Merge pull request #5114 from hashicorp/pr-4263

provider/aws: support custom endpoints for AWS EC2 ELB and IAM [GH-4263]
2016-02-12 10:09:17 -06:00 · 2016-02-12 10:09:17 -06:00 · a1df07c919
parent a6d3c4e181 766dac4d79
commit a1df07c919
3 changed files with 124 additions and 5 deletions
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-multierror"

+	"crypto/tls"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	awsCredentials "github.com/aws/aws-sdk-go/aws/credentials"
@ -61,6 +63,10 @@ type Config struct {

 	DynamoDBEndpoint string
 	KinesisEndpoint  string
+	Ec2Endpoint      string
+	IamEndpoint      string
+	ElbEndpoint      string
+	Insecure         bool
 }

 type AWSClient struct {
@ -136,9 +142,21 @@ func (c *Config) Client() (interface{}, error) {
 			HTTPClient:  cleanhttp.DefaultClient(),
 		}

+		if c.Insecure {
+			transport := awsConfig.HTTPClient.Transport.(*http.Transport)
+			transport.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true,
+			}
+		}
+
 		log.Println("[INFO] Initializing IAM Connection")
 		sess := session.New(awsConfig)
-		client.iamconn = iam.New(sess)
+
+		awsIamConfig := *awsConfig
+		awsIamConfig.Endpoint = aws.String(c.IamEndpoint)
+
+		awsIamSess := session.New(&awsIamConfig)
+		client.iamconn = iam.New(awsIamSess)

 		err = c.ValidateCredentials(client.iamconn)
 		if err != nil {
@ -166,7 +184,12 @@ func (c *Config) Client() (interface{}, error) {
 		client.dynamodbconn = dynamodb.New(dynamoSess)

 		log.Println("[INFO] Initializing ELB connection")
-		client.elbconn = elb.New(sess)
+		awsElbConfig := *awsConfig
+		awsElbConfig.Endpoint = aws.String(c.ElbEndpoint)
+
+		awsElbSess := session.New(&awsElbConfig)
+
+		client.elbconn = elb.New(awsElbSess)

 		log.Println("[INFO] Initializing S3 connection")
 		client.s3conn = s3.New(sess)
@ -199,7 +222,12 @@ func (c *Config) Client() (interface{}, error) {
 		client.autoscalingconn = autoscaling.New(sess)

 		log.Println("[INFO] Initializing EC2 Connection")
-		client.ec2conn = ec2.New(sess)
+
+		awsEc2Config := *awsConfig
+		awsEc2Config.Endpoint = aws.String(c.Ec2Endpoint)
+
+		awsEc2Sess := session.New(&awsEc2Config)
+		client.ec2conn = ec2.New(awsEc2Sess)

 		log.Println("[INFO] Initializing ECR Connection")
 		client.ecrconn = ecr.New(sess)
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -1,6 +1,10 @@
 package aws

 import (
+	"bytes"
+	"fmt"
+
+	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/mutexkv"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
@ -96,6 +100,14 @@ func Provider() terraform.ResourceProvider {
 				Default:     "",
 				Description: descriptions["kinesis_endpoint"],
 			},
+			"endpoints": endpointsSchema(),
+
+			"insecure": &schema.Schema{
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: descriptions["insecure"],
+			},
 		},

 		ResourcesMap: map[string]*schema.Resource{
@ -249,6 +261,15 @@ func init() {

 		"kinesis_endpoint": "Use this to override the default endpoint URL constructed from the `region`.\n" +
 			"It's typically used to connect to kinesalite.",
+
+		"iam_endpoint": "Use this to override the default endpoint URL constructed from the `region`.\n",
+
+		"ec2_endpoint": "Use this to override the default endpoint URL constructed from the `region`.\n",
+
+		"elb_endpoint": "Use this to override the default endpoint URL constructed from the `region`.\n",
+
+		"insecure": "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted," +
+			"default value is `false`",
 	}
 }

@ -263,6 +284,16 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		MaxRetries:       d.Get("max_retries").(int),
 		DynamoDBEndpoint: d.Get("dynamodb_endpoint").(string),
 		KinesisEndpoint:  d.Get("kinesis_endpoint").(string),
+		Insecure:         d.Get("insecure").(bool),
+	}
+
+	endpointsSet := d.Get("endpoints").(*schema.Set)
+
+	for _, endpointsSetI := range endpointsSet.List() {
+		endpoints := endpointsSetI.(map[string]interface{})
+		config.IamEndpoint = endpoints["iam"].(string)
+		config.Ec2Endpoint = endpoints["ec2"].(string)
+		config.ElbEndpoint = endpoints["elb"].(string)
 	}

 	if v, ok := d.GetOk("allowed_account_ids"); ok {
@ -278,3 +309,45 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {

 // This is a global MutexKV for use within this plugin.
 var awsMutexKV = mutexkv.NewMutexKV()
+
+func endpointsSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeSet,
+		Optional: true,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"iam": &schema.Schema{
+					Type:        schema.TypeString,
+					Optional:    true,
+					Default:     "",
+					Description: descriptions["iam_endpoint"],
+				},
+
+				"ec2": &schema.Schema{
+					Type:        schema.TypeString,
+					Optional:    true,
+					Default:     "",
+					Description: descriptions["ec2_endpoint"],
+				},
+
+				"elb": &schema.Schema{
+					Type:        schema.TypeString,
+					Optional:    true,
+					Default:     "",
+					Description: descriptions["elb_endpoint"],
+				},
+			},
+		},
+		Set: endpointsToHash,
+	}
+}
+
+func endpointsToHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+	buf.WriteString(fmt.Sprintf("%s-", m["iam"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["ec2"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["elb"].(string)))
+
+	return hashcode.String(buf.String())
+}
--- a/website/source/docs/providers/aws/index.html.markdown
+++ b/website/source/docs/providers/aws/index.html.markdown
@ -133,9 +133,27 @@ The following arguments are supported in the `provider` block:
  to prevent you mistakenly using a wrong one (and end up destroying live environment).
  Conflicts with `allowed_account_ids`.

+* `insecure` - (Optional) Optional) Explicitly allow the provider to
+  perform "insecure" SSL requests. If omitted, default value is `false`
+
 * `dynamodb_endpoint` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  dynamodb-local.

-* `kinesis_endpoint` - (Optional) Use this to override the default endpoint URL
-  constructed from the `region`. It's typically used to connect to kinesalite.
+* `kinesis_endpoint` - (Optional) Use this to override the default endpoint
+  URL constructed from the `region`. It's typically used to connect to
+  kinesalite.
+
+Nested `endpoints` block supports the followings:
+
+* `iam` - (Optional) Use this to override the default endpoint
+  URL constructed from the `region`. It's typically used to connect to
+  custom iam endpoints.
+
+* `ec2` - (Optional) Use this to override the default endpoint
+  URL constructed from the `region`. It's typically used to connect to
+  custom ec2 endpoints.
+
+* `elb` - (Optional) Use this to override the default endpoint
+  URL constructed from the `region`. It's typically used to connect to
+  custom elb endpoints.