Merge pull request #8114 from TimeIncOSS/f-aws-skip-options

aws: Change names of new skip_* fields + document those
2016-08-12 07:00:14 +01:00 · 2016-08-12 07:00:14 +01:00 · e251d5c7bd
parent 7bc10c62b8 d1272808d8
commit e251d5c7bd
4 changed files with 66 additions and 41 deletions
--- a/builtin/providers/aws/auth_helpers.go
+++ b/builtin/providers/aws/auth_helpers.go
@ -117,10 +117,10 @@ func GetCredentials(c *Config) *awsCredentials.Credentials {
 	}
 	usedEndpoint := setOptionalEndpoint(cfg)

-	// Real AWS should reply to a simple metadata request.
-	// We check it actually does to ensure something else didn't just
-	// happen to be listening on the same IP:Port
-	if c.SkipMetadataApiCheck == false {
+	if !c.SkipMetadataApiCheck {
+		// Real AWS should reply to a simple metadata request.
+		// We check it actually does to ensure something else didn't just
+		// happen to be listening on the same IP:Port
 		metadataClient := ec2metadata.New(session.New(cfg))
 		if metadataClient.Available() {
 			providers = append(providers, &ec2rolecreds.EC2RoleProvider{
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@ -69,16 +69,17 @@ type Config struct {
 	AllowedAccountIds   []interface{}
 	ForbiddenAccountIds []interface{}

-	DynamoDBEndpoint       string
-	KinesisEndpoint        string
-	Ec2Endpoint            string
-	IamEndpoint            string
-	ElbEndpoint            string
-	S3Endpoint             string
-	Insecure               bool
-	SkipIamCredsValidation bool
-	SkipIamAccountId       bool
-	SkipMetadataApiCheck   bool
+	DynamoDBEndpoint string
+	KinesisEndpoint  string
+	Ec2Endpoint      string
+	IamEndpoint      string
+	ElbEndpoint      string
+	S3Endpoint       string
+	Insecure         bool
+
+	SkipCredsValidation     bool
+	SkipRequestingAccountId bool
+	SkipMetadataApiCheck    bool
 }

 type AWSClient struct {
@ -205,7 +206,7 @@ func (c *Config) Client() (interface{}, error) {
 		client.iamconn = iam.New(awsIamSess)
 		client.stsconn = sts.New(sess)

-		if c.SkipIamCredsValidation == false {
+		if !c.SkipCredsValidation {
 			err = c.ValidateCredentials(client.stsconn)
 			if err != nil {
 				errs = append(errs, err)
@ -213,16 +214,16 @@ func (c *Config) Client() (interface{}, error) {
 			}
 		}

-		if c.SkipIamAccountId == false {
+		if !c.SkipRequestingAccountId {
 			accountId, err := GetAccountId(client.iamconn, client.stsconn, cp.ProviderName)
 			if err == nil {
 				client.accountid = accountId
 			}
+		}

-			authErr := c.ValidateAccountId(client.accountid)
-			if authErr != nil {
-				errs = append(errs, authErr)
-			}
+		authErr := c.ValidateAccountId(client.accountid)
+		if authErr != nil {
+			errs = append(errs, authErr)
 		}

 		client.apigateway = apigateway.New(sess)
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -110,18 +110,18 @@ func Provider() terraform.ResourceProvider {
 				Description: descriptions["insecure"],
 			},

-			"skip_iam_creds_validation": &schema.Schema{
+			"skip_credentials_validation": &schema.Schema{
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Default:     false,
-				Description: descriptions["skip_iam_creds_validation"],
+				Description: descriptions["skip_credentials_validation"],
 			},

-			"skip_iam_account_id": &schema.Schema{
+			"skip_requesting_account_id": &schema.Schema{
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Default:     false,
-				Description: descriptions["skip_iam_account_id"],
+				Description: descriptions["skip_requesting_account_id"],
 			},

 			"skip_metadata_api_check": &schema.Schema{
@ -356,11 +356,11 @@ func init() {
 		"insecure": "Explicitly allow the provider to perform \"insecure\" SSL requests. If omitted," +
 			"default value is `false`",

-		"skip_iam_creds_validation": "Skip the IAM/STS credentials validation. " +
-			"Used for AWS API implementations that do not use IAM.",
+		"skip_credentials_validation": "Skip the credentials validation via STS API. " +
+			"Used for AWS API implementations that do not have STS available/implemented.",

-		"skip_iam_account_id": "Skip the request of account id to IAM/STS. " +
-			"Used for AWS API implementations that do not use IAM.",
+		"skip_requesting_account_id": "Skip requesting the account ID. " +
+			"Used for AWS API implementations that do not have IAM/STS API and/or metadata API.",

 		"skip_medatadata_api_check": "Skip the AWS Metadata API check. " +
 			"Used for AWS API implementations that do not have a metadata api endpoint.",
@ -369,19 +369,19 @@ func init() {

 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	config := Config{
-		AccessKey:              d.Get("access_key").(string),
-		SecretKey:              d.Get("secret_key").(string),
-		Profile:                d.Get("profile").(string),
-		CredsFilename:          d.Get("shared_credentials_file").(string),
-		Token:                  d.Get("token").(string),
-		Region:                 d.Get("region").(string),
-		MaxRetries:             d.Get("max_retries").(int),
-		DynamoDBEndpoint:       d.Get("dynamodb_endpoint").(string),
-		KinesisEndpoint:        d.Get("kinesis_endpoint").(string),
-		Insecure:               d.Get("insecure").(bool),
-		SkipIamCredsValidation: d.Get("skip_iam_creds_validation").(bool),
-		SkipIamAccountId:       d.Get("skip_iam_account_id").(bool),
-		SkipMetadataApiCheck:   d.Get("skip_metadata_api_check").(bool),
+		AccessKey:               d.Get("access_key").(string),
+		SecretKey:               d.Get("secret_key").(string),
+		Profile:                 d.Get("profile").(string),
+		CredsFilename:           d.Get("shared_credentials_file").(string),
+		Token:                   d.Get("token").(string),
+		Region:                  d.Get("region").(string),
+		MaxRetries:              d.Get("max_retries").(int),
+		DynamoDBEndpoint:        d.Get("dynamodb_endpoint").(string),
+		KinesisEndpoint:         d.Get("kinesis_endpoint").(string),
+		Insecure:                d.Get("insecure").(bool),
+		SkipCredsValidation:     d.Get("skip_credentials_validation").(bool),
+		SkipRequestingAccountId: d.Get("skip_requesting_account_id").(bool),
+		SkipMetadataApiCheck:    d.Get("skip_metadata_api_check").(bool),
 	}

 	endpointsSet := d.Get("endpoints").(*schema.Set)
--- a/website/source/docs/providers/aws/index.html.markdown
+++ b/website/source/docs/providers/aws/index.html.markdown
@ -159,6 +159,30 @@ The following arguments are supported in the `provider` block:
  URL constructed from the `region`. It's typically used to connect to
  kinesalite.

+* `skip_credentials_validation` - (Optional) Skip the credentials validation via STS API.
+  Useful for AWS API implementations that do not have STS available/implemented.
+
+* `skip_requesting_account_id` - (Optional) Skip requesting the account ID.
+  Useful for AWS API implementations that do not have IAM/STS API and/or metadata API.
+  `true` (enabling this option) prevents you from managing any resource that requires Account ID to construct an ARN, e.g.
+  - `aws_db_instance`
+  - `aws_db_option_group`
+  - `aws_db_parameter_group`
+  - `aws_db_security_group`
+  - `aws_db_subnet_group`
+  - `aws_elasticache_cluster`
+  - `aws_glacier_vault`
+  - `aws_rds_cluster`
+  - `aws_rds_cluster_instance`
+  - `aws_rds_cluster_parameter_group`
+  - `aws_redshift_cluster`
+
+* `skip_metadata_api_check` - (Optional) Skip the AWS Metadata API check.
+  Useful for AWS API implementations that do not have a metadata API endpoint.
+  `true` prevents Terraform from authenticating via Metadata API - i.e. you may need to use other auth methods
+  (static credentials set as ENV vars or config)
+
+
 Nested `endpoints` block supports the followings:

 * `iam` - (Optional) Use this to override the default endpoint