provider/aws: Add extra logging on AuthFailure

This pull request is intended to add a temporary control to Terraform to
output more verbose logging in the case of an AuthFailure error being
returned by the AWS API.

builtin/providers/aws/config.go

@@ -6,7 +6,9 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"os"
 	"strings"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -54,6 +56,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/davecgh/go-spew/spew"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/terraform/helper/logging"
@@ -199,6 +202,10 @@ func (c *Config) Client() (interface{}, error) {
 	}
 	sess.Handlers.Build.PushFrontNamed(addTerraformVersionToUserAgent)
 
+	if extraDebug := os.Getenv("TERRAFORM_AWS_AUTHFAILURE_DEBUG"); extraDebug != "" {
+		sess.Handlers.UnmarshalError.PushFrontNamed(debugAuthFailure)
+	}
+
 	// Some services exist only in us-east-1, e.g. because they manage
 	// resources that can span across multiple regions, or because
 	// signature format v4 requires region to be us-east-1 for global
@@ -351,6 +358,17 @@ var addTerraformVersionToUserAgent = request.NamedHandler{
 		"terraform", terraform.VersionString()),
 }
 
+var debugAuthFailure = request.NamedHandler{
+	Name: "terraform.AuthFailureAdditionalDebugHandler",
+	Fn: func(req *request.Request) {
+		if isAWSErr(req.Error, "AuthFailure", "AWS was not able to validate the provided access credentials") {
+			log.Printf("[INFO] Additional AuthFailure Debugging Context")
+			log.Printf("[INFO] Current system UTC time: %s", time.Now().UTC())
+			log.Printf("[INFO] Request object: %s", spew.Sdump(req))
+		}
+	},
+}
+
 type awsLogger struct{}
 
 func (l awsLogger) Log(args ...interface{}) {