hashicorp · psantus · Nov 6, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_sagemaker_domain: Add trusted_identity_propagation_enabled argument to domain_settings
+```
@@ -5,13 +5,15 @@ package sagemaker
 
 import (
 	"context"
+	"fmt"
 	"log"
 
 	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/sagemaker"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/sagemaker/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -38,6 +40,22 @@ func resourceDomain() *schema.Resource {
 			StateContext: schema.ImportStatePassthroughContext,
 		},
 
+		CustomizeDiff: customdiff.Sequence(
+			func(ctx context.Context, diff *schema.ResourceDiff, meta any) error {
+				if domainSettings := diff.Get("domain_settings").([]any); len(domainSettings) > 0 {
+					if settings := domainSettings[0].(map[string]any); settings != nil {
+						if trustedIdentityEnabled, ok := settings["trusted_identity_propagation_enabled"].(bool); ok && trustedIdentityEnabled {
+							authMode := diff.Get("auth_mode").(string)
+							if authMode != string(awstypes.AuthModeSso) {
+								return fmt.Errorf("trusted_identity_propagation_enabled can only be true when auth_mode is 'SSO'")
+							}
+						}
+					}
+				}
+				return nil
+			},
+		),
+
 		Schema: map[string]*schema.Schema{
 			"app_network_access_type": {
 				Type:             schema.TypeString,
@@ -1388,6 +1406,11 @@ func resourceDomain() *schema.Resource {
 							MaxItems: 3,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 						},
+						"trusted_identity_propagation_enabled": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
 					},
 				},
 			},
@@ -1675,6 +1698,12 @@ func expandDomainSettings(l []any) *awstypes.DomainSettings {
 		config.RStudioServerProDomainSettings = expandRStudioServerProDomainSettings(v)
 	}
 
+	if v := m["trusted_identity_propagation_enabled"].(bool); v {
+		config.TrustedIdentityPropagationSettings = &awstypes.TrustedIdentityPropagationSettings{
+			Status: awstypes.FeatureStatusEnabled,
+		}
+	}
+
 	return config
 }
 
@@ -1751,6 +1780,12 @@ func expandDomainSettingsUpdate(l []any) *awstypes.DomainSettingsForUpdate {
 		config.RStudioServerProDomainSettingsForUpdate = expandRStudioServerProDomainSettingsUpdate(v)
 	}
 
+	if v := m["trusted_identity_propagation_enabled"].(bool); v {
+		config.TrustedIdentityPropagationSettings = &awstypes.TrustedIdentityPropagationSettings{
+			Status: awstypes.FeatureStatusEnabled,
+		}
+	}
+
 	return config
 }
 
@@ -3024,10 +3059,11 @@ func flattenDomainSettings(config *awstypes.DomainSettings) []map[string]any {
 	}
 
 	m := map[string]any{
-		"docker_settings":                     flattenDockerSettings(config.DockerSettings),
-		"execution_role_identity_config":      config.ExecutionRoleIdentityConfig,
-		"r_studio_server_pro_domain_settings": flattenRStudioServerProDomainSettings(config.RStudioServerProDomainSettings),
-		names.AttrSecurityGroupIDs:            flex.FlattenStringValueSet(config.SecurityGroupIds),
+		"docker_settings":                      flattenDockerSettings(config.DockerSettings),
+		"execution_role_identity_config":       config.ExecutionRoleIdentityConfig,
+		"r_studio_server_pro_domain_settings":  flattenRStudioServerProDomainSettings(config.RStudioServerProDomainSettings),
+		names.AttrSecurityGroupIDs:             flex.FlattenStringValueSet(config.SecurityGroupIds),
+		"trusted_identity_propagation_enabled": config.TrustedIdentityPropagationSettings != nil && config.TrustedIdentityPropagationSettings.Status == awstypes.FeatureStatusEnabled,
 	}
 
 	return []map[string]any{m}

@@ -1799,6 +1799,36 @@ func testAccDomain_spaceSettingsCustomFileSystemConfigs(t *testing.T) {
 	})
 }
 
+func testAccDomain_trustedIdentityPropagation(t *testing.T) {
+	ctx := acctest.Context(t)
+	var domain sagemaker.DescribeDomainOutput
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_sagemaker_domain.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.SageMakerServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDomainDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDomainConfig_trustedIdentityPropagation(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDomainExists(ctx, resourceName, &domain),
+					resource.TestCheckResourceAttr(resourceName, names.AttrDomainName, rName),
+					resource.TestCheckResourceAttr(resourceName, "auth_mode", "SSO"),
+					resource.TestCheckResourceAttr(resourceName, "domain_settings.0.trusted_identity_propagation_enabled", acctest.CtTrue),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckDomainDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).SageMakerClient(ctx)
@@ -3358,3 +3388,22 @@ resource "aws_sagemaker_domain" "test" {
 }
 `, rName, efsName))
 }
+
+func testAccDomainConfig_trustedIdentityPropagation(rName string) string {
+	return acctest.ConfigCompose(testAccDomainConfig_base(rName), fmt.Sprintf(`
+resource "aws_sagemaker_domain" "test" {
+  domain_name = %[1]q
+  auth_mode   = "SSO"
+  vpc_id      = aws_vpc.test.id
+  subnet_ids  = aws_subnet.test[*].id
+
+  default_user_settings {
+    execution_role = aws_iam_role.test.arn
+  }
+
+  domain_settings {
+    trusted_identity_propagation_enabled = true
+  }
+}
+`, rName))
+}
@@ -87,6 +87,7 @@ func TestAccSageMaker_serial(t *testing.T) {
 			"studioWebPortalSettings_hiddenAppTypes":                  testAccDomain_studioWebPortalSettings_hiddenAppTypes,
 			"studioWebPortalSettings_hiddenInstanceTypes":             testAccDomain_studioWebPortalSettings_hiddenInstanceTypes,
 			"studioWebPortalSettings_hiddenMlTools":                   testAccDomain_studioWebPortalSettings_hiddenMlTools,
+			"trustedIdentityPropagation":                              testAccDomain_trustedIdentityPropagation,
 		},
 		"FlowDefinition": {
 			acctest.CtBasic:                  testAccFlowDefinition_basic,

@@ -282,6 +282,7 @@ The following arguments are optional:
 * `execution_role_identity_config` - (Optional) The configuration for attaching a SageMaker AI user profile name to the execution role as a sts:SourceIdentity key [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html). Valid values are `USER_PROFILE_NAME` and `DISABLED`.
 * `r_studio_server_pro_domain_settings` - (Optional) A collection of settings that configure the RStudioServerPro Domain-level app. see [`r_studio_server_pro_domain_settings` Block](#r_studio_server_pro_domain_settings-block) below.
 * `security_group_ids` - (Optional) The security groups for the Amazon Virtual Private Cloud that the Domain uses for communication between Domain-level apps and user apps.
+* `trusted_identity_propagation_enabled` - (Optional) Whether to enable Trusted Identity Propagation (TIP) for the domain. When enabled, user identities from IAM Identity Center are propagated through the domain to TIP enabled AWS services. Defaults to `false`. Can only be `true` when `auth_mode` is `SSO`.
 
 #### `docker_settings` Block