hashicorp · bflad · Jul 24, 2020 · Jul 22, 2020
diff --git a/aws/resource_aws_iam_access_key.go b/aws/resource_aws_iam_access_key.go
@@ -42,12 +42,6 @@ func resourceAwsIamAccessKey() *schema.Resource {
 				Computed:  true,
 				Sensitive: true,
 			},
-			"ses_smtp_password": {
-				Type:       schema.TypeString,
-				Computed:   true,
-				Sensitive:  true,
-				Deprecated: "AWS SigV2 for SES SMTP passwords isy deprecated.\nUse 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.",
-			},
 			"ses_smtp_password_v4": {
 				Type:      schema.TypeString,
 				Computed:  true,
@@ -111,14 +105,6 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 		}
 	}
 
-	// AWS SigV2
-	sesSMTPPassword, err := sesSmtpPasswordFromSecretKeySigV2(createResp.AccessKey.SecretAccessKey)
-	if err != nil {
-		return fmt.Errorf("error getting SES SigV2 SMTP Password from Secret Access Key: %s", err)
-	}
-	d.Set("ses_smtp_password", sesSMTPPassword)
-
-	// AWS SigV4
 	sesSMTPPasswordV4, err := sesSmtpPasswordFromSecretKeySigV4(createResp.AccessKey.SecretAccessKey, meta.(*AWSClient).region)
 	if err != nil {
 		return fmt.Errorf("error getting SES SigV4 SMTP Password from Secret Access Key: %s", err)
@@ -252,21 +238,3 @@ func sesSmtpPasswordFromSecretKeySigV4(key *string, region string) (string, erro
 	versionedSig = append(versionedSig, rawSig...)
 	return base64.StdEncoding.EncodeToString(versionedSig), nil
 }
-
-func sesSmtpPasswordFromSecretKeySigV2(key *string) (string, error) {
-	if key == nil {
-		return "", nil
-	}
-	version := byte(0x02)
-	message := []byte("SendRawEmail")
-	hmacKey := []byte(*key)
-	h := hmac.New(sha256.New, hmacKey)
-	if _, err := h.Write(message); err != nil {
-		return "", err
-	}
-	rawSig := h.Sum(nil)
-	versionedSig := make([]byte, 0, len(rawSig)+1)
-	versionedSig = append(versionedSig, version)
-	versionedSig = append(versionedSig, rawSig...)
-	return base64.StdEncoding.EncodeToString(versionedSig), nil
-}
diff --git a/aws/resource_aws_iam_access_key_test.go b/aws/resource_aws_iam_access_key_test.go
@@ -256,23 +256,3 @@ func TestSesSmtpPasswordFromSecretKeySigV4(t *testing.T) {
 		}
 	}
 }
-
-func TestSesSmtpPasswordFromSecretKeySigV2(t *testing.T) {
-	cases := []struct {
-		Input    string
-		Expected string
-	}{
-		{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
-		{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
-	}
-
-	for _, tc := range cases {
-		actual, err := sesSmtpPasswordFromSecretKeySigV2(&tc.Input)
-		if err != nil {
-			t.Fatalf("unexpected error: %s", err)
-		}
-		if actual != tc.Expected {
-			t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
-		}
-	}
-}
diff --git a/website/docs/guides/version-3-upgrade.html.md b/website/docs/guides/version-3-upgrade.html.md
@@ -29,6 +29,7 @@ Upgrade topics:
 - [Resource: aws_ebs_volume](#resource-aws_ebs_volume)
 - [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
 - [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
+- [Resource: aws_iam_access_key](#resource-aws_iam_access_key)
 - [Resource: aws_instance](#resource-aws_instance)
 - [Resource: aws_lambda_alias](#resource-aws_lambda_alias)
 - [Resource: aws_launch_template](#resource-aws_launch_template)
@@ -727,6 +728,12 @@ resource "aws_emr_cluster" "example" {
 }
 ```
 
+## Resource: aws_iam_access_key
+
+### ses_smtp_password Attribute Removal
+
+In many regions today and in all regions after October 1, 2020, the [SES API will only accept version 4 signatures](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html). If referencing the `ses_smtp_password` attribute, switch your Terraform configuration to the `ses_smtp_password_v4` attribute instead. Please note that this signature is based on the region of the Terraform AWS Provider. If you need the SES v4 password in multiple regions, it may require using [multiple provider instances](/docs/configuration/providers.html#alias-multiple-provider-instances).
+
 ## Resource: aws_instance
 
 ### ebs_block_device.iops and root_block_device.iops Argument Apply-Time Validations

diff --git a/website/docs/r/iam_access_key.html.markdown b/website/docs/r/iam_access_key.html.markdown
@@ -90,8 +90,6 @@ the use of the secret key in automation.
 * `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified.
 ~> **NOTE:** The encrypted secret may be decrypted using the command line,
    for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`.
-* `ses_smtp_password` - **DEPRECATED** The secret access key converted into an SES SMTP
-  password by applying AWS's SigV2 conversion algorithm
 * `ses_smtp_password_v4` - The secret access key converted into an SES SMTP
   password by applying [AWS's documented Sigv4 conversion
   algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).