Merge pull request #25779 from mattburgess/rolesanywhere-trustanchor-…

…resource

Rolesanywhere trustanchor resource

.changelog/25779.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_rolesanywhere_trust_anchor
+```

internal/acctest/crypto.go

@@ -193,6 +193,68 @@ func TLSRSAX509SelfSignedCACertificatePEM(keyPem string) string {
 	return string(pem.EncodeToMemory(certificateBlock))
 }
 
+// TLSRSAX509SelfSignedCACertificateForRolesAnywhereTrustAnchorPEM generates a x509 CA certificate PEM string.
+// The CA certificate is suitable for use as an IAM RolesAnywhere Trust Anchor.
+// See https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html#signature-verification.
+// Wrap with TLSPEMEscapeNewlines() to allow simple fmt.Sprintf()
+// configurations such as: root_certificate_pem = "%[1]s"
+func TLSRSAX509SelfSignedCACertificateForRolesAnywhereTrustAnchorPEM(keyPem string) string {
+	keyBlock, _ := pem.Decode([]byte(keyPem))
+
+	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+
+	if err != nil {
+		//lintignore:R009
+		panic(err)
+	}
+
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
+
+	if err != nil {
+		//lintignore:R009
+		panic(err)
+	}
+
+	publicKeyBytesSha1 := sha1.Sum(publicKeyBytes)
+
+	serialNumber, err := rand.Int(rand.Reader, tlsX509CertificateSerialNumberLimit)
+
+	if err != nil {
+		//lintignore:R009
+		panic(err)
+	}
+
+	certificate := &x509.Certificate{
+		BasicConstraintsValid: true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		IsCA:                  true,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		NotAfter:              time.Now().Add(24 * time.Hour), //nolint:gomnd
+		NotBefore:             time.Now(),
+		SerialNumber:          serialNumber,
+		SignatureAlgorithm:    x509.SHA256WithRSA,
+		Subject: pkix.Name{
+			CommonName:   "ACME Root CA",
+			Organization: []string{"ACME Examples, Inc"},
+		},
+		SubjectKeyId: publicKeyBytesSha1[:],
+	}
+
+	certificateBytes, err := x509.CreateCertificate(rand.Reader, certificate, certificate, &key.PublicKey, key)
+
+	if err != nil {
+		//lintignore:R009
+		panic(err)
+	}
+
+	certificateBlock := &pem.Block{
+		Bytes: certificateBytes,
+		Type:  pemBlockTypeCertificate,
+	}
+
+	return string(pem.EncodeToMemory(certificateBlock))
+}
+
 // TLSRSAX509SelfSignedCertificatePEM generates a x509 certificate PEM string.
 // Wrap with TLSPEMEscapeNewlines() to allow simple fmt.Sprintf()
 // configurations such as: private_key_pem = "%[1]s"

internal/conns/config.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/kendra"
+	"github.com/aws/aws-sdk-go-v2/service/rolesanywhere"
 	"github.com/aws/aws-sdk-go-v2/service/route53domains"
 	"github.com/aws/aws-sdk-go-v2/service/transcribe"
 	"github.com/aws/aws-sdk-go/aws"
@@ -198,6 +199,12 @@ func (c *Config) Client(ctx context.Context) (interface{}, diag.Diagnostics) {
 		}
 	})
 
+	client.RolesAnywhereConn = rolesanywhere.NewFromConfig(cfg, func(o *rolesanywhere.Options) {
+		if endpoint := c.Endpoints[names.RolesAnywhere]; endpoint != "" {
+			o.EndpointResolver = rolesanywhere.EndpointResolverFromURL(endpoint)
+		}
+	})
+
 	client.Route53DomainsConn = route53domains.NewFromConfig(cfg, func(o *route53domains.Options) {
 		if endpoint := c.Endpoints[names.Route53Domains]; endpoint != "" {
 			o.EndpointResolver = route53domains.EndpointResolverFromURL(endpoint)

internal/provider/provider.go

@@ -144,6 +144,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/service/redshiftdata"
 	"github.com/hashicorp/terraform-provider-aws/internal/service/resourcegroups"
 	"github.com/hashicorp/terraform-provider-aws/internal/service/resourcegroupstaggingapi"
+	"github.com/hashicorp/terraform-provider-aws/internal/service/rolesanywhere"
 	"github.com/hashicorp/terraform-provider-aws/internal/service/route53"
 	"github.com/hashicorp/terraform-provider-aws/internal/service/route53domains"
 	"github.com/hashicorp/terraform-provider-aws/internal/service/route53recoverycontrolconfig"
@@ -1824,6 +1825,8 @@ func Provider() *schema.Provider {
 
 			"aws_resourcegroups_group": resourcegroups.ResourceGroup(),
 
+			"aws_rolesanywhere_trust_anchor": rolesanywhere.ResourceTrustAnchor(),
+
 			"aws_route53_delegation_set":                route53.ResourceDelegationSet(),
 			"aws_route53_health_check":                  route53.ResourceHealthCheck(),
 			"aws_route53_hosted_zone_dnssec":            route53.ResourceHostedZoneDNSSEC(),

internal/service/rolesanywhere/find.go

@@ -0,0 +1,38 @@
+package rolesanywhere
+
+import (
+	"context"
+	"errors"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/rolesanywhere"
+	"github.com/aws/aws-sdk-go-v2/service/rolesanywhere/types"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+)
+
+func FindTrustAnchorByID(ctx context.Context, conn *rolesanywhere.Client, id string) (*types.TrustAnchorDetail, error) {
+	in := &rolesanywhere.GetTrustAnchorInput{
+		TrustAnchorId: aws.String(id),
+	}
+
+	out, err := conn.GetTrustAnchor(ctx, in)
+
+	var resourceNotFoundException *types.ResourceNotFoundException
+	if errors.As(err, &resourceNotFoundException) {
+		return nil, &resource.NotFoundError{
+			LastError:   err,
+			LastRequest: in,
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	if out == nil || out.TrustAnchor == nil {
+		return nil, tfresource.NewEmptyResultError(in)
+	}
+
+	return out.TrustAnchor, nil
+}

internal/service/rolesanywhere/generate.go

@@ -0,0 +1,4 @@
+//go:generate go run ../../generate/tags/main.go -AwsSdkVersion=2 -ListTags -ServiceTagsSlice -UpdateTags
+// ONLY generate directives and package declaration! Do not add anything else to this file.
+
+package rolesanywhere