[Bug]: sns_platform_application cannot be updated in place with token auth and unchanged team ID/bundle ID

[mattbooks]

Terraform Core Version

1.5.3

AWS Provider Version

5.79.0

Affected Resource(s)

• aws_sns_platform_application

Expected Behavior

resource "aws_sns_platform_application" "apns_application" {
  platform                  = "APNS"
  platform_credential       = "<APNS_TOKEN_BASED_AUTH_SECRET>"
  platform_principal        = "<APNS_KEY_ID>"
  apple_platform_team_id    = "<TEAM_ID>"
  apple_platform_bundle_id  = "<BUNDLE_ID"
}

Changing platform_credential should perform an in-place update to set new token-based authentication for the platform application.

Actual Behavior

When updating platform_credential, terraform does plan an in-place update. The code already allows for special cases of updates to this field: https://github.com/hashicorp/terraform-provider-aws/blob/v5.79.0/internal/service/sns/platform_application.go#L218-L223 and includes platform_principal even if it didn't change.

However, this only works for certificate-based auth. For token-based auth, all 4 attributes must be specified.

If you attempt to update only credential, AWS returns the following error:

InvalidParameter: Invalid parameter: PlatformPrincipal is not a valid Apple certificate.

This implies that AWS is expecting certificate-based authentication.

This can be confirmed by manual testing of the SetPlatformApplicationAttributes API:

aws sns set-platform-application-attributes --platform-application-arn=arn:aws:sns:us-west-2:1234:app/APNS/my_app --attributes=PlatformPrincipal=ABCD,PlatformCredential=FAKE

returns: Invalid parameter: PlatformPrincipal is not a valid Apple certificate.

aws sns set-platform-application-attributes --platform-application-arn=arn:aws:sns:us-west-2:1234:app/APNS/my_app --attributes=PlatformPrincipal=ABCD,PlatformCredential=FAKE,ApplePlatformTeamID=ABCD,ApplePlatformBundleID=com.my.app

returns: Invalid parameter: Attributes Reason: The provided key could not be used to sign the APNs authentication token

Relevant Error/Panic Output Snippet

Terraform Configuration Files

resource "aws_sns_platform_application" "apns_application" {
  platform                  = "APNS"
  platform_credential       = "<APNS_TOKEN_BASED_AUTH_SECRET>"
  platform_principal        = "<APNS_KEY_ID>"
  apple_platform_team_id    = "<TEAM_ID>"
  apple_platform_bundle_id  = "<BUNDLE_ID"
}

Steps to Reproduce

1. Create an SNS platform application with token-based auth
2. Update the platform_credential value and none of the other attributes
3. Try to apply the in-place update

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[imunhatep]

Seems we faced similar issue: updating platform_principal attribute results in failed update with:

InvalidParameter: Invalid parameter: PlatformPrincipal is not a valid Apple certificate.

Rerunning apply, show no changes.