Merge pull request #13456 from hashicorp/iam_openid

provider/aws: Add support for iam_openid_connect_provider

builtin/providers/aws/diff_suppress_funcs.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"log"
+	"net/url"
 	"strings"
 
 	"github.com/hashicorp/terraform/helper/schema"
@@ -58,3 +59,19 @@ func suppressEquivalentJsonDiffs(k, old, new string, d *schema.ResourceData) boo
 
 	return jsonBytesEqual(ob.Bytes(), nb.Bytes())
 }
+
+func suppressOpenIdURL(k, old, new string, d *schema.ResourceData) bool {
+	oldUrl, err := url.Parse(old)
+	if err != nil {
+		return false
+	}
+
+	newUrl, err := url.Parse(new)
+	if err != nil {
+		return false
+	}
+
+	oldUrl.Scheme = "https"
+
+	return oldUrl.String() == newUrl.String()
+}

builtin/providers/aws/provider.go

@@ -309,6 +309,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_iam_group_membership":                     resourceAwsIamGroupMembership(),
 			"aws_iam_group_policy_attachment":              resourceAwsIamGroupPolicyAttachment(),
 			"aws_iam_instance_profile":                     resourceAwsIamInstanceProfile(),
+			"aws_iam_openid_connect_provider":              resourceAwsIamOpenIDConnectProvider(),
 			"aws_iam_policy":                               resourceAwsIamPolicy(),
 			"aws_iam_policy_attachment":                    resourceAwsIamPolicyAttachment(),
 			"aws_iam_role_policy_attachment":               resourceAwsIamRolePolicyAttachment(),

builtin/providers/aws/resource_aws_iam_openid_connect_provider.go

@@ -0,0 +1,141 @@
+package aws
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsIamOpenIDConnectProvider() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsIamOpenIDConnectProviderCreate,
+		Read:   resourceAwsIamOpenIDConnectProviderRead,
+		Update: resourceAwsIamOpenIDConnectProviderUpdate,
+		Delete: resourceAwsIamOpenIDConnectProviderDelete,
+		Exists: resourceAwsIamOpenIDConnectProviderExists,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"url": &schema.Schema{
+				Type:             schema.TypeString,
+				Computed:         false,
+				Required:         true,
+				ForceNew:         true,
+				ValidateFunc:     validateOpenIdURL,
+				DiffSuppressFunc: suppressOpenIdURL,
+			},
+			"client_id_list": &schema.Schema{
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Type:     schema.TypeList,
+				Required: true,
+				ForceNew: true,
+			},
+			"thumbprint_list": &schema.Schema{
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Type:     schema.TypeList,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceAwsIamOpenIDConnectProviderCreate(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
+	input := &iam.CreateOpenIDConnectProviderInput{
+		Url:            aws.String(d.Get("url").(string)),
+		ClientIDList:   expandStringList(d.Get("client_id_list").([]interface{})),
+		ThumbprintList: expandStringList(d.Get("thumbprint_list").([]interface{})),
+	}
+
+	out, err := iamconn.CreateOpenIDConnectProvider(input)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(*out.OpenIDConnectProviderArn)
+
+	return resourceAwsIamOpenIDConnectProviderRead(d, meta)
+}
+
+func resourceAwsIamOpenIDConnectProviderRead(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
+	input := &iam.GetOpenIDConnectProviderInput{
+		OpenIDConnectProviderArn: aws.String(d.Id()),
+	}
+	out, err := iamconn.GetOpenIDConnectProvider(input)
+	if err != nil {
+		return err
+	}
+
+	d.Set("arn", d.Id())
+	d.Set("url", out.Url)
+	d.Set("client_id_list", flattenStringList(out.ClientIDList))
+	d.Set("thumbprint_list", flattenStringList(out.ThumbprintList))
+
+	return nil
+}
+
+func resourceAwsIamOpenIDConnectProviderUpdate(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
+	if d.HasChange("thumbprint_list") {
+		input := &iam.UpdateOpenIDConnectProviderThumbprintInput{
+			OpenIDConnectProviderArn: aws.String(d.Id()),
+			ThumbprintList:           expandStringList(d.Get("thumbprint_list").([]interface{})),
+		}
+
+		_, err := iamconn.UpdateOpenIDConnectProviderThumbprint(input)
+		if err != nil {
+			return err
+		}
+	}
+
+	return resourceAwsIamOpenIDConnectProviderRead(d, meta)
+}
+
+func resourceAwsIamOpenIDConnectProviderDelete(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
+	input := &iam.DeleteOpenIDConnectProviderInput{
+		OpenIDConnectProviderArn: aws.String(d.Id()),
+	}
+	_, err := iamconn.DeleteOpenIDConnectProvider(input)
+
+	if err != nil {
+		if err, ok := err.(awserr.Error); ok && err.Code() == "NoSuchEntity" {
+			return nil
+		}
+		return fmt.Errorf("Error deleting platform application %s", err)
+	}
+
+	return nil
+}
+
+func resourceAwsIamOpenIDConnectProviderExists(d *schema.ResourceData, meta interface{}) (bool, error) {
+	iamconn := meta.(*AWSClient).iamconn
+
+	input := &iam.GetOpenIDConnectProviderInput{
+		OpenIDConnectProviderArn: aws.String(d.Id()),
+	}
+	_, err := iamconn.GetOpenIDConnectProvider(input)
+	if err != nil {
+		if err, ok := err.(awserr.Error); ok && err.Code() == "NoSuchEntity" {
+			return false, nil
+		}
+		return true, err
+	}
+
+	return true, nil
+}

builtin/providers/aws/resource_aws_iam_openid_connect_provider_test.go

@@ -0,0 +1,187 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSIAMOpenIDConnectProvider_basic(t *testing.T) {
+	rString := acctest.RandString(5)
+	url := "accounts.google.com/" + rString
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMOpenIDConnectProviderDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMOpenIDConnectProviderConfig(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMOpenIDConnectProvider("aws_iam_openid_connect_provider.goog"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "url", url),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "client_id_list.#", "1"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "client_id_list.0",
+						"266362248691-re108qaeld573ia0l6clj2i5ac7r7291.apps.googleusercontent.com"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "thumbprint_list.#", "0"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccIAMOpenIDConnectProviderConfig_modified(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMOpenIDConnectProvider("aws_iam_openid_connect_provider.goog"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "url", url),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "client_id_list.#", "1"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "client_id_list.0",
+						"266362248691-re108qaeld573ia0l6clj2i5ac7r7291.apps.googleusercontent.com"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "thumbprint_list.#", "2"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "thumbprint_list.0", "cf23df2207d99a74fbe169e3eba035e633b65d94"),
+					resource.TestCheckResourceAttr("aws_iam_openid_connect_provider.goog", "thumbprint_list.1", "c784713d6f9cb67b55dd84f4e4af7832d42b8f55"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSIAMOpenIDConnectProvider_importBasic(t *testing.T) {
+	resourceName := "aws_iam_openid_connect_provider.goog"
+	rString := acctest.RandString(5)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMOpenIDConnectProviderDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMOpenIDConnectProviderConfig_modified(rString),
+			},
+
+			resource.TestStep{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAWSIAMOpenIDConnectProvider_disappears(t *testing.T) {
+	rString := acctest.RandString(5)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIAMOpenIDConnectProviderDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccIAMOpenIDConnectProviderConfig(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIAMOpenIDConnectProvider("aws_iam_openid_connect_provider.goog"),
+					testAccCheckIAMOpenIDConnectProviderDisappears("aws_iam_openid_connect_provider.goog"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testAccCheckIAMOpenIDConnectProviderDestroy(s *terraform.State) error {
+	iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_iam_openid_connect_provider" {
+			continue
+		}
+
+		input := &iam.GetOpenIDConnectProviderInput{
+			OpenIDConnectProviderArn: aws.String(rs.Primary.ID),
+		}
+		out, err := iamconn.GetOpenIDConnectProvider(input)
+		if err != nil {
+			if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
+				// none found, that's good
+				return nil
+			}
+			return fmt.Errorf("Error reading IAM OpenID Connect Provider, out: %s, err: %s", out, err)
+		}
+
+		if out != nil {
+			return fmt.Errorf("Found IAM OpenID Connect Provider, expected none: %s", out)
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckIAMOpenIDConnectProviderDisappears(id string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[id]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", id)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+		_, err := iamconn.DeleteOpenIDConnectProvider(&iam.DeleteOpenIDConnectProviderInput{
+			OpenIDConnectProviderArn: aws.String(rs.Primary.ID),
+		})
+		return err
+	}
+}
+
+func testAccCheckIAMOpenIDConnectProvider(id string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[id]
+		if !ok {
+			return fmt.Errorf("Not Found: %s", id)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		iamconn := testAccProvider.Meta().(*AWSClient).iamconn
+		_, err := iamconn.GetOpenIDConnectProvider(&iam.GetOpenIDConnectProviderInput{
+			OpenIDConnectProviderArn: aws.String(rs.Primary.ID),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func testAccIAMOpenIDConnectProviderConfig(rString string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_openid_connect_provider" "goog" {
+  url="https://accounts.google.com/%s"
+  client_id_list = [
+     "266362248691-re108qaeld573ia0l6clj2i5ac7r7291.apps.googleusercontent.com"
+  ]
+  thumbprint_list = []
+}
+`, rString)
+}
+
+func testAccIAMOpenIDConnectProviderConfig_modified(rString string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_openid_connect_provider" "goog" {
+  url="https://accounts.google.com/%s"
+  client_id_list = [
+     "266362248691-re108qaeld573ia0l6clj2i5ac7r7291.apps.googleusercontent.com"
+  ]
+  thumbprint_list = ["cf23df2207d99a74fbe169e3eba035e633b65d94", "c784713d6f9cb67b55dd84f4e4af7832d42b8f55"]
+}
+`, rString)
+}

builtin/providers/aws/validators.go

@@ -3,6 +3,7 @@ package aws
 import (
 	"fmt"
 	"net"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -1170,3 +1171,19 @@ func validateAwsAlbTargetGroupNamePrefix(v interface{}, k string) (ws []string,
 	}
 	return
 }
+
+func validateOpenIdURL(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+	u, err := url.Parse(value)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q has to be a valid URL", k))
+		return
+	}
+	if u.Scheme != "https" {
+		errors = append(errors, fmt.Errorf("%q has to use HTTPS scheme (i.e. begin with https://)", k))
+	}
+	if len(u.Query()) > 0 {
+		errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
+	}
+	return
+}

builtin/providers/aws/validators_test.go

@@ -1913,3 +1913,35 @@ func TestValidateDbOptionGroupNamePrefix(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateOpenIdURL(t *testing.T) {
+	cases := []struct {
+		Value    string
+		ErrCount int
+	}{
+		{
+			Value:    "http://wrong.scheme.com",
+			ErrCount: 1,
+		},
+		{
+			Value:    "ftp://wrong.scheme.co.uk",
+			ErrCount: 1,
+		},
+		{
+			Value:    "%@invalidUrl",
+			ErrCount: 1,
+		},
+		{
+			Value:    "https://example.com/?query=param",
+			ErrCount: 1,
+		},
+	}
+
+	for _, tc := range cases {
+		_, errors := validateOpenIdURL(tc.Value, "url")
+
+		if len(errors) != tc.ErrCount {
+			t.Fatalf("Expected %d of OpenID URL validation errors, got %d", tc.ErrCount, len(errors))
+		}
+	}
+}

website/source/docs/providers/aws/r/iam_openid_connect_provider.html.markdown

@@ -0,0 +1,45 @@
+---
+layout: "aws"
+page_title: "AWS: aws_iam_openid_connect_provider"
+sidebar_current: "docs-aws-resource-iam-openid-connect-provider"
+description: |-
+  Provides an IAM OpenID Connect provider.
+---
+
+# aws\_iam\_openid\_connect\_provider
+
+Provides an IAM OpenID Connect provider.
+
+## Example Usage
+
+```
+resource "aws_iam_openid_connect_provider" "default" {
+    url = "https://accounts.google.com"
+    client_id_list = [
+     "266362248691-342342xasdasdasda-apps.googleusercontent.com"
+    ]
+    thumbprint_list = []
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `url` - (Required) The URL of the identity provider. Corresponds to the _iss_ claim.
+* `client_id_list` - (Required) A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
+* `thumbprint_list` - (Required) A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). 
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The ARN assigned by AWS for this provider.
+
+## Import
+
+IAM OpenID Connect Providers can be imported using the `arn`, e.g.
+
+```
+$ terraform import aws_iam_openid_connect_provider.default arn:aws:iam::123456789012:oidc-provider/accounts.google.com
+```

website/source/layouts/aws.erb

@@ -745,6 +745,10 @@
                             <a href="/docs/providers/aws/r/iam_instance_profile.html">aws_iam_instance_profile</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-iam-openid-connect-provider") %>>
+                            <a href="/docs/providers/aws/r/iam_openid_connect_provider.html">aws_iam_openid_connect_provider</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-aws-resource-iam-policy") %>>
                             <a href="/docs/providers/aws/r/iam_policy.html">aws_iam_policy</a>
                         </li>