From 2073e80c667a6d1202fe163390d0509ec6084ec3 Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 10 Aug 2016 15:25:16 +0100
Subject: [PATCH 1/4] aws/config: Shortened conditions [cleanup]

---
 builtin/providers/aws/auth_helpers.go | 8 ++++----
 builtin/providers/aws/config.go | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/builtin/providers/aws/auth_helpers.go b/builtin/providers/aws/auth_helpers.go
index 91671a801..33db566fd 100644
--- a/builtin/providers/aws/auth_helpers.go
+++ b/builtin/providers/aws/auth_helpers.go
@@ -111,10 +111,10 @@ func GetCredentials(c *Config) *awsCredentials.Credentials {
 }
 usedEndpoint := setOptionalEndpoint(cfg)
 
- // Real AWS should reply to a simple metadata request.
- // We check it actually does to ensure something else didn't just
- // happen to be listening on the same IP:Port
- if c.SkipMetadataApiCheck == false {
+ if !c.SkipMetadataApiCheck {
+ // Real AWS should reply to a simple metadata request.
+ // We check it actually does to ensure something else didn't just
+ // happen to be listening on the same IP:Port
 metadataClient := ec2metadata.New(session.New(cfg))
 if metadataClient.Available() {
 providers = append(providers, &ec2rolecreds.EC2RoleProvider{
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index 84a7b5d26..1a7a05c94 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -203,7 +203,7 @@ func (c *Config) Client() (interface{}, error) {
 client.iamconn = iam.New(awsIamSess)
 client.stsconn = sts.New(sess)
 
- if c.SkipIamCredsValidation == false {
+ if !c.SkipIamCredsValidation {
 err = c.ValidateCredentials(client.stsconn)
 if err != nil {
 errs = append(errs, err)
@@ -211,7 +211,7 @@ func (c *Config) Client() (interface{}, error) {
 }
 }
 
- if c.SkipIamAccountId == false {
+ if !c.SkipIamAccountId {
 accountId, err := GetAccountId(client.iamconn, client.stsconn, cp.ProviderName)
 if err == nil {
 client.accountid = accountId
From 0ab3bc4105a70ea34586506778fb86e7b503f0ce Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 10 Aug 2016 16:46:02 +0100
Subject: [PATCH 2/4] aws: Change field names + desc according to reality

- skip_iam_creds_validation => skip_credentials_validation
- skip_iam_account_id => skip_requesting_account_id
---
 builtin/providers/aws/config.go | 25 +++++++++---------
 builtin/providers/aws/provider.go | 42 +++++++++++++++----------------
 2 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index 1a7a05c94..b0afbb65b 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -70,16 +70,17 @@ type Config struct {
 AllowedAccountIds []interface{}
 ForbiddenAccountIds []interface{}
 
- DynamoDBEndpoint string
- KinesisEndpoint string
- Ec2Endpoint string
- IamEndpoint string
- ElbEndpoint string
- S3Endpoint string
- Insecure bool
- SkipIamCredsValidation bool
- SkipIamAccountId bool
- SkipMetadataApiCheck bool
+ DynamoDBEndpoint string
+ KinesisEndpoint string
+ Ec2Endpoint string
+ IamEndpoint string
+ ElbEndpoint string
+ S3Endpoint string
+ Insecure bool
+
+ SkipCredsValidation bool
+ SkipRequestingAccountId bool
+ SkipMetadataApiCheck bool
 }
 
 type AWSClient struct {
@@ -203,7 +204,7 @@ func (c *Config) Client() (interface{}, error) {
 client.iamconn = iam.New(awsIamSess)
 client.stsconn = sts.New(sess)
 
- if !c.SkipIamCredsValidation {
+ if !c.SkipCredsValidation {
 err = c.ValidateCredentials(client.stsconn)
 if err != nil {
 errs = append(errs, err)
@@ -211,7 +212,7 @@ func (c *Config) Client() (interface{}, error) {
 }
 }
 
- if !c.SkipIamAccountId {
+ if !c.SkipRequestingAccountId {
 accountId, err := GetAccountId(client.iamconn, client.stsconn, cp.ProviderName)
 if err == nil {
 client.accountid = accountId
diff --git a/builtin/providers/aws/provider.go b/builtin/providers/aws/provider.go
index af041e44e..fb1a53ba7 100644
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@@ -110,18 +110,18 @@ func Provider() terraform.ResourceProvider {
 Description: descriptions["insecure"],
 },
 
- "skip_iam_creds_validation": &schema.Schema{
+ "skip_credentials_validation": &schema.Schema{
 Type: schema.TypeBool,
 Optional: true,
 Default: false,
- Description: descriptions["skip_iam_creds_validation"],
+ Description: descriptions["skip_credentials_validation"],
 },
 
- "skip_iam_account_id": &schema.Schema{
+ "skip_requesting_account_id": &schema.Schema{
 Type: schema.TypeBool,
 Optional: true,
 Default: false,
- Description: descriptions["skip_iam_account_id"],
+ Description: descriptions["skip_requesting_account_id"],
 },
 
 "skip_metadata_api_check": &schema.Schema{
@@ -355,11 +355,11 @@ func init() {
 "insecure": "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted," +
 "default value is `false`",
 
- "skip_iam_creds_validation": "Skip the IAM/STS credentials validation. " +
- "Used for AWS API implementations that do not use IAM.",
+ "skip_credentials_validation": "Skip the credentials validation via STS API. " +
+ "Used for AWS API implementations that do not have STS available/implemented.",
 
- "skip_iam_account_id": "Skip the request of account id to IAM/STS. " +
- "Used for AWS API implementations that do not use IAM.",
+ "skip_requesting_account_id": "Skip requesting the account ID. " +
+ "Used for AWS API implementations that do not have IAM/STS API and/or metadata API.",
 
 "skip_medatadata_api_check": "Skip the AWS Metadata API check. " +
 "Used for AWS API implementations that do not have a metadata api endpoint.",
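Review bot: The context line `"skip_medatadata_api_check": "Skip the AWS Metadata API check. " +` in the descriptions map misspells the key, while the schema entry in the first hunk looks it up as `descriptions["skip_metadata_api_check"]`, so that option ships with an empty description. Since this commit already renames the neighbouring keys in both the schema and the map, it is the natural place to fix it: `"skip_metadata_api_check": "Skip the AWS Metadata API check. " +`. The old argument names `skip_iam_creds_validation` and `skip_iam_account_id` are dropped rather than deprecated, so any configuration still using them will fail schema validation; if those names were ever released, keeping them with a `Deprecated:` message for one cycle would ease migration. Both enclosing functions, `Provider()` and `init()`, continue outside the hunks.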
@@ -368,19 +368,19 @@ func init() {
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 config := Config{
- AccessKey: d.Get("access_key").(string),
- SecretKey: d.Get("secret_key").(string),
- Profile: d.Get("profile").(string),
- CredsFilename: d.Get("shared_credentials_file").(string),
- Token: d.Get("token").(string),
- Region: d.Get("region").(string),
- MaxRetries: d.Get("max_retries").(int),
- DynamoDBEndpoint: d.Get("dynamodb_endpoint").(string),
- KinesisEndpoint: d.Get("kinesis_endpoint").(string),
- Insecure: d.Get("insecure").(bool),
- SkipIamCredsValidation: d.Get("skip_iam_creds_validation").(bool),
- SkipIamAccountId: d.Get("skip_iam_account_id").(bool),
- SkipMetadataApiCheck: d.Get("skip_metadata_api_check").(bool),
+ AccessKey: d.Get("access_key").(string),
+ SecretKey: d.Get("secret_key").(string),
+ Profile: d.Get("profile").(string),
+ CredsFilename: d.Get("shared_credentials_file").(string),
+ Token: d.Get("token").(string),
+ Region: d.Get("region").(string),
+ MaxRetries: d.Get("max_retries").(int),
+ DynamoDBEndpoint: d.Get("dynamodb_endpoint").(string),
+ KinesisEndpoint: d.Get("kinesis_endpoint").(string),
+ Insecure: d.Get("insecure").(bool),
+ SkipCredsValidation: d.Get("skip_credentials_validation").(bool),
+ SkipRequestingAccountId: d.Get("skip_requesting_account_id").(bool),
+ SkipMetadataApiCheck: d.Get("skip_metadata_api_check").(bool),
 }
 
 endpointsSet := d.Get("endpoints").(*schema.Set)

From 0e1bccafed193d6cdb5884b658ceff7996938bd3 Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 10 Aug 2016 17:29:07 +0100
Subject: [PATCH 3/4] aws: Let acc ID validation fail when we have no ID

- we could've had ConflictsWith between affected fields, but that would make it fail even if skip_requesting_account_id=false and ConflictsWhen is not a thing (yet)
---
 builtin/providers/aws/config.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index b0afbb65b..711362a69 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -217,11 +217,11 @@ func (c *Config) Client() (interface{}, error) {
 if err == nil {
 client.accountid = accountId
 }
+ }
 
- authErr := c.ValidateAccountId(client.accountid)
- if authErr != nil {
- errs = append(errs, authErr)
- }
+ authErr := c.ValidateAccountId(client.accountid)
+ if authErr != nil {
+ errs = append(errs, authErr)
 }
 
 client.apigateway = apigateway.New(sess)

From d1272808d88ede8e93c58a9cd239e64b65efae4e Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 10 Aug 2016 17:10:28 +0100
Subject: [PATCH 4/4] aws/docs: Document new skip_* fields

---
 .../docs/providers/aws/index.html.markdown | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/website/source/docs/providers/aws/index.html.markdown b/website/source/docs/providers/aws/index.html.markdown
index de975ac51..90fe99584 100644
--- a/website/source/docs/providers/aws/index.html.markdown
+++ b/website/source/docs/providers/aws/index.html.markdown
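Review bot: Moving `authErr := c.ValidateAccountId(client.accountid)` out of the `if !c.SkipRequestingAccountId` block means it now also runs with an empty `client.accountid`, both when the lookup is skipped and when `GetAccountId` returns an error, which the context line `if err == nil {` still discards without logging. Whether that fails closed depends on `ValidateAccountId` (outside the hunk) rejecting an empty ID whenever `AllowedAccountIds` or `ForbiddenAccountIds` is set; if it only tests list membership, an empty ID is never in the forbidden list and that guard is silently bypassed, so a test for the empty-ID case belongs with this change. A comment would pin the intent stated in the commit title: `// Runs even when the account ID was not requested so that allowed/forbidden account ID checks fail on an empty ID instead of being skipped.` Logging the discarded `GetAccountId` error would also make an unexpectedly empty account ID diagnosable. `Client()` continues outside the hunk.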
@@ -159,6 +159,30 @@ The following arguments are supported in the `provider` block:
 URL constructed from the `region`. It's typically used to connect to kinesalite.
+* `skip_credentials_validation` - (Optional) Skip the credentials validation via STS API.
+ Useful for AWS API implementations that do not have STS available/implemented.
+
+* `skip_requesting_account_id` - (Optional) Skip requesting the account ID.
+ Useful for AWS API implementations that do not have IAM/STS API and/or metadata API.
+ `true` (enabling this option) prevents you from managing any resource that requires Account ID to construct an ARN, e.g.
+ - `aws_db_instance`
+ - `aws_db_option_group`
+ - `aws_db_parameter_group`
+ - `aws_db_security_group`
+ - `aws_db_subnet_group`
+ - `aws_elasticache_cluster`
+ - `aws_glacier_vault`
+ - `aws_rds_cluster`
+ - `aws_rds_cluster_instance`
+ - `aws_rds_cluster_parameter_group`
+ - `aws_redshift_cluster`
+
+* `skip_metadata_api_check` - (Optional) Skip the AWS Metadata API check.
+ Useful for AWS API implementations that do not have a metadata API endpoint.
+ `true` prevents Terraform from authenticating via Metadata API - i.e. you may need to use other auth methods
+ (static credentials set as ENV vars or config)
+
+
 Nested `endpoints` block supports the followings:
 * `iam` - (Optional) Use this to override the default endpoint