diff --git a/.changelog/22804.txt b/.changelog/22804.txt new file mode 100644 index 000000000000..21ee460d5b0d --- /dev/null +++ b/.changelog/22804.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +provider: Add `ec2_metadata_service_endpoint`, `ec2_metadata_service_endpoint_mode`, `use_dualstack_endpoint`, `use_fips_endpoint` arguments +``` \ No newline at end of file diff --git a/internal/conns/conns.go b/internal/conns/conns.go index 124f02670a75..dda1293923b0 100644 --- a/internal/conns/conns.go +++ b/internal/conns/conns.go @@ -5,7 +5,6 @@ import ( "fmt" "log" "strings" - "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/endpoints" 
@@ -854,41 +853,34 @@ func init() { } type Config struct { - AccessKey string - SecretKey string - SharedConfigFile string - SharedCredentialsFile string - Profile string - Token string - Region string - MaxRetries int - - AssumeRoleARN string - AssumeRoleDurationSeconds int - AssumeRoleExternalID string - AssumeRolePolicy string - AssumeRolePolicyARNs []string - AssumeRoleSessionName string - AssumeRoleTags map[string]string - AssumeRoleTransitiveTagKeys []string - - AllowedAccountIds []string - ForbiddenAccountIds []string - - DefaultTagsConfig *tftags.DefaultConfig - Endpoints map[string]string - IgnoreTagsConfig *tftags.IgnoreConfig - Insecure bool - HTTPProxy string - - SkipCredsValidation bool - SkipGetEC2Platforms bool - SkipRegionValidation bool - SkipRequestingAccountId bool - SkipMetadataApiCheck bool - S3ForcePathStyle bool - - TerraformVersion string + AccessKey string + AllowedAccountIds []string + AssumeRole *awsbase.AssumeRole + DefaultTagsConfig *tftags.DefaultConfig + EC2MetadataServiceEndpoint string + EC2MetadataServiceEndpointMode string + Endpoints map[string]string + ForbiddenAccountIds []string + HTTPProxy string + IgnoreTagsConfig *tftags.IgnoreConfig + Insecure bool + MaxRetries int + Profile string + Region string + S3ForcePathStyle bool + SecretKey string + SharedConfigFile string + SharedCredentialsFile string + SkipCredsValidation bool + SkipGetEC2Platforms bool + SkipMetadataApiCheck bool + SkipRegionValidation bool + SkipRequestingAccountId bool + STSRegion string + TerraformVersion string + Token string + UseDualStackEndpoint bool + UseFIPSEndpoint bool } type AWSClient struct { 
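Review bot: The rewritten `Config` struct still carries no doc comment on the exported type, and the new `STSRegion` field is neither populated nor read anywhere in this diff; if it is wired up outside the visible hunks that is fine, otherwise it is a dead field that readers will assume corresponds to a provider argument. A one-line comment such as `// Config holds the provider-level settings from which Client builds an AWSClient.` would help, and a short comment on `EC2MetadataServiceEndpointMode` noting that `Client` only forwards it when `EC2MetadataServiceEndpoint` is also set would make that coupling visible at the declaration. The struct is complete within the hunk.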
@@ -1190,27 +1182,6 @@ func (client *AWSClient) RegionalHostname(prefix string) string { return fmt.Sprintf("%s.%s.%s", prefix, client.Region, client.DNSSuffix) } -func (c *Config) assumeRole() *awsbase.AssumeRole { - if c.AssumeRoleARN == "" { - return nil - } - - assumeRole := &awsbase.AssumeRole{ - RoleARN: c.AssumeRoleARN, - ExternalID: c.AssumeRoleExternalID, - Policy: c.AssumeRolePolicy, - PolicyARNs: c.AssumeRolePolicyARNs, - SessionName: c.AssumeRoleSessionName, - Tags: c.AssumeRoleTags, - TransitiveTagKeys: c.AssumeRoleTransitiveTagKeys, - } - - if c.AssumeRoleDurationSeconds != 0 { - assumeRole.Duration = time.Duration(c.AssumeRoleDurationSeconds) * time.Second - } - return assumeRole -} - // Client configures and returns a fully initialized AWSClient func (c *Config) Client() (interface{}, error) { // Get the auth and region. This can fail if keys/regions were not @@ -1223,6 +1194,7 @@ func (c *Config) Client() (interface{}, error) { awsbaseConfig := awsbase.Config{ AccessKey: c.AccessKey, + APNInfo: StdUserAgentProducts(c.TerraformVersion), CallerDocumentationURL: "https://registry.terraform.io/providers/hashicorp/aws", CallerName: "Terraform AWS Provider", DebugLogging: true, // Until https://github.com/hashicorp/aws-sdk-go-base/issues/96 is implemented 
@@ -1238,11 +1210,17 @@ func (c *Config) Client() (interface{}, error) { SkipRequestingAccountId: c.SkipRequestingAccountId, StsEndpoint: c.Endpoints[STS], Token: c.Token, - APNInfo: StdUserAgentProducts(c.TerraformVersion), + UseDualStackEndpoint: c.UseDualStackEndpoint, + UseFIPSEndpoint: c.UseFIPSEndpoint, + } + + if c.AssumeRole != nil && c.AssumeRole.RoleARN != "" { + awsbaseConfig.AssumeRole = c.AssumeRole } - if c.AssumeRoleARN != "" { - awsbaseConfig.AssumeRole = c.assumeRole() + if c.EC2MetadataServiceEndpoint != "" { + awsbaseConfig.EC2MetadataServiceEndpoint = c.EC2MetadataServiceEndpoint + awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode } if c.SharedConfigFile != "" { diff --git a/internal/provider/provider.go b/internal/provider/provider.go index f8ba99415936..8802c878e694 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -4,7 +4,9 @@ import ( "fmt" "log" "regexp" + "time" + awsbase "github.com/hashicorp/aws-sdk-go-base/v2" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" 
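Review bot: `EC2MetadataServiceEndpointMode` is only copied into `awsbaseConfig` inside `if c.EC2MetadataServiceEndpoint != ""`, so a user who sets `ec2_metadata_service_endpoint_mode` in the provider block while supplying the endpoint through the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable (which the schema description advertises) silently loses the mode. The two settings should be forwarded independently, e.g. a separate block `if c.EC2MetadataServiceEndpointMode != "" { awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode }` after the endpoint one. The replacement of the `c.AssumeRoleARN != ""` check by `c.AssumeRole != nil && c.AssumeRole.RoleARN != ""` is consistent with `expandAssumeRole` always returning a non-nil pointer. `Client` continues past the end of the hunk.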
@@ -173,67 +175,12 @@ func Provider() *schema.Provider { provider := &schema.Provider{ Schema: map[string]*schema.Schema{ "access_key": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: descriptions["access_key"], - }, - - "secret_key": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: descriptions["secret_key"], - }, - - "profile": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: descriptions["profile"], - }, - - "assume_role": assumeRoleSchema(), - - "shared_config_file": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: "The path to the shared config file. If not set, defaults to ~/.aws/config.", - }, - - "shared_credentials_file": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: descriptions["shared_credentials_file"], - }, - - "token": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: descriptions["token"], - }, - - "region": { Type: schema.TypeString, - Required: true, - DefaultFunc: schema.MultiEnvDefaultFunc([]string{ - "AWS_REGION", - "AWS_DEFAULT_REGION", - }, nil), - Description: descriptions["region"], - InputDefault: "us-east-1", // lintignore:AWSAT003 + Optional: true, + Default: "", + Description: "The access key for API operations. You can retrieve this\n" + + "from the 'Security & Credentials' section of the AWS console.", }, - - "max_retries": { - Type: schema.TypeInt, - Optional: true, - Default: 25, - Description: descriptions["max_retries"], - }, - "allowed_account_ids": { Type: schema.TypeSet, Elem: &schema.Schema{Type: schema.TypeString}, 
@@ -241,15 +188,7 @@ func Provider() *schema.Provider { ConflictsWith: []string{"forbidden_account_ids"}, Set: schema.HashString, }, - - "forbidden_account_ids": { - Type: schema.TypeSet, - Elem: &schema.Schema{Type: schema.TypeString}, - Optional: true, - ConflictsWith: []string{"allowed_account_ids"}, - Set: schema.HashString, - }, - + "assume_role": assumeRoleSchema(), "default_tags": { Type: schema.TypeList, Optional: true, @@ -266,15 +205,32 @@ func Provider() *schema.Provider { }, }, }, - - "http_proxy": { - Type: schema.TypeString, - Optional: true, - Description: descriptions["http_proxy"], + "ec2_metadata_service_endpoint": { + Type: schema.TypeString, + Optional: true, + Description: "Address of the EC2 metadata service endpoint to use. " + + "Can also be configured using the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.", + }, + "ec2_metadata_service_endpoint_mode": { + Type: schema.TypeString, + Optional: true, + Description: "Protocol to use with EC2 metadata service endpoint." + + "Valid values are `IPv4` and `IPv6`. Can also be configured using the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.", }, - "endpoints": endpointsSchema(), - + "forbidden_account_ids": { + Type: schema.TypeSet, + Elem: &schema.Schema{Type: schema.TypeString}, + Optional: true, + ConflictsWith: []string{"allowed_account_ids"}, + Set: schema.HashString, + }, + "http_proxy": { + Type: schema.TypeString, + Optional: true, + Description: "The address of an HTTP proxy to use when accessing the AWS API. " + + "Can also be configured using the `HTTP_PROXY` or `HTTPS_PROXY` environment variables.", + }, "ignore_tags": { Type: schema.TypeList, Optional: true, 
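Review bot: The description for `ec2_metadata_service_endpoint_mode` concatenates `"...metadata service endpoint."` and `"Valid values are ..."` with no separating space, so the rendered text reads `endpoint.Valid values`; add a trailing space to the first literal. The argument also accepts any string although only `IPv4` and `IPv6` are valid, so a typo surfaces only when the SDK rejects it at runtime; since `validation` is already imported in this file, `ValidateFunc: validation.StringInSlice([]string{"IPv4", "IPv6"}, false),` on that schema entry reports it at plan time instead. The enclosing `Provider` function starts and ends outside the hunk.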
@@ -299,54 +255,121 @@ func Provider() *schema.Provider { }, }, }, - "insecure": { - Type: schema.TypeBool, + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted, " + + "default value is `false`", + }, + "max_retries": { + Type: schema.TypeInt, + Optional: true, + Default: 25, + Description: "The maximum number of times an AWS API request is\n" + + "being executed. If the API request still fails, an error is\n" + + "thrown.", + }, + "profile": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "The profile for API operations. If not set, the default profile\n" + + "created with `aws configure` will be used.", + }, + "region": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "AWS_REGION", + "AWS_DEFAULT_REGION", + }, nil), + Description: "The region where AWS operations will take place. Examples\n" + + "are us-east-1, us-west-2, etc.", // lintignore:AWSAT003, + InputDefault: "us-east-1", // lintignore:AWSAT003 + }, + "s3_force_path_style": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Set this to true to force the request to use path-style addressing,\n" + + "i.e., http://s3.amazonaws.com/BUCKET/KEY. By default, the S3 client will\n" + + "use virtual hosted bucket addressing when possible\n" + + "(http://BUCKET.s3.amazonaws.com/KEY). Specific to the Amazon S3 service.", + }, + "secret_key": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "The secret key for API operations. You can retrieve this\n" + + "from the 'Security & Credentials' section of the AWS console.", + }, + "shared_config_file": { + Type: schema.TypeString, Optional: true, - Default: false, - Description: descriptions["insecure"], + Default: "", + Description: "The path to the shared config file. 
If not set, defaults to ~/.aws/config.", + }, + "shared_credentials_file": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "The path to the shared credentials file. If not set\n" + + "this defaults to ~/.aws/credentials.", }, - "skip_credentials_validation": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Description: descriptions["skip_credentials_validation"], + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Skip the credentials validation via STS API. " + + "Used for AWS API implementations that do not have STS available/implemented.", }, - "skip_get_ec2_platforms": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Description: descriptions["skip_get_ec2_platforms"], + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Skip getting the supported EC2 platforms. " + + "Used by users that don't have ec2:DescribeAccountAttributes permissions.", + }, + "skip_metadata_api_check": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Skip the AWS Metadata API check. " + + "Used for AWS API implementations that do not have a metadata api endpoint.", }, - "skip_region_validation": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Description: descriptions["skip_region_validation"], + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Skip static validation of region name. " + + "Used by users of alternative AWS-like APIs or users w/ access to regions that are not public (yet).", }, - "skip_requesting_account_id": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Description: descriptions["skip_requesting_account_id"], + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Skip requesting the account ID. 
" + + "Used for AWS API implementations that do not have IAM/STS API and/or metadata API.", }, - - "skip_metadata_api_check": { + "token": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "session token. A session token is only required if you are\n" + + "using temporary security credentials.", + }, + "use_dualstack_endpoint": { Type: schema.TypeBool, Optional: true, Default: false, - Description: descriptions["skip_metadata_api_check"], + Description: "Resolve an endpoint with DualStack capability", }, - - "s3_force_path_style": { + "use_fips_endpoint": { Type: schema.TypeBool, Optional: true, Default: false, - Description: descriptions["s3_force_path_style"], + Description: "Resolve an endpoint with FIPS capability", }, }, 
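Review bot: The descriptions for the new `use_dualstack_endpoint` and `use_fips_endpoint` arguments are the only entries in this block that do not mention their environment-variable equivalents, while the website change in this same diff documents `AWS_USE_DUALSTACK_ENDPOINT` and `AWS_USE_FIPS_ENDPOINT`; keeping the schema text aligned with the docs helps anyone reading the provider schema rather than the website. Append a second sentence to each in the same form the other entries use, e.g. "Can also be configured using the AWS_USE_DUALSTACK_ENDPOINT environment variable." with the variable name in backticks. The `region` entry's `// lintignore:AWSAT003,` comment now ends in a stray comma that reads like a syntax artifact and should be dropped. `Provider` starts and ends outside the hunk.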
@@ -1830,148 +1853,37 @@ func Provider() *schema.Provider { return provider } -var descriptions map[string]string - -func init() { - descriptions = map[string]string{ - "region": "The region where AWS operations will take place. Examples\n" + - "are us-east-1, us-west-2, etc.", // lintignore:AWSAT003 - - "access_key": "The access key for API operations. You can retrieve this\n" + - "from the 'Security & Credentials' section of the AWS console.", - - "secret_key": "The secret key for API operations. You can retrieve this\n" + - "from the 'Security & Credentials' section of the AWS console.", - - "profile": "The profile for API operations. If not set, the default profile\n" + - "created with `aws configure` will be used.", - - "shared_credentials_file": "The path to the shared credentials file. If not set\n" + - "this defaults to ~/.aws/credentials.", - - "token": "session token. A session token is only required if you are\n" + - "using temporary security credentials.", - - "max_retries": "The maximum number of times an AWS API request is\n" + - "being executed. If the API request still fails, an error is\n" + - "thrown.", - - "http_proxy": "The address of an HTTP proxy to use when accessing the AWS API. " + - "Can also be configured using the `HTTP_PROXY` or `HTTPS_PROXY` environment variables.", - - "endpoint": "Use this to override the default service endpoint URL", - - "insecure": "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted, " + - "default value is `false`", - - "skip_credentials_validation": "Skip the credentials validation via STS API. " + - "Used for AWS API implementations that do not have STS available/implemented.", - - "skip_get_ec2_platforms": "Skip getting the supported EC2 platforms. " + - "Used by users that don't have ec2:DescribeAccountAttributes permissions.", - - "skip_region_validation": "Skip static validation of region name. 
" + - "Used by users of alternative AWS-like APIs or users w/ access to regions that are not public (yet).", - - "skip_requesting_account_id": "Skip requesting the account ID. " + - "Used for AWS API implementations that do not have IAM/STS API and/or metadata API.", - - "skip_medatadata_api_check": "Skip the AWS Metadata API check. " + - "Used for AWS API implementations that do not have a metadata api endpoint.", - - "s3_force_path_style": "Set this to true to force the request to use path-style addressing,\n" + - "i.e., http://s3.amazonaws.com/BUCKET/KEY. By default, the S3 client will\n" + - "use virtual hosted bucket addressing when possible\n" + - "(http://BUCKET.s3.amazonaws.com/KEY). Specific to the Amazon S3 service.", - } -} - func providerConfigure(d *schema.ResourceData, terraformVersion string) (interface{}, error) { config := conns.Config{ - AccessKey: d.Get("access_key").(string), - SecretKey: d.Get("secret_key").(string), - Profile: d.Get("profile").(string), - Token: d.Get("token").(string), - Region: d.Get("region").(string), - SharedConfigFile: d.Get("shared_config_file").(string), - SharedCredentialsFile: d.Get("shared_credentials_file").(string), - DefaultTagsConfig: expandProviderDefaultTags(d.Get("default_tags").([]interface{})), - Endpoints: make(map[string]string), - MaxRetries: d.Get("max_retries").(int), - IgnoreTagsConfig: expandProviderIgnoreTags(d.Get("ignore_tags").([]interface{})), - Insecure: d.Get("insecure").(bool), - HTTPProxy: d.Get("http_proxy").(string), - SkipCredsValidation: d.Get("skip_credentials_validation").(bool), - SkipGetEC2Platforms: d.Get("skip_get_ec2_platforms").(bool), - SkipRegionValidation: d.Get("skip_region_validation").(bool), - SkipRequestingAccountId: d.Get("skip_requesting_account_id").(bool), - SkipMetadataApiCheck: d.Get("skip_metadata_api_check").(bool), - S3ForcePathStyle: d.Get("s3_force_path_style").(bool), - TerraformVersion: terraformVersion, + AccessKey: d.Get("access_key").(string), + 
DefaultTagsConfig: expandProviderDefaultTags(d.Get("default_tags").([]interface{})), + EC2MetadataServiceEndpoint: d.Get("ec2_metadata_service_endpoint").(string), + EC2MetadataServiceEndpointMode: d.Get("ec2_metadata_service_endpoint_mode").(string), + Endpoints: make(map[string]string), + HTTPProxy: d.Get("http_proxy").(string), + IgnoreTagsConfig: expandProviderIgnoreTags(d.Get("ignore_tags").([]interface{})), + Insecure: d.Get("insecure").(bool), + MaxRetries: d.Get("max_retries").(int), + Profile: d.Get("profile").(string), + Region: d.Get("region").(string), + S3ForcePathStyle: d.Get("s3_force_path_style").(bool), + SecretKey: d.Get("secret_key").(string), + SharedConfigFile: d.Get("shared_config_file").(string), + SharedCredentialsFile: d.Get("shared_credentials_file").(string), + SkipCredsValidation: d.Get("skip_credentials_validation").(bool), + SkipGetEC2Platforms: d.Get("skip_get_ec2_platforms").(bool), + SkipMetadataApiCheck: d.Get("skip_metadata_api_check").(bool), + SkipRegionValidation: d.Get("skip_region_validation").(bool), + SkipRequestingAccountId: d.Get("skip_requesting_account_id").(bool), + TerraformVersion: terraformVersion, + Token: d.Get("token").(string), + UseDualStackEndpoint: d.Get("use_dualstack_endpoint").(bool), + UseFIPSEndpoint: d.Get("use_fips_endpoint").(bool), } if l, ok := d.Get("assume_role").([]interface{}); ok && len(l) > 0 && l[0] != nil { - m := l[0].(map[string]interface{}) - - if v, ok := m["duration_seconds"].(int); ok && v != 0 { - config.AssumeRoleDurationSeconds = v - } - - if v, ok := m["external_id"].(string); ok && v != "" { - config.AssumeRoleExternalID = v - } - - if v, ok := m["policy"].(string); ok && v != "" { - config.AssumeRolePolicy = v - } - - if policyARNSet, ok := m["policy_arns"].(*schema.Set); ok && policyARNSet.Len() > 0 { - for _, policyARNRaw := range policyARNSet.List() { - policyARN, ok := policyARNRaw.(string) - - if !ok { - continue - } - - config.AssumeRolePolicyARNs = 
append(config.AssumeRolePolicyARNs, policyARN) - } - } - - if v, ok := m["role_arn"].(string); ok && v != "" { - config.AssumeRoleARN = v - } - - if v, ok := m["session_name"].(string); ok && v != "" { - config.AssumeRoleSessionName = v - } - - if tagMapRaw, ok := m["tags"].(map[string]interface{}); ok && len(tagMapRaw) > 0 { - config.AssumeRoleTags = make(map[string]string) - - for k, vRaw := range tagMapRaw { - v, ok := vRaw.(string) - - if !ok { - continue - } - - config.AssumeRoleTags[k] = v - } - } - - if transitiveTagKeySet, ok := m["transitive_tag_keys"].(*schema.Set); ok && transitiveTagKeySet.Len() > 0 { - for _, transitiveTagKeyRaw := range transitiveTagKeySet.List() { - transitiveTagKey, ok := transitiveTagKeyRaw.(string) - - if !ok { - continue - } - - config.AssumeRoleTransitiveTagKeys = append(config.AssumeRoleTransitiveTagKeys, transitiveTagKey) - } - } - - log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)", config.AssumeRoleARN, config.AssumeRoleSessionName, config.AssumeRoleExternalID) + config.AssumeRole = expandAssumeRole(l[0].(map[string]interface{})) + log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName, config.AssumeRole.ExternalID) } endpointsSet := d.Get("endpoints").(*schema.Set) @@ -2084,7 +1996,7 @@ func endpointsSchema() *schema.Schema { Type: schema.TypeString, Optional: true, Default: "", - Description: descriptions["endpoint"], + Description: "Use this to override the default service endpoint URL", } } 
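Review bot: The re-added `log.Printf` on the new side writes `config.AssumeRole.ExternalID` to the provider log at INFO level; the external ID is the value a trusted account relies on for confused-deputy protection and is commonly handled as sensitive, so it ends up in any shared `TF_LOG` output or crash log. Consider logging only the ARN and session name: `log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName)`. It is also worth a comment that `expandAssumeRole` never returns nil, so `config.AssumeRole` is set whenever the block is present even with an empty `role_arn`, and `conns.Config.Client` is what filters that case. `providerConfigure` continues past the end of the hunk.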
@@ -2097,6 +2009,70 @@ func endpointsSchema() *schema.Schema { } } +func expandAssumeRole(m map[string]interface{}) *awsbase.AssumeRole { + assumeRole := awsbase.AssumeRole{} + + if v, ok := m["duration_seconds"].(int); ok && v != 0 { + assumeRole.Duration = time.Duration(v) * time.Second + } + + if v, ok := m["external_id"].(string); ok && v != "" { + assumeRole.ExternalID = v + } + + if v, ok := m["policy"].(string); ok && v != "" { + assumeRole.Policy = v + } + + if policyARNSet, ok := m["policy_arns"].(*schema.Set); ok && policyARNSet.Len() > 0 { + for _, policyARNRaw := range policyARNSet.List() { + policyARN, ok := policyARNRaw.(string) + + if !ok { + continue + } + + assumeRole.PolicyARNs = append(assumeRole.PolicyARNs, policyARN) + } + } + + if v, ok := m["role_arn"].(string); ok && v != "" { + assumeRole.RoleARN = v + } + + if v, ok := m["session_name"].(string); ok && v != "" { + assumeRole.SessionName = v + } + + if tagMapRaw, ok := m["tags"].(map[string]interface{}); ok && len(tagMapRaw) > 0 { + assumeRole.Tags = make(map[string]string) + + for k, vRaw := range tagMapRaw { + v, ok := vRaw.(string) + + if !ok { + continue + } + + assumeRole.Tags[k] = v + } + } + + if transitiveTagKeySet, ok := m["transitive_tag_keys"].(*schema.Set); ok && transitiveTagKeySet.Len() > 0 { + for _, transitiveTagKeyRaw := range transitiveTagKeySet.List() { + transitiveTagKey, ok := transitiveTagKeyRaw.(string) + + if !ok { + continue + } + + assumeRole.TransitiveTagKeys = append(assumeRole.TransitiveTagKeys, transitiveTagKey) + } + } + + return &assumeRole +} + func expandProviderDefaultTags(l []interface{}) *tftags.DefaultConfig { if len(l) == 0 || l[0] == nil { return nil diff --git a/internal/sweep/sweep.go b/internal/sweep/sweep.go index f3b277ee66fe..59120416b611 100644 --- a/internal/sweep/sweep.go +++ b/internal/sweep/sweep.go 
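Review bot: `expandAssumeRole` has no doc comment, and its contract that the result is never nil (even for a block with no `role_arn`) is exactly what the `c.AssumeRole != nil && c.AssumeRole.RoleARN != ""` check in `conns.Config.Client` depends on, so it deserves stating: `// expandAssumeRole builds an awsbase.AssumeRole from a single assume_role block. It never returns nil; a block without role_arn yields an empty RoleARN, which Config.Client treats as "no role".` As a point of style, `assumeRole := &awsbase.AssumeRole{}` with `return assumeRole` avoids the value-then-address-of pattern at the end. The function is complete within the hunk.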
@@ -59,23 +59,23 @@ func SharedRegionalSweepClient(region string) (interface{}, error) { } if role := os.Getenv(conns.EnvVarAssumeRoleARN); role != "" { - conf.AssumeRoleARN = role + conf.AssumeRole.RoleARN = role - conf.AssumeRoleDurationSeconds = defaultSweeperAssumeRoleDurationSeconds + conf.AssumeRole.Duration = time.Duration(defaultSweeperAssumeRoleDurationSeconds) * time.Second if v := os.Getenv(conns.EnvVarAssumeRoleDuration); v != "" { d, err := strconv.Atoi(v) if err != nil { return nil, fmt.Errorf("environment variable %s: %w", conns.EnvVarAssumeRoleDuration, err) } - conf.AssumeRoleDurationSeconds = d + conf.AssumeRole.Duration = time.Duration(d) * time.Second } if v := os.Getenv(conns.EnvVarAssumeRoleExternalID); v != "" { - conf.AssumeRoleExternalID = v + conf.AssumeRole.ExternalID = v } if v := os.Getenv(conns.EnvVarAssumeRoleSessionName); v != "" { - conf.AssumeRoleSessionName = v + conf.AssumeRole.SessionName = v } } diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index e4a46dbcc008..56323a2ddbb5 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -159,8 +159,7 @@ This is a preferred approach over any other when running in EC2 as you can avoid hard coding credentials. Instead these are leased on-the-fly by Terraform which reduces the chance of leakage. -You can provide the custom metadata API endpoint via the `AWS_METADATA_URL` variable -which expects the endpoint URL, including the version, and defaults to `http://169.254.169.254:80/latest`. +You can provide a custom metadata API endpoint via `ec2_metadata_service_endpoint` or the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable (the `AWS_METADATA_URL` variable is discouraged). Include the endpoint URL and version. The default is `http://169.254.169.254:80/latest`. ### Assume Role 
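Review bot: `conf.AssumeRole.RoleARN = role` writes through `conf.AssumeRole`, which this diff makes a `*awsbase.AssumeRole` pointer in `Config`; unless `conf.AssumeRole` is initialised earlier in `SharedRegionalSweepClient` (the function starts before the hunk, so this cannot be confirmed here), the first assignment panics with a nil pointer dereference as soon as the assume-role environment variable is set. Allocate the struct at the top of the `if role != ""` block instead, `conf.AssumeRole = &awsbase.AssumeRole{RoleARN: role, Duration: time.Duration(defaultSweeperAssumeRoleDurationSeconds) * time.Second}`, and drop the two separate assignments it replaces (this needs the `awsbase` import in this file if it is not already present). The hunk also uses `time.Duration` with no visible import change for `sweep.go`, which is fine only if `time` was already imported.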
@@ -187,80 +186,29 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf (e.g., `alias` and `version`), the following arguments are supported in the AWS `provider` block: -* `access_key` - (Optional) This is the AWS access key. It must be provided, but - it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via - a shared credentials file if `profile` is specified. - -* `secret_key` - (Optional) This is the AWS secret key. It must be provided, but - it can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable, or - via a shared credentials file if `profile` is specified. - -* `region` - (Optional) This is the AWS region. It must be provided, but - it can also be sourced from the `AWS_DEFAULT_REGION` environment variables, or - via a shared credentials file if `profile` is specified. - -* `profile` - (Optional) This is the AWS profile name as set in the shared credentials - file. - -* `assume_role` - (Optional) An `assume_role` block (documented below). Only one - `assume_role` block may be in the configuration. - -* `http_proxy` - (Optional) The address of an HTTP proxy to use when accessing the AWS API. - Can also be configured using the `HTTP_PROXY` or `HTTPS_PROXY` environment variables. - -* `endpoints` - (Optional) Configuration block for customizing service endpoints. See the -[Custom Service Endpoints Guide](/docs/providers/aws/guides/custom-service-endpoints.html) -for more information about connecting to alternate AWS endpoints or AWS compatible solutions. - -* `shared_config_file` = (Optional) This is the path to the shared config file. - If this is not set, `~/.aws/config` will be used. - Can also be configured using the `AWS_CONFIG_FILE` environment variable. - -* `shared_credentials_file` = (Optional) This is the path to the shared credentials file. - If this is not set and a profile is specified, `~/.aws/credentials` will be used. 
- Can also be configured using the `AWS_SHARED_CREDENTIALS_FILE` environment variable. - -* `token` - (Optional) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. It can also be sourced from the `AWS_SESSION_TOKEN` environment variable. - -* `max_retries` - (Optional) This is the maximum number of times an API - call is retried, in the case where requests are being throttled or - experiencing transient failures. The delay between the subsequent API - calls increases exponentially. If omitted, the default value is `25`. - -* `allowed_account_ids` - (Optional) List of allowed AWS - account IDs to prevent you from mistakenly using an incorrect one (and - potentially end up destroying a live environment). Conflicts with - `forbidden_account_ids`. - -* `forbidden_account_ids` - (Optional) List of forbidden - AWS account IDs to prevent you from mistakenly using the wrong one (and - potentially end up destroying a live environment). Conflicts with - `allowed_account_ids`. - +* `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`. +* `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`. +* `assume_role` - (Optional) Configuration block for an assumed role. See below. Only one `assume_role` block may be in the configuration. 
* `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the [Terraform multiple provider instances documentation](/docs/configuration/providers.html#alias-multiple-provider-instances) for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the [`default_tags`](#default_tags-configuration-block) Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource. - +* `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable. +* `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable. +* `endpoints` - (Optional) Configuration block for customizing service endpoints. See the [Custom Service Endpoints Guide](/docs/providers/aws/guides/custom-service-endpoints.html) for more information about connecting to alternate AWS endpoints or AWS compatible solutions. See also `use_fips_endpoint`. +* `forbidden_account_ids` - (Optional) List of forbidden AWS account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `allowed_account_ids`. +* `http_proxy` - (Optional) Address of an HTTP proxy to use when accessing the AWS API. 
Can also be set using the `HTTP_PROXY` or `HTTPS_PROXY` environment variables. * `ignore_tags` - (Optional) Configuration block with resource tag settings to ignore across all resources handled by this provider (except any individual service tag resources such as `aws_ec2_tag`) for situations where external systems are managing certain resource tags. Arguments to the configuration block are described below in the `ignore_tags` Configuration Block section. See the [Terraform multiple provider instances documentation](https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-configurations) for more information about additional provider configurations. - -* `insecure` - (Optional) Explicitly allow the provider to - perform "insecure" SSL requests. If omitted, the default value is `false`. - -* `skip_credentials_validation` - (Optional) Skip the credentials - validation via the STS API. Useful for AWS API implementations that do - not have STS available or implemented. - -* `skip_get_ec2_platforms` - (Optional) Skip getting the supported EC2 - platforms. Used by users that don't have ec2:DescribeAccountAttributes - permissions. - -* `skip_region_validation` - (Optional) Skip validation of provided region name. - Useful for AWS-like implementations that use their own region names - or to bypass the validation for regions that aren't publicly available yet. - -* `skip_requesting_account_id` - (Optional) Skip requesting the account - ID. Useful for AWS API implementations that do not have the IAM, STS - API, or metadata API. When set to `true` and not determined previously, - returns an empty account ID when manually constructing ARN attributes with - the following: +* `insecure` - (Optional) Whether to explicitly allow the provider to perform "insecure" SSL requests. If omitted, the default value is `false`. 
+* `max_retries` - (Optional) Maximum number of times an API call is retried when AWS throttles requests or you experience transient failures. The delay between the subsequent API calls increases exponentially. If omitted, the default value is `25`. +* `profile` - (Optional) AWS profile name as set in the shared credentials file. +* `region` - (Optional) AWS region. Can also be set with the `AWS_DEFAULT_REGION` environment variables, or via a shared credentials file if `profile` is used. +* `s3_force_path_style` - (Optional) Whether to force the request to use path-style addressing, i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `http://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service. +* `secret_key` - (Optional) AWS secret key. Can also be set with the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared credentials file if `profile` is used. See also `access_key`. +* `shared_config_file` = (Optional) Path to the AWS shared config file. If not set, the default is `~/.aws/config`. Can also be set with the `AWS_CONFIG_FILE` environment variable. +* `shared_credentials_file` = (Optional) Path to the shared credentials file. If not set and a profile is used, the default value is `~/.aws/credentials`. Can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable. +* `skip_credentials_validation` - (Optional) Whether to skip credentials validation via the STS API. This can be useful for testing and for AWS API implementations that do not have STS available. +* `skip_get_ec2_platforms` - (Optional) Whether to skip getting the supported EC2 platforms. Can be used when you do not have `ec2:DescribeAccountAttributes` permissions. +* `skip_metadata_api_check` - (Optional) Whether to skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. 
Setting to `true` prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables. +* `skip_region_validation` - (Optional) Whether to skip validating the region. Useful for AWS-like implementations that use their own region names or to bypass the validation for regions that aren't publicly available yet. +* `skip_requesting_account_id` - (Optional) Whether to skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API. When set to `true` and not determined previously, returns an empty account ID when manually constructing ARN attributes with the following: - [`aws_api_gateway_deployment` resource](/docs/providers/aws/r/api_gateway_deployment.html) - [`aws_api_gateway_rest_api` resource](/docs/providers/aws/r/api_gateway_rest_api.html) - [`aws_api_gateway_stage` resource](/docs/providers/aws/r/api_gateway_stage.html) 
@@ -376,19 +324,9 @@ for more information about connecting to alternate AWS endpoints or AWS compatib - [`aws_waf_size_constraint_set` resource](/docs/providers/aws/r/waf_size_constraint_set.html) - [`aws_waf_web_acl` resource](/docs/providers/aws/r/waf_web_acl.html) - [`aws_waf_xss_match_set` resource](/docs/providers/aws/r/waf_xss_match_set.html) - -* `skip_metadata_api_check` - (Optional) Skip the AWS Metadata API - check. Useful for AWS API implementations that do not have a metadata - API endpoint. Setting to `true` prevents Terraform from authenticating - via the Metadata API. You may need to use other authentication methods - like static credentials, configuration variables, or environment - variables. - -* `s3_force_path_style` - (Optional) Set this to `true` to force the - request to use path-style addressing, i.e., - `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use - virtual hosted bucket addressing, `http://BUCKET.s3.amazonaws.com/KEY`, - when possible. Specific to the Amazon S3 service. +* `token` - (Optional) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. Can also be set with the `AWS_SESSION_TOKEN` environment variable. +* `use_dualstack_endpoint` - (Optional) Force the provider to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`). +* `use_fips_endpoint` - (Optional) Force the provider to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`). ### assume_role Configuration Block