d/aws_appmesh_route: Don't attempt to list tags if the current AWS ac…

…count is not the mesh owner.
hashicorp · Mar 23, 2023 · c027741 · c027741
1 parent a40da1c
commit c027741
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/internal/service/appmesh/route_data_source.go b/internal/service/appmesh/route_data_source.go
@@ -76,18 +76,26 @@ func dataSourceRouteRead(ctx context.Context, d *schema.ResourceData, meta inter
 	d.Set("created_date", route.Metadata.CreatedAt.Format(time.RFC3339))
 	d.Set("last_updated_date", route.Metadata.LastUpdatedAt.Format(time.RFC3339))
 	d.Set("mesh_name", route.MeshName)
-	d.Set("mesh_owner", route.Metadata.MeshOwner)
+	meshOwner := aws.StringValue(route.Metadata.MeshOwner)
+	d.Set("mesh_owner", meshOwner)
 	d.Set("name", route.RouteName)
 	d.Set("resource_owner", route.Metadata.ResourceOwner)
 	if err := d.Set("spec", flattenRouteSpec(route.Spec)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting spec: %s", err)
 	}
 	d.Set("virtual_router_name", route.VirtualRouterName)
 
-	tags, err := ListTags(ctx, conn, arn)
+	// https://docs.aws.amazon.com/app-mesh/latest/userguide/sharing.html#sharing-permissions
+	// Owners and consumers can list tags and can tag/untag resources in a mesh that the account created.
+	// They can't list tags and tag/untag resources in a mesh that aren't created by the account.
+	var tags tftags.KeyValueTags
 
-	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "listing tags for App Mesh Route (%s): %s", arn, err)
+	if meshOwner == meta.(*conns.AWSClient).AccountID {
+		tags, err = ListTags(ctx, conn, arn)
+
+		if err != nil {
+			return sdkdiag.AppendErrorf(diags, "listing tags for App Mesh Route (%s): %s", arn, err)
+		}
 	}
 
 	if err := d.Set("tags", tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {