Add aws_identitystore_users data source

[liath]

Description

Adds a data source for listing all users in an Identity Store instance. Part of a few PRs to cover #26770.

Same as #31681, I'm unsure of the test on this and would appreciate feedback.

Relations

Relates #26770
Closes #39859

References

https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html

Wrt to server-side filtering being deprecated in the SDK:
https://github.com/aws/aws-sdk-go-v2/blob/service/identitystore/v1.16.11/service/identitystore/api_op_ListUsers.go#L46

Output from Acceptance Testing

$ make testacc TESTS=TestAccIdentityStoreUsersDataSource PKG=identitystore                                                                                            <aws:personal> <region:us-east-1>
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/identitystore/... -v -count 1 -parallel 20 -run='TestAccIdentityStoreUsersDataSource'  -timeout 180m
=== RUN   TestAccIdentityStoreUsersDataSource_basic
=== PAUSE TestAccIdentityStoreUsersDataSource_basic
=== CONT  TestAccIdentityStoreUsersDataSource_basic
--- PASS: TestAccIdentityStoreUsersDataSource_basic (22.67s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/identitystore      27.690s

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[guyzyl]

Can this be merged?

[liath]

Can this be merged?

I would like that very much, if you have an in at Hashicorp or are paying them or some consultant they actually listen to you should ask them to prioritize it.

These days Hashicorp doesn't seem to care much for PRs unless some paying customer is demanding it and then 99.99999% most likely outcome is some Hashicorp employee will submit and insta-merge their bit perfect copy of this PR and close this one as outdated. ¯_(ツ)_/¯

[justinretzolk]

Hey @liath 👋 Thank you for this and your other contributions. I spoke with a colleague of mine that you'd also spoken with, and wanted to touch base with you here as a follow up (I'm the community manager for the AWS Provider specifically).

I can totally see where you're coming from in your last comment, and how you could come to that conclusion. This repository receives between 250 and 400 pull requests every month, around half of which are from the community, so prioritization is something we have to think about a lot. That's why I wrote our prioritization guide as one of my first changes when taking my current role -- having no clear picture of when your pull request is going to be reviewed isn't awesome.

This particular data source doesn't seem to be as sought after as something like, for instance, the new S3 features announced at re:Invent that the provider had day 1 support for, or additions to more 'core' resources that get more 👍 reactions, and so have gotten prioritized before this pull request. That said, I'm going to start looking at how we can factor age into prioritization as well, to see if we can help prevent experiences like this.

[liath]

Migrated to the plugin framework as @aristosvo has done for #31681 / #36993, hopefully that helps it get merged.

[nevstokes]

It seems odd that #36993 was merged months ago and this is still open.

[liath]

@nevstokes Big agree but here we are. If it's helpful, I use something like the following as a workaround:

data "external" "users" {
  program = [ "${path.module}/fetch-users.sh" ]
  query = { identity_store_id = tolist(data.aws_ssoadmin_instances.default.identity_store_ids)[0] }
}

and fetch-users.sh:

eval "$(jq -r '@sh "IDENTITY_STORE_ID=\(.identity_store_id)"')"
aws identitystore list-users --identity-store-id "$IDENTITY_STORE_ID" \
  --query '{ names: Users[].UserName | join(`,`, @), ids: Users[].UserId | join(`,`, @) }'

[aristosvo]

Hi @liath 👋,

What I would do if I were you, is to create a new issue and write the exact use-case you are chasing that is supported by these resources and connect it to the PRs. Prior issue for all data resources is closed with the merged PR, and didn't contain that level of detail in the first place.

The difference between the merged PR and this one is (besides contributing more regularly) the description of usage. As written down in prior communication on this issue, it is important for the HC maintainers that new resources are supporting healthy use-cases and not edgy one-off patterns (not saying that this one is!).

[ghicks-novaprime]

I just created an issue #39859 requesting this data source and explaining my use case. I'd love to see this merged so I'm not relying on installing JQ and AWSCLI.

[ohookins]

Anything I can do to help move this along?

[jar-b]

LGTM 🎉

% make testacc PKG=identitystore TESTS=TestAccIdentityStoreUsersDataSource_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.7 test ./internal/service/identitystore/... -v -count 1 -parallel 20 -run='TestAccIdentityStoreUsersDataSource_'  -timeout 360m -vet=off
2025/03/18 16:28:09 Initializing Terraform AWS Provider...
=== RUN   TestAccIdentityStoreUsersDataSource_basic
=== PAUSE TestAccIdentityStoreUsersDataSource_basic
=== CONT  TestAccIdentityStoreUsersDataSource_basic
--- PASS: TestAccIdentityStoreUsersDataSource_basic (9.05s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/identitystore      15.782s

[ewbankkit]

LGTM 🚀.

[jar-b]

Thanks for your contribution, @liath! 👍

[github-actions]

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.92.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!