From fd9b299bdfdf39181f1d4e1cf3dfba8b9cda5dd7 Mon Sep 17 00:00:00 2001
From: Vladyslav Mihun
Date: Wed, 6 Jul 2022 18:14:15 +0300
Subject: [PATCH 1/2] SCALRCORE-22362 Provider configuration > aws_external_id should not be required for role delegation credentials type if trusted entity type is service.
---
 docs/resources/scalr_provider_configuration.md | 8 +++++---
 scalr/resource_scalr_provider_configuration.go | 8 ++++----
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/docs/resources/scalr_provider_configuration.md b/docs/resources/scalr_provider_configuration.md
index bf16e44a..c8bef567 100644
--- a/docs/resources/scalr_provider_configuration.md
+++ b/docs/resources/scalr_provider_configuration.md
@@ -21,8 +21,10 @@ resource "scalr_provider_configuration" "aws" {
 export_shell_variables = false
 environments = [scalr_environment.env1.id]
 aws {
- secret_key = "my-secret-key"
- access_key = "my-access-key"
+ account_type = "regular"
+ credentials_type = "access_keys"
+ secret_key = "my-secret-key"
+ access_key = "my-access-key"
 }
 }
 ```
@@ -106,7 +108,7 @@ resource "scalr_provider_configuration" "kubernetes" {
 * `credentials_type` - (Required) The type of AWS credentials, available options: `access_keys`, `role_delegation`.
 * `trusted_entity_type` - (Optional) Trusted entity type, available options: `aws_account`, `aws_service`. This option is required with `role_delegation` credentials type.
 * `role_arn` - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume. This option is required with `role_delegation` credentials type.
- * `external_id` - (Optional) External identifier to use when assuming the role. This option is required with `role_delegation` credentials type.
+ * `external_id` - (Optional) External identifier to use when assuming the role. This option is required with `role_delegation` credentials type and `aws_account` trusted entity type.
 * `secret_key` - (Optional) AWS secret key. This option is required with `access_keys` credentials type.
 * `access_key` - (Optional) AWS access key.This option is required with `access_keys` credentials type.
 * `google` - (Optional) Settings for the google provider configuraiton. Exactly one of the following attributes must be set: `aws`, `google`, `azurerm`, `scalr`, `custom`.
diff --git a/scalr/resource_scalr_provider_configuration.go b/scalr/resource_scalr_provider_configuration.go
index bd238dea..e8f95a14 100644
--- a/scalr/resource_scalr_provider_configuration.go
+++ b/scalr/resource_scalr_provider_configuration.go
@@ -262,8 +262,8 @@ func resourceScalrProviderConfigurationCreate(d *schema.ResourceData, meta inter
 if len(*configurationOptions.AwsRoleArn) == 0 {
 return fmt.Errorf("'role_arn' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
- if len(*configurationOptions.AwsExternalId) == 0 {
- return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type of aws provider configuration")
+ if *configurationOptions.AwsTrustedEntityType == "aws_account" && len(*configurationOptions.AwsExternalId) == 0 {
+ return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type with 'aws_account' trusted entity type of aws provider configuration")
 }
 } else if *configurationOptions.AwsCredentialsType != "access_keys" {
 return fmt.Errorf("unknown aws provider configuration credentials type: %s, allowed: 'role_delegation', 'access_keys'", *configurationOptions.AwsCredentialsType)
@@ -519,8 +519,8 @@ func resourceScalrProviderConfigurationUpdate(d *schema.ResourceData, meta inter
 if len(*configurationOptions.AwsRoleArn) == 0 {
 return fmt.Errorf("'role_arn' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
- if len(*configurationOptions.AwsExternalId) == 0 {
- return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type of aws provider configuration")
+ if *configurationOptions.AwsTrustedEntityType == "aws_account" && len(*configurationOptions.AwsExternalId) == 0 {
+ return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type with 'aws_account' entity type of aws provider configuration")
 }
 } else if *configurationOptions.AwsCredentialsType != "access_keys" {
 return fmt.Errorf("unknown aws provider configuration credentials type: %s, allowed: 'role_delegation', 'access_keys'", *configurationOptions.AwsCredentialsType)
From 164e8e5983be4804d9c39e4d428701de4bb274ed Mon Sep 17 00:00:00 2001
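Review bot: The new `external_id` requirement in both hunks (Create at @@ -262 and Update at @@ -519) is gated on `*configurationOptions.AwsTrustedEntityType == "aws_account"`, but nothing in these hunks checks that the value is one of the two documented options (`aws_account`, `aws_service`), so any other string — a typo, for instance — skips the check and the provider proceeds without requiring the external ID that protects cross-account role assumption against the confused-deputy problem. Unless a schema-level validator already covers this elsewhere in the file, the same `if` chain should reject unknown values, e.g. `if t := *configurationOptions.AwsTrustedEntityType; t != "aws_account" && t != "aws_service" { return fmt.Errorf("unknown aws provider configuration trusted entity type: %s, allowed: 'aws_account', 'aws_service'", t) }` placed before the `role_arn` check. The two new error strings also drift: Create says `with 'aws_account' trusted entity type`, Update says `with 'aws_account' entity type`; keep them identical so one message covers both paths. Both enclosing functions start and end outside the hunks.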
From: Vladyslav Mihun
Date: Thu, 7 Jul 2022 13:03:03 +0300
Subject: [PATCH 2/2] SCALRCORE-22362 fix
---
 scalr/resource_scalr_provider_configuration.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/scalr/resource_scalr_provider_configuration.go b/scalr/resource_scalr_provider_configuration.go
index e8f95a14..95b5db04 100644
--- a/scalr/resource_scalr_provider_configuration.go
+++ b/scalr/resource_scalr_provider_configuration.go
@@ -255,14 +255,17 @@ func resourceScalrProviderConfigurationCreate(d *schema.ResourceData, meta inter
 if *configurationOptions.AwsCredentialsType == "role_delegation" {
 configurationOptions.AwsTrustedEntityType = scalr.String(d.Get("aws.0.trusted_entity_type").(string))
 configurationOptions.AwsRoleArn = scalr.String(d.Get("aws.0.role_arn").(string))
- configurationOptions.AwsExternalId = scalr.String(d.Get("aws.0.external_id").(string))
+ externalIdI, externalIdExists := d.GetOk("aws.0.external_id")
+ if externalIdExists {
+ configurationOptions.AwsExternalId = scalr.String(externalIdI.(string))
+ }
 if len(*configurationOptions.AwsTrustedEntityType) == 0 {
 return fmt.Errorf("'trusted_entity_type' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
 if len(*configurationOptions.AwsRoleArn) == 0 {
 return fmt.Errorf("'role_arn' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
- if *configurationOptions.AwsTrustedEntityType == "aws_account" && len(*configurationOptions.AwsExternalId) == 0 {
+ if *configurationOptions.AwsTrustedEntityType == "aws_account" && (!externalIdExists || (len(externalIdI.(string)) == 0)) {
 return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type with 'aws_account' trusted entity type of aws provider configuration")
 }
 } else if *configurationOptions.AwsCredentialsType != "access_keys" {
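Review bot: The added condition `(!externalIdExists || (len(externalIdI.(string)) == 0))` in the Create hunk, and the identical line in the Update hunk at @@ -512, is half redundant: the SDK's `ResourceData.GetOk` contract reports `ok == false` when the attribute is unset or equal to its zero value, so for a string the length check can never be true while `externalIdExists` is true. `!externalIdExists` alone expresses the rule and drops the second type assertion on the interface value. The `GetOk` result is only consumed after the `trusted_entity_type` and `role_arn` checks, so a one-line comment above `externalIdI, externalIdExists := d.GetOk("aws.0.external_id")` such as `// external_id is optional for aws_service; the aws_account rule is enforced below` would help the next reader see why the assignment is split from its validation. The enclosing function starts and ends outside the hunk.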
@@ -512,14 +515,17 @@ func resourceScalrProviderConfigurationUpdate(d *schema.ResourceData, meta inter
 if *configurationOptions.AwsCredentialsType == "role_delegation" {
 configurationOptions.AwsTrustedEntityType = scalr.String(d.Get("aws.0.trusted_entity_type").(string))
 configurationOptions.AwsRoleArn = scalr.String(d.Get("aws.0.role_arn").(string))
- configurationOptions.AwsExternalId = scalr.String(d.Get("aws.0.external_id").(string))
+ externalIdI, externalIdExists := d.GetOk("aws.0.external_id")
+ if externalIdExists {
+ configurationOptions.AwsExternalId = scalr.String(externalIdI.(string))
+ }
 if len(*configurationOptions.AwsTrustedEntityType) == 0 {
 return fmt.Errorf("'trusted_entity_type' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
 if len(*configurationOptions.AwsRoleArn) == 0 {
 return fmt.Errorf("'role_arn' field is required for 'role_delegation' credentials type of aws provider configuration")
 }
- if *configurationOptions.AwsTrustedEntityType == "aws_account" && len(*configurationOptions.AwsExternalId) == 0 {
+ if *configurationOptions.AwsTrustedEntityType == "aws_account" && (!externalIdExists || (len(externalIdI.(string)) == 0)) {
 return fmt.Errorf("'external_id' field is required for 'role_delegation' credentials type with 'aws_account' entity type of aws provider configuration")
 }
 } else if *configurationOptions.AwsCredentialsType != "access_keys" {
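Review bot: In the Update hunk, when a configuration moves from `aws_account` to `aws_service` and drops `external_id`, `configurationOptions.AwsExternalId` is now left nil rather than set to an empty string as the removed line did, so whether the previously stored external ID is cleared or silently kept depends on how the client serialises a nil pointer in the update options, which is not visible here. If the API treats an absent field as "unchanged", the stale external ID survives the update and the resource state no longer matches what the server holds. Sending an explicit empty value in that case — an `else` branch on the new `if externalIdExists` block with `configurationOptions.AwsExternalId = scalr.String("")` — would make the intent unambiguous; please confirm against the client's update-options type before choosing. The enclosing function starts and ends outside the hunk.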