provider/aws: add ses_smtp_password to iam_access_key
AWS gives instructions for converting AWS credentials into SES SMTP credentials here: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert This implements their algorithm and yields the result as an attribute on `iam_access_key`.
parent
7d142134f2
commit
eb150ae025
|
@ -1,6 +1,9 @@
|
|||
package aws
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
|
@ -32,6 +35,10 @@ func resourceAwsIamAccessKey() *schema.Resource {
|
|||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
"ses_smtp_password": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
@ -55,6 +62,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
|
|||
if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
d.Set("ses_smtp_password",
|
||||
sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey))
|
||||
|
||||
return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{
|
||||
AccessKeyId: createResp.AccessKey.AccessKeyId,
|
||||
CreateDate: createResp.AccessKey.CreateDate,
|
||||
|
@ -115,3 +126,19 @@ func resourceAwsIamAccessKeyDelete(d *schema.ResourceData, meta interface{}) err
|
|||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func sesSmtpPasswordFromSecretKey(key *string) string {
|
||||
if key == nil {
|
||||
return ""
|
||||
}
|
||||
version := byte(0x02)
|
||||
message := []byte("SendRawEmail")
|
||||
hmacKey := []byte(*key)
|
||||
h := hmac.New(sha256.New, hmacKey)
|
||||
h.Write(message)
|
||||
rawSig := h.Sum(nil)
|
||||
versionedSig := make([]byte, 0, len(rawSig)+1)
|
||||
versionedSig = append(versionedSig, version)
|
||||
versionedSig = append(versionedSig, rawSig...)
|
||||
return base64.StdEncoding.EncodeToString(versionedSig)
|
||||
}
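Review bot: The value returned by `sesSmtpPasswordFromSecretKey` is a usable long-lived SMTP credential, yet the create path stores it with a bare `d.Set("ses_smtp_password", ...)` whose error is discarded, unlike the checked `d.Set("secret", ...)` directly above it. I would write it as `if err := d.Set("ses_smtp_password", sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey)); err != nil { return err }`. The new schema entry should be handled like the secret itself: add `Sensitive: true,` if the vendored helper/schema supports that field, and note that the value is still written to the state file in plain text, so the docs entry should carry the same state-file warning that `secret` has. The helper also deserves a doc comment such as `// sesSmtpPasswordFromSecretKey returns base64(0x02 || HMAC-SHA256(secret, "SendRawEmail")), or "" for a nil key.` so the pinned version byte and message are traceable to the AWS algorithm. The read path is outside the visible hunks, so whether the attribute is repopulated on refresh cannot be confirmed from here.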
|
||||
|
|
|
@ -116,3 +116,20 @@ resource "aws_iam_access_key" "a_key" {
|
|||
user = "${aws_iam_user.a_user.name}"
|
||||
}
|
||||
`
|
||||
|
||||
func TestSesSmtpPasswordFromSecretKey(t *testing.T) {
|
||||
cases := []struct {
|
||||
Input string
|
||||
Expected string
|
||||
}{
|
||||
{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
|
||||
{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
|
||||
}
|
||||
|
||||
for _, tc := range cases {
|
||||
actual := sesSmtpPasswordFromSecretKey(&tc.Input)
|
||||
if actual != tc.Expected {
|
||||
t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
|
||||
}
|
||||
}
|
||||
}
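Review bot: The table in `TestSesSmtpPasswordFromSecretKey` never exercises the nil branch of the helper, so the `return ""` guard could regress unnoticed; add `if got := sesSmtpPasswordFromSecretKey(nil); got != "" { t.Fatalf("nil key: expected empty string, got %q", got) }` after the loop. Using `t.Errorf` instead of `t.Fatalf` inside the loop would report every failing vector rather than stopping at the first. It is not visible whether the two expected values were produced independently of this implementation; a short comment stating their origin would make them trustworthy as known-answer vectors.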
|
||||
|
|
|
@ -55,5 +55,8 @@ The following attributes are exported:
|
|||
* `id` - The access key ID.
|
||||
* `user` - The IAM user associated with this access key.
|
||||
* `secret` - The secret access key. Note that this will be written to the state file.
|
||||
* `ses_smtp_password` - The secret access key converted into an SES SMTP
|
||||
password by applying [AWS's documented conversion
|
||||
algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
|
||||
* `status` - "Active" or "Inactive". Keys are initially active, but can be made
|
||||
inactive by other means.
|
||||
|
|