feat: modules/iam-user - Output SMTP password generated with SigV4 algorithm #70

Merged
merged 4 commits into from
Apr 23, 2020

@vutny commented Apr 23, 2020

Description

This PR changes the output value of this_iam_access_key_ses_smtp_password in the iam-user submodule from the deprecated attribute ses_smtp_password to the new one, ses_smtp_password_v4, referencing the secret access key converted into an SES SMTP password by applying AWS's documented SigV4 conversion algorithm.

Motivation and Context

The SES SMTP interface no longer supports AWS's legacy SigV2 conversion algorithm and only works with SigV4:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html
The change was introduced in AWS provider version 2.50.
https://www.terraform.io/docs/providers/aws/r/iam_access_key.html#ses_smtp_password_v4
hashicorp/terraform-provider-aws#11143
hashicorp/terraform-provider-aws#11144

Breaking Changes

Since the old SigV2 signed passwords no longer work for AWS SES SMTP authentication, there are really no breaking changes. The module will output the SMTP password by converting the existing secret access key with the new algorithm.

How Has This Been Tested?

This could be tested by applying the following Terraform file and sending an email via the regional AWS SES SMTP interface with the outputted login and password.

```hcl
variable "region" {
  type = string
}

provider "aws" {
  region = var.region
}

module "send_email_iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "2.8.0"

  name        = "AWSSESSendEmail"
  path        = "/"
  description = "Allow to send email via AWS SES SMTP interface"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*"
        }
    ]
}
EOF
}

module "smtp_user" {
  # Patched module with secret access key converted into an SES SMTP password
  # by applying AWS's documented Sigv4 conversion algorithm.
  source = "github.com/vutny/terraform-aws-iam//modules/iam-user?ref=ses-smtp-password-sigv4"

  name                          = "smtp-user"
  force_destroy                 = true
  create_iam_user_login_profile = false
  password_reset_required       = false
}

module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "2.8.0"

  name = "smtp"

  group_users = [
    "smtp-user",
  ]

  attach_iam_self_management_policy = false

  custom_group_policy_arns = [
    module.send_email_iam_policy.arn,
  ]
}

output "smtp_user" {
  value       = module.smtp_user.this_iam_access_key_id
  description = "SMTP user"
}

output "smtp_password" {
  value       = module.smtp_user.this_iam_access_key_ses_smtp_password_v4
  description = "SMTP password"
}
```
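
The SigV4 conversion that the description above refers to, written out as an added example (not code from this PR, the module or the AWS provider): it follows AWS's documented SES SMTP credential procedure and classifies a stored password as SigV4 or legacy SigV2 by its version byte. The function names are this example's own, and the key is AWS's documentation placeholder, not a real credential.

```python
import base64
import hashlib
import hmac

# Fixed inputs from AWS's documented SES SMTP credential conversion.
DATE, SERVICE, TERMINAL, MESSAGE = "11111111", "ses", "aws4_request", "SendRawEmail"
V4, V2 = 0x04, 0x02  # version byte prepended to the signature

# AWS's documentation placeholder key, not a real credential.
SAMPLE_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password_v4(secret_access_key: str, region: str) -> str:
    """SigV4 conversion: the region is part of the HMAC chain."""
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for part in (region, SERVICE, TERMINAL, MESSAGE):
        sig = _sign(sig, part)
    return base64.b64encode(bytes([V4]) + sig).decode("ascii")


def smtp_password_v2(secret_access_key: str) -> str:
    """Legacy SigV2 conversion, kept only to recognise old passwords."""
    sig = _sign(secret_access_key.encode("utf-8"), MESSAGE)
    return base64.b64encode(bytes([V2]) + sig).decode("ascii")


def scheme_of(smtp_password: str) -> str:
    """Classify a stored SES SMTP password by its leading version byte."""
    try:
        raw = base64.b64decode(smtp_password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if len(raw) != 33:  # 1 version byte + 32-byte HMAC-SHA256
        return "unknown"
    return {V4: "sigv4", V2: "sigv2"}.get(raw[0], "unknown")


if __name__ == "__main__":
    # Print only the classification, never the derived password itself.
    for label, pw in [
        ("us-east-1", smtp_password_v4(SAMPLE_KEY, "us-east-1")),
        ("eu-west-1", smtp_password_v4(SAMPLE_KEY, "eu-west-1")),
        ("legacy", smtp_password_v2(SAMPLE_KEY)),
    ]:
        print(label, scheme_of(pw), len(pw))
```

Because the region enters the HMAC chain, the same access key yields a different SMTP password in each region, so a password derived for one regional SES endpoint will not authenticate against another.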

@@ -57,11 +57,11 @@ output "this_iam_access_key_encrypted_secret" {
}

output "this_iam_access_key_ses_smtp_password" {
description = "The secret access key converted into an SES SMTP password"
description = "The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm."
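
Review bot: In output "this_iam_access_key_ses_smtp_password", the description is rewritten in place to say SigV4 while the output name stays the same, so anything already consuming this output would receive a differently derived value with no signal in the name. Keep this output and its description as they were and add a separate output with a _v4 suffix for the new attribute. The new description also spells the algorithm "Sigv4" where the PR title uses "SigV4"; pick one spelling.
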
Member

Please add another output instead of replacing it.

Contributor Author

Alright, thanks for the quick review!

Contributor Author

Done. Updated README as well.

@antonbabenko changed the title from "Output SMTP password generated with SigV4 algorithm" to "feat: modules/iam-user - Output SMTP password generated with SigV4 algorithm" Apr 23, 2020
@antonbabenko antonbabenko merged commit 5410119 into terraform-aws-modules:master Apr 23, 2020
@antonbabenko (Member)

Thanks, @vutny !

v2.9.0 has just been released.

@vutny (Contributor Author) commented Apr 23, 2020

Thanks a lot for the speedy merge!

@vutny vutny deleted the ses-smtp-password-sigv4 branch April 23, 2020 14:59
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 10, 2022