r/aws_route53_zone: skip disabling dnssec in unsupported partitions (#33103)

* r/aws_route53_zone: skip disabling dnssec in unsupported partitions

* chore: changelog

Author: jar-b

.changelog/33103.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_route53_zone: Skip disabling DNS SEC in unsupported partitions
+```

internal/service/route53/zone.go

@@ -445,7 +445,8 @@ func dnsSECStatus(ctx context.Context, conn *route53.Route53, hostedZoneID strin
 		output, err = conn.GetDNSSECWithContext(ctx, input)
 	}
 
-	if tfawserr.ErrMessageContains(err, route53.ErrCodeInvalidArgument, "Operation is unsupported for private") {
+	if tfawserr.ErrMessageContains(err, route53.ErrCodeInvalidArgument, "Operation is unsupported for private") ||
+		tfawserr.ErrMessageContains(err, "AccessDenied", "The operation GetDNSSEC is not available for the current AWS account") {
 		return "NOT_SIGNING", nil
 	}
 

internal/service/route53/zone_test.go

@@ -449,6 +449,39 @@ func TestAccRoute53Zone_VPC_updates(t *testing.T) {
 	})
 }
 
+// Excercises exception handling during forced destruction in partitions
+// which do no support DNSSEC (e.g. GovCloud).
+//
+// Ref: https://github.com/hashicorp/terraform-provider-aws/issues/22334
+func TestAccRoute53Zone_VPC_single_forceDestroy(t *testing.T) {
+	ctx := acctest.Context(t)
+	var zone route53.GetHostedZoneOutput
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_route53_zone.test"
+	vpcResourceName := "aws_vpc.test1"
+	zoneName := acctest.RandomDomainName()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, route53.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckZoneDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccZoneConfig_vpcSingle_forceDestroy(rName, zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckZoneExists(ctx, resourceName, &zone),
+					resource.TestCheckResourceAttr(resourceName, "vpc.#", "1"),
+					testAccCheckZoneAssociatesVPC(vpcResourceName, &zone),
+					// Add >100 records to verify pagination works ok
+					testAccCreateRandomRecordsInZoneID(ctx, &zone, 100),
+					testAccCreateRandomRecordsInZoneID(ctx, &zone, 5),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckZoneDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).Route53Conn(ctx)
@@ -706,3 +739,24 @@ resource "aws_route53_zone" "test" {
 }
 `, rName, zoneName)
 }
+
+func testAccZoneConfig_vpcSingle_forceDestroy(rName, zoneName string) string {
+	return fmt.Sprintf(`
+resource "aws_vpc" "test1" {
+  cidr_block = "10.1.0.0/16"
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_route53_zone" "test" {
+  force_destroy = true
+  name          = "%[2]s."
+
+  vpc {
+    vpc_id = aws_vpc.test1.id
+  }
+}
+`, rName, zoneName)
+}