hashicorp · ewbankkit · Aug 28, 2024 · Aug 3, 2024 · Aug 26, 2024 · Aug 27, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_verifiedaccess_endpoint: Set PolicyEnabled flag to `false` on update if `policy_document` is empty
+```
@@ -187,7 +187,6 @@ func resourceVerifiedAccessEndpoint() *schema.Resource {
 
 func resourceVerifiedAccessEndpointCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-
 	conn := meta.(*conns.AWSClient).EC2Client(ctx)
 
 	input := &ec2.CreateVerifiedAccessEndpointInput{
@@ -242,7 +241,6 @@ func resourceVerifiedAccessEndpointCreate(ctx context.Context, d *schema.Resourc
 
 func resourceVerifiedAccessEndpointRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-
 	conn := meta.(*conns.AWSClient).EC2Client(ctx)
 
 	ep, err := findVerifiedAccessEndpointByID(ctx, conn, d.Id())
@@ -331,11 +329,16 @@ func resourceVerifiedAccessEndpointUpdate(ctx context.Context, d *schema.Resourc
 
 	if d.HasChange("policy_document") {
 		input := &ec2.ModifyVerifiedAccessEndpointPolicyInput{
-			PolicyDocument:           aws.String(d.Get("policy_document").(string)),
-			PolicyEnabled:            aws.Bool(true),
 			VerifiedAccessEndpointId: aws.String(d.Id()),
 		}
 
+		if v := d.Get("policy_document").(string); v != "" {
+			input.PolicyEnabled = aws.Bool(true)
+			input.PolicyDocument = aws.String(v)
+		} else {
+			input.PolicyEnabled = aws.Bool(false)
+		}
+
 		_, err := conn.ModifyVerifiedAccessEndpointPolicy(ctx, input)
 
 		if err != nil {
@@ -348,7 +351,6 @@ func resourceVerifiedAccessEndpointUpdate(ctx context.Context, d *schema.Resourc
 
 func resourceVerifiedAccessEndpointDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-
 	conn := meta.(*conns.AWSClient).EC2Client(ctx)
 
 	log.Printf("[INFO] Deleting Verified Access Endpoint: %s", d.Id())

@@ -242,6 +242,12 @@ func testAccVerifiedAccessEndpoint_policyDocument(t *testing.T, semaphore tfsync
 					resource.TestCheckResourceAttr(resourceName, "policy_document", policyDoc),
 				),
 			},
+			{
+				Config: testAccVerifiedAccessEndpointConfig_policyBase(rName, acctest.TLSPEMEscapeNewlines(key), acctest.TLSPEMEscapeNewlines(certificate)),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckVerifiedAccessEndpointExists(ctx, resourceName, &v),
+				),
+			},
 		},
 	})
 }

@@ -54,7 +54,7 @@ func resourceConfigurationTemplate() *schema.Resource {
 					Optional: true,
 					Computed: true,
 					Elem:     settingSchema(),
-					Set:      optionSettingValueHash,
+					Set:      hashSettingsValue,
 				},
 				"solution_stack_name": {
 					Type:     schema.TypeString,
@@ -85,7 +85,7 @@ func resourceConfigurationTemplateCreate(ctx context.Context, d *schema.Resource
 	}
 
 	if v, ok := d.GetOk("setting"); ok && v.(*schema.Set).Len() > 0 {
-		input.OptionSettings = expandConfigurationOptionSettings(v.(*schema.Set))
+		input.OptionSettings = expandConfigurationOptionSettings(v.(*schema.Set).List())
 	}
 
 	if attr, ok := d.GetOk("solution_stack_name"); ok {
@@ -148,7 +148,7 @@ func resourceConfigurationTemplateUpdate(ctx context.Context, d *schema.Resource
 	if d.HasChange("setting") {
 		o, n := d.GetChange("setting")
 		os, ns := o.(*schema.Set), n.(*schema.Set)
-		add, del := expandConfigurationOptionSettings(ns.Difference(os)), expandConfigurationOptionSettings(os.Difference(ns))
+		add, del := expandConfigurationOptionSettings(ns.Difference(os).List()), expandConfigurationOptionSettings(os.Difference(ns).List())
 
 		// Additions and removals of options are done in a single API call, so we
 		// can't do our normal "remove these" and then later "add these", re-adding