Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provider: Adds support for IAM role chaining #39255

Merged
merged 7 commits into from
Sep 11, 2024
Merged

provider: Adds support for IAM role chaining #39255

merged 7 commits into from
Sep 11, 2024
+298 −77

Conversation

gdavison
Copy link
Contributor

@gdavison gdavison commented Sep 10, 2024
edited
Loading

Description

Adds IAM role chaining when authenticating the provider

Relations

Closes #22728

Depends on hashicorp/aws-sdk-go-base#1170

References

Output from Acceptance Testing

% make testacc PKG_NAME=internal/provider TESTS=TestProviderConfig_AssumeRole

--- PASS: TestProviderConfig_AssumeRole (0.57s)
    --- PASS: TestProviderConfig_AssumeRole/config_single (0.13s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple (0.12s)
    --- PASS: TestProviderConfig_AssumeRole/config_empty (0.12s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple_first_empty (0.11s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple_last_empty (0.10s)

@gdavison gdavison requested a review from a team as a code owner September 10, 2024 19:25
@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. provider Pertains to the provider itself, rather than any interaction with AWS. sweeper Pertains to changes to or issues with the sweeper. client-connections Pertains to the AWS Client and service connections. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. labels Sep 10, 2024
ewbankkit
ewbankkit approved these changes Sep 11, 2024
View reviewed changes
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestProviderConfig_' PKG_NAME=internal/provider ACCTEST_PARALLELISM=3
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.22.6 test ./internal/provider/... -v -count 1 -parallel 3  -run=TestProviderConfig_ -timeout 360m
?   	github.com/hashicorp/terraform-provider-aws/internal/provider/fwprovider	[no test files]
=== RUN   TestProviderConfig_Authentication_SSO
=== RUN   TestProviderConfig_Authentication_SSO/shared_configuration_file
=== RUN   TestProviderConfig_Authentication_SSO/use_FIPS
--- PASS: TestProviderConfig_Authentication_SSO (0.20s)
    --- PASS: TestProviderConfig_Authentication_SSO/shared_configuration_file (0.10s)
    --- PASS: TestProviderConfig_Authentication_SSO/use_FIPS (0.10s)
=== RUN   TestProviderConfig_Authentication_LegacySSO
=== RUN   TestProviderConfig_Authentication_LegacySSO/shared_configuration_file
=== RUN   TestProviderConfig_Authentication_LegacySSO/use_FIPS
--- PASS: TestProviderConfig_Authentication_LegacySSO (0.20s)
    --- PASS: TestProviderConfig_Authentication_LegacySSO/shared_configuration_file (0.10s)
    --- PASS: TestProviderConfig_Authentication_LegacySSO/use_FIPS (0.10s)
=== RUN   TestProviderConfig_AssumeRole
=== RUN   TestProviderConfig_AssumeRole/config_multiple_first_empty
=== RUN   TestProviderConfig_AssumeRole/config_multiple_last_empty
=== RUN   TestProviderConfig_AssumeRole/config_single
2024/09/11 15:20:00 [DEBUG] Received STS API "POST" request to "/": Action=AssumeRole&DurationSeconds=900&RoleArn=arn%3Aaws%3Aiam%3A%3A555555555555%3Arole%2FAssumeRole&RoleSessionName=AssumeRoleSessionName&Version=2011-06-15
2024/09/11 15:20:00 [DEBUG] Mocked STS API responding with 200: <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
  <AssumedRoleUser>
    <Arn>arn:aws:sts::555555555555:assumed-role/role/AssumeRoleSessionName</Arn>
    <AssumedRoleId>ARO123EXAMPLE123:AssumeRoleSessionName</AssumedRoleId>
  </AssumedRoleUser>
  <Credentials>
    <AccessKeyId>AssumeRoleAccessKey</AccessKeyId>
    <SecretAccessKey>AssumeRoleSecretKey</SecretAccessKey>
    <SessionToken>AssumeRoleSessionToken</SessionToken>
    <Expiration>2099-12-31T23:59:59Z</Expiration>
  </Credentials>
</AssumeRoleResult>
<ResponseMetadata>
  <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
=== RUN   TestProviderConfig_AssumeRole/config_multiple
2024/09/11 15:20:00 [DEBUG] Received STS API "POST" request to "/": Action=AssumeRole&DurationSeconds=900&RoleArn=arn%3Aaws%3Aiam%3A%3A555555555555%3Arole%2FAssumeRole&RoleSessionName=AssumeRoleSessionName&Version=2011-06-15
2024/09/11 15:20:00 [DEBUG] Mocked STS API responding with 200: <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
  <AssumedRoleUser>
    <Arn>arn:aws:sts::555555555555:assumed-role/role/AssumeRoleSessionName</Arn>
    <AssumedRoleId>ARO123EXAMPLE123:AssumeRoleSessionName</AssumedRoleId>
  </AssumedRoleUser>
  <Credentials>
    <AccessKeyId>AssumeRoleAccessKey</AccessKeyId>
    <SecretAccessKey>AssumeRoleSecretKey</SecretAccessKey>
    <SessionToken>AssumeRoleSessionToken</SessionToken>
    <Expiration>2099-12-31T23:59:59Z</Expiration>
  </Credentials>
</AssumeRoleResult>
<ResponseMetadata>
  <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
2024/09/11 15:20:00 [DEBUG] Received STS API "POST" request to "/": Action=AssumeRole&DurationSeconds=900&RoleArn=arn%3Aaws%3Aiam%3A%3A555555555555%3Arole%2FAssumeRole&RoleSessionName=AssumeRoleSessionName&Version=2011-06-15
2024/09/11 15:20:00 [DEBUG] Mocked STS API responding with 200: <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
  <AssumedRoleUser>
    <Arn>arn:aws:sts::555555555555:assumed-role/role/AssumeRoleSessionName</Arn>
    <AssumedRoleId>ARO123EXAMPLE123:AssumeRoleSessionName</AssumedRoleId>
  </AssumedRoleUser>
  <Credentials>
    <AccessKeyId>AssumeRoleAccessKey</AccessKeyId>
    <SecretAccessKey>AssumeRoleSecretKey</SecretAccessKey>
    <SessionToken>AssumeRoleSessionToken</SessionToken>
    <Expiration>2099-12-31T23:59:59Z</Expiration>
  </Credentials>
</AssumeRoleResult>
<ResponseMetadata>
  <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
2024/09/11 15:20:00 [DEBUG] Received STS API "POST" request to "/": Action=AssumeRole&DurationSeconds=900&RoleArn=arn%3Aaws%3Aiam%3A%3A555555555555%3Arole%2FAssumeRole2&RoleSessionName=AssumeRoleSessionName2&Version=2011-06-15
2024/09/11 15:20:00 [DEBUG] Mocked STS API responding with 200: <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
  <AssumedRoleUser>
    <Arn>arn:aws:sts::555555555555:assumed-role/role/AssumeRoleSessionName</Arn>
    <AssumedRoleId>ARO123EXAMPLE123:AssumeRoleSessionName</AssumedRoleId>
  </AssumedRoleUser>
  <Credentials>
    <AccessKeyId>AssumeRoleAccessKey</AccessKeyId>
    <SecretAccessKey>AssumeRoleSecretKey</SecretAccessKey>
    <SessionToken>AssumeRoleSessionToken</SessionToken>
    <Expiration>2099-12-31T23:59:59Z</Expiration>
  </Credentials>
</AssumeRoleResult>
<ResponseMetadata>
  <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
=== RUN   TestProviderConfig_AssumeRole/config_empty
--- PASS: TestProviderConfig_AssumeRole (0.48s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple_first_empty (0.09s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple_last_empty (0.09s)
    --- PASS: TestProviderConfig_AssumeRole/config_single (0.10s)
    --- PASS: TestProviderConfig_AssumeRole/config_multiple (0.10s)
    --- PASS: TestProviderConfig_AssumeRole/config_empty (0.10s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/provider	5.945s

ewbankkit
ewbankkit reviewed Sep 11, 2024
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@gdavison gdavison merged commit 6dc8aad into main Sep 11, 2024
47 checks passed
@gdavison gdavison deleted the f-role-chaining branch September 11, 2024 23:35
@github-actions github-actions bot added this to the v5.67.0 milestone Sep 11, 2024
terraform-aws-provider bot pushed a commit that referenced this pull request Sep 11, 2024
Update CHANGELOG.md for #39255
3b17684
@gdavison gdavison mentioned this pull request Sep 12, 2024
Merged
@evan-cleary evan-cleary mentioned this pull request Sep 13, 2024
Closed
@github-actions GitHub Actions
Copy link

This functionality has been released in v5.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Sep 13, 2024
@devdootkim devdootkim mentioned this pull request Sep 13, 2024
Closed
This was referenced Sep 13, 2024
Merged
Merged
@github-actions GitHub Actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ewbankkit ewbankkit ewbankkit approved these changes

Assignees
No one assigned
Labels
client-connections Pertains to the AWS Client and service connections. documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. sweeper Pertains to changes to or issues with the sweeper. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
v5.67.0
Development

Successfully merging this pull request may close these issues.

Support for IAM "Role Chaining"
2 participants
@gdavison @ewbankkit