provider/aws: Add diff suppression & validation for OpenID URL

builtin/providers/aws/diff_suppress_funcs.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"log"
+	"net/url"
 	"strings"
 
 	"github.com/hashicorp/terraform/helper/schema"
@@ -58,3 +59,19 @@ func suppressEquivalentJsonDiffs(k, old, new string, d *schema.ResourceData) boo
 
 	return jsonBytesEqual(ob.Bytes(), nb.Bytes())
 }
+
+func suppressOpenIdURL(k, old, new string, d *schema.ResourceData) bool {
+	oldUrl, err := url.Parse(old)
+	if err != nil {
+		return false
+	}
+
+	newUrl, err := url.Parse(new)
+	if err != nil {
+		return false
+	}
+
+	oldUrl.Scheme = "https"
+
+	return oldUrl.String() == newUrl.String()
+}

builtin/providers/aws/provider.go

@@ -309,6 +309,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_iam_group_membership":                     resourceAwsIamGroupMembership(),
 			"aws_iam_group_policy_attachment":              resourceAwsIamGroupPolicyAttachment(),
 			"aws_iam_instance_profile":                     resourceAwsIamInstanceProfile(),
+			"aws_iam_openid_connect_provider":              resourceAwsIamOpenIDConnectProvider(),
 			"aws_iam_policy":                               resourceAwsIamPolicy(),
 			"aws_iam_policy_attachment":                    resourceAwsIamPolicyAttachment(),
 			"aws_iam_role_policy_attachment":               resourceAwsIamRolePolicyAttachment(),

builtin/providers/aws/resource_aws_iam_openid_connect_provider.go

@@ -27,6 +27,8 @@ func resourceAwsIamOpenIDConnectProvider() *schema.Resource {
 				Computed:         false,
 				Required:         true,
 				ForceNew:         true,
+				ValidateFunc:     validateOpenIdURL,
+				DiffSuppressFunc: suppressOpenIdURL,
 			},
 			"client-id-list": &schema.Schema{
 				Elem:     &schema.Schema{Type: schema.TypeString},

builtin/providers/aws/validators.go

@@ -3,6 +3,7 @@ package aws
 import (
 	"fmt"
 	"net"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -1170,3 +1171,19 @@ func validateAwsAlbTargetGroupNamePrefix(v interface{}, k string) (ws []string,
 	}
 	return
 }
+
+func validateOpenIdURL(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+	u, err := url.Parse(value)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q has to be a valid URL", k))
+		return
+	}
+	if u.Scheme != "https" {
+		errors = append(errors, fmt.Errorf("%q has to use HTTPS scheme (i.e. begin with https://)", k))
+	}
+	if len(u.Query()) > 0 {
+		errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
+	}
+	return
+}

builtin/providers/aws/validators_test.go

@@ -1913,3 +1913,35 @@ func TestValidateDbOptionGroupNamePrefix(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateOpenIdURL(t *testing.T) {
+	cases := []struct {
+		Value    string
+		ErrCount int
+	}{
+		{
+			Value:    "http://wrong.scheme.com",
+			ErrCount: 1,
+		},
+		{
+			Value:    "ftp://wrong.scheme.co.uk",
+			ErrCount: 1,
+		},
+		{
+			Value:    "%@invalidUrl",
+			ErrCount: 1,
+		},
+		{
+			Value:    "https://example.com/?query=param",
+			ErrCount: 1,
+		},
+	}
+
+	for _, tc := range cases {
+		_, errors := validateOpenIdURL(tc.Value, "url")
+
+		if len(errors) != tc.ErrCount {
+			t.Fatalf("Expected %d of OpenID URL validation errors, got %d", tc.ErrCount, len(errors))
+		}
+	}
+}