Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provider: Authentication updates for Terraform AWS Provider v3.0.0 #14077

Merged
merged 3 commits into from
Jul 13, 2020
Merged

provider: Authentication updates for Terraform AWS Provider v3.0.0 #14077

merged 3 commits into from
Jul 13, 2020

Conversation

bflad
Copy link
Contributor

@bflad bflad commented Jul 7, 2020

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #5018
Closes #6913
Closes #7333
Closes #9236
Closes #9869
Closes #9898
Closes #9962
Closes #9986
Closes #10507
Closes #11429
Closes #12236
Closes #12727
Closes #12815
Closes #13057

Release note for CHANGELOG:

NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default

Output from acceptance testing:

--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)

renovate-bot and others added 2 commits June 30, 2020 18:49
@renovate-bot
Update module hashicorp/aws-sdk-go-base to v0.5.0
104630b
@bflad
provider: Authentication updates for Terraform AWS Provider v3.0.0
717f065 
Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```
@bflad bflad added bug Addresses a defect in current functionality. enhancement Requests to existing resources that expand the functionality or scope. breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. provider Pertains to the provider itself, rather than any interaction with AWS. labels Jul 7, 2020
@bflad bflad added this to the v3.0.0 milestone Jul 7, 2020
@bflad bflad requested a review from a team July 7, 2020 18:42
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. dependencies Used to indicate dependency changes. documentation Introduces or discusses updates to documentation. labels Jul 7, 2020
@gdavison gdavison self-assigned this Jul 10, 2020
gdavison
gdavison approved these changes Jul 10, 2020
View reviewed changes
Copy link
Contributor

@gdavison gdavison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

--- PASS: TestAccAWSProvider_Region_AwsCommercial (11.19s)
--- PASS: TestAccAWSProvider_Region_AwsChina (11.05s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (11.54s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (11.74s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (11.83s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (11.68s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (12.01s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (12.00s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (12.13s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (12.01s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (12.42s)
--- PASS: TestAccAWSProvider_Endpoints (12.45s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (24.31s)

@bflad bflad merged commit 2e86bbd into master Jul 13, 2020
@bflad bflad deleted the f-provider-aws-sdk-go-base-breaking-updates branch July 13, 2020 14:01
bflad added a commit that referenced this pull request Jul 13, 2020
@bflad
Update CHANGELOG for #14077
9f19527
@ghost
Copy link

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost ghost mentioned this pull request Jul 31, 2020
Closed
@ghost
Copy link

ghost commented Aug 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 12, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gdavison gdavison gdavison approved these changes

Assignees

@gdavison gdavison

Labels
breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. bug Addresses a defect in current functionality. dependencies Used to indicate dependency changes. documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS. size/XL Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
v3.0.0
3 participants
@bflad @gdavison @renovate-bot