diff --git a/.changelog/23279.txt b/.changelog/23279.txt
new file mode 100644
index 00000000000..2627fe48c1f
--- /dev/null
+++ b/.changelog/23279.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+ provider: Add `custom_ca_bundle` argument
+ ```
diff --git a/.changelog/23282.txt b/.changelog/23282.txt
new file mode 100644
index 00000000000..971172b8bb3
--- /dev/null
+++ b/.changelog/23282.txt
@@ -0,0 +1,15 @@
+```release-note:enhancement
+provider: Expands environment variables in file paths in provider configuration.
+```
+
+```release-note:bug
+provider: Setting a custom CA bundle caused the provider to fail.
+```
+
+```release-note:enhancement
+provider: Updates list of valid AWS regions
+```
+
+```release-note:bug
+provider: Credentials with expiry, such as assuming a role, would not renew.
+```
diff --git a/go.mod b/go.mod
index 87d688bae73..35878a98ed8 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
 github.com/aws/aws-sdk-go v1.42.53
 github.com/beevik/etree v1.1.0
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9
 github.com/hashicorp/awspolicyequivalence v1.5.0
 github.com/hashicorp/go-cleanhttp v0.5.2
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
diff --git a/go.sum b/go.sum
index 13fee3ca353..d61763b5cc7 100644
--- a/go.sum
+++ b/go.sum
@@ -190,10 +190,10 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0 h1:n/ICe8cTnmPQfvn2bupsrubnwIEXcHLrE18RUAdVcgY=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0/go.mod h1:C6GVuO9RWOrt6QCGTmLCOYuSHpkfQSBDuRqTteOlo0g=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7 h1:mpbJgtDU5ZFf7BpfIyfQ+xIQ0W3dmU/RAPGauQCuzBo=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7/go.mod h1:+rBj0Eul0DsW5zh3R0kGkKyMFCZ8YN9XS050+LhAMgQ=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8 h1:kAFKwL/fO13N2WxwWFOwvHkrGLw/MfbmaBCSl0RVpks=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8/go.mod h1:ftipQbxbUlwj82BbmH6vduVHoYMi6aJygqo+XICfouY=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8 h1:BlV2HAJxG5/UHMgBQ9rKrGLg6ThIkqTs6Hnr3OHOjps=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8/go.mod h1:O0d2KtdvgHuWVQ9go3oK6BFPLht6254JIHjLfEzo+lM=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9 h1:sFb+svRVSNWtVd4JDHen7R+rd0TB3yKt8+OgbYcpamU=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9/go.mod h1:bUMECpdj5Vo+mLFC8gYUb+epVTg1ocf6xx9T7QVeK18=
 github.com/hashicorp/awspolicyequivalence v1.5.0 h1:tGw6h9qN1AWNBaUf4OUcdCyE/kqNBItTiyTPQeV/KUg=
 github.com/hashicorp/awspolicyequivalence v1.5.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
diff --git a/internal/conns/conns.go b/internal/conns/conns.go
index 9d4fedb5a6c..6a10fb32f33 100644
--- a/internal/conns/conns.go
+++ b/internal/conns/conns.go
@@ -858,6 +858,7 @@ type Config struct {
 AccessKey string
 AllowedAccountIds []string
 AssumeRole *awsbase.AssumeRole
+ CustomCABundle string
 DefaultTagsConfig *tftags.DefaultConfig
 EC2MetadataServiceEndpoint string
 EC2MetadataServiceEndpointMode string
@@ -1219,6 +1220,10 @@ func (c *Config) Client() (interface{}, error) {
 awsbaseConfig.AssumeRole = c.AssumeRole
 }
 
+ if c.CustomCABundle != "" {
+ awsbaseConfig.CustomCABundle = c.CustomCABundle
+ }
+
 if c.EC2MetadataServiceEndpoint != "" {
 awsbaseConfig.EC2MetadataServiceEndpoint = c.EC2MetadataServiceEndpoint
 awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index 542bfa3864b..b10aaf6041a 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -191,6 +191,13 @@ func Provider() *schema.Provider {
 Set: schema.HashString,
 },
 "assume_role": assumeRoleSchema(),
+ "custom_ca_bundle": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "File containing custom root and intermediate certificates. " +
+ "Can also be configured using the `AWS_CA_BUNDLE` environment variable. " +
+ "(Setting `ca_bundle` in the shared config file is not supported.)",
+ },
 "default_tags": {
 Type: schema.TypeList,
 Optional: true,
@@ -1915,6 +1922,7 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa
 config := conns.Config{
 AccessKey: d.Get("access_key").(string),
 DefaultTagsConfig: expandProviderDefaultTags(d.Get("default_tags").([]interface{})),
+ CustomCABundle: d.Get("custom_ca_bundle").(string),
 EC2MetadataServiceEndpoint: d.Get("ec2_metadata_service_endpoint").(string),
 EC2MetadataServiceEndpointMode: d.Get("ec2_metadata_service_endpoint_mode").(string),
 Endpoints: make(map[string]string),
diff --git a/website/docs/guides/version-4-upgrade.html.md b/website/docs/guides/version-4-upgrade.html.md
index fbfd66e8337..4fd7ec77a58 100644
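Review bot: The new guard in Client copies CustomCABundle through only when it is set, but nothing in the code says who supplies the `AWS_CA_BUNDLE` fallback that the schema description promises; if, as the description implies, aws-sdk-go-base resolves the env var and the default trust store when this field is empty, a one-line comment would save the next reader a trip into the dependency: `// Empty leaves CA resolution (AWS_CA_BUNDLE, then the default trust store) to aws-sdk-go-base — confirm against the base library.` Because this path changes which certificates the provider trusts for every AWS API call, it is also worth emitting the configured path at debug level through whatever logger conns.go already uses, which would have made the "custom CA bundle caused the provider to fail" regression recorded in the changelog quicker to diagnose. Client's body begins and ends outside the hunk.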
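Review bot: The Description of the new `custom_ca_bundle` schema entry tells users where the value may come from but not what it does to TLS trust — whether the certificates in the file are used instead of, or in addition to, the system roots when AWS endpoints are verified — which is exactly the decision a user behind a TLS-inspecting proxy or using a private endpoint has to make. Suggest appending a sentence such as `Certificates in this file are used in place of the system trust store for AWS API connections.` once the replace-versus-supplement behaviour is confirmed against aws-sdk-go-base. The entry also declares no `DefaultFunc`, so the `AWS_CA_BUNDLE` handling the description promises must live in aws-sdk-go-base; a short comment above the block saying so would stop a later contributor wiring in `schema.EnvDefaultFunc` as well and reading the variable twice. Provider's body begins and ends outside the hunk.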
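Review bot: `CustomCABundle:` is placed after `DefaultTagsConfig:` in the conns.Config literal, which breaks the alphabetical order the neighbouring initialisers follow and the order of the same fields in the Config struct, where CustomCABundle precedes DefaultTagsConfig. Move the line one up, between `AccessKey:` and `DefaultTagsConfig:`, so the two lists read in parallel and the next field addition has an unambiguous slot. providerConfigure's body continues outside the hunk.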
--- a/website/docs/guides/version-4-upgrade.html.md
+++ b/website/docs/guides/version-4-upgrade.html.md
@@ -157,6 +157,7 @@ provider "aws" {
 Version 4.x adds these new `provider` arguments:
 
 * `assume_role.duration` - Assume role duration as a string, _e.g._, `"1h"` or `"1h30s"`. Terraform AWS Provider v4.0.0 deprecates `assume_role.duration_seconds` and a future version will remove it.
+* `custom_ca_bundle` - File containing custom root and intermediate certificates. Can also be configured using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
 * `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
 * `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index a9ab5405a11..daa67653366 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -201,6 +201,7 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 * `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`.
 * `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`.
 * `assume_role` - (Optional) Configuration block for an assumed role. See below. Only one `assume_role` block may be in the configuration.
+* `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
 * `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the [Terraform multiple provider instances documentation](/docs/configuration/providers.html#alias-multiple-provider-instances) for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the [`default_tags`](#default_tags-configuration-block) Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource.
 * `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.