Add execution_role to Athena Workgroup

.changelog/28420.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_athena_workgroup: Add `execution_role` attribute
+```

internal/service/athena/workgroup.go

@@ -69,6 +69,11 @@ func ResourceWorkGroup() *schema.Resource {
 								},
 							},
 						},
+						"execution_role": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: verify.ValidARN,
+						},
 						"publish_cloudwatch_metrics_enabled": {
 							Type:     schema.TypeBool,
 							Optional: true,
@@ -350,6 +355,10 @@ func expandWorkGroupConfiguration(l []interface{}) *athena.WorkGroupConfiguratio
 		configuration.EngineVersion = expandWorkGroupEngineVersion(v)
 	}
 
+	if v, ok := m["execution_role"]; ok {
+		configuration.ExecutionRole = aws.String(v.(string))
+	}
+
 	if v, ok := m["publish_cloudwatch_metrics_enabled"]; ok {
 		configuration.PublishCloudWatchMetricsEnabled = aws.Bool(v.(bool))
 	}
@@ -404,6 +413,10 @@ func expandWorkGroupConfigurationUpdates(l []interface{}) *athena.WorkGroupConfi
 		configurationUpdates.EngineVersion = expandWorkGroupEngineVersion(v)
 	}
 
+	if v, ok := m["execution_role"]; ok {
+		configurationUpdates.ExecutionRole = aws.String(v.(string))
+	}
+
 	if v, ok := m["publish_cloudwatch_metrics_enabled"]; ok {
 		configurationUpdates.PublishCloudWatchMetricsEnabled = aws.Bool(v.(bool))
 	}
@@ -512,6 +525,7 @@ func flattenWorkGroupConfiguration(configuration *athena.WorkGroupConfiguration)
 		"bytes_scanned_cutoff_per_query":     aws.Int64Value(configuration.BytesScannedCutoffPerQuery),
 		"enforce_workgroup_configuration":    aws.BoolValue(configuration.EnforceWorkGroupConfiguration),
 		"engine_version":                     flattenWorkGroupEngineVersion(configuration.EngineVersion),
+		"execution_role":                     aws.StringValue(configuration.ExecutionRole),
 		"publish_cloudwatch_metrics_enabled": aws.BoolValue(configuration.PublishCloudWatchMetricsEnabled),
 		"result_configuration":               flattenWorkGroupResultConfiguration(configuration.ResultConfiguration),
 		"requester_pays_enabled":             aws.BoolValue(configuration.RequesterPaysEnabled),

internal/service/athena/workgroup_test.go

@@ -238,6 +238,36 @@ func TestAccAthenaWorkGroup_configurationEngineVersion(t *testing.T) {
 	})
 }
 
+func TestAccAthenaWorkGroup_configurationExecutionRole(t *testing.T) {
+	var workgroup1 athena.WorkGroup
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_athena_workgroup.test"
+	iamRoleResourceName := "aws_iam_role.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, athena.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWorkGroupDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWorkGroupConfig_configurationExecutionRole(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWorkGroupExists(resourceName, &workgroup1),
+					resource.TestCheckResourceAttr(resourceName, "configuration.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "configuration.0.execution_role", iamRoleResourceName, "arn"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy"},
+			},
+		},
+	})
+}
+
 func TestAccAthenaWorkGroup_publishCloudWatchMetricsEnabled(t *testing.T) {
 	var workgroup1, workgroup2 athena.WorkGroup
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -755,6 +785,51 @@ resource "aws_athena_workgroup" "test" {
 `, rName, engineVersion)
 }
 
+func testAccWorkGroupConfig_configurationExecutionRole(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_role" "test" {
+  name               = %[1]q
+  assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+   "Action": "sts:AssumeRole",
+   "Principal": {
+     "Service": "athena.amazonaws.com"
+   },
+   "Effect": "Allow",
+   "Sid": ""
+  }
+ ]
+}
+EOF
+}
+
+resource "aws_s3_bucket" "test" {
+  bucket = %[1]q
+}
+
+resource "aws_athena_workgroup" "test" {
+  name = %[1]q
+
+  configuration {
+    execution_role                     = aws_iam_role.test.arn
+    enforce_workgroup_configuration    = false
+    publish_cloudwatch_metrics_enabled = false
+
+    engine_version {
+      selected_engine_version = "PySpark engine version 3"
+    }
+
+    result_configuration {
+      output_location = "s3://${aws_s3_bucket.test.id}/logs/athena_spark/"
+    }
+  }
+}
+`, rName)
+}
+
 func testAccWorkGroupConfig_configurationPublishCloudWatchMetricsEnabled(rName string, publishCloudwatchMetricsEnabled bool) string {
 	return fmt.Sprintf(`
 resource "aws_athena_workgroup" "test" {

website/docs/r/athena_workgroup.html.markdown

@@ -48,6 +48,7 @@ The following arguments are supported:
 * `bytes_scanned_cutoff_per_query` - (Optional) Integer for the upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. Must be at least `10485760`.
 * `enforce_workgroup_configuration` - (Optional) Boolean whether the settings for the workgroup override client-side settings. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html). Defaults to `true`.
 * `engine_version` - (Optional) Configuration block for the Athena Engine Versioning. For more information, see [Athena Engine Versioning](https://docs.aws.amazon.com/athena/latest/ug/engine-versions.html). See [Engine Version](#engine-version) below.
+* `execution_role` - (Optional) Role used in a notebook session for accessing the user's resources.
 * `publish_cloudwatch_metrics_enabled` - (Optional) Boolean whether Amazon CloudWatch metrics are enabled for the workgroup. Defaults to `true`.
 * `result_configuration` - (Optional) Configuration block with result settings. See [Result Configuration](#result-configuration) below.
 * `requester_pays_enabled` - (Optional) If set to true , allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to false , workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is false . For more information about Requester Pays buckets, see [Requester Pays Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html) in the Amazon Simple Storage Service Developer Guide.