Merge pull request #45202 from hashicorp/b-aws_accessanalyzer_analyzer.resource_tags-crash

r/aws_accessanalyzer_analyzer Fix crash when `resource_tags` are `null`

Author: ewbankkit

.changelog/45202.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_accessanalyzer_analyzer: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panics when `configuration.unused_access.analysis_rule.exclusion.resource_tags` contains `null` values
+```

internal/service/accessanalyzer/accessanalyzer_test.go

@@ -26,6 +26,7 @@ func TestAccAccessAnalyzer_serial(t *testing.T) {
 			"tags":                       testAccAccessAnalyzerAnalyzer_tagsSerial,
 			"type_Organization":          testAccAnalyzer_typeOrganization,
 			"upgradeV5_95_0":             testAccAnalyzer_upgradeV5_95_0,
+			"nullInResourceTags":         testAccAnalyzer_nullInResourceTags,
 		},
 		"ArchiveRule": {
 			acctest.CtBasic:      testAccAnalyzerArchiveRule_basic,

internal/service/accessanalyzer/analyzer.go

@@ -397,25 +397,15 @@ func expandInternalAccessAnalysisRuleCriteria(tfMap map[string]any) *types.Inter
 	apiObject := &types.InternalAccessAnalysisRuleCriteria{}
 
 	if tfList, ok := tfMap["account_ids"].([]any); ok && len(tfList) > 0 {
-		for _, v := range tfList {
-			accountID, ok := v.(string)
-			if !ok {
-				continue
-			}
-			apiObject.AccountIds = append(apiObject.AccountIds, accountID)
-		}
+		apiObject.AccountIds = flex.ExpandStringValueList(tfList)
 	}
 
 	if tfList, ok := tfMap["resource_arns"].([]any); ok && len(tfList) > 0 {
-		for _, v := range tfList {
-			apiObject.ResourceArns = append(apiObject.ResourceArns, v.(string))
-		}
+		apiObject.ResourceArns = flex.ExpandStringValueList(tfList)
 	}
 
 	if tfList, ok := tfMap["resource_types"].([]any); ok && len(tfList) > 0 {
-		for _, v := range tfList {
-			apiObject.ResourceTypes = append(apiObject.ResourceTypes, types.ResourceType(v.(string)))
-		}
+		apiObject.ResourceTypes = flex.ExpandStringyValueList[types.ResourceType](tfList)
 	}
 
 	return apiObject
@@ -478,17 +468,14 @@ func expandAnalysisRuleCriteria(tfMap map[string]any) *types.AnalysisRuleCriteri
 	apiObject := &types.AnalysisRuleCriteria{}
 
 	if tfList, ok := tfMap["account_ids"].([]any); ok && len(tfList) > 0 {
-		for _, v := range tfList {
-			accountID, ok := v.(string)
-			if !ok {
-				continue
-			}
-			apiObject.AccountIds = append(apiObject.AccountIds, accountID)
-		}
+		apiObject.AccountIds = flex.ExpandStringValueList(tfList)
 	}
 
 	if tfList, ok := tfMap[names.AttrResourceTags].([]any); ok && len(tfList) > 0 {
 		for _, v := range tfList {
+			if v == nil {
+				continue
+			}
 			apiObject.ResourceTags = append(apiObject.ResourceTags, flex.ExpandStringValueMap(v.(map[string]any)))
 		}
 	}

internal/service/accessanalyzer/analyzer_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/service/accessanalyzer/types"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/plancheck"
@@ -358,6 +359,29 @@ func testAccAnalyzer_upgradeV5_95_0(t *testing.T) {
 	})
 }
 
+// https://github.com/hashicorp/terraform-provider-aws/issues/45136.
+func testAccAnalyzer_nullInResourceTags(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := acctest.RandomWithPrefix(t, acctest.ResourcePrefix)
+
+	acctest.Test(ctx, t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			testAccPreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.AccessAnalyzerServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckAnalyzerDestroy(ctx, t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAnalyzerConfig_nullInResourceTags(rName),
+				// Error, but no crash.
+				ExpectError: regexache.MustCompile(`External Access analyzers cannot be created with the configuration`),
+			},
+		},
+	})
+}
+
 func testAccCheckAnalyzerDestroy(ctx context.Context, t *testing.T) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.ProviderMeta(ctx, t).AccessAnalyzerClient(ctx)
@@ -603,3 +627,30 @@ resource "aws_accessanalyzer_analyzer" "test" {
 }
 `, rName)
 }
+
+func testAccAnalyzerConfig_nullInResourceTags(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_accessanalyzer_analyzer" "test" {
+  analyzer_name = %[1]q
+
+  configuration {
+    unused_access {
+      unused_access_age = 180
+      analysis_rule {
+        exclusion {
+          account_ids = [
+            "123456789012",
+            "234567890123",
+          ]
+        }
+        exclusion {
+          resource_tags = [
+            { key1 = null },
+          ]
+        }
+      }
+    }
+  }
+}
+`, rName)
+}