Merge branch 'master' into f-aws-security-group-remove-default-egress

* master: (113 commits)
  update cHANGELOG
  update cHANGELOG
  update CHANGELOG
  website: network interface for EIP
  Update CHANGELOG.md
  terraform: provisionedby prefixed
  Added the exit code as well...
  terraform: flattenable graphNodeMissingProvisioner
  Fixing a small vet warning introduced by PR #1796
  terraform: run prune destroy on validate
  Added `SharedCredentialsProvider` and `EC2RoleProvider` as well...
  Fixing PR #1804
  providers/aws: chain credentials
  Update CHANGELOG.md
  Add docs for various iam_* resources.
  Add acceptance tests
  Implement AWS IAM resources
  Implement a hash function for string sets
  provider/aws: Shorting retry timeout for Subnets to 2 minutes, from 5
  provider/aws: Shorting retry timeout for Security Groups to 2 minutes, from 5
  ...

CHANGELOG.md

@@ -10,6 +10,9 @@ FEATURES:
      `TF_VAR_name` and this will be checked last for a value.
   * **New remote state backend: `s3`**: You can now store remote state in
      an S3 bucket. [GH-1723]
+  * **Automatic AWS retries**: This release includes a lot of improvement
+     around automatic retries of transient errors in AWS. The number of
+     retry attempts is also configurable.
 
 IMPROVEMENTS:
 
@@ -21,27 +24,43 @@ IMPROVEMENTS:
   * **New resource: `aws_lb_cookie_stickiness_policy`**
   * **New resource: `aws_vpc_dhcp_options`**
   * **New resource: `aws_vpc_dhcp_options_association`**
+  * **New resource: `aws_vpn_connection_route`**
   * **New resource: `google_dns_managed_zone`**
   * **New resource: `google_dns_record_set`**
+  * **New resource: `aws_proxy_protocol_policy`**
+  * **New resource: `aws_iam_access_key`**
+  * **New resource: `aws_iam_group_policy`**
+  * **New resource: `aws_iam_group`**
+  * **New resource: `aws_iam_instance_profile`**
+  * **New resource: `aws_iam_policy`**
+  * **New resource: `aws_iam_role_policy`**
+  * **New resource: `aws_iam_role`**
+  * **New resource: `aws_iam_user_policy`**
+  * **New resource: `aws_iam_user`**
   * **Migrate to upstream AWS SDK:** Migrate the AWS provider to
       [awslabs/aws-sdk-go](https://github.com/awslabs/aws-sdk-go),
       the offical `awslabs` library. Previously we had forked the library for
       stability while `awslabs` refactored. Now that work has completed, and we've
       migrated back to the upstream version.
   * core: Improve error message on diff mismatch [GH-1501]
   * provisioner/file: expand `~` in source path [GH-1569]
+  * provider/aws: Better retry logic, now retries up to 11 times by default
+      with exponentional backoff. This number is configurable. [GH-1787]
   * provider/aws: Improved credential detection [GH-1470]
   * provider/aws: Can specify a `token` via the config file [GH-1601]
   * provider/aws: Added new `vpc_security_group_ids` attribute for AWS
       Instances. If using a VPC, you can now modify the security groups for that
       Instance without destroying it [GH-1539]
   * provider/aws: White or blacklist account IDs that can be used to
       protect against accidents. [GH-1595]
+  * provider/aws: Add a subset of IAM resources [GH-939]
   * provider/aws: `aws_instance` supports placement groups [GH-1358]
+  * provider/aws: `aws_eip` supports network interface attachment [GH-1681]
   * provider/aws: `aws_elb` supports in-place changing of listeners [GH-1619]
   * provider/aws: `aws_elb` supports connection draining settings [GH-1502]
   * provider/aws: `aws_elb` increase default idle timeout to 60s [GH-1646]
   * provider/aws: `aws_key_pair` name can be omitted and generated [GH-1751]
+  * provider/aws: `aws_route_table` can target network interfaces [GH-968]
   * provider/aws: `aws_route53_record` supports weighted sets [GH-1578]
   * provider/aws: `aws_route53_zone` exports nameservers [GH-1525]
   * provider/aws: `aws_security_group` name becomes optional and can be
@@ -52,6 +71,7 @@ IMPROVEMENTS:
   * provider/aws: automatically set the private IP as the SSH address
       if not specified and no public IP is available [GH-1623]
   * provider/aws: `aws_elb` exports `source_security_group` field [GH-1708]
+  * provider/aws: `aws_route53_record` supports alias targeting [GH-1775]
   * provider/docker: `docker_container` can specify links [GH-1564]
   * provider/google: `resource_compute_disk` supports snapshots [GH-1426]
   * provider/google: `resource_compute_instance` supports specifying the
@@ -61,6 +81,7 @@ IMPROVEMENTS:
 
 BUG FIXES:
 
+  * core: Fix graph cycle issues surrounding modules [GH-1582] [GH-1637]
   * core: math on arbitrary variables works if first operand isn't a
       numeric primitive. [GH-1381]
   * core: avoid unnecessary cycles by pruning tainted destroys from
@@ -83,6 +104,8 @@ BUG FIXES:
       that would previously only show up during apply [GH-1655]
   * core: Referencing invalid module output in module validates [GH-1448]
   * command: remote states with uppercase types work [GH-1356]
+  * provider/aws: Support `AWS_SECURITY_TOKEN` env var again [GH-1785]
+  * provider/aws: Don't save "instance" for EIP if association fails [GH-1776]
   * provider/aws: launch configuration ID set after create success [GH-1518]
   * provider/aws: Fixed an issue with creating ELBs without any tags [GH-1580]
   * provider/aws: Fix issue in Security Groups with empty IPRanges [GH-1612]
@@ -96,6 +119,7 @@ BUG FIXES:
   * provider/openstack: `enable_dhcp` for networking subnet should be bool [GH-1741]
   * provisioner/remote-exec: add random number to uploaded script path so
       that parallel provisions work [GH-1588]
+  * provisioner/remote-exec: chmod the script to 0755 properly [GH-1796]
 
 ## 0.4.2 (April 10, 2015)
 

builtin/providers/aws/config.go

@@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/terraform/helper/multierror"
 
 	"github.com/awslabs/aws-sdk-go/aws"
+	"github.com/awslabs/aws-sdk-go/aws/credentials"
 	"github.com/awslabs/aws-sdk-go/service/autoscaling"
 	"github.com/awslabs/aws-sdk-go/service/ec2"
 	"github.com/awslabs/aws-sdk-go/service/elasticache"
@@ -19,10 +20,11 @@ import (
 )
 
 type Config struct {
-	AccessKey string
-	SecretKey string
-	Token     string
-	Region    string
+	AccessKey  string
+	SecretKey  string
+	Token      string
+	Region     string
+	MaxRetries int
 
 	AllowedAccountIds   []interface{}
 	ForbiddenAccountIds []interface{}
@@ -60,10 +62,20 @@ func (c *Config) Client() (interface{}, error) {
 		client.region = c.Region
 
 		log.Println("[INFO] Building AWS auth structure")
-		creds := aws.DetectCreds(c.AccessKey, c.SecretKey, c.Token)
+		creds := credentials.NewChainCredentials([]credentials.Provider{
+			&credentials.StaticProvider{Value: credentials.Value{
+				AccessKeyID:     c.AccessKey,
+				SecretAccessKey: c.SecretKey,
+				SessionToken:    c.Token,
+			}},
+			&credentials.EnvProvider{},
+			&credentials.SharedCredentialsProvider{Filename: "", Profile: ""},
+			&credentials.EC2RoleProvider{},
+		})
 		awsConfig := &aws.Config{
 			Credentials: creds,
 			Region:      c.Region,
+			MaxRetries:  c.MaxRetries,
 		}
 
 		log.Println("[INFO] Initializing ELB connection")
@@ -96,6 +108,7 @@ func (c *Config) Client() (interface{}, error) {
 		client.r53conn = route53.New(&aws.Config{
 			Credentials: creds,
 			Region:      "us-east-1",
+			MaxRetries:  c.MaxRetries,
 		})
 
 		log.Println("[INFO] Initializing Elasticache Connection")

builtin/providers/aws/provider.go

@@ -38,6 +38,7 @@ func Provider() terraform.ResourceProvider {
 				Optional: true,
 				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
 					"AWS_SESSION_TOKEN",
+					"AWS_SECURITY_TOKEN",
 				}, ""),
 				Description: descriptions["token"],
 			},
@@ -53,6 +54,13 @@ func Provider() terraform.ResourceProvider {
 				InputDefault: "us-east-1",
 			},
 
+			"max_retries": &schema.Schema{
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Default:     11,
+				Description: descriptions["max_retries"],
+			},
+
 			"allowed_account_ids": &schema.Schema{
 				Type:          schema.TypeSet,
 				Elem:          &schema.Schema{Type: schema.TypeString},
@@ -75,19 +83,28 @@ func Provider() terraform.ResourceProvider {
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
-			"aws_autoscaling_group":            resourceAwsAutoscalingGroup(),
 			"aws_app_cookie_stickiness_policy": resourceAwsAppCookieStickinessPolicy(),
+			"aws_autoscaling_group":            resourceAwsAutoscalingGroup(),
 			"aws_customer_gateway":             resourceAwsCustomerGateway(),
 			"aws_db_instance":                  resourceAwsDbInstance(),
 			"aws_db_parameter_group":           resourceAwsDbParameterGroup(),
 			"aws_db_security_group":            resourceAwsDbSecurityGroup(),
 			"aws_db_subnet_group":              resourceAwsDbSubnetGroup(),
 			"aws_ebs_volume":                   resourceAwsEbsVolume(),
-			"aws_elasticache":                  resourceAwsElasticache(),
-			"aws_elasticache_subnet_group":     resourceAwsElasticacheSubnetGroup(),
-			"aws_elasticache_security_group":   resourceAwsElasticacheSecurityGroup(),
 			"aws_eip":                          resourceAwsEip(),
+			"aws_elasticache_cluster":          resourceAwsElasticacheCluster(),
+			"aws_elasticache_security_group":   resourceAwsElasticacheSecurityGroup(),
+			"aws_elasticache_subnet_group":     resourceAwsElasticacheSubnetGroup(),
 			"aws_elb":                          resourceAwsElb(),
+			"aws_iam_access_key":               resourceAwsIamAccessKey(),
+			"aws_iam_group_policy":             resourceAwsIamGroupPolicy(),
+			"aws_iam_group":                    resourceAwsIamGroup(),
+			"aws_iam_instance_profile":         resourceAwsIamInstanceProfile(),
+			"aws_iam_policy":                   resourceAwsIamPolicy(),
+			"aws_iam_role_policy":              resourceAwsIamRolePolicy(),
+			"aws_iam_role":                     resourceAwsIamRole(),
+			"aws_iam_user_policy":              resourceAwsIamUserPolicy(),
+			"aws_iam_user":                     resourceAwsIamUser(),
 			"aws_instance":                     resourceAwsInstance(),
 			"aws_internet_gateway":             resourceAwsInternetGateway(),
 			"aws_key_pair":                     resourceAwsKeyPair(),
@@ -96,17 +113,20 @@ func Provider() terraform.ResourceProvider {
 			"aws_main_route_table_association": resourceAwsMainRouteTableAssociation(),
 			"aws_network_acl":                  resourceAwsNetworkAcl(),
 			"aws_network_interface":            resourceAwsNetworkInterface(),
+			"aws_proxy_protocol_policy":        resourceAwsProxyProtocolPolicy(),
 			"aws_route53_record":               resourceAwsRoute53Record(),
 			"aws_route53_zone":                 resourceAwsRoute53Zone(),
-			"aws_route_table":                  resourceAwsRouteTable(),
 			"aws_route_table_association":      resourceAwsRouteTableAssociation(),
+			"aws_route_table":                  resourceAwsRouteTable(),
 			"aws_s3_bucket":                    resourceAwsS3Bucket(),
 			"aws_security_group":               resourceAwsSecurityGroup(),
 			"aws_subnet":                       resourceAwsSubnet(),
-			"aws_vpc":                          resourceAwsVpc(),
-			"aws_vpc_peering_connection":       resourceAwsVpcPeeringConnection(),
-			"aws_vpc_dhcp_options":             resourceAwsVpcDhcpOptions(),
 			"aws_vpc_dhcp_options_association": resourceAwsVpcDhcpOptionsAssociation(),
+			"aws_vpc_dhcp_options":             resourceAwsVpcDhcpOptions(),
+			"aws_vpc_peering_connection":       resourceAwsVpcPeeringConnection(),
+			"aws_vpc":                          resourceAwsVpc(),
+			"aws_vpn_connection":               resourceAwsVpnConnection(),
+			"aws_vpn_connection_route":         resourceAwsVpnConnectionRoute(),
 			"aws_vpn_gateway":                  resourceAwsVpnGateway(),
 		},
 
@@ -129,15 +149,20 @@ func init() {
 
 		"token": "session token. A session token is only required if you are\n" +
 			"using temporary security credentials.",
+
+		"max_retries": "The maximum number of times an AWS API request is\n" +
+			"being executed. If the API request still fails, an error is\n" +
+			"thrown.",
 	}
 }
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	config := Config{
-		AccessKey: d.Get("access_key").(string),
-		SecretKey: d.Get("secret_key").(string),
-		Token:     d.Get("token").(string),
-		Region:    d.Get("region").(string),
+		AccessKey:  d.Get("access_key").(string),
+		SecretKey:  d.Get("secret_key").(string),
+		Token:      d.Get("token").(string),
+		Region:     d.Get("region").(string),
+		MaxRetries: d.Get("max_retries").(int),
 	}
 
 	if v, ok := d.GetOk("allowed_account_ids"); ok {

builtin/providers/aws/resource_aws_app_cookie_stickiness_policy_test.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/awslabs/aws-sdk-go/aws"
 	"github.com/awslabs/aws-sdk-go/service/elb"
+
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
 )
@@ -30,7 +31,7 @@ func TestAccAWSAppCookieStickinessPolicy(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAppCookieStickinessPolicy(
 						"aws_elb.lb",
-						"aws_app_cookie_stickiness_policy.bar",
+						"aws_app_cookie_stickiness_policy.foo",
 					),
 				),
 			},
@@ -80,7 +81,7 @@ func testAccCheckAppCookieStickinessPolicy(elbResource string, policyResource st
 const testAccAppCookieStickinessPolicyConfig = `
 resource "aws_elb" "lb" {
 	name = "test-lb"
-	availability_zones = ["us-east-1a"]
+	availability_zones = ["us-west-2a"]
 	listener {
 		instance_port = 8000
 		instance_protocol = "http"
@@ -90,17 +91,18 @@ resource "aws_elb" "lb" {
 }
 
 resource "aws_app_cookie_stickiness_policy" "foo" {
-	name = "foo_policy"
-	load_balancer = "${aws_elb.lb}"
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
 	lb_port = 80
 	cookie_name = "MyAppCookie"
 }
 `
 
+// Change the cookie_name to "MyOtherAppCookie".
 const testAccAppCookieStickinessPolicyConfigUpdate = `
 resource "aws_elb" "lb" {
 	name = "test-lb"
-	availability_zones = ["us-east-1a"]
+	availability_zones = ["us-west-2a"]
 	listener {
 		instance_port = 8000
 		instance_protocol = "http"
@@ -110,16 +112,9 @@ resource "aws_elb" "lb" {
 }
 
 resource "aws_app_cookie_stickiness_policy" "foo" {
-	name = "foo_policy"
-	load_balancer = "${aws_elb.lb}"
+	name = "foo-policy"
+	load_balancer = "${aws_elb.lb.id}"
 	lb_port = 80
-	cookie_name = "MyAppCookie"
-}
-
-resource "aws_app_cookie_stickiness_policy" "bar" {
-	name = "bar_policy"
-	load_balancer = "${aws_elb.lb}"
-	lb_port = 80
-	cookie_name = "MyAppCookie"
+	cookie_name = "MyOtherAppCookie"
 }
 `

builtin/providers/aws/resource_aws_autoscaling_group.go

@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/helper/schema"
 
@@ -81,19 +80,15 @@ func resourceAwsAutoscalingGroup() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set: func(v interface{}) int {
-					return hashcode.String(v.(string))
-				},
+				Set:      schema.HashString,
 			},
 
 			"load_balancers": &schema.Schema{
 				Type:     schema.TypeSet,
 				Optional: true,
 				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set: func(v interface{}) int {
-					return hashcode.String(v.(string))
-				},
+				Set:      schema.HashString,
 			},
 
 			"vpc_zone_identifier": &schema.Schema{
@@ -102,9 +97,7 @@ func resourceAwsAutoscalingGroup() *schema.Resource {
 				Computed: true,
 				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set: func(v interface{}) int {
-					return hashcode.String(v.(string))
-				},
+				Set:      schema.HashString,
 			},
 
 			"termination_policies": &schema.Schema{
@@ -113,9 +106,7 @@ func resourceAwsAutoscalingGroup() *schema.Resource {
 				Computed: true,
 				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set: func(v interface{}) int {
-					return hashcode.String(v.(string))
-				},
+				Set:      schema.HashString,
 			},
 
 			"tag": autoscalingTagsSchema(),