diff --git a/aws/resource_aws_iam_access_key.go b/aws/resource_aws_iam_access_key.go
index af8f853f67b..f6dfdc3c1e1 100644
--- a/aws/resource_aws_iam_access_key.go
+++ b/aws/resource_aws_iam_access_key.go
@@ -42,12 +42,6 @@ func resourceAwsIamAccessKey() *schema.Resource {
 Computed: true,
 Sensitive: true,
 },
- "ses_smtp_password": {
- Type: schema.TypeString,
- Computed: true,
- Sensitive: true,
- Deprecated: "AWS SigV2 for SES SMTP passwords isy deprecated.\nUse 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.",
- },
 "ses_smtp_password_v4": {
 Type: schema.TypeString,
 Computed: true,
@@ -111,14 +105,6 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 }
 }
 
- // AWS SigV2
- sesSMTPPassword, err := sesSmtpPasswordFromSecretKeySigV2(createResp.AccessKey.SecretAccessKey)
- if err != nil {
- return fmt.Errorf("error getting SES SigV2 SMTP Password from Secret Access Key: %s", err)
- }
- d.Set("ses_smtp_password", sesSMTPPassword)
-
- // AWS SigV4
 sesSMTPPasswordV4, err := sesSmtpPasswordFromSecretKeySigV4(createResp.AccessKey.SecretAccessKey, meta.(*AWSClient).region)
 if err != nil {
 return fmt.Errorf("error getting SES SigV4 SMTP Password from Secret Access Key: %s", err)
@@ -252,21 +238,3 @@ func sesSmtpPasswordFromSecretKeySigV4(key *string, region string) (string, erro
 versionedSig = append(versionedSig, rawSig...)
 return base64.StdEncoding.EncodeToString(versionedSig), nil
 }
-
-func sesSmtpPasswordFromSecretKeySigV2(key *string) (string, error) {
- if key == nil {
- return "", nil
- }
- version := byte(0x02)
- message := []byte("SendRawEmail")
- hmacKey := []byte(*key)
- h := hmac.New(sha256.New, hmacKey)
- if _, err := h.Write(message); err != nil {
- return "", err
- }
- rawSig := h.Sum(nil)
- versionedSig := make([]byte, 0, len(rawSig)+1)
- versionedSig = append(versionedSig, version)
- versionedSig = append(versionedSig, rawSig...)
- return base64.StdEncoding.EncodeToString(versionedSig), nil
-}
diff --git a/aws/resource_aws_iam_access_key_test.go b/aws/resource_aws_iam_access_key_test.go
index 03e400834c0..69ab499fb64 100644
--- a/aws/resource_aws_iam_access_key_test.go
+++ b/aws/resource_aws_iam_access_key_test.go
@@ -256,23 +256,3 @@ func TestSesSmtpPasswordFromSecretKeySigV4(t *testing.T) {
 }
 }
 }
-
-func TestSesSmtpPasswordFromSecretKeySigV2(t *testing.T) {
- cases := []struct {
- Input string
- Expected string
- }{
- {"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
- {"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
- }
-
- for _, tc := range cases {
- actual, err := sesSmtpPasswordFromSecretKeySigV2(&tc.Input)
- if err != nil {
- t.Fatalf("unexpected error: %s", err)
- }
- if actual != tc.Expected {
- t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
- }
- }
-}
diff --git a/website/docs/guides/version-3-upgrade.html.md b/website/docs/guides/version-3-upgrade.html.md
index b73b9116e4b..01ca4f88767 100644
--- a/website/docs/guides/version-3-upgrade.html.md
+++ b/website/docs/guides/version-3-upgrade.html.md
@@ -28,6 +28,7 @@ Upgrade topics:
 - [Resource: aws_dx_gateway](#resource-aws_dx_gateway)
 - [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
 - [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
+- [Resource: aws_iam_access_key](#resource-aws_iam_access_key)
 - [Resource: aws_lambda_alias](#resource-aws_lambda_alias)
 - [Resource: aws_launch_template](#resource-aws_launch_template)
 - [Resource: aws_lb_listener_rule](#resource-aws_lb_listener_rule)
@@ -386,6 +387,12 @@ resource "aws_emr_cluster" "example" {
 }
 ```
 
+## Resource: aws_iam_access_key
+
+### ses_smtp_password Attribute Removal
+
+In many regions today and in all regions after October 1, 2020, the [SES API will only accept version 4 signatures](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html). If referencing the `ses_smtp_password` attribute, switch your Terraform configuration to the `ses_smtp_password_v4` attribute instead. Please note that this signature is based on the region of the Terraform AWS Provider. If you need the SES v4 password in multiple regions, it may require using [multiple provider instances](/docs/configuration/providers.html#alias-multiple-provider-instances).
+
 ## Resource: aws_lambda_alias
 
 ### Import No Longer Converts Function Name to ARN
diff --git a/website/docs/r/iam_access_key.html.markdown b/website/docs/r/iam_access_key.html.markdown
index 1a2d039d06e..3c4e3a83409 100644
--- a/website/docs/r/iam_access_key.html.markdown
+++ b/website/docs/r/iam_access_key.html.markdown
@@ -90,8 +90,6 @@ the use of the secret key in automation. * `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified. ~> **NOTE:** The encrypted secret may be decrypted using the command line, for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`. -* `ses_smtp_password` - **DEPRECATED** The secret access key converted into an SES SMTP - password by applying AWS's SigV2 conversion algorithm * `ses_smtp_password_v4` - The secret access key converted into an SES SMTP password by applying [AWS's documented Sigv4 conversion algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).