acc test cases for new field on transfer server

internal/service/transfer/server.go

@@ -305,10 +305,6 @@ func resourceServerCreate(ctx context.Context, d *schema.ResourceData, meta inte
 		input.Certificate = aws.String(v.(string))
 	}
 
-	if v, ok := d.GetOk("structured_log_destinations"); ok {
-		input.StructuredLogDestinations = flex.ExpandStringSet(v.(*schema.Set))
-	}
-
 	if v, ok := d.GetOk("directory_id"); ok {
 		if input.IdentityProviderDetails == nil {
 			input.IdentityProviderDetails = &transfer.IdentityProviderDetails{}
@@ -384,6 +380,10 @@ func resourceServerCreate(ctx context.Context, d *schema.ResourceData, meta inte
 		input.SecurityPolicyName = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("structured_log_destinations"); ok {
+		input.StructuredLogDestinations = flex.ExpandStringSet(v.(*schema.Set))
+	}
+
 	if v, ok := d.GetOk("url"); ok {
 		if input.IdentityProviderDetails == nil {
 			input.IdentityProviderDetails = &transfer.IdentityProviderDetails{}
@@ -450,7 +450,6 @@ func resourceServerRead(ctx context.Context, d *schema.ResourceData, meta interf
 	}
 
 	d.Set("arn", output.Arn)
-	d.Set("structured_log_destinations", aws.StringValueSlice(output.StructuredLogDestinations))
 	d.Set("certificate", output.Certificate)
 	if output.IdentityProviderDetails != nil {
 		d.Set("directory_id", output.IdentityProviderDetails.DirectoryId)
@@ -503,6 +502,7 @@ func resourceServerRead(ctx context.Context, d *schema.ResourceData, meta interf
 	}
 	d.Set("protocols", aws.StringValueSlice(output.Protocols))
 	d.Set("security_policy_name", output.SecurityPolicyName)
+	d.Set("structured_log_destinations", aws.StringValueSlice(output.StructuredLogDestinations))
 	if output.IdentityProviderDetails != nil {
 		d.Set("url", output.IdentityProviderDetails.Url)
 	} else {
@@ -544,12 +544,6 @@ func resourceServerUpdate(ctx context.Context, d *schema.ResourceData, meta inte
 			input.Certificate = aws.String(d.Get("certificate").(string))
 		}
 
-		// per the docs it does not matter if this field has changed,
-		// if the update passes this as empty the structured logging will be turned off,
-		// so we need to always pass the new.
-		_, newStructuredLogDestinations := d.GetChange("structured_log_destinations")
-		input.StructuredLogDestinations = flex.ExpandStringSet(newStructuredLogDestinations.(*schema.Set))
-
 		if d.HasChange("endpoint_details") {
 			if v, ok := d.GetOk("endpoint_details"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
 				input.EndpointDetails = expandEndpointDetails(v.([]interface{})[0].(map[string]interface{}))
@@ -686,6 +680,11 @@ func resourceServerUpdate(ctx context.Context, d *schema.ResourceData, meta inte
 			input.SecurityPolicyName = aws.String(d.Get("security_policy_name").(string))
 		}
 
+		// per the docs it does not matter if this field has changed,
+		// if the update passes this as empty the structured logging will be turned off,
+		// so we need to always pass the new.
+		input.StructuredLogDestinations = flex.ExpandStringSet(d.Get("structured_log_destinations").(*schema.Set))
+
 		if d.HasChange("workflow_details") {
 			input.WorkflowDetails = expandWorkflowDetails(d.Get("workflow_details").([]interface{}))
 		}

internal/service/transfer/server_test.go

@@ -5,6 +5,7 @@ package transfer_test
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"regexp"
 	"testing"
@@ -740,6 +741,90 @@ func testAccServer_updateEndpointType_vpcToPublic(t *testing.T) {
 	})
 }
 
+func testAccServer_structuredLogDestinations(t *testing.T) {
+	ctx := acctest.Context(t)
+	var s transfer.DescribedServer
+	resourceName := "aws_transfer_server.test"
+	cloudwatchLogGroupName := "aws_cloudwatch_log_group.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, transfer.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckServerDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccServerConfig_structuredLogDestinations(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &s),
+					// resource.TestCheckTypeSetElemAttr(resourceName, "structured_logging_destinations.*", *s.StructuredLogDestinations[0]),
+					resource.ComposeTestCheckFunc(func(s *terraform.State) error {
+						cwResource, ok := s.RootModule().Resources[cloudwatchLogGroupName]
+						if !ok {
+							return fmt.Errorf("resource not found: %s", cloudwatchLogGroupName)
+						}
+						cwARN, ok := cwResource.Primary.Attributes["arn"]
+						if !ok {
+							return errors.New("cloudwatch group arn missing")
+						}
+						expectedSLD := fmt.Sprintf("%s:*", cwARN)
+						transferServerResource, ok := s.RootModule().Resources[resourceName]
+						if !ok {
+							return fmt.Errorf("resource not found: %s", resourceName)
+						}
+						slds, ok := transferServerResource.Primary.Attributes["structured_log_destinations"]
+						if !ok {
+							return errors.New("transfer server structured logging destinations missing")
+						}
+						if expectedSLD != slds {
+							return fmt.Errorf("'%s' != '%s'", expectedSLD, slds)
+						}
+						return nil
+					}),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy"},
+			},
+			{
+				Config: testAccServerConfig_structuredLogDestinationsUpdate(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServerExists(ctx, resourceName, &s),
+					// resource.TestCheckTypeSetElemAttr(resourceName, "structured_logging_destinations.*", *s.StructuredLogDestinations[0]),
+					// resource.TestCheckTypeSetElemAttr(resourceName, "structured_logging_destinations.*", fmt.Sprintf("\"${%s.arn}:*\"", cloudwatchLogGroupName)),
+					resource.ComposeTestCheckFunc(func(s *terraform.State) error {
+						cwResource, ok := s.RootModule().Resources[cloudwatchLogGroupName]
+						if !ok {
+							return fmt.Errorf("resource not found: %s", cloudwatchLogGroupName)
+						}
+						cwARN, ok := cwResource.Primary.Attributes["arn"]
+						if !ok {
+							return errors.New("cloudwatch group arn missing")
+						}
+						expectedSLD := fmt.Sprintf("%s:*", cwARN)
+						transferServerResource, ok := s.RootModule().Resources[resourceName]
+						if !ok {
+							return fmt.Errorf("resource not found: %s", resourceName)
+						}
+						slds, ok := transferServerResource.Primary.Attributes["structured_logging_destinations"]
+						if !ok {
+							return errors.New("transfer server structured logging destinations missing")
+						}
+						if expectedSLD != slds {
+							return fmt.Errorf("'%s' != '%s'", expectedSLD, slds)
+						}
+						return nil
+					}),
+				),
+			},
+		},
+	})
+}
+
 func testAccServer_protocols(t *testing.T) {
 	ctx := acctest.Context(t)
 	var s transfer.DescribedServer
@@ -1784,6 +1869,85 @@ resource "aws_transfer_server" "test" {
 `, rName, hostKey)
 }
 
+func testAccServerConfig_structuredLogDestinations(rName string) string {
+	return acctest.ConfigCompose(
+		fmt.Sprintf(`
+		resource "aws_cloudwatch_log_group" "test" {
+			name_prefix = "transfer_test_"
+		  }
+		  
+		  data "aws_iam_policy_document" "test" {
+			statement {
+			  effect = "Allow"
+		  
+			  principals {
+				type        = "Service"
+				identifiers = ["transfer.amazonaws.com"]
+			  }
+		  
+			  actions = ["sts:AssumeRole"]
+			}
+		  }
+		  
+		  resource "aws_iam_role" "test" {
+			name_prefix         = "iam_for_transfer_"
+			assume_role_policy  = data.aws_iam_policy_document.test.json
+			managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"]
+		  }
+		  
+		  resource "aws_transfer_server" "test" {
+			endpoint_type = "PUBLIC"
+			logging_role  = aws_iam_role.test.arn
+			protocols     = ["SFTP"]
+			structured_log_destinations = [
+			  "${aws_cloudwatch_log_group.test.arn}:*"
+			]
+			tags = {
+			  Name = %[1]q
+			}
+		  }
+		`, rName),
+	)
+}
+
+func testAccServerConfig_structuredLogDestinationsUpdate() string {
+	return acctest.ConfigCompose(
+		fmt.Sprintf(`
+		resource "aws_cloudwatch_log_group" "test" {
+			name_prefix = "transfer_test_"
+		  }
+		  
+		  data "aws_iam_policy_document" "test" {
+			statement {
+			  effect = "Allow"
+		  
+			  principals {
+				type        = "Service"
+				identifiers = ["transfer.amazonaws.com"]
+			  }
+		  
+			  actions = ["sts:AssumeRole"]
+			}
+		  }
+		  
+		  resource "aws_iam_role" "test" {
+			name_prefix         = "iam_for_transfer_"
+			assume_role_policy  = data.aws_iam_policy_document.test.json
+			managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"]
+		  }
+		  
+		  resource "aws_transfer_server" "test" {
+			endpoint_type = "PUBLIC"
+			logging_role  = aws_iam_role.test.arn
+			protocols     = ["SFTP"]
+			structured_log_destinations = [
+			  "${aws_cloudwatch_log_group.test.arn}:*"
+			]
+		  }
+		`),
+	)
+}
+
 func testAccServerConfig_protocols(rName string) string {
 	return acctest.ConfigCompose(
 		testAccServerConfig_vpcBase(rName),

internal/service/transfer/transfer_test.go

@@ -42,6 +42,7 @@ func TestAccTransfer_serial(t *testing.T) {
 			"Protocols":                     testAccServer_protocols,
 			"ProtocolDetails":               testAccServer_protocolDetails,
 			"SecurityPolicy":                testAccServer_securityPolicy,
+			"StructuredLogDestinations":     testAccServer_structuredLogDestinations,
 			"UpdateEndpointTypePublicToVPC": testAccServer_updateEndpointType_publicToVPC,
 			"UpdateEndpointTypePublicToVPCAddressAllocationIDs":      testAccServer_updateEndpointType_publicToVPC_addressAllocationIDs,
 			"UpdateEndpointTypeVPCEndpointToVPC":                     testAccServer_updateEndpointType_vpcEndpointToVPC,

website/docs/r/transfer_server.html.markdown

@@ -86,6 +86,7 @@ resource "aws_transfer_server" "example" {
 ```
 
 ### Using Structured Logging Destinations
+
 ```terraform
 resource "aws_cloudwatch_log_group" "transfer" {
   name_prefix = "transfer_test_"