diff --git a/.changelog/23080.txt b/.changelog/23080.txt new file mode 100644 index 00000000000..55faf0668e1 --- /dev/null +++ b/.changelog/23080.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +provider: Add support for `shared_credentials_files` parameter and deprecates `shared_credentials_file` +``` + +```release-note:enhancement +provider: Changes `shared_config_file` parameter to `shared_config_files` +``` diff --git a/internal/conns/conns.go b/internal/conns/conns.go index 2da001f444f..adc707f50d1 100644 --- a/internal/conns/conns.go +++ b/internal/conns/conns.go @@ -871,8 +871,8 @@ type Config struct { Region string S3UsePathStyle bool SecretKey string - SharedConfigFile string - SharedCredentialsFile string + SharedConfigFiles []string + SharedCredentialsFiles []string SkipCredsValidation bool SkipGetEC2Platforms bool SkipMetadataApiCheck bool @@ -1225,12 +1225,12 @@ func (c *Config) Client() (interface{}, error) { awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode } - if c.SharedConfigFile != "" { - awsbaseConfig.SharedConfigFiles = []string{c.SharedConfigFile} + if len(c.SharedConfigFiles) != 0 { + awsbaseConfig.SharedConfigFiles = c.SharedConfigFiles } - if c.SharedCredentialsFile != "" { - awsbaseConfig.SharedCredentialsFiles = []string{c.SharedCredentialsFile} + if len(c.SharedCredentialsFiles) != 0 { + awsbaseConfig.SharedCredentialsFiles = c.SharedCredentialsFiles } ctx := context.Background() diff --git a/internal/provider/provider.go b/internal/provider/provider.go index a242f5d2df6..c6958e9e33b 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go 
@@ -315,18 +315,26 @@ func Provider() *schema.Provider { Description: "The secret key for API operations. You can retrieve this\n" + "from the 'Security & Credentials' section of the AWS console.", }, - "shared_config_file": { - Type: schema.TypeString, + "shared_config_files": { + Type: schema.TypeList, Optional: true, - Default: "", - Description: "The path to the shared config file. If not set, defaults to ~/.aws/config.", + Description: "List of paths to shared config files. If not set, defaults to [~/.aws/config].", + Elem: &schema.Schema{Type: schema.TypeString}, }, "shared_credentials_file": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: "The path to the shared credentials file. If not set\n" + - "this defaults to ~/.aws/credentials.", + Type: schema.TypeString, + Optional: true, + Default: "", + Deprecated: "Use shared_credentials_files instead.", + ConflictsWith: []string{"shared_credentials_files"}, + Description: "The path to the shared credentials file. If not set, defaults to ~/.aws/credentials.", + }, + "shared_credentials_files": { + Type: schema.TypeList, + Optional: true, + ConflictsWith: []string{"shared_credentials_file"}, + Description: "List of paths to shared credentials files. If not set, defaults to [~/.aws/credentials].", + Elem: &schema.Schema{Type: schema.TypeString}, }, "skip_credentials_validation": { Type: schema.TypeBool, @@ -1891,8 +1899,6 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa Region: d.Get("region").(string), S3UsePathStyle: d.Get("s3_use_path_style").(bool) || d.Get("s3_force_path_style").(bool), SecretKey: d.Get("secret_key").(string), - SharedConfigFile: d.Get("shared_config_file").(string), - SharedCredentialsFile: d.Get("shared_credentials_file").(string), SkipCredsValidation: d.Get("skip_credentials_validation").(bool), SkipGetEC2Platforms: d.Get("skip_get_ec2_platforms").(bool), SkipMetadataApiCheck: d.Get("skip_metadata_api_check").(bool), 
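Review bot: `shared_config_file` is removed from the schema outright while `shared_credentials_file` is kept as a deprecated alias with `ConflictsWith`, so an existing configuration that sets `shared_config_file` now fails with an unsupported-argument error instead of a deprecation warning; that is inconsistent with how the credentials argument is treated and with the changelog wording ("deprecates" one, "changes" the other). If a deprecation period is intended, keep a `"shared_config_file"` entry with `Deprecated: "Use shared_config_files instead."` and `ConflictsWith: []string{"shared_config_files"}`, mirroring the credentials pair. Separately, neither list carries an element validator, so `[""]` or a blank path is accepted and forwarded as the location credentials are read from; if the SDK version in use honours validators on list elements, `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.StringIsNotEmpty}` (helper/validation) would reject that at plan time. Provider() starts and ends outside this hunk.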
@@ -1904,6 +1910,25 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa UseFIPSEndpoint: d.Get("use_fips_endpoint").(bool), } + if raw := d.Get("shared_config_files").([]interface{}); len(raw) != 0 { + l := make([]string, len(raw)) + for i, v := range raw { + l[i] = v.(string) + } + config.SharedConfigFiles = l + } + + if v := d.Get("shared_credentials_file").(string); v != "" { + config.SharedCredentialsFiles = []string{v} + } + if raw := d.Get("shared_credentials_files").([]interface{}); len(raw) != 0 { + l := make([]string, len(raw)) + for i, v := range raw { + l[i] = v.(string) + } + config.SharedCredentialsFiles = l + } + if l, ok := d.Get("assume_role").([]interface{}); ok && len(l) > 0 && l[0] != nil { config.AssumeRole = expandAssumeRole(l[0].(map[string]interface{})) log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName, config.AssumeRole.ExternalID) diff --git a/website/docs/guides/version-4-upgrade.html.md b/website/docs/guides/version-4-upgrade.html.md index 71ecfc9dce7..45e43fef2a8 100644 --- a/website/docs/guides/version-4-upgrade.html.md +++ b/website/docs/guides/version-4-upgrade.html.md 
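Review bot: Both expansion loops use an unchecked assertion `l[i] = v.(string)`, so a `null` element in `shared_config_files` or `shared_credentials_files` (for example a list built from an unset variable) arrives as a nil `interface{}` and panics the provider rather than yielding an error. Because these values name the files credentials are loaded from, a bad element should be rejected or skipped deliberately, and an empty string should be treated as unset the way the old `shared_credentials_file != ""` check did; the loop is also duplicated verbatim, so a small checked helper keeps both call sites consistent. The deprecated `shared_credentials_file` is read first and then silently overridden by `shared_credentials_files`, which is only safe because the schema marks the two `ConflictsWith`; that assumption deserves a one-line comment at the override, e.g. `// shared_credentials_files wins; the schema forbids setting both.`. providerConfigure starts and ends outside this hunk.

```go
// expandFilePaths converts a schema.TypeList of strings into []string.
// Null or empty elements are skipped instead of panicking on the assertion.
func expandFilePaths(raw []interface{}) []string {
	paths := make([]string, 0, len(raw))
	for _, v := range raw {
		if s, ok := v.(string); ok && s != "" {
			paths = append(paths, s)
		}
	}
	return paths
}

// … in providerConfigure, replacing the two inline loops …
	if raw := d.Get("shared_config_files").([]interface{}); len(raw) != 0 {
		config.SharedConfigFiles = expandFilePaths(raw)
	}

	if v := d.Get("shared_credentials_file").(string); v != "" {
		config.SharedCredentialsFiles = []string{v}
	}
	// shared_credentials_files wins; the schema forbids setting both.
	if raw := d.Get("shared_credentials_files").([]interface{}); len(raw) != 0 {
		config.SharedCredentialsFiles = expandFilePaths(raw)
	}
	// … unchanged: assume_role expansion …
```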
@@ -102,6 +102,13 @@ Version 4.0.0 adds these new provider arguments: * `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable. * `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable. * `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version. +* `shared_config_files` - List of paths to AWS shared config files. + If not set, the default is `[~/.aws/config]`. + A single value can also be set with the `AWS_CONFIG_FILE` environment variable. +* `shared_credentials_files` - List of paths to the shared credentials file. + If not set, the default is `[~/.aws/credentials]`. + A single value can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable. + Replaces `shared_credentials_file`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version. * `use_dualstack_endpoint` - Force the provider to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`). * `use_fips_endpoint` - Force the provider to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`). diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 8d3995ae943..8bef96dcbac 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown 
@@ -117,7 +117,7 @@ $ terraform plan You can use [AWS credentials or configuration files](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) to specify your credentials and configuration. The default locations are `$HOME/.aws/credentials` and `$HOME/.aws/config` on Linux and macOS, or `"%USERPROFILE%\.aws\credentials"` and `"%USERPROFILE%\.aws\config"`on Windows. -You can optionally specify a different location in the Terraform configuration by providing the `shared_credentials_file` and `shared_config_file` arguments or +You can optionally specify a different location in the Terraform configuration by providing the `shared_credentials_files` and `shared_config_files` arguments or using the `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` environment variables. This method also supports the `profile` configuration or corresponding `AWS_PROFILE` environment variable: @@ -125,10 +125,10 @@ Usage: ```terraform provider "aws" { - region = "us-west-2" - shared_config_file = "/Users/tf_user/.aws/config" - shared_credentials_file = "/Users/tf_user/.aws/creds" - profile = "customprofile" + region = "us-west-2" + shared_config_files = ["/Users/tf_user/.aws/conf"] + shared_credentials_files = ["/Users/tf_user/.aws/creds"] + profile = "customprofile" } ``` 
@@ -205,8 +205,9 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf * `s3_force_path_style` - (Optional, **Deprecated**) Whether to enable the request to use path-style addressing, i.e., `https://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `https://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service. * `s3_use_path_style` - (Optional) Whether to enable the request to use path-style addressing, i.e., `https://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `https://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service. * `secret_key` - (Optional) AWS secret key. Can also be set with the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared credentials file if `profile` is used. See also `access_key`. -* `shared_config_file` = (Optional) Path to the AWS shared config file. If not set, the default is `~/.aws/config`. Can also be set with the `AWS_CONFIG_FILE` environment variable. -* `shared_credentials_file` = (Optional) Path to the shared credentials file. If not set and a profile is used, the default value is `~/.aws/credentials`. Can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable. +* `shared_config_files` = (Optional) List of paths to AWS shared config files. If not set, the default is `[~/.aws/config]`. A single value can also be set with the `AWS_CONFIG_FILE` environment variable. +* `shared_credentials_file` = (Optional, **Deprecated**) Path to the shared credentials file. If not set and a profile is used, the default value is `~/.aws/credentials`. Can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable. +* `shared_credentials_files` = (Optional) List of paths to the shared credentials file. If not set and a profile is used, the default value is `[~/.aws/credentials]`. 
A single value can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable. * `skip_credentials_validation` - (Optional) Whether to skip credentials validation via the STS API. This can be useful for testing and for AWS API implementations that do not have STS available. * `skip_get_ec2_platforms` - (Optional) Whether to skip getting the supported EC2 platforms. Can be used when you do not have `ec2:DescribeAccountAttributes` permissions. * `skip_metadata_api_check` - (Optional) Whether to skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting to `true` prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.