diff --git a/aws/resource_aws_iam_access_key.go b/aws/resource_aws_iam_access_key.go index caee6abfe45..af8f853f67b 100644 --- a/aws/resource_aws_iam_access_key.go +++ b/aws/resource_aws_iam_access_key.go @@ -43,6 +43,12 @@ func resourceAwsIamAccessKey() *schema.Resource { Sensitive: true, }, "ses_smtp_password": { + Type: schema.TypeString, + Computed: true, + Sensitive: true, + Deprecated: "AWS SigV2 for SES SMTP passwords isy deprecated.\nUse 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.", + }, + "ses_smtp_password_v4": { Type: schema.TypeString, Computed: true, Sensitive: true, @@ -105,12 +111,20 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err } } - sesSMTPPassword, err := sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey) + // AWS SigV2 + sesSMTPPassword, err := sesSmtpPasswordFromSecretKeySigV2(createResp.AccessKey.SecretAccessKey) if err != nil { - return fmt.Errorf("error getting SES SMTP Password from Secret Access Key: %s", err) + return fmt.Errorf("error getting SES SigV2 SMTP Password from Secret Access Key: %s", err) } d.Set("ses_smtp_password", sesSMTPPassword) + // AWS SigV4 + sesSMTPPasswordV4, err := sesSmtpPasswordFromSecretKeySigV4(createResp.AccessKey.SecretAccessKey, meta.(*AWSClient).region) + if err != nil { + return fmt.Errorf("error getting SES SigV4 SMTP Password from Secret Access Key: %s", err) + } + d.Set("ses_smtp_password_v4", sesSMTPPasswordV4) + return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{ AccessKeyId: createResp.AccessKey.AccessKeyId, CreateDate: createResp.AccessKey.CreateDate, @@ -197,7 +211,49 @@ func resourceAwsIamAccessKeyStatusUpdate(iamconn *iam.IAM, d *schema.ResourceDat return nil } -func sesSmtpPasswordFromSecretKey(key *string) (string, error) { +func hmacSignature(key []byte, value []byte) ([]byte, error) { + h := hmac.New(sha256.New, key) + if _, err := h.Write(value); err != nil { + return []byte(""), err + } + return h.Sum(nil), nil +} + +func sesSmtpPasswordFromSecretKeySigV4(key *string, region string) (string, error) { + if key == nil { + return "", nil + } + version := byte(0x04) + date := []byte("11111111") + service := []byte("ses") + terminal := []byte("aws4_request") + message := []byte("SendRawEmail") + + rawSig, err := hmacSignature([]byte("AWS4"+*key), date) + if err != nil { + return "", err + } + + if rawSig, err = hmacSignature(rawSig, []byte(region)); err != nil { + return "", err + } + if rawSig, err = hmacSignature(rawSig, service); err != nil { + return "", err + } + if rawSig, err = hmacSignature(rawSig, terminal); err != nil { + return "", err + } + if rawSig, err = hmacSignature(rawSig, message); err != nil { + return "", err + } + + versionedSig := make([]byte, 0, len(rawSig)+1) + versionedSig = append(versionedSig, version) + versionedSig = append(versionedSig, rawSig...) + return base64.StdEncoding.EncodeToString(versionedSig), nil +} + +func sesSmtpPasswordFromSecretKeySigV2(key *string) (string, error) { if key == nil { return "", nil } diff --git a/aws/resource_aws_iam_access_key_test.go b/aws/resource_aws_iam_access_key_test.go index 0c79e22e158..03e400834c0 100644 --- a/aws/resource_aws_iam_access_key_test.go +++ b/aws/resource_aws_iam_access_key_test.go @@ -234,7 +234,30 @@ resource "aws_iam_access_key" "a_key" { `, rName) } -func TestSesSmtpPasswordFromSecretKey(t *testing.T) { +func TestSesSmtpPasswordFromSecretKeySigV4(t *testing.T) { + cases := []struct { + Region string + Input string + Expected string + }{ + {"eu-central-1", "some+secret+key", "BMXhUYlu5Z3gSXVQORxlVa7XPaz91aGWdfHxvkOZdWZ2"}, + {"eu-central-1", "another+secret+key", "BBbphbrQmrKMx42d1N6+C7VINYEBGI5v9VsZeTxwskfh"}, + {"us-west-1", "some+secret+key", "BH+jbMzper5WwlwUar9E1ySBqHa9whi0GPo+sJ0mVYJj"}, + {"us-west-1", "another+secret+key", "BKVmjjMDFk/qqw8EROW99bjCS65PF8WKvK5bSr4Y6EqF"}, + } + + for _, tc := range cases { + actual, err := sesSmtpPasswordFromSecretKeySigV4(&tc.Input, tc.Region) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + if actual != tc.Expected { + t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual) + } + } +} + +func TestSesSmtpPasswordFromSecretKeySigV2(t *testing.T) { cases := []struct { Input string Expected string @@ -244,7 +267,7 @@ func TestSesSmtpPasswordFromSecretKey(t *testing.T) { } for _, tc := range cases { - actual, err := sesSmtpPasswordFromSecretKey(&tc.Input) + actual, err := sesSmtpPasswordFromSecretKeySigV2(&tc.Input) if err != nil { t.Fatalf("unexpected error: %s", err) } diff --git a/website/docs/r/iam_access_key.html.markdown b/website/docs/r/iam_access_key.html.markdown index d08ac09ef32..76ab70a6abc 100644 --- a/website/docs/r/iam_access_key.html.markdown +++ b/website/docs/r/iam_access_key.html.markdown @@ -48,6 +48,21 @@ output "secret" { } ``` +```hcl +resource "aws_iam_user" "test" { + name = "test" + path = "/test/" +} + +resource "aws_iam_access_key" "test" { + user = aws_iam_user.test.name +} + +output "aws_iam_smtp_password_v4" { + value = aws_iam_access_key.test.ses_smtp_password_v4 +} +``` + ## Argument Reference The following arguments are supported: @@ -75,6 +90,9 @@ the use of the secret key in automation. * `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified. ~> **NOTE:** The encrypted secret may be decrypted using the command line, for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`. -* `ses_smtp_password` - The secret access key converted into an SES SMTP - password by applying [AWS's documented conversion +* `ses_smtp_password` - **DEPRECATED** The secret access key converted into an SES SMTP + password by applying AWS's SigV2 conversion algorithm +* `ses_smtp_password_v4` - The secret access key converted into an SES SMTP + password by applying [AWS's documented Sigv4 conversion algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert). + As SigV4 is region specific, valid Provider regions are `ap-south-1`, `ap-southeast-2`, `eu-central-1`, `eu-west-1`, `us-east-1` and `us-west-2`. See current [AWS SES regions](https://docs.aws.amazon.com/general/latest/gr/rande.html#ses_region)