From 5ee858c7471bbfb1d0dca75343ea8a3b8987a9a1 Mon Sep 17 00:00:00 2001 From: Brian Flad Date: Wed, 22 Jul 2020 14:22:30 -0400 Subject: [PATCH] resource/aws_iam_access_key: Remove deprecated ses_smtp_password attribute Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/11144 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSAccessKey_basic (5.87s) --- PASS: TestAccAWSAccessKey_encrypted (5.97s) --- PASS: TestAccAWSAccessKey_inactive (9.72s) ```
---
 aws/resource_aws_iam_access_key.go | 32 ------------------- aws/resource_aws_iam_access_key_test.go | 20 ------------ website/docs/guides/version-3-upgrade.html.md | 7 ++++ website/docs/r/iam_access_key.html.markdown | 2 -- 4 files changed, 7 insertions(+), 54 deletions(-)
diff --git a/aws/resource_aws_iam_access_key.go b/aws/resource_aws_iam_access_key.go
index af8f853f67b..f6dfdc3c1e1 100644
--- a/aws/resource_aws_iam_access_key.go
+++ b/aws/resource_aws_iam_access_key.go
@@ -42,12 +42,6 @@ func resourceAwsIamAccessKey() *schema.Resource {
 Computed: true,
 Sensitive: true,
 },
- "ses_smtp_password": {
- Type: schema.TypeString,
- Computed: true,
- Sensitive: true,
- Deprecated: "AWS SigV2 for SES SMTP passwords isy deprecated.\nUse 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.",
- },
 "ses_smtp_password_v4": {
 Type: schema.TypeString,
 Computed: true,
@@ -111,14 +105,6 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 }
 }
- // AWS SigV2
- sesSMTPPassword, err := sesSmtpPasswordFromSecretKeySigV2(createResp.AccessKey.SecretAccessKey)
- if err != nil {
- return fmt.Errorf("error getting SES SigV2 SMTP Password from Secret Access Key: %s", err)
- }
- d.Set("ses_smtp_password", sesSMTPPassword)
-
- // AWS SigV4
 sesSMTPPasswordV4, err := sesSmtpPasswordFromSecretKeySigV4(createResp.AccessKey.SecretAccessKey, meta.(*AWSClient).region)
 if err != nil {
 return fmt.Errorf("error getting SES SigV4 SMTP Password from Secret Access Key: %s", err)
@@ -252,21 +238,3 @@ func sesSmtpPasswordFromSecretKeySigV4(key *string, region string) (string, erro
 versionedSig = append(versionedSig, rawSig...)
 return base64.StdEncoding.EncodeToString(versionedSig), nil
 }
-
-func sesSmtpPasswordFromSecretKeySigV2(key *string) (string, error) {
- if key == nil {
- return "", nil
- }
- version := byte(0x02)
- message := []byte("SendRawEmail")
- hmacKey := []byte(*key)
- h := hmac.New(sha256.New, hmacKey)
- if _, err := h.Write(message); err != nil {
- return "", err
- }
- rawSig := h.Sum(nil)
- versionedSig := make([]byte, 0, len(rawSig)+1)
- versionedSig = append(versionedSig, version)
- versionedSig = append(versionedSig, rawSig...)
- return base64.StdEncoding.EncodeToString(versionedSig), nil
-}
diff --git a/aws/resource_aws_iam_access_key_test.go b/aws/resource_aws_iam_access_key_test.go
index 03e400834c0..69ab499fb64 100644
--- a/aws/resource_aws_iam_access_key_test.go
+++ b/aws/resource_aws_iam_access_key_test.go
@@ -256,23 +256,3 @@ func TestSesSmtpPasswordFromSecretKeySigV4(t *testing.T) {
 }
 }
 }
-
-func TestSesSmtpPasswordFromSecretKeySigV2(t *testing.T) {
- cases := []struct {
- Input string
- Expected string
- }{
- {"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
- {"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
- }
-
- for _, tc := range cases {
- actual, err := sesSmtpPasswordFromSecretKeySigV2(&tc.Input)
- if err != nil {
- t.Fatalf("unexpected error: %s", err)
- }
- if actual != tc.Expected {
- t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
- }
- }
-}
diff --git a/website/docs/guides/version-3-upgrade.html.md b/website/docs/guides/version-3-upgrade.html.md
index d5bbc03dac8..280b1b79bce 100644
--- a/website/docs/guides/version-3-upgrade.html.md
+++ b/website/docs/guides/version-3-upgrade.html.md
@@ -29,6 +29,7 @@ Upgrade topics:
 - [Resource: aws_ebs_volume](#resource-aws_ebs_volume)
 - [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
 - [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
+- [Resource: aws_iam_access_key](#resource-aws_iam_access_key)
 - [Resource: aws_instance](#resource-aws_instance)
 - [Resource: aws_lambda_alias](#resource-aws_lambda_alias)
 - [Resource: aws_launch_template](#resource-aws_launch_template)
@@ -727,6 +728,12 @@ resource "aws_emr_cluster" "example" {
 }
 ```
+## Resource: aws_iam_access_key
+
+### ses_smtp_password Attribute Removal
+
+In many regions today and in all regions after October 1, 2020, the [SES API will only accept version 4 signatures](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html). If referencing the `ses_smtp_password` attribute, switch your Terraform configuration to the `ses_smtp_password_v4` attribute instead. Please note that this signature is based on the region of the Terraform AWS Provider. If you need the SES v4 password in multiple regions, it may require using [multiple provider instances](/docs/configuration/providers.html#alias-multiple-provider-instances).
+
 ## Resource: aws_instance
 ### ebs_block_device.iops and root_block_device.iops Argument Apply-Time Validations
diff --git a/website/docs/r/iam_access_key.html.markdown b/website/docs/r/iam_access_key.html.markdown
index 1a2d039d06e..3c4e3a83409 100644
--- a/website/docs/r/iam_access_key.html.markdown
+++ b/website/docs/r/iam_access_key.html.markdown
@@ -90,8 +90,6 @@ the use of the secret key in automation.
 * `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified. ~> **NOTE:** The encrypted secret may be decrypted using the command line, for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`.
-* `ses_smtp_password` - **DEPRECATED** The secret access key converted into an SES SMTP
- password by applying AWS's SigV2 conversion algorithm
 * `ses_smtp_password_v4` - The secret access key converted into an SES SMTP password by applying [AWS's documented Sigv4 conversion algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).