From 9fbd1827249574f1495d10137e5d61084e5db9a0 Mon Sep 17 00:00:00 2001
From: Dirk Avery
Date: Fri, 18 Feb 2022 13:07:24 -0500
Subject: [PATCH 1/7] provider: Add custom_ca_bundle
---
 internal/conns/conns.go | 5 +++++
 internal/provider/provider.go | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/internal/conns/conns.go b/internal/conns/conns.go
index 9d4fedb5a6c..bcfdc25cc00 100644
--- a/internal/conns/conns.go
+++ b/internal/conns/conns.go
@@ -858,6 +858,7 @@ type Config struct {
 AccessKey string
 AllowedAccountIds []string
 AssumeRole *awsbase.AssumeRole
+ CustomCABundle string
 DefaultTagsConfig *tftags.DefaultConfig
 EC2MetadataServiceEndpoint string
 EC2MetadataServiceEndpointMode string
@@ -1219,6 +1220,10 @@ func (c *Config) Client() (interface{}, error) {
 awsbaseConfig.AssumeRole = c.AssumeRole
 }
+ if c.CustomCABundle != "" {
+ //awsbaseConfig.CustomCABundle = c.CustomCABundle // needs new aws-sdk-go-base
+ }
+
 if c.EC2MetadataServiceEndpoint != "" {
 awsbaseConfig.EC2MetadataServiceEndpoint = c.EC2MetadataServiceEndpoint
 awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index 542bfa3864b..ed112a79e27 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -191,6 +191,12 @@ func Provider() *schema.Provider {
 Set: schema.HashString,
 },
 "assume_role": assumeRoleSchema(),
+ "custom_ca_bundle": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "File containing custom root and intermediate certificates. " +
+ "Can also be configured using the `AWS_CA_BUNDLE` environment variable.",
+ },
 "default_tags": {
 Type: schema.TypeList,
 Optional: true,
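Review bot: The added `if c.CustomCABundle != "" { ... }` block in the Client() hunk contains only a commented-out assignment, so at this commit a configured `custom_ca_bundle` is accepted by the schema (provider.go hunk in the same patch) but never reaches `awsbaseConfig`, and TLS verification silently keeps using the default trust store. Patch 7/7 of this series uncomments the assignment; squashing it into this commit (or landing the schema argument only once the SDK bump in 5/7 is in) would avoid an intermediate state where the argument is documented but inert. If the intermediate commit is kept, a visible marker such as `log.Printf("[WARN] custom_ca_bundle is configured but not applied yet")` inside the block would make the no-op obvious to anyone bisecting. Client() begins and ends outside the hunk.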
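Review bot: The `Description` in the provider.go hunk says "File containing custom root and intermediate certificates", which leaves open whether the value is a path or the PEM contents; since `d.Get("custom_ca_bundle").(string)` is passed straight into `CustomCABundle` in the next hunk, it is presumably a path, and `"Path to a file containing custom root and intermediate certificates. "` would say so. The same Description is revised again in 4/7 and the wording is repeated in both docs hunks, so the change applies there too. Nothing in this hunk reads `AWS_CA_BUNDLE` (there is no `DefaultFunc`), so the "can also be configured using the environment variable" sentence relies on aws-sdk-go-base honouring that variable — worth confirming, and worth stating which wins when both the argument and the variable are set, since that decides which trust anchors are used.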
@@ -1915,6 +1921,7 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa
 config := conns.Config{
 AccessKey: d.Get("access_key").(string),
 DefaultTagsConfig: expandProviderDefaultTags(d.Get("default_tags").([]interface{})),
+ CustomCABundle: d.Get("custom_ca_bundle").(string),
 EC2MetadataServiceEndpoint: d.Get("ec2_metadata_service_endpoint").(string),
 EC2MetadataServiceEndpointMode: d.Get("ec2_metadata_service_endpoint_mode").(string),
 Endpoints: make(map[string]string),
From 730d85faa1c990bbc8d4d835571de075526f50b2 Mon Sep 17 00:00:00 2001
From: Dirk Avery
Date: Fri, 18 Feb 2022 13:08:34 -0500
Subject: [PATCH 2/7] Add changelog
---
 .changelog/23279.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/23279.txt
diff --git a/.changelog/23279.txt b/.changelog/23279.txt
new file mode 100644
index 00000000000..2627fe48c1f
--- /dev/null
+++ b/.changelog/23279.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+ provider: Add `custom_ca_bundle` argument
+ ```
From 59486aae53306c34b1986f898d1f6540d77b97c0 Mon Sep 17 00:00:00 2001
From: Dirk Avery
Date: Fri, 18 Feb 2022 13:08:42 -0500
Subject: [PATCH 3/7] Update docs
---
 website/docs/guides/version-4-upgrade.html.md | 1 +
 website/docs/index.html.markdown | 1 +
 2 files changed, 2 insertions(+)
diff --git a/website/docs/guides/version-4-upgrade.html.md b/website/docs/guides/version-4-upgrade.html.md
index fbfd66e8337..415ad936766 100644
--- a/website/docs/guides/version-4-upgrade.html.md
+++ b/website/docs/guides/version-4-upgrade.html.md
@@ -157,6 +157,7 @@ provider "aws" {
 Version 4.x adds these new `provider` arguments:
 * `assume_role.duration` - Assume role duration as a string, _e.g._, `"1h"` or `"1h30s"`. Terraform AWS Provider v4.0.0 deprecates `assume_role.duration_seconds` and a future version will remove it.
+* `custom_ca_bundle` - File containing custom root and intermediate certificates. Can also be configured using the `AWS_CA_BUNDLE` environment variable.
 * `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
 * `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index a9ab5405a11..97b07857f98 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -201,6 +201,7 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 * `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`.
 * `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`.
 * `assume_role` - (Optional) Configuration block for an assumed role. See below. Only one `assume_role` block may be in the configuration.
+* `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable.
 * `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the [Terraform multiple provider instances documentation](/docs/configuration/providers.html#alias-multiple-provider-instances) for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the [`default_tags`](#default_tags-configuration-block) Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource.
 * `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. 
Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
From 502e5acdd85bf56a4c6c234d43d5a698d34d63af Mon Sep 17 00:00:00 2001
From: Dirk Avery
Date: Fri, 18 Feb 2022 14:43:09 -0500
Subject: [PATCH 4/7] Add note about shared config
---
 internal/provider/provider.go | 3 ++-
 website/docs/guides/version-4-upgrade.html.md | 2 +-
 website/docs/index.html.markdown | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index ed112a79e27..b10aaf6041a 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -195,7 +195,8 @@ func Provider() *schema.Provider {
 Type: schema.TypeString,
 Optional: true,
 Description: "File containing custom root and intermediate certificates. " +
- "Can also be configured using the `AWS_CA_BUNDLE` environment variable.",
+ "Can also be configured using the `AWS_CA_BUNDLE` environment variable. " +
+ "(Setting `ca_bundle` in the shared config file is not supported.)",
 },
 "default_tags": {
 Type: schema.TypeList,
diff --git a/website/docs/guides/version-4-upgrade.html.md b/website/docs/guides/version-4-upgrade.html.md
index 415ad936766..4fd7ec77a58 100644
--- a/website/docs/guides/version-4-upgrade.html.md
+++ b/website/docs/guides/version-4-upgrade.html.md
@@ -157,7 +157,7 @@ provider "aws" {
 Version 4.x adds these new `provider` arguments:
 * `assume_role.duration` - Assume role duration as a string, _e.g._, `"1h"` or `"1h30s"`. Terraform AWS Provider v4.0.0 deprecates `assume_role.duration_seconds` and a future version will remove it.
-* `custom_ca_bundle` - File containing custom root and intermediate certificates. Can also be configured using the `AWS_CA_BUNDLE` environment variable.
+* `custom_ca_bundle` - File containing custom root and intermediate certificates. Can also be configured using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
 * `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
 * `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 97b07857f98..daa67653366 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -201,7 +201,7 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 * `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`.
 * `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`.
 * `assume_role` - (Optional) Configuration block for an assumed role. See below. Only one `assume_role` block may be in the configuration.
-* `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable.
+* `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
 * `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the [Terraform multiple provider instances documentation](/docs/configuration/providers.html#alias-multiple-provider-instances) for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the [`default_tags`](#default_tags-configuration-block) Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource. 
* `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
From ba8fccbc8d1f2ff6280003660969a0ff242daff0 Mon Sep 17 00:00:00 2001
From: Graham Davison
Date: Fri, 18 Feb 2022 10:55:31 -0800
Subject: [PATCH 5/7] Updates `aws-sdk-go-base` to v2.0.0-beta.8 and `awsv1shim` to v2.0.0-beta.9
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 87d688bae73..35878a98ed8 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
 github.com/aws/aws-sdk-go v1.42.53
 github.com/beevik/etree v1.1.0
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0
- github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7
- github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8
+ github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8
+ github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9
 github.com/hashicorp/awspolicyequivalence v1.5.0
 github.com/hashicorp/go-cleanhttp v0.5.2
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
diff --git a/go.sum b/go.sum
index 13fee3ca353..d61763b5cc7 100644
--- a/go.sum
+++ b/go.sum
@@ -190,10 +190,10 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0 h1:n/ICe8cTnmPQfvn2bupsrubnwIEXcHLrE18RUAdVcgY=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.15.0/go.mod h1:C6GVuO9RWOrt6QCGTmLCOYuSHpkfQSBDuRqTteOlo0g=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7 h1:mpbJgtDU5ZFf7BpfIyfQ+xIQ0W3dmU/RAPGauQCuzBo=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.7/go.mod h1:+rBj0Eul0DsW5zh3R0kGkKyMFCZ8YN9XS050+LhAMgQ=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8 h1:kAFKwL/fO13N2WxwWFOwvHkrGLw/MfbmaBCSl0RVpks=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.8/go.mod h1:ftipQbxbUlwj82BbmH6vduVHoYMi6aJygqo+XICfouY=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8 h1:BlV2HAJxG5/UHMgBQ9rKrGLg6ThIkqTs6Hnr3OHOjps=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8/go.mod h1:O0d2KtdvgHuWVQ9go3oK6BFPLht6254JIHjLfEzo+lM=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9 h1:sFb+svRVSNWtVd4JDHen7R+rd0TB3yKt8+OgbYcpamU=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9/go.mod h1:bUMECpdj5Vo+mLFC8gYUb+epVTg1ocf6xx9T7QVeK18=
 github.com/hashicorp/awspolicyequivalence v1.5.0 h1:tGw6h9qN1AWNBaUf4OUcdCyE/kqNBItTiyTPQeV/KUg=
 github.com/hashicorp/awspolicyequivalence v1.5.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
From 3923e45cefecdfcb94531e38551ac5b910338da5 Mon Sep 17 00:00:00 2001
From: Graham Davison
Date: Fri, 18 Feb 2022 11:08:51 -0800
Subject: [PATCH 6/7] Adds CHANGELOG
---
 .changelog/23282.txt | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .changelog/23282.txt
diff --git a/.changelog/23282.txt b/.changelog/23282.txt
new file mode 100644
index 00000000000..971172b8bb3
--- /dev/null
+++ b/.changelog/23282.txt
@@ -0,0 +1,15 @@
+```release-note:enhancement
+provider: Expands environment variables in file paths in provider configuration.
+```
+
+```release-note:bug
+provider: Setting a custom CA bundle caused the provider to fail.
+```
+
+```release-note:enhancement
+provider: Updates list of valid AWS regions
+```
+
+```release-note:bug
+provider: Credentials with expiry, such as assuming a role, would not renew.
+```
From 0d3780c25e5cb12a7d9b99257a4823ba04bba534 Mon Sep 17 00:00:00 2001
From: Dirk Avery
Date: Fri, 18 Feb 2022 14:47:04 -0500
Subject: [PATCH 7/7] Set custom_ca_bundle
---
 internal/conns/conns.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/conns/conns.go b/internal/conns/conns.go
index bcfdc25cc00..6a10fb32f33 100644
--- a/internal/conns/conns.go
+++ b/internal/conns/conns.go
@@ -1221,7 +1221,7 @@ func (c *Config) Client() (interface{}, error) {
 }
 if c.CustomCABundle != "" {
- //awsbaseConfig.CustomCABundle = c.CustomCABundle // needs new aws-sdk-go-base
+ awsbaseConfig.CustomCABundle = c.CustomCABundle
 }
 if c.EC2MetadataServiceEndpoint != "" {
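Review bot: `awsbaseConfig.CustomCABundle = c.CustomCABundle` hands the configured path to the SDK with no provider-side check, so a mistyped or unreadable `custom_ca_bundle` will surface only later as a client-construction or TLS error from aws-sdk-go-base, far from the setting that caused it — unless the SDK itself validates the path, which this hunk does not show. A clear diagnostic at configure time would be `if _, err := os.Stat(c.CustomCABundle); err != nil { return nil, fmt.Errorf("reading custom_ca_bundle %q: %w", c.CustomCABundle, err) }`; if the SDK expands environment variables in file paths first (the 6/7 changelog suggests it does), that check has to run on the expanded value or be left to the SDK, and a one-line comment saying which layer is responsible would stop the next reader from adding a second check. Because this setting replaces the trust anchors used to verify every AWS endpoint, it is also worth a test that a bundle lacking the endpoint's chain causes a verification failure rather than a silent fallback to the system store. Client() begins and ends outside the hunk.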