From 5a342a183e2f69de5eae58e06eacbd65c348f599 Mon Sep 17 00:00:00 2001 From: Anton Tayanovskyy Date: Wed, 22 May 2024 14:17:31 -0400 Subject: [PATCH] Do not skip metadata API check by default (#3960) This PR explores reverting the default `aws:skipMetadataApiCheck=false` setting to enable the provider to be able to seamlessly authenticate against IMDS(v2) endpoints in the AWS environment. It appears that doing so no longer slows down the provider startup time perceptibly. The way I tested the speed delta was by measuring local empty preview of an AWS s3 Bucket using AWS_PROFILE authentication with local <-> us-east-1; there is no perceptible difference. Fixes: https://github.com/pulumi/pulumi-aws/issues/1692 An integration test is added that exercises `pulumi preview` on an EC2 instance with IMDSv2 and asserts that the provider can authenticate successfully. Background: - https://github.com/pulumi/pulumi-aws/issues/873 - https://github.com/pulumi/pulumi-aws/pull/1288 --- provider/cmd/pulumi-resource-aws/schema.json | 6 +- provider/configure_test.go | 1 - provider/provider_yaml_test.go | 56 ++++- provider/resources.go | 41 ++-- .../imds-auth/imds-v2/Pulumi.yaml | 193 ++++++++++++++++++ .../imds-v2/remote-program/Pulumi.yaml | 16 ++ sdk/dotnet/Config/Config.cs | 2 +- sdk/dotnet/Provider.cs | 1 - sdk/go/aws/config/config.go | 8 +- sdk/go/aws/provider.go | 3 - .../src/main/java/com/pulumi/aws/Config.java | 2 +- .../java/com/pulumi/aws/ProviderArgs.java | 1 - sdk/nodejs/config/vars.ts | 4 +- sdk/nodejs/provider.ts | 2 +- sdk/python/pulumi_aws/config/__init__.pyi | 2 +- sdk/python/pulumi_aws/config/vars.py | 4 +- sdk/python/pulumi_aws/provider.py | 4 - 17 files changed, 297 insertions(+), 49 deletions(-) create mode 100644 provider/test-programs/imds-auth/imds-v2/Pulumi.yaml create mode 100644 provider/test-programs/imds-auth/imds-v2/remote-program/Pulumi.yaml
diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index b7d43cce0a4..3b799c12a3b 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -390,8 +390,7 @@ }, "skipMetadataApiCheck": { "type": "boolean", - "description": "Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint.\n", - "default": true + "description": "Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint.\n" }, "skipRegionValidation": { "type": "boolean",
@@ -157873,8 +157872,7 @@ }, "skipMetadataApiCheck": { "type": "boolean", - "description": "Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint.\n", - "default": true + "description": "Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint.\n" }, "skipRegionValidation": { "type": "boolean",
diff --git a/provider/configure_test.go b/provider/configure_test.go
index aab314a98ce..afe336d08b0 100644
--- a/provider/configure_test.go
+++ b/provider/configure_test.go
@@ -110,7 +110,6 @@ func TestCheckConfigFastWithCustomEndpoints(t *testing.T) {
 "s3UsePathStyle": "true",
 "secretKey": "*",
 "skipCredentialsValidation": "true",
- "skipMetadataApiCheck": "true",
 "skipRegionValidation": "true",
 "skipRequestingAccountId": "true",
 "version": "6.5.0"
diff --git a/provider/provider_yaml_test.go b/provider/provider_yaml_test.go
index dff9a4d5e49..2e7b31a9cd5 100644
--- a/provider/provider_yaml_test.go
+++ b/provider/provider_yaml_test.go
@@ -1,4 +1,4 @@
-// Copyright 2016-2023, Pulumi Corporation. All rights reserved.
+// Copyright 2016-2024, Pulumi Corporation. All rights reserved.
 //go:build !go && !nodejs && !python && !dotnet
 // +build !go,!nodejs,!python,!dotnet
@@ -6,11 +6,15 @@
 package provider
 import (
+ "bytes"
 "context"
 "fmt"
 "math/rand"
 "os"
+ "os/exec"
 "path/filepath"
+ "runtime"
+ "strings"
 "testing"
 "github.com/aws/aws-sdk-go-v2/config"
@@ -315,6 +319,56 @@ func TestRegress3674(t *testing.T) {
 require.NotContainsf(t, string(state), "MyTestTag", "Expected MyTestTag to be removed")
 }
+// Ensure that pulumi-aws can authenticate using IMDS API when Pulumi is running in a context where that is made
+// available such as an EC2 instance.
+func TestIMDSAuth(t *testing.T) {
+ var localProviderBuild string
+ actual := fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)
+ expected := "linux/amd64"
+ cwd, err := os.Getwd()
+ require.NoError(t, err)
+ if actual == expected {
+ currentBinary, err := filepath.Abs(filepath.Join(cwd, "..", "bin", "pulumi-resource-aws"))
+ require.NoError(t, err)
+ t.Logf("Reusing prebuilt binary from %s to test %q", currentBinary, expected)
+ localProviderBuild = currentBinary
+ } else {
+ t.Logf("Cross-compiling provider-resource-aws under test to %q", expected)
+ localProviderBuild = filepath.Join(os.TempDir(), "pulumi-resource-aws")
+ ldFlags := []string{
+ "-X", "github.com/pulumi/pulumi-aws/provider/v6/pkg/version.Version=6.0.0-alpha.0+dev",
+ "-X", "github.com/hashicorp/terraform-provider-aws/version.ProviderVersion=6.0.0-alpha.0+dev",
+ }
+ args := []string{
+ "build", "-o", localProviderBuild,
+ "-ldflags", strings.Join(ldFlags, " "),
+ }
+ cmd := exec.Command("go", args...)
+ cmd.Dir = filepath.Join(cwd, "cmd", "pulumi-resource-aws")
+ cmd.Env = os.Environ()
+ cmd.Env = append(cmd.Env,
+ fmt.Sprintf("GOOS=linux"),
+ fmt.Sprintf("GOARCH=amd64"),
+ )
+ var stderr, stdout bytes.Buffer
+ cmd.Stderr = &stderr
+ cmd.Stdout = &stdout
+ if err := cmd.Run(); err != nil {
+ t.Logf("go %s failed\nStdout:\n%s\nStderr:\n%s\n", strings.Join(args, " "),
+ stdout.String(), stderr.String())
+ require.NoError(t, err)
+ }
+ }
+ t.Run("IDMSv2", func(t *testing.T) {
+ ptest := pulumiTest(t, filepath.Join("test-programs", "imds-auth", "imds-v2"), opttest.SkipInstall())
+ ptest.SetConfig("localProviderBuild", localProviderBuild)
+ result := ptest.Up()
+ t.Logf("stdout: %s", result.StdOut)
+ t.Logf("stderr: %s", result.StdErr)
+ t.Logf("commandOut: %v", result.Outputs["commandOut"].Value)
+ })
+}
+
 func configureS3() *s3sdk.Client {
 loadOpts := []func(*config.LoadOptions) error{}
 if p, ok := os.LookupEnv("AWS_PROFILE"); ok {
diff --git a/provider/resources.go b/provider/resources.go
index 89d14494a04..7afb217e0d4 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -522,22 +522,23 @@ func stringValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []st
 }
 // boolValue gets a bool value from a property map if present, else false
-func boolValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) bool {
+func boolValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) (*bool, error) {
 val, ok := vars[prop]
 if ok && val.IsBool() {
- return val.BoolValue()
+ result := val.BoolValue()
+ return &result, nil
 }
 for _, env := range envs {
 val, ok := os.LookupEnv(env)
 if ok {
 boolValue, err := strconv.ParseBool(val)
 if err != nil {
- return false
+ return nil, err
 }
- return boolValue
+ return &boolValue, nil
 }
 }
- return false
+ return nil, nil
 }
 func arrayValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) []string {
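Review bot: The cross-compiled provider binary in `TestIMDSAuth` is written to a fixed, predictable path, `filepath.Join(os.TempDir(), "pulumi-resource-aws")`, and that file is later copied to the EC2 instance and executed there, so on a shared runner another process or a parallel test run could replace or clobber it; `localProviderBuild = filepath.Join(t.TempDir(), "pulumi-resource-aws")` gives a private per-test directory that is removed afterwards. The subtest name `"IDMSv2"` looks like a typo for `"IMDSv2"`, and `fmt.Sprintf("GOOS=linux")` / `fmt.Sprintf("GOARCH=amd64")` take no format arguments, so plain string literals would do. The subtest only logs `commandOut`; unless `ptest.Up()` already fails on a non-zero remote command, an assertion on the remote `pulumi preview` output would make an authentication regression visible.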
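Review bot: The doc comment above `boolValue` still says "else false", but the new signature returns `(*bool, error)`: nil when neither the property nor any listed environment variable is set, and an error when an environment value does not parse. Suggested comment: `// boolValue returns the bool stored under prop, else the first set env var parsed as a bool; it returns nil when none is set and an error when the env value is not a valid bool.` The `strconv.ParseBool` error is returned without naming the variable, so wrapping it, e.g. `return nil, fmt.Errorf("parsing %s: %w", env, err)`, would tell the user which setting to fix (this assumes `fmt` is already imported in resources.go, which the hunk does not show).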
@@ -641,15 +642,16 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error
 config.AssumeRoleWithWebIdentity = &assumeRole
 }
- // By default `skipMetadataApiCheck` is true for Pulumi to speed operations
- // if we want to authenticate against the AWS API Metadata Service then the user
- // will specify that skipMetadataApiCheck: false
- // therefore, if we have skipMetadataApiCheck false, then we are enabling the imds client
- config.EC2MetadataServiceEnableState = imds.ClientDisabled
- skipMetadataApiCheck := boolValue(vars, "skipMetadataApiCheck",
+ // Only set non-default EC2MetadataServiceEnableState if requested by skipMetadataApiCheck.
+ skipMetadataApiCheck, err := boolValue(vars, "skipMetadataApiCheck",
 []string{"AWS_SKIP_METADATA_API_CHECK"})
- if !skipMetadataApiCheck {
- config.EC2MetadataServiceEnableState = imds.ClientEnabled
+ contract.AssertNoErrorf(err, "Failed to parse skipMetadataApiCheck configuration")
+ if skipMetadataApiCheck != nil {
+ if !*skipMetadataApiCheck {
+ config.EC2MetadataServiceEnableState = imds.ClientEnabled
+ } else {
+ config.EC2MetadataServiceEnableState = imds.ClientDisabled
+ }
 }
 // lastly let's set the sharedCreds and sharedConfig file. If these are not found then let's default to the
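Review bot: `contract.AssertNoErrorf(err, ...)` turns a malformed `AWS_SKIP_METADATA_API_CHECK` value (user-controlled input such as `yes`) into an assertion failure that aborts the provider, whereas before this change an unparsable value was silently treated as false. `validateCredentials` already returns an `error`, so returning it keeps the failure actionable and matches what `preConfigureCallback` does for `skipCredentialsValidation`: `if err != nil { return fmt.Errorf("invalid skipMetadataApiCheck: %w", err) }`. The new comment could also say that leaving the setting unset now defers to the SDK's default `EC2MetadataServiceEnableState`, so the provider may pick up instance-role credentials from IMDS wherever an endpoint is reachable; anyone who relied on the old default to keep IMDS out of the credential chain has to set `skipMetadataApiCheck: true` explicitly. The function body starts and ends outside this hunk.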
@@ -751,17 +753,21 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error
 // before passing control to the TF provider to ensure we can report actionable errors.
 func preConfigureCallback(alreadyRun *atomic.Bool) func(vars resource.PropertyMap, c shim.ResourceConfig) error {
 return func(vars resource.PropertyMap, c shim.ResourceConfig) error {
- skipCredentialsValidation := boolValue(vars, "skipCredentialsValidation",
+ var err error
+ skipCredentialsValidation, err := boolValue(vars, "skipCredentialsValidation",
 []string{"AWS_SKIP_CREDENTIALS_VALIDATION"})
+ if err != nil {
+ return err
+ }
+
 // if we skipCredentialsValidation then we don't need to do anything in
 // preConfigureCallback as this is an explicit operation
- if skipCredentialsValidation {
+ if skipCredentialsValidation != nil && *skipCredentialsValidation {
 log.Printf("[INFO] pulumi-aws: skip credentials validation")
 return nil
 }
- var err error
 if alreadyRun.CompareAndSwap(false, true) {
 log.Printf("[INFO] pulumi-aws: starting to validate credentials. " +
 "Disable this by AWS_SKIP_CREDENTIALS_VALIDATION or " +
@@ -866,9 +872,6 @@ func ProviderFromMeta(metaInfo *tfbridge.MetadataInfo) *tfbridge.ProviderInfo {
 },
 "skip_metadata_api_check": {
 Type: "boolean",
- Default: &tfbridge.DefaultInfo{
- Value: true,
- },
 },
 "access_key": {
 Secret: tfbridge.True(),
diff --git a/provider/test-programs/imds-auth/imds-v2/Pulumi.yaml b/provider/test-programs/imds-auth/imds-v2/Pulumi.yaml
new file mode 100644
index 00000000000..36578f1aa4c
--- /dev/null
+++ b/provider/test-programs/imds-auth/imds-v2/Pulumi.yaml
@@ -0,0 +1,193 @@
+name: imds-v2
+runtime: yaml
+description: Test the ability of pulumi-aws to authenticate on an EC2 instance with IMDSv2 enabled
+
+backend:
+ url: file://./pulumi-state
+
+config:
+ localProviderBuild:
+ type: string
+
+ pulumi:tags:
+ value:
+ pulumi:template: aws-yaml
+
+variables:
+ ec2ami:
+ fn::invoke:
+ function: aws:ec2:getAmi
+ arguments:
+ filters:
+ - name: name
+ values: ["al2023*x86_64*"]
+ owners:
+ - amazon
+ mostRecent: true
+ return: id
+
+ instanceType: t2.medium
+ policyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # example policy
+
+resources:
+
+ segroup:
+ type: aws:ec2:SecurityGroup
+ properties:
+ ingress:
+ - protocol: tcp
+ fromPort: 80
+ toPort: 80
+ cidrBlocks: ["0.0.0.0/0"]
+ - protocol: tcp
+ fromPort: 22
+ toPort: 22
+ cidrBlocks: ["0.0.0.0/0"]
+ egress:
+ - fromPort: 0
+ toPort: 0
+ protocol: '-1'
+ cidrBlocks:
+ - 0.0.0.0/0
+ ipv6CidrBlocks:
+ - ::/0
+
+ priv-key:
+ type: tls:PrivateKey
+ properties:
+ algorithm: RSA
+ rsaBits: 2048
+
+ key-pair:
+ type: aws:ec2/keyPair:KeyPair
+ properties:
+ publicKey: ${priv-key.publicKeyOpenssh}
+
+ my-role:
+ type: aws:iam/role:Role
+ properties:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {"Service": "ec2.amazonaws.com"},
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+ }
+
+ my-role-policy-attachment:
+ type: aws:iam/rolePolicyAttachment:RolePolicyAttachment
+ properties:
+ role: ${my-role.name}
+ policyArn: ${policyArn}
+
+ my-instance-profile:
+ type: aws:iam/instanceProfile:InstanceProfile
+ properties:
+ role: ${my-role.name}
+
+ inst:
+ type: aws:ec2/instance:Instance
+ properties:
+ ami: ${ec2ami}
+ instanceType: ${instanceType}
+ iamInstanceProfile: ${my-instance-profile.name}
+ keyName: ${key-pair.keyName}
+ # Enable and enforce IMDSv2
+ metadataOptions:
+ httpTokens: required
+ httpEndpoint: enabled
+ httpPutResponseHopLimit: 1
+ vpcSecurityGroupIds:
+ - ${segroup}
+ userData: |
+ #!/bin/bash
+ # Reconfigure SSHD - workaround for pulumi Command issues
+ cat /etc/ssh/ssh_config >/tmp/sshd_config
+ echo "AcceptEnv PULUMI_COMMAND_STDOUT" >> /tmp/sshd_config
+ echo "AcceptEnv PULUMI_COMMAND_STDERR" >> /tmp/sshd_config
+ sudo cp /tmp/sshd_config /etc/ssh/sshd_config || echo "FAILED to set sshd_config"
+ rm /tmp/sshd_config
+
+ file-copy:
+ type: command:remote:CopyFile
+ properties:
+ connection:
+ host: ${inst.publicIp}
+ user: ec2-user # The default user for Amazon Linux AMI
+ privateKey: ${priv-key.privateKeyOpenssh}
+ localPath: remote-program/Pulumi.yaml
+ remotePath: "/tmp/Pulumi.yaml"
+ options:
+ ignoreChanges:
+ - connection
+
+ provider-copy:
+ type: command:remote:CopyFile
+ properties:
+ connection:
+ host: ${inst.publicIp}
+ user: ec2-user # The default user for Amazon Linux AMI
+ privateKey: ${priv-key.privateKeyOpenssh}
+ localPath: ${localProviderBuild}
+ remotePath: "/tmp/pulumi-resource-aws"
+ options:
+ ignoreChanges:
+ - connection
+
+ install-cmd:
+ type: command:remote:Command
+ properties:
+ create: |
+ echo "========"
+ curl -fsSL https://get.pulumi.com | sh
+ export PATH="/home/ec2-user/.pulumi/bin:$PATH"
+ echo "========"
+ pulumi version
+ echo "========"
+ connection:
+ host: ${inst.publicIp}
+ user: ec2-user # The default user for Amazon Linux AMI
+ privateKey: ${priv-key.privateKeyOpenssh}
+ options:
+ ignoreChanges:
+ - connection
+ dependsOn:
+ - ${file-copy}
+
+ init-cmd:
+ type: command:remote:Command
+ properties:
+ create: |
+ cd /tmp
+ mkdir ./pulumi-state
+ export PULUMI_CONFIG_PASSPHRASE=123456
+ export PATH="/tmp:$PATH"
+ export PATH="/home/ec2-user/.pulumi/bin:$PATH"
+ chmod a+x /tmp/pulumi-resource-aws
+ pulumi version # ensure in PATH
+ pulumi-resource-aws --help # ensure in PATH
+ pulumi stack init dev
+ pulumi stack select dev
+ pulumi config
+ pulumi preview
+ # SSH connection details to the remote machine
+ connection:
+ host: ${inst.publicIp}
+ user: ec2-user # The default user for Amazon Linux AMI
+ privateKey: ${priv-key.privateKeyOpenssh}
+ options:
+ ignoreChanges:
+ - connection
+ dependsOn:
+ - ${install-cmd}
+ - ${provider-copy}
+
+outputs:
+ instanceId: ${inst.id}
+ publicIp: ${inst.publicIp}
+ commandOut: ${init-cmd.stdout}
diff --git a/provider/test-programs/imds-auth/imds-v2/remote-program/Pulumi.yaml b/provider/test-programs/imds-auth/imds-v2/remote-program/Pulumi.yaml
new file mode 100644
index 00000000000..ac2ec710fdc
--- /dev/null
+++ b/provider/test-programs/imds-auth/imds-v2/remote-program/Pulumi.yaml
@@ -0,0 +1,16 @@
+name: remote-program
+runtime: yaml
+description: A minimal AWS Pulumi YAML program
+backend:
+ url: file://./pulumi-state
+config:
+ pulumi:tags:
+ value:
+ pulumi:template: aws-yaml
+outputs:
+ # Export the name of the bucket
+ bucketName: ${my-bucket.id}
+resources:
+ # Create an AWS resource (S3 Bucket)
+ my-bucket:
+ type: aws:s3:Bucket
diff --git a/sdk/dotnet/Config/Config.cs b/sdk/dotnet/Config/Config.cs
index e8b6d8a1a81..84f2faa0f34 100644
--- a/sdk/dotnet/Config/Config.cs
+++ b/sdk/dotnet/Config/Config.cs
@@ -279,7 +279,7 @@ public static ImmutableArray SharedCredentialsFiles set => _skipCredentialsValidation.Set(value); } - private static readonly __Value _skipMetadataApiCheck = new __Value(() => __config.GetBoolean("skipMetadataApiCheck") ?? true); + private static readonly __Value _skipMetadataApiCheck = new __Value(() => __config.GetBoolean("skipMetadataApiCheck")); /// /// Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint. ///
diff --git a/sdk/dotnet/Provider.cs b/sdk/dotnet/Provider.cs
index 39020f2ac30..25d1c18f75f 100644
--- a/sdk/dotnet/Provider.cs
+++ b/sdk/dotnet/Provider.cs
@@ -402,7 +402,6 @@ public ProviderArgs() { Region = Utilities.GetEnv("AWS_REGION", "AWS_DEFAULT_REGION"); SkipCredentialsValidation = false; - SkipMetadataApiCheck = true; SkipRegionValidation = true; } public static new ProviderArgs Empty => new ProviderArgs();
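Review bot: The `segroup` security group in imds-v2/Pulumi.yaml opens ports 22 and 80 to `0.0.0.0/0` on an instance that carries an IAM instance profile; nothing in this program serves port 80, and SSH only has to be reachable from the test runner, so dropping the port-80 rule and narrowing the port-22 `cidrBlocks` to the runner's address would shrink the exposure while the test runs. In `userData`, `cat /etc/ssh/ssh_config >/tmp/sshd_config` copies the SSH client config and then installs it over `/etc/ssh/sshd_config`, discarding the AMI's server settings; `/etc/ssh/sshd_config` was presumably the intended source, and no sshd reload follows, so the `AcceptEnv` lines may not take effect. `install-cmd` pipes `https://get.pulumi.com` straight into `sh` without pinning a version, which makes the test depend on whatever the installer serves that day.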
diff --git a/sdk/go/aws/config/config.go b/sdk/go/aws/config/config.go index 0b644711ef4..63244c9bd31 100644 --- a/sdk/go/aws/config/config.go +++ b/sdk/go/aws/config/config.go @@ -154,13 +154,7 @@ func GetSkipCredentialsValidation(ctx *pulumi.Context) bool { // Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint. func GetSkipMetadataApiCheck(ctx *pulumi.Context) bool { - v, err := config.TryBool(ctx, "aws:skipMetadataApiCheck") - if err == nil { - return v - } - var value bool - value = true - return value + return config.GetBool(ctx, "aws:skipMetadataApiCheck") } // Skip static validation of region name. Used by users of alternative AWS-like APIs or users w/ access to regions that are diff --git a/sdk/go/aws/provider.go b/sdk/go/aws/provider.go index 394537a6c9c..96cba8a6190 100644 --- a/sdk/go/aws/provider.go +++ b/sdk/go/aws/provider.go @@ -72,9 +72,6 @@ func NewProvider(ctx *pulumi.Context, if args.SkipCredentialsValidation == nil { args.SkipCredentialsValidation = pulumi.BoolPtr(false) } - if args.SkipMetadataApiCheck == nil { - args.SkipMetadataApiCheck = pulumi.BoolPtr(true) - } if args.SkipRegionValidation == nil { args.SkipRegionValidation = pulumi.BoolPtr(true) } diff --git a/sdk/java/src/main/java/com/pulumi/aws/Config.java b/sdk/java/src/main/java/com/pulumi/aws/Config.java index 0dad7be5dc5..5032d7498da 100644 --- a/sdk/java/src/main/java/com/pulumi/aws/Config.java +++ b/sdk/java/src/main/java/com/pulumi/aws/Config.java @@ -191,7 +191,7 @@ public Optional skipCredentialsValidation() { * */ public Optional skipMetadataApiCheck() { - return Codegen.booleanProp("skipMetadataApiCheck").config(config).def(true).get(); + return Codegen.booleanProp("skipMetadataApiCheck").config(config).get(); } /** * Skip static validation of region name. Used by users of alternative AWS-like APIs or users w/ access to regions that are 
diff --git a/sdk/java/src/main/java/com/pulumi/aws/ProviderArgs.java b/sdk/java/src/main/java/com/pulumi/aws/ProviderArgs.java index 0e58eaa3fb1..b47e25491af 100644 --- a/sdk/java/src/main/java/com/pulumi/aws/ProviderArgs.java +++ b/sdk/java/src/main/java/com/pulumi/aws/ProviderArgs.java @@ -1255,7 +1255,6 @@ public Builder useFipsEndpoint(Boolean useFipsEndpoint) { public ProviderArgs build() { $.region = Codegen.stringProp("region").output().arg($.region).env("AWS_REGION", "AWS_DEFAULT_REGION").getNullable(); $.skipCredentialsValidation = Codegen.booleanProp("skipCredentialsValidation").output().arg($.skipCredentialsValidation).def(false).getNullable(); - $.skipMetadataApiCheck = Codegen.booleanProp("skipMetadataApiCheck").output().arg($.skipMetadataApiCheck).def(true).getNullable(); $.skipRegionValidation = Codegen.booleanProp("skipRegionValidation").output().arg($.skipRegionValidation).def(true).getNullable(); return $; } diff --git a/sdk/nodejs/config/vars.ts b/sdk/nodejs/config/vars.ts index 1e50a4732aa..c1c81eea03f 100644 --- a/sdk/nodejs/config/vars.ts +++ b/sdk/nodejs/config/vars.ts @@ -287,10 +287,10 @@ Object.defineProperty(exports, "skipCredentialsValidation", { /** * Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint. */ -export declare const skipMetadataApiCheck: boolean; +export declare const skipMetadataApiCheck: boolean | undefined; Object.defineProperty(exports, "skipMetadataApiCheck", { get() { - return __config.getObject("skipMetadataApiCheck") ?? true; + return __config.getObject("skipMetadataApiCheck"); }, enumerable: true, }); diff --git a/sdk/nodejs/provider.ts b/sdk/nodejs/provider.ts index 3bc383793c1..4ba0aecf274 100644 --- a/sdk/nodejs/provider.ts +++ b/sdk/nodejs/provider.ts 
@@ -132,7 +132,7 @@ export class Provider extends pulumi.ProviderResource { resourceInputs["sharedConfigFiles"] = pulumi.output(args ? args.sharedConfigFiles : undefined).apply(JSON.stringify); resourceInputs["sharedCredentialsFiles"] = pulumi.output(args ? args.sharedCredentialsFiles : undefined).apply(JSON.stringify); resourceInputs["skipCredentialsValidation"] = pulumi.output((args ? args.skipCredentialsValidation : undefined) ?? false).apply(JSON.stringify); - resourceInputs["skipMetadataApiCheck"] = pulumi.output((args ? args.skipMetadataApiCheck : undefined) ?? true).apply(JSON.stringify); + resourceInputs["skipMetadataApiCheck"] = pulumi.output(args ? args.skipMetadataApiCheck : undefined).apply(JSON.stringify); resourceInputs["skipRegionValidation"] = pulumi.output((args ? args.skipRegionValidation : undefined) ?? true).apply(JSON.stringify); resourceInputs["skipRequestingAccountId"] = pulumi.output(args ? args.skipRequestingAccountId : undefined).apply(JSON.stringify); resourceInputs["stsRegion"] = args ? args.stsRegion : undefined; diff --git a/sdk/python/pulumi_aws/config/__init__.pyi b/sdk/python/pulumi_aws/config/__init__.pyi index fe01fcab50f..96456ead994 100644 --- a/sdk/python/pulumi_aws/config/__init__.pyi +++ b/sdk/python/pulumi_aws/config/__init__.pyi @@ -132,7 +132,7 @@ Skip the credentials validation via STS API. Used for AWS API implementations th available/implemented. """ -skipMetadataApiCheck: bool +skipMetadataApiCheck: Optional[bool] """ Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint. """ diff --git a/sdk/python/pulumi_aws/config/vars.py b/sdk/python/pulumi_aws/config/vars.py index d7bc263a124..aec55e5ef78 100644 --- a/sdk/python/pulumi_aws/config/vars.py +++ b/sdk/python/pulumi_aws/config/vars.py 
@@ -189,11 +189,11 @@ def skip_credentials_validation(self) -> bool: return __config__.get_bool('skipCredentialsValidation') or False @property - def skip_metadata_api_check(self) -> bool: + def skip_metadata_api_check(self) -> Optional[bool]: """ Skip the AWS Metadata API check. Used for AWS API implementations that do not have a metadata api endpoint. """ - return __config__.get_bool('skipMetadataApiCheck') or True + return __config__.get_bool('skipMetadataApiCheck') @property def skip_region_validation(self) -> bool: diff --git a/sdk/python/pulumi_aws/provider.py b/sdk/python/pulumi_aws/provider.py index e8bc177670c..44f9377d57a 100644 --- a/sdk/python/pulumi_aws/provider.py +++ b/sdk/python/pulumi_aws/provider.py @@ -146,8 +146,6 @@ def __init__(__self__, *, skip_credentials_validation = False if skip_credentials_validation is not None: pulumi.set(__self__, "skip_credentials_validation", skip_credentials_validation) - if skip_metadata_api_check is None: - skip_metadata_api_check = True if skip_metadata_api_check is not None: pulumi.set(__self__, "skip_metadata_api_check", skip_metadata_api_check) if skip_region_validation is None: @@ -749,8 +747,6 @@ def _internal_init(__self__, if skip_credentials_validation is None: skip_credentials_validation = False __props__.__dict__["skip_credentials_validation"] = pulumi.Output.from_input(skip_credentials_validation).apply(pulumi.runtime.to_json) if skip_credentials_validation is not None else None - if skip_metadata_api_check is None: - skip_metadata_api_check = True __props__.__dict__["skip_metadata_api_check"] = pulumi.Output.from_input(skip_metadata_api_check).apply(pulumi.runtime.to_json) if skip_metadata_api_check is not None else None if skip_region_validation is None: skip_region_validation = True