### Terraform Version

```shell
Terraform v1.6.6
```

### Terraform Configuration Files

```terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.18.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# IAM Role for Gateway
resource "aws_iam_role" "gateway" {
  name = "test-gateway-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Service = "bedrock-agentcore.amazonaws.com"
      }
      Action = "sts:AssumeRole"
      Condition = {
        StringEquals = {
          "aws:SourceAccount" = "123456789012"
        }
      }
    }]
  })
}

# Gateway with AWS_IAM authorizer
resource "aws_bedrockagentcore_gateway" "test" {
  name            = "test-gateway"
  authorizer_type = "AWS_IAM"
  protocol_type   = "MCP"
  role_arn        = aws_iam_role.gateway.arn

  # According to AWS API docs, authorizer_configuration should NOT be
  # required for AWS_IAM, but the provider marks it as required
}
```

### Debug Output

The key error occurs during validation:

```
Error: Invalid Block

  with aws_bedrockagentcore_gateway.test,
  on main.tf line 28, in resource "aws_bedrockagentcore_gateway" "test":
  28: resource "aws_bedrockagentcore_gateway" "test" {

Block authorizer_configuration must have a configuration value as the provider has marked it as required
```

When attempting to provide an empty `authorizer_configuration {}` block:

```
Error: creating Bedrock AgentCore Gateway: Incompatible Types

  with aws_bedrockagentcore_gateway.test,
  on main.tf line 28, in resource "aws_bedrockagentcore_gateway" "test":
  28: resource "aws_bedrockagentcore_gateway" "test" {

Cause: An unexpected error occurred while expanding configuration. This is always an error in the provider. Please report the following to the provider developer:

Expanding "github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore.authorizerConfigurationModel" returned nil.
```

### Expected Behavior

When `authorizer_type = "AWS_IAM"` is specified, the `authorizer_configuration` block should be **optional** or **not allowed**.

According to the [AWS CreateGateway API documentation](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGateway.html):

**authorizerConfiguration** (Conditional):

> "If you specify `CUSTOM_JWT` as the `authorizerType`, you must provide an `authorizerConfiguration`."

This clearly indicates that:

- For `CUSTOM_JWT`: `authorizerConfiguration` is **required**
- For `AWS_IAM`: `authorizerConfiguration` is **not required**

### Actual Behavior

The Terraform provider marks `authorizer_configuration` as **required** regardless of the `authorizer_type` value.

**Scenario 1**: Without `authorizer_configuration` block

- **Result**: Terraform validation fails
- **Error**: "Block authorizer_configuration must have a configuration value as the provider has marked it as required"

**Scenario 2**: With empty `authorizer_configuration {}` block

- **Result**: Terraform apply fails
- **Error**: "Incompatible Types" - expanding authorizerConfigurationModel returned nil

**Scenario 3**: With `custom_jwt_authorizer` block (incorrect for AWS_IAM)

- **Result**: Would be semantically incorrect and likely fail at AWS API level

### Steps to Reproduce

1. Create the Terraform configuration shown above
2. Run `terraform init`
3. Run `terraform validate`
4. Observe the error: "Block authorizer_configuration must have a configuration value as the provider has marked it as required"

Alternative reproduction:

1. Add empty `authorizer_configuration {}` to the config
2. Run `terraform apply`
3. Observe the error: "Incompatible Types - expanding authorizerConfigurationModel returned nil"

### Additional Context

The provider's schema definition appears to incorrectly mark `authorizer_configuration` as universally required:

```bash
$ terraform providers schema -json | jq '.provider_schemas["registry.terraform.io/hashicorp/aws"].resource_schemas["aws_bedrockagentcore_gateway"].block.block_types.authorizer_configuration'
```

Shows that `authorizer_configuration` is a required block with only `custom_jwt_authorizer` as a sub-block option, with no conditional logic based on `authorizer_type`.

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
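
The schema check from "Additional Context", generalized to every nested block of a resource, as an added example (not part of the original report and not the provider's code). The embedded JSON is a constructed sample shaped like `terraform providers schema -json` output, and the helper name `nested_blocks` is hypothetical. It assumes the requirement is expressed through `min_items`; a requirement enforced only in the provider's validation logic would not appear in the schema JSON.

```python
import json

# Constructed sample in the shape of `terraform providers schema -json`.
# It is NOT the real aws provider schema; it mirrors what the report describes.
SAMPLE_SCHEMA = json.loads("""
{"provider_schemas": {"registry.terraform.io/hashicorp/aws": {"resource_schemas": {
  "aws_bedrockagentcore_gateway": {"block": {
    "attributes": {"authorizer_type": {"type": "string", "required": true}},
    "block_types": {
      "authorizer_configuration": {
        "nesting_mode": "list", "min_items": 1, "max_items": 1,
        "block": {"block_types": {
          "custom_jwt_authorizer": {"nesting_mode": "list", "max_items": 1, "block": {}}
        }}
      }
    }
  }}
}}}}
""")

PROVIDER = "registry.terraform.io/hashicorp/aws"


def nested_blocks(schema, resource, provider=PROVIDER):
    """Map each nested block path to whether it is required and its sub-blocks."""
    root = schema["provider_schemas"][provider]["resource_schemas"][resource]["block"]
    found = {}

    def walk(block, prefix):
        for name, spec in sorted(block.get("block_types", {}).items()):
            path = f"{prefix}.{name}" if prefix else name
            inner = spec.get("block", {})
            found[path] = {
                # Assumption: a required block is declared with min_items >= 1.
                "required": spec.get("min_items", 0) >= 1,
                "children": sorted(inner.get("block_types", {})),
            }
            walk(inner, path)  # recurse so deeper required blocks are listed too

    walk(root, "")
    return found


if __name__ == "__main__":
    result = nested_blocks(SAMPLE_SCHEMA, "aws_bedrockagentcore_gateway")
    for path, info in result.items():
        print(f"{path}: required={info['required']} children={info['children']}")
```

To run it against a real installation, replace `SAMPLE_SCHEMA` with the parsed output of `terraform providers schema -json` from an initialized working directory.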