mark fields as required and add back change check

Author: skarimo

datadog-integrations-awsaccount-handler/datadog-integrations-awsaccount.json

@@ -57,7 +57,10 @@
           "description": "Your Datadog role delegation name.",
           "type": "string"
         }
-      }
+      },
+      "required": [
+        "RoleName"
+      ]
     },
     "AWSRegions": {
       "description": "The configuration for which regions to collect data from.",
@@ -247,7 +250,10 @@
       "type": "string"
     }
   },
-  "required": [],
+  "required": [
+    "AuthConfig",
+    "AWSPartition"
+  ],
   "primaryIdentifier": [
     "/properties/Id"
   ],

datadog-integrations-awsaccount-handler/docs/README.md

@@ -60,7 +60,7 @@ _Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/l
 
 The AWS partition to use. This should be set to 'aws' for commercial accounts, 'aws-us-gov' for GovCloud accounts, and 'aws-cn' for China accounts.
 
-_Required_: No
+_Required_: Yes
 
 _Type_: String
 
@@ -72,7 +72,7 @@ _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormati
 
 The configuration for the AWS role delegation.
 
-_Required_: No
+_Required_: Yes
 
 _Type_: <a href="authconfig.md">AuthConfig</a>
 

datadog-integrations-awsaccount-handler/docs/authconfig.md

@@ -26,7 +26,7 @@ To declare this entity in your AWS CloudFormation template, use the following sy
 
 Your Datadog role delegation name.
 
-_Required_: No
+_Required_: Yes
 
 _Type_: String
 

datadog-integrations-awsaccount-handler/src/datadog_integrations_awsaccount/handlers.py

@@ -291,6 +291,7 @@ def update_handler(
     callback_context: MutableMapping[str, Any],
 ) -> ProgressEvent:
     LOG.info("Starting %s Update Handler", TYPE_NAME)
+    previousState = request.previousResourceState
     model = request.desiredResourceState
     type_configuration = request.typeConfiguration
 
@@ -303,6 +304,23 @@ def update_handler(
             errorCode=HandlerErrorCode.NotFound,
         )
 
+    # Check if createOnly fields are being updated
+    if previousState.AccountID != model.AccountID:
+        return ProgressEvent(
+            status=OperationStatus.FAILED,
+            resourceModel=model,
+            message="Cannot update `AccountID`. Please delete it and create a new one instead.",
+            errorCode=HandlerErrorCode.NotUpdatable,
+        )
+    if previousState.AuthConfig and model.AuthConfig:
+        if previousState.AuthConfig.RoleName != model.AuthConfig.RoleName:
+            return ProgressEvent(
+                status=OperationStatus.FAILED,
+                resourceModel=model,
+                message="Cannot update `AuthConfig.RoleName`. Please delete it and create a new one instead.",
+                errorCode=HandlerErrorCode.NotUpdatable,
+            )
+
     aws_account = build_api_request_from_model(AWSAccountUpdateRequestAttributes, model)
 
     with client(