[Bug]: aws_iot_ca_certificate registration_config role_arn type mismatch #35079

Closed
miljanic opened this issue Dec 28, 2023 · 8 comments · Fixed by #35234
Labels
bug Addresses a defect in current functionality. service/iot Issues and PRs that pertain to the iot service.
@miljanic

Terraform Core Version

1.6.6

AWS Provider Version

5.30.0

Affected Resource(s)

aws_iot_ca_certificate

Expected Behavior

When I provide the role ARN (a string value) to the registration_config.role_arn I expect the aws_iot_ca_certificate resource to be created.

Actual Behavior

I am receiving an error:

Inappropriate value for attribute "role_arn": a bool is required.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

/

Steps to Reproduce

Follow the example from the documentation and add the registration_config block to the aws_iot_ca_certificate resource.

resource "aws_iam_role" "this" {...}
resource "tls_self_signed_cert" "ca" {...}
resource "tls_private_key" "ca" {...}
resource "tls_cert_request" "verification" {...}
resource "tls_private_key" "verification" {...}
resource "tls_locally_signed_cert" "verification" {...}
data "aws_iot_registration_code" "example" {}

resource "aws_iot_ca_certificate" "example" {
  active                       = true
  ca_certificate_pem           = tls_self_signed_cert.ca.cert_pem
  verification_certificate_pem = tls_locally_signed_cert.verification.cert_pem
  allow_auto_registration      = true
  
  registration_config {
    role_arn = aws_iam_role.this.arn
    template_body = "..."
  }
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

I assume this issue is related to the wrong type on the role_arn field in the Go code here:

"role_arn": {
	Type:         schema.TypeBool,
	Optional:     true,
	ValidateFunc: verify.ValidARN,
},

instead of

"role_arn": {
	Type:         schema.TypeString,
	Optional:     true,
	ValidateFunc: verify.ValidARN,
},

Would you like to implement a fix?

No

@miljanic miljanic added the bug Addresses a defect in current functionality. label Dec 28, 2023
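
The mismatch identified in the issue above can be caught mechanically. As an added example (not part of the issue or the provider's own code), this Go program parses schema source with go/ast and flags keyed entries that use verify.ValidARN with a Type other than schema.TypeString; the sample source, the map variable `s`, the `fixed_role_arn` key and the function name are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample: both role_arn definitions from the issue; "s" and "fixed_role_arn" are hypothetical.
const sample = `package p
var s = map[string]*schema.Schema{
	"role_arn":       {Type: schema.TypeBool, Optional: true, ValidateFunc: verify.ValidARN},
	"fixed_role_arn": {Type: schema.TypeString, Optional: true, ValidateFunc: verify.ValidARN},
}`

// FindARNTypeMismatches flags keyed schema literals that pair verify.ValidARN with a non-string Type.
func FindARNTypeMismatches(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "schema.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []string
	ast.Inspect(file, func(n ast.Node) bool {
		kv, ok := n.(*ast.KeyValueExpr)
		if !ok {
			return true
		}
		fields := map[string]string{} // struct field name -> value as written
		if lit, ok := kv.Value.(*ast.CompositeLit); ok {
			for _, el := range lit.Elts {
				if f, ok := el.(*ast.KeyValueExpr); ok {
					fields[types.ExprString(f.Key)] = types.ExprString(f.Value)
				}
			}
		}
		if fields["ValidateFunc"] == "verify.ValidARN" && fields["Type"] != "schema.TypeString" {
			out = append(out, fmt.Sprintf("%s line %d: Type is %s", types.ExprString(kv.Key), fset.Position(kv.Pos()).Line, fields["Type"]))
		}
		return true
	})
	return out, nil
}

func main() {
	fmt.Println(FindARNTypeMismatches(sample))
}
```

The check only covers entries written in the keyed `"name": {...}` form shown in the issue.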

@github-actions github-actions bot added service/iam Issues and PRs that pertain to the iam service. service/iot Issues and PRs that pertain to the iot service. labels Dec 28, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 28, 2023
@WitoldSlawko

Hi.

Bumping attention as well for this bug to be fixed:

as currently it is blocking setting IoT JITP via Terraform :/

@acwwat
Contributor

acwwat commented Jan 10, 2024

I'd like to help but I am having trouble finding information about the registration_config block. I can't find much in the documentation, and I don't see any options (so far) in the AWS Management Console either. While I can simply fix the data type, the best thing to do is to add a test case to validate a scenario with registration_config set.

Could someone please give an exact example of a Terraform config for the registration_config block and also explain what the role ARN is used for (what policy it should have for what service)? Thank you.

@acwwat
Contributor

acwwat commented Jan 10, 2024

I think I have what I need after reading up on provisioning template. Since the test case won't be provisioning any devices, I will set up a dummy IOT service role with no policy and a sample JITP template pulled from the AWS doc. They might not work in practice but should be sufficient for testing the Terraform resource.

@WitoldSlawko

Hi Anthony,

Thank you for the quick response and for setting up the PR. You are exactly right on the spot. I also checked your PR: #35234, and for me it looks nice and it's good to go :)

@justinretzolk justinretzolk removed service/iam Issues and PRs that pertain to the iam service. needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2024
@ewbankkit
Contributor

Relates #15098.

@github-actions github-actions bot added this to the v5.33.0 milestone Jan 12, 2024

This functionality has been released in v5.32.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 12, 2024