printf("[WARN] ACMPCA Certificate Authority %q not found - removing from state", d.Id()) d.SetId("") return nil } - certificateAuthority := describeCertificateAuthorityOutput.CertificateAuthority d.Set("arn", certificateAuthority.Arn) 
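Review bot: In `resourceAwsAcmpcaCertificateAuthorityRead` the new `Status == DELETED` branch logs the same `not found - removing from state` warning as a CA that is really gone, so the log cannot tell the two cases apart. A CA in DELETED status still exists until its permanent-deletion window ends and can be restored during that time, so dropping it from state under a "not found" message means Terraform stops tracking an authority that may come back, with nothing in the log to explain it. I would give that case its own `if` and its own message, for example `log.Printf("[WARN] ACMPCA Certificate Authority %q is in DELETED status (pending permanent deletion) - removing from state", d.Id())`. The function body continues past the end of this hunk.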
@@ -498,29 +483,6 @@ func resourceAwsAcmpcaCertificateAuthorityDelete(d *schema.ResourceData, meta in return nil } -func acmpcaCertificateAuthorityRefreshFunc(conn *acmpca.ACMPCA, certificateAuthorityArn string) resource.StateRefreshFunc { - return func() (interface{}, string, error) { - input := &acmpca.DescribeCertificateAuthorityInput{ - CertificateAuthorityArn: aws.String(certificateAuthorityArn), - } - - log.Printf("[DEBUG] Reading ACMPCA Certificate Authority: %s", input) - output, err := conn.DescribeCertificateAuthority(input) - if err != nil { - if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { - return nil, "", nil - } - return nil, "", err - } - - if output == nil || output.CertificateAuthority == nil { - return nil, "", nil - } - - return output.CertificateAuthority, aws.StringValue(output.CertificateAuthority.Status), nil - } -} - func expandAcmpcaASN1Subject(l []interface{}) *acmpca.ASN1Subject { if len(l) == 0 { return nil diff --git a/aws/resource_aws_acmpca_certificate_authority_test.go b/aws/resource_aws_acmpca_certificate_authority_test.go index dccddf3130d..515086db17b 100644 --- a/aws/resource_aws_acmpca_certificate_authority_test.go +++ b/aws/resource_aws_acmpca_certificate_authority_test.go @@ -8,6 +8,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" @@ -23,7 +24,7 @@ func init() { func testSweepAcmpcaCertificateAuthorities(region string) error { client, err := sharedClientForRegion(region) if err != nil { - return fmt.Errorf("error getting client: %s", err) + return fmt.Errorf("error getting client: %w", err) } conn := client.(*AWSClient).acmpcaconn 
@@ -33,31 +34,52 @@ func testSweepAcmpcaCertificateAuthorities(region string) error { log.Printf("[WARN] Skipping ACMPCA Certificate Authorities sweep for %s: %s", region, err) return nil } - return fmt.Errorf("Error retrieving ACMPCA Certificate Authorities: %s", err) + return fmt.Errorf("Error retrieving ACMPCA Certificate Authorities: %w", err) } if len(certificateAuthorities) == 0 { log.Print("[DEBUG] No ACMPCA Certificate Authorities to sweep") return nil } + var sweeperErrs *multierror.Error + for _, certificateAuthority := range certificateAuthorities { arn := aws.StringValue(certificateAuthority.Arn) + + if aws.StringValue(certificateAuthority.Status) == acmpca.CertificateAuthorityStatusActive { + log.Printf("[INFO] Disabling ACMPCA Certificate Authority: %s", arn) + _, err := conn.UpdateCertificateAuthority(&acmpca.UpdateCertificateAuthorityInput{ + CertificateAuthorityArn: aws.String(arn), + Status: aws.String(acmpca.CertificateAuthorityStatusDisabled), + }) + if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { + continue + } + if err != nil { + sweeperErr := fmt.Errorf("error disabling ACMPCA Certificate Authority (%s): %w", arn, err) + log.Printf("[ERROR] %s", sweeperErr) + sweeperErrs = multierror.Append(sweeperErrs, sweeperErr) + continue + } + } + log.Printf("[INFO] Deleting ACMPCA Certificate Authority: %s", arn) - input := &acmpca.DeleteCertificateAuthorityInput{ + _, err := conn.DeleteCertificateAuthority(&acmpca.DeleteCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(arn), PermanentDeletionTimeInDays: aws.Int64(int64(7)), + }) + if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { + continue } - - _, err := conn.DeleteCertificateAuthority(input) if err != nil { - if isAWSErr(err, acmpca.ErrCodeResourceNotFoundException, "") { - continue - } - log.Printf("[ERROR] Failed to delete ACMPCA Certificate Authority (%s): %s", arn, err) + sweeperErr := fmt.Errorf("error deleting ACMPCA Certificate Authority (%s): %w", 
arn, err) + log.Printf("[ERROR] %s", sweeperErr) + sweeperErrs = multierror.Append(sweeperErrs, sweeperErr) + continue } } - return nil + return sweeperErrs.ErrorOrNil() } func TestAccAwsAcmpcaCertificateAuthority_basic(t *testing.T) { @@ -104,12 +126,31 @@ func TestAccAwsAcmpcaCertificateAuthority_basic(t *testing.T) { }) } -func TestAccAwsAcmpcaCertificateAuthority_Enabled(t *testing.T) { +func TestAccAwsAcmpcaCertificateAuthority_disappears(t *testing.T) { var certificateAuthority acmpca.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" - // error updating ACMPCA Certificate Authority: InvalidStateException: The certificate authority must be in the Active or DISABLED state to be updated - TestAccSkip(t, "We need to fully sign the certificate authority CSR from another CA in order to test this functionality, which requires another resource") + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsAcmpcaCertificateAuthorityDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsAcmpcaCertificateAuthorityConfig_Required, + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName, &certificateAuthority), + testAccCheckResourceDisappears(testAccProvider, resourceAwsAcmpcaCertificateAuthority(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccAwsAcmpcaCertificateAuthority_Enabled(t *testing.T) { + var certificateAuthority acmpca.CertificateAuthority + rName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_acmpca_certificate_authority.test" resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
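Review bot: The sweeper loop in `testSweepAcmpcaCertificateAuthorities` now returns every delete failure through `sweeperErrs`, but it still calls `DeleteCertificateAuthority` on CAs that are already in DELETED status, which the list call presumably keeps returning for the whole restoration window (its body is outside this hunk). Those calls are likely to fail with an invalid-state error, and where that used to be only a log line it would now fail the sweep after every test run. Skipping them at the top of the loop avoids that: `if aws.StringValue(certificateAuthority.Status) == acmpca.CertificateAuthorityStatusDeleted { continue }`. Separately, the loop has no name or tag filter, and with the new disable step it also takes every ACTIVE CA in the account out of service, so a comment stating that the sweeper must only run against a dedicated test account would be worthwhile.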
@@ -117,19 +158,30 @@ func TestAccAwsAcmpcaCertificateAuthority_Enabled(t *testing.T) { CheckDestroy: testAccCheckAwsAcmpcaCertificateAuthorityDestroy, Steps: []resource.TestStep{ { - Config: testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(true), + Config: testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(rName, acmpca.CertificateAuthorityTypeRoot, true), Check: resource.ComposeTestCheckFunc( testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName, &certificateAuthority), + resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "status", "PENDING_CERTIFICATE"), + resource.TestCheckResourceAttr(resourceName, "status", acmpca.CertificateAuthorityStatusPendingCertificate), + testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(&certificateAuthority), + ), + }, + { + Config: testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(rName, acmpca.CertificateAuthorityTypeRoot, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName, &certificateAuthority), + resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), + resource.TestCheckResourceAttr(resourceName, "enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "status", acmpca.CertificateAuthorityStatusActive), ), }, { - Config: testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(false), + Config: testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(rName, acmpca.CertificateAuthorityTypeRoot, false), Check: resource.ComposeTestCheckFunc( testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName, &certificateAuthority), resource.TestCheckResourceAttr(resourceName, "enabled", "false"), - resource.TestCheckResourceAttr(resourceName, "status", "DISABLED"), + resource.TestCheckResourceAttr(resourceName, "status", acmpca.CertificateAuthorityStatusDisabled), ), }, { 
@@ -410,34 +462,6 @@ func TestAccAwsAcmpcaCertificateAuthority_Tags(t *testing.T) { }) } -func TestAccAwsAcmpcaCertificateAuthority_Type_Root(t *testing.T) { - var certificateAuthority acmpca.CertificateAuthority - resourceName := "aws_acmpca_certificate_authority.test" - - resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckAwsAcmpcaCertificateAuthorityDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAwsAcmpcaCertificateAuthorityConfigType(acmpca.CertificateAuthorityTypeRoot), - Check: resource.ComposeTestCheckFunc( - testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName, &certificateAuthority), - resource.TestCheckResourceAttr(resourceName, "type", acmpca.CertificateAuthorityTypeRoot), - ), - }, - { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{ - "permanent_deletion_time_in_days", - }, - }, - }, - }) -} - func testAccCheckAwsAcmpcaCertificateAuthorityDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).acmpcaconn 
@@ -496,6 +520,63 @@ func testAccCheckAwsAcmpcaCertificateAuthorityExists(resourceName string, certif } } +func testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { + return func(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).acmpcaconn + + arn := aws.StringValue(certificateAuthority.Arn) + + getCsrResp, err := conn.GetCertificateAuthorityCsr(&acmpca.GetCertificateAuthorityCsrInput{ + CertificateAuthorityArn: aws.String(arn), + }) + if err != nil { + return fmt.Errorf("error getting ACMPCA Certificate Authority (%s) CSR: %s", arn, err) + } + + issueCertResp, err := conn.IssueCertificate(&acmpca.IssueCertificateInput{ + CertificateAuthorityArn: aws.String(arn), + Csr: []byte(aws.StringValue(getCsrResp.Csr)), + IdempotencyToken: aws.String(resource.UniqueId()), + SigningAlgorithm: certificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm, + TemplateArn: aws.String("arn:aws:acm-pca:::template/RootCACertificate/V1"), + Validity: &acmpca.Validity{ + Type: aws.String(acmpca.ValidityPeriodTypeYears), + Value: aws.Int64(10), + }, + }) + if err != nil { + return fmt.Errorf("error issuing ACMPCA Certificate Authority (%s) Root CA certificate from CSR: %s", arn, err) + } + + // Wait for certificate status to become ISSUED. 
+ err = conn.WaitUntilCertificateIssued(&acmpca.GetCertificateInput{ + CertificateAuthorityArn: aws.String(arn), + CertificateArn: issueCertResp.CertificateArn, + }) + if err != nil { + return fmt.Errorf("error waiting for ACMPCA Certificate Authority (%s) Root CA certificate to become ISSUED: %s", arn, err) + } + + getCertResp, err := conn.GetCertificate(&acmpca.GetCertificateInput{ + CertificateAuthorityArn: aws.String(arn), + CertificateArn: issueCertResp.CertificateArn, + }) + if err != nil { + return fmt.Errorf("error getting ACMPCA Certificate Authority (%s) issued Root CA certificate: %s", arn, err) + } + + _, err = conn.ImportCertificateAuthorityCertificate(&acmpca.ImportCertificateAuthorityCertificateInput{ + CertificateAuthorityArn: aws.String(arn), + Certificate: []byte(aws.StringValue(getCertResp.Certificate)), + }) + if err != nil { + return fmt.Errorf("error importing ACMPCA Certificate Authority (%s) Root CA certificate: %s", arn, err) + } + + return err + } +} + func listAcmpcaCertificateAuthorities(conn *acmpca.ACMPCA) ([]*acmpca.CertificateAuthority, error) { certificateAuthorities := []*acmpca.CertificateAuthority{} input := &acmpca.ListCertificateAuthoritiesInput{} @@ -515,22 +596,23 @@ func listAcmpcaCertificateAuthorities(conn *acmpca.ACMPCA) ([]*acmpca.Certificat return certificateAuthorities, nil } -func testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(enabled bool) string { +func testAccAwsAcmpcaCertificateAuthorityConfig_Enabled(rName, certificateAuthorityType string, enabled bool) string { return fmt.Sprintf(` resource "aws_acmpca_certificate_authority" "test" { enabled = %[1]t permanent_deletion_time_in_days = 7 + type = %[2]q certificate_authority_configuration { key_algorithm = "RSA_4096" signing_algorithm = "SHA512WITHRSA" subject { - common_name = "terraformtesting.com" + common_name = "%[3]s.com" } } } -`, enabled) +`, enabled, certificateAuthorityType, rName) } const testAccAwsAcmpcaCertificateAuthorityConfig_Required = ` 
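Review bot: `testAccCheckAwsAcmpcaCertificateAuthorityActivateCA` hard-codes the template ARN as `arn:aws:acm-pca:::template/RootCACertificate/V1`, so the `aws` partition is baked in and the Enabled test would presumably fail when the acceptance suite runs in another partition; building the ARN from the partition of the configured region would avoid that. The `IssueCertificate` input also dereferences `certificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm` without a nil check, which panics instead of failing the test if the preceding Exists check left that field unset. Finally, the closure ends with `return err` where `err` is always nil at that point; `return nil` states the intent, and the `%s` verbs in the five `fmt.Errorf` calls could be `%w` to match the sweeper changes in this same patch.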
@@ -722,21 +804,3 @@ resource "aws_acmpca_certificate_authority" "test" { } } ` - -func testAccAwsAcmpcaCertificateAuthorityConfigType(certificateAuthorityType string) string { - return fmt.Sprintf(` -resource "aws_acmpca_certificate_authority" "test" { - permanent_deletion_time_in_days = 7 - type = %[1]q - - certificate_authority_configuration { - key_algorithm = "RSA_4096" - signing_algorithm = "SHA512WITHRSA" - - subject { - common_name = "terraformtesting.com" - } - } -} -`, certificateAuthorityType) -}