[Enhancement] aws_ec2_transit_gateway: Add encryption_support argument

.changelog/45317.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_ec2_transit_gateway: Add `encryption_support` argument
+```
+
+```release-note:enhancement
+data-source/aws_ec2_transit_gateway: Add `encryption_support` attribute
+```

internal/service/ec2/transitgateway_.go

@@ -100,6 +100,12 @@ func resourceTransitGateway() *schema.Resource {
 				Default:          awstypes.DnsSupportValueEnable,
 				ValidateDiagFunc: enum.Validate[awstypes.DnsSupportValue](),
 			},
+			"encryption_support": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          awstypes.EncryptionSupportOptionValueDisable,
+				ValidateDiagFunc: enum.Validate[awstypes.EncryptionSupportOptionValue](),
+			},
 			"multicast_support": {
 				Type:             schema.TypeString,
 				Optional:         true,
@@ -190,6 +196,18 @@ func resourceTransitGatewayCreate(ctx context.Context, d *schema.ResourceData, m
 		return sdkdiag.AppendErrorf(diags, "waiting for EC2 Transit Gateway (%s) create: %s", d.Id(), err)
 	}
 
+	if v, ok := d.GetOk("encryption_support"); ok && v.(string) == string(awstypes.EncryptionSupportOptionValueEnable) {
+		input := &ec2.ModifyTransitGatewayInput{
+			TransitGatewayId: output.TransitGateway.TransitGatewayId,
+			Options: &awstypes.ModifyTransitGatewayOptions{
+				EncryptionSupport: awstypes.EncryptionSupportOptionValue(v.(string)),
+			},
+		}
+		if _, err := conn.ModifyTransitGateway(ctx, input); err != nil {
+			return sdkdiag.AppendErrorf(diags, "updating EC2 Transit Gateway (%s) encryption support: %s", d.Id(), err)
+		}
+	}
+
 	return append(diags, resourceTransitGatewayRead(ctx, d, meta)...)
 }
 
@@ -217,6 +235,14 @@ func resourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, met
 	d.Set("default_route_table_propagation", transitGateway.Options.DefaultRouteTablePropagation)
 	d.Set(names.AttrDescription, transitGateway.Description)
 	d.Set("dns_support", transitGateway.Options.DnsSupport)
+	var encryptionSupport string
+	encryptionState := transitGateway.Options.EncryptionSupport.EncryptionState
+	if encryptionState == awstypes.EncryptionStateValueEnabled || encryptionState == awstypes.EncryptionStateValueEnabling {
+		encryptionSupport = string(awstypes.EncryptionSupportOptionValueEnable)
+	} else {
+		encryptionSupport = string(awstypes.EncryptionSupportOptionValueDisable)
+	}
+	d.Set("encryption_support", encryptionSupport)
 	d.Set("multicast_support", transitGateway.Options.MulticastSupport)
 	d.Set(names.AttrOwnerID, transitGateway.OwnerId)
 	d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId)
@@ -263,6 +289,10 @@ func resourceTransitGatewayUpdate(ctx context.Context, d *schema.ResourceData, m
 			input.Options.DnsSupport = awstypes.DnsSupportValue(d.Get("dns_support").(string))
 		}
 
+		if d.HasChange("encryption_support") {
+			input.Options.EncryptionSupport = awstypes.EncryptionSupportOptionValue(d.Get("encryption_support").(string))
+		}
+
 		if d.HasChange("security_group_referencing_support") {
 			input.Options.SecurityGroupReferencingSupport = awstypes.SecurityGroupReferencingSupportValue(d.Get("security_group_referencing_support").(string))
 		}

internal/service/ec2/transitgateway_data_source.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	awstypes "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -62,6 +63,10 @@ func dataSourceTransitGateway() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"encryption_support": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			names.AttrFilter: customFiltersSchema(),
 			names.AttrID: {
 				Type:     schema.TypeString,
@@ -132,6 +137,14 @@ func dataSourceTransitGatewayRead(ctx context.Context, d *schema.ResourceData, m
 	d.Set("default_route_table_propagation", transitGateway.Options.DefaultRouteTablePropagation)
 	d.Set(names.AttrDescription, transitGateway.Description)
 	d.Set("dns_support", transitGateway.Options.DnsSupport)
+	var encryptionSupport string
+	encryptionState := transitGateway.Options.EncryptionSupport.EncryptionState
+	if encryptionState == awstypes.EncryptionStateValueEnabled || encryptionState == awstypes.EncryptionStateValueEnabling {
+		encryptionSupport = string(awstypes.EncryptionSupportOptionValueEnable)
+	} else {
+		encryptionSupport = string(awstypes.EncryptionSupportOptionValueDisable)
+	}
+	d.Set("encryption_support", encryptionSupport)
 	d.Set("multicast_support", transitGateway.Options.MulticastSupport)
 	d.Set(names.AttrOwnerID, transitGateway.OwnerId)
 	d.Set("propagation_default_route_table_id", transitGateway.Options.PropagationDefaultRouteTableId)

internal/service/ec2/transitgateway_data_source_test.go

@@ -120,6 +120,7 @@ func testAccTransitGatewayDataSource_Filter(t *testing.T, semaphore tfsync.Semap
 					resource.TestCheckResourceAttrPair(resourceName, "default_route_table_propagation", dataSourceName, "default_route_table_propagation"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrDescription, dataSourceName, names.AttrDescription),
 					resource.TestCheckResourceAttrPair(resourceName, "dns_support", dataSourceName, "dns_support"),
+					resource.TestCheckResourceAttrPair(resourceName, "encryption_support", dataSourceName, "encryption_support"),
 					resource.TestCheckResourceAttrPair(resourceName, "multicast_support", dataSourceName, "multicast_support"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID),
 					resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"),
@@ -160,6 +161,7 @@ func testAccTransitGatewayDataSource_ID(t *testing.T, semaphore tfsync.Semaphore
 					resource.TestCheckResourceAttrPair(resourceName, "default_route_table_propagation", dataSourceName, "default_route_table_propagation"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrDescription, dataSourceName, names.AttrDescription),
 					resource.TestCheckResourceAttrPair(resourceName, "dns_support", dataSourceName, "dns_support"),
+					resource.TestCheckResourceAttrPair(resourceName, "encryption_support", dataSourceName, "encryption_support"),
 					resource.TestCheckResourceAttrPair(resourceName, names.AttrOwnerID, dataSourceName, names.AttrOwnerID),
 					resource.TestCheckResourceAttrPair(resourceName, "propagation_default_route_table_id", dataSourceName, "propagation_default_route_table_id"),
 					resource.TestCheckResourceAttrPair(resourceName, "security_group_referencing_support", dataSourceName, "security_group_referencing_support"),

internal/service/ec2/transitgateway_test.go

@@ -76,6 +76,8 @@ func TestAccTransitGateway_serial(t *testing.T) {
 			"securityGroupReferencingSupport":                    testAccTransitGateway_securityGroupReferencingSupport,
 			"securityGroupReferencingSupportExistingResource":    testAccTransitGateway_securityGroupReferencingSupportExistingResource,
 			"vpnEcmpSupport":                                     testAccTransitGateway_vpnECMPSupport,
+			"encryptionSupportWhenCreated":                       testAccTransitGateway_encryptionSupportWhenCreated,
+			"encryptionSupportWhenUpdated":                       testAccTransitGateway_encryptionSupportWhenUpdated,
 		},
 		"MulticastDomain": {
 			acctest.CtBasic:      testAccTransitGatewayMulticastDomain_basic,
@@ -733,6 +735,77 @@ func testAccTransitGateway_description(t *testing.T, semaphore tfsync.Semaphore)
 	})
 }
 
+// Encryption support is enabled when creating a transit gateway
+func testAccTransitGateway_encryptionSupportWhenCreated(t *testing.T, semaphore tfsync.Semaphore) {
+	ctx := acctest.Context(t)
+	var transitGateway1 awstypes.TransitGateway
+	resourceName := "aws_ec2_transit_gateway.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheckTransitGatewaySynchronize(t, semaphore)
+			acctest.PreCheck(ctx, t)
+			testAccPreCheckTransitGateway(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckTransitGatewayDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTransitGatewayConfig_encryptionSupport(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1),
+					resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueEnable)),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+// A transit gateway is created without encryption support, then updated to enable it
+func testAccTransitGateway_encryptionSupportWhenUpdated(t *testing.T, semaphore tfsync.Semaphore) {
+	ctx := acctest.Context(t)
+	var transitGateway1 awstypes.TransitGateway
+	resourceName := "aws_ec2_transit_gateway.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheckTransitGatewaySynchronize(t, semaphore)
+			acctest.PreCheck(ctx, t)
+			testAccPreCheckTransitGateway(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckTransitGatewayDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTransitGatewayConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1),
+					resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueDisable)),
+				),
+			},
+			{
+				Config: testAccTransitGatewayConfig_encryptionSupport(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTransitGatewayExists(ctx, resourceName, &transitGateway1),
+					resource.TestCheckResourceAttr(resourceName, "encryption_support", string(awstypes.EncryptionSupportOptionValueEnable)),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccTransitGateway_tags(t *testing.T, semaphore tfsync.Semaphore) {
 	ctx := acctest.Context(t)
 	var transitGateway1, transitGateway2, transitGateway3 awstypes.TransitGateway
@@ -1188,3 +1261,11 @@ resource "aws_ec2_transit_gateway" "test" {
 }
 `, rName)
 }
+
+func testAccTransitGatewayConfig_encryptionSupport() string {
+	return `
+resource "aws_ec2_transit_gateway" "test" {
+  encryption_support = "enable"
+}
+`
+}

website/docs/d/ec2_transit_gateway.html.markdown

@@ -56,6 +56,7 @@ This data source exports the following attributes in addition to the arguments a
 * `default_route_table_propagation` - Whether resource attachments automatically propagate routes to the default propagation route table
 * `description` - Description of the EC2 Transit Gateway
 * `dns_support` - Whether DNS support is enabled
+* `encryption_support` - Whether encryption support for VPC Encryption Control is enabled.
 * `security_group_referencing_support` - Whether Security Group Referencing Support is enabled
 * `multicast_support` - Whether Multicast support is enabled
 * `id` - EC2 Transit Gateway identifier

website/docs/r/ec2_transit_gateway.html.markdown

@@ -32,6 +32,7 @@ This resource supports the following arguments:
 * `default_route_table_propagation` - (Optional) Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: `disable`, `enable`. Default value: `enable`.
 * `description` - (Optional) Description of the EC2 Transit Gateway.
 * `dns_support` - (Optional) Whether DNS support is enabled. Valid values: `disable`, `enable`. Default value: `enable`.
+* `encryption_support` - (Optional) Whether encryption support for VPC Encryption Control is enabled. Valid values: `disable`, `enable`. Default value: `disable`.
 * `security_group_referencing_support` - (Optional) Whether Security Group Referencing Support is enabled. Valid values: `disable`, `enable`. Default value: `disable`.
 * `multicast_support` - (Optional) Whether Multicast support is enabled. Required to use `ec2_transit_gateway_multicast_domain`. Valid values: `disable`, `enable`. Default value: `disable`.
 * `tags` - (Optional) Key-value tags for the EC2 Transit Gateway. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.