Merge pull request #8114 from TimeIncOSS/f-aws-skip-options

aws: Change names of new skip_* fields + document those

builtin/providers/aws/auth_helpers.go

@@ -117,10 +117,10 @@ func GetCredentials(c *Config) *awsCredentials.Credentials {
 	}
 	usedEndpoint := setOptionalEndpoint(cfg)
 
+	if !c.SkipMetadataApiCheck {
 		// Real AWS should reply to a simple metadata request.
 		// We check it actually does to ensure something else didn't just
 		// happen to be listening on the same IP:Port
-	if c.SkipMetadataApiCheck == false {
 		metadataClient := ec2metadata.New(session.New(cfg))
 		if metadataClient.Available() {
 			providers = append(providers, &ec2rolecreds.EC2RoleProvider{

builtin/providers/aws/config.go

@@ -76,8 +76,9 @@ type Config struct {
 	ElbEndpoint      string
 	S3Endpoint       string
 	Insecure         bool
-	SkipIamCredsValidation bool
-	SkipIamAccountId       bool
+
+	SkipCredsValidation     bool
+	SkipRequestingAccountId bool
 	SkipMetadataApiCheck    bool
 }
 
@@ -205,7 +206,7 @@ func (c *Config) Client() (interface{}, error) {
 		client.iamconn = iam.New(awsIamSess)
 		client.stsconn = sts.New(sess)
 
-		if c.SkipIamCredsValidation == false {
+		if !c.SkipCredsValidation {
 			err = c.ValidateCredentials(client.stsconn)
 			if err != nil {
 				errs = append(errs, err)
@@ -213,17 +214,17 @@ func (c *Config) Client() (interface{}, error) {
 			}
 		}
 
-		if c.SkipIamAccountId == false {
+		if !c.SkipRequestingAccountId {
 			accountId, err := GetAccountId(client.iamconn, client.stsconn, cp.ProviderName)
 			if err == nil {
 				client.accountid = accountId
 			}
+		}
 
 		authErr := c.ValidateAccountId(client.accountid)
 		if authErr != nil {
 			errs = append(errs, authErr)
 		}
-		}
 
 		client.apigateway = apigateway.New(sess)
 		client.appautoscalingconn = applicationautoscaling.New(sess)

builtin/providers/aws/provider.go

@@ -110,18 +110,18 @@ func Provider() terraform.ResourceProvider {
 				Description: descriptions["insecure"],
 			},
 
-			"skip_iam_creds_validation": &schema.Schema{
+			"skip_credentials_validation": &schema.Schema{
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Default:     false,
-				Description: descriptions["skip_iam_creds_validation"],
+				Description: descriptions["skip_credentials_validation"],
 			},
 
-			"skip_iam_account_id": &schema.Schema{
+			"skip_requesting_account_id": &schema.Schema{
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Default:     false,
-				Description: descriptions["skip_iam_account_id"],
+				Description: descriptions["skip_requesting_account_id"],
 			},
 
 			"skip_metadata_api_check": &schema.Schema{
@@ -356,11 +356,11 @@ func init() {
 		"insecure": "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted," +
 			"default value is `false`",
 
-		"skip_iam_creds_validation": "Skip the IAM/STS credentials validation. " +
-			"Used for AWS API implementations that do not use IAM.",
+		"skip_credentials_validation": "Skip the credentials validation via STS API. " +
+			"Used for AWS API implementations that do not have STS available/implemented.",
 
-		"skip_iam_account_id": "Skip the request of account id to IAM/STS. " +
-			"Used for AWS API implementations that do not use IAM.",
+		"skip_requesting_account_id": "Skip requesting the account ID. " +
+			"Used for AWS API implementations that do not have IAM/STS API and/or metadata API.",
 
 		"skip_medatadata_api_check": "Skip the AWS Metadata API check. " +
 			"Used for AWS API implementations that do not have a metadata api endpoint.",
@@ -379,8 +379,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		DynamoDBEndpoint:        d.Get("dynamodb_endpoint").(string),
 		KinesisEndpoint:         d.Get("kinesis_endpoint").(string),
 		Insecure:                d.Get("insecure").(bool),
-		SkipIamCredsValidation: d.Get("skip_iam_creds_validation").(bool),
-		SkipIamAccountId:       d.Get("skip_iam_account_id").(bool),
+		SkipCredsValidation:     d.Get("skip_credentials_validation").(bool),
+		SkipRequestingAccountId: d.Get("skip_requesting_account_id").(bool),
 		SkipMetadataApiCheck:    d.Get("skip_metadata_api_check").(bool),
 	}
 

website/source/docs/providers/aws/index.html.markdown

@@ -159,6 +159,30 @@ The following arguments are supported in the `provider` block:
   URL constructed from the `region`. It's typically used to connect to
   kinesalite.
 
+* `skip_credentials_validation` - (Optional) Skip the credentials validation via STS API.
+  Useful for AWS API implementations that do not have STS available/implemented.
+
+* `skip_requesting_account_id` - (Optional) Skip requesting the account ID.
+  Useful for AWS API implementations that do not have IAM/STS API and/or metadata API.
+  `true` (enabling this option) prevents you from managing any resource that requires Account ID to construct an ARN, e.g.
+  - `aws_db_instance`
+  - `aws_db_option_group`
+  - `aws_db_parameter_group`
+  - `aws_db_security_group`
+  - `aws_db_subnet_group`
+  - `aws_elasticache_cluster`
+  - `aws_glacier_vault`
+  - `aws_rds_cluster`
+  - `aws_rds_cluster_instance`
+  - `aws_rds_cluster_parameter_group`
+  - `aws_redshift_cluster`
+
+* `skip_metadata_api_check` - (Optional) Skip the AWS Metadata API check.
+  Useful for AWS API implementations that do not have a metadata API endpoint.
+  `true` prevents Terraform from authenticating via Metadata API - i.e. you may need to use other auth methods
+  (static credentials set as ENV vars or config)
+
+
 Nested `endpoints` block supports the followings:
 
 * `iam` - (Optional) Use this to override the default endpoint