provider/aws: Add diff suppression & validation for OpenID URL
This commit is contained in:
parent
3640bdd6e1
commit
668a09aa00
|
@ -4,6 +4,7 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"log"
|
"log"
|
||||||
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/hashicorp/terraform/helper/schema"
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
@ -58,3 +59,19 @@ func suppressEquivalentJsonDiffs(k, old, new string, d *schema.ResourceData) boo
|
||||||
|
|
||||||
return jsonBytesEqual(ob.Bytes(), nb.Bytes())
|
return jsonBytesEqual(ob.Bytes(), nb.Bytes())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func suppressOpenIdURL(k, old, new string, d *schema.ResourceData) bool {
|
||||||
|
oldUrl, err := url.Parse(old)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
newUrl, err := url.Parse(new)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
oldUrl.Scheme = "https"
|
||||||
|
|
||||||
|
return oldUrl.String() == newUrl.String()
|
||||||
|
}
|
||||||
|
|
|
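Review bot: suppressOpenIdURL carries no comment explaining why the stored value's scheme is overwritten with "https" before the comparison, and nothing in the commit exercises the function (the new table test covers only validateOpenIdURL). A doc comment on the function such as `// suppressOpenIdURL reports whether old (the value in state) and new (the configured value) name the same OIDC provider URL once the stored value is normalised to the https scheme — presumably because it is stored without one; confirm against the read path.` would record the intent. Because the same "url" attribute is ForceNew in the resource schema hunk, a false negative here replaces the provider instead of leaving it alone, so a small table test pairing a scheme-less stored value with its https form and two different hosts with each other (constructed values, e.g. `oidc.example.com` vs `https://oidc.example.com`, `https://a.example.com` vs `https://b.example.com`) would make that contract explicit. Note also that the normalisation is one-sided: an old value whose scheme was anything but https is silently treated as https, which is only safe because validateOpenIdURL guarantees new is https.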
@ -309,6 +309,7 @@ func Provider() terraform.ResourceProvider {
|
||||||
"aws_iam_group_membership": resourceAwsIamGroupMembership(),
|
"aws_iam_group_membership": resourceAwsIamGroupMembership(),
|
||||||
"aws_iam_group_policy_attachment": resourceAwsIamGroupPolicyAttachment(),
|
"aws_iam_group_policy_attachment": resourceAwsIamGroupPolicyAttachment(),
|
||||||
"aws_iam_instance_profile": resourceAwsIamInstanceProfile(),
|
"aws_iam_instance_profile": resourceAwsIamInstanceProfile(),
|
||||||
|
"aws_iam_openid_connect_provider": resourceAwsIamOpenIDConnectProvider(),
|
||||||
"aws_iam_policy": resourceAwsIamPolicy(),
|
"aws_iam_policy": resourceAwsIamPolicy(),
|
||||||
"aws_iam_policy_attachment": resourceAwsIamPolicyAttachment(),
|
"aws_iam_policy_attachment": resourceAwsIamPolicyAttachment(),
|
||||||
"aws_iam_role_policy_attachment": resourceAwsIamRolePolicyAttachment(),
|
"aws_iam_role_policy_attachment": resourceAwsIamRolePolicyAttachment(),
|
||||||
|
|
|
@ -27,6 +27,8 @@ func resourceAwsIamOpenIDConnectProvider() *schema.Resource {
|
||||||
Computed: false,
|
Computed: false,
|
||||||
Required: true,
|
Required: true,
|
||||||
ForceNew: true,
|
ForceNew: true,
|
||||||
|
ValidateFunc: validateOpenIdURL,
|
||||||
|
DiffSuppressFunc: suppressOpenIdURL,
|
||||||
},
|
},
|
||||||
"client-id-list": &schema.Schema{
|
"client-id-list": &schema.Schema{
|
||||||
Elem: &schema.Schema{Type: schema.TypeString},
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||||||
|
|
|
@ -3,6 +3,7 @@ package aws
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"net/url"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
@ -1170,3 +1171,19 @@ func validateAwsAlbTargetGroupNamePrefix(v interface{}, k string) (ws []string,
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateOpenIdURL(v interface{}, k string) (ws []string, errors []error) {
|
||||||
|
value := v.(string)
|
||||||
|
u, err := url.Parse(value)
|
||||||
|
if err != nil {
|
||||||
|
errors = append(errors, fmt.Errorf("%q has to be a valid URL", k))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if u.Scheme != "https" {
|
||||||
|
errors = append(errors, fmt.Errorf("%q has to use HTTPS scheme (i.e. begin with https://)", k))
|
||||||
|
}
|
||||||
|
if len(u.Query()) > 0 {
|
||||||
|
errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
|
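Review bot: validateOpenIdURL accepts URLs with an empty host, because url.Parse returns no error for inputs like `https://` or `https:`, so the scheme check passes and the function returns no errors for a value that cannot name a provider. It also leaves the fragment component unchecked, although the OIDC issuer rules the query-parameter message already cites forbid fragments as well. The query check would be simpler and slightly stricter as `if u.RawQuery != ""`, which also rejects a bare trailing `?` that `len(u.Query()) > 0` lets through. The rewritten checks below replace the query test and add the host and fragment tests; the type assertion `v.(string)` is left as is on the assumption that it matches the other validators in this file, which are outside the hunk.
```go
	// … unchanged: url.Parse and the https scheme check …
	// url.Parse accepts "https://" and "https:" without error, so an empty host must be rejected explicitly.
	if u.Host == "" {
		errors = append(errors, fmt.Errorf("%q has to contain a host", k))
	}
	// OIDC issuer identifiers may contain neither a query nor a fragment component.
	if u.RawQuery != "" {
		errors = append(errors, fmt.Errorf("%q cannot contain query parameters per the OIDC standard", k))
	}
	if u.Fragment != "" {
		errors = append(errors, fmt.Errorf("%q cannot contain a fragment per the OIDC standard", k))
	}
	// … unchanged: return …
```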
@ -1913,3 +1913,35 @@ func TestValidateDbOptionGroupNamePrefix(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestValidateOpenIdURL(t *testing.T) {
|
||||||
|
cases := []struct {
|
||||||
|
Value string
|
||||||
|
ErrCount int
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
Value: "http://wrong.scheme.com",
|
||||||
|
ErrCount: 1,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Value: "ftp://wrong.scheme.co.uk",
|
||||||
|
ErrCount: 1,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Value: "%@invalidUrl",
|
||||||
|
ErrCount: 1,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Value: "https://example.com/?query=param",
|
||||||
|
ErrCount: 1,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range cases {
|
||||||
|
_, errors := validateOpenIdURL(tc.Value, "url")
|
||||||
|
|
||||||
|
if len(errors) != tc.ErrCount {
|
||||||
|
t.Fatalf("Expected %d of OpenID URL validation errors, got %d", tc.ErrCount, len(errors))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
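Review bot: TestValidateOpenIdURL has no passing case, so a validator that rejected every input would still satisfy it; add an entry such as `{Value: "https://accounts.example.com", ErrCount: 0},` (constructed value) to pin the accepted shape. The failure message also omits the input, so with four cases sharing the same ErrCount a failure cannot be attributed to a row; `t.Fatalf("%q: expected %d OpenID URL validation errors, got %d", tc.Value, tc.ErrCount, len(errors))` fixes that. Using t.Errorf instead of t.Fatalf would additionally let the loop report every failing row in one run.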