provider/aws: add ses_smtp_password to iam_access_key
AWS gives instructions for converting AWS credentials into SES SMTP credentials here:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert
This implements their algorithm and yields the result as an attribute on `iam_access_key`.
parent
7d142134f2
commit
eb150ae025
|
@ -1,6 +1,9 @@
|
||||||
package aws
|
package aws
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha256"
|
||||||
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
|
@ -32,6 +35,10 @@ func resourceAwsIamAccessKey() *schema.Resource {
|
||||||
Type: schema.TypeString,
|
Type: schema.TypeString,
|
||||||
Computed: true,
|
Computed: true,
|
||||||
},
|
},
|
||||||
|
"ses_smtp_password": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -55,6 +62,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
|
||||||
if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
|
if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
d.Set("ses_smtp_password",
|
||||||
|
sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey))
|
||||||
|
|
||||||
return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{
|
return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{
|
||||||
AccessKeyId: createResp.AccessKey.AccessKeyId,
|
AccessKeyId: createResp.AccessKey.AccessKeyId,
|
||||||
CreateDate: createResp.AccessKey.CreateDate,
|
CreateDate: createResp.AccessKey.CreateDate,
|
||||||
|
@ -115,3 +126,19 @@ func resourceAwsIamAccessKeyDelete(d *schema.ResourceData, meta interface{}) err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func sesSmtpPasswordFromSecretKey(key *string) string {
|
||||||
|
if key == nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
version := byte(0x02)
|
||||||
|
message := []byte("SendRawEmail")
|
||||||
|
hmacKey := []byte(*key)
|
||||||
|
h := hmac.New(sha256.New, hmacKey)
|
||||||
|
h.Write(message)
|
||||||
|
rawSig := h.Sum(nil)
|
||||||
|
versionedSig := make([]byte, 0, len(rawSig)+1)
|
||||||
|
versionedSig = append(versionedSig, version)
|
||||||
|
versionedSig = append(versionedSig, rawSig...)
|
||||||
|
return base64.StdEncoding.EncodeToString(versionedSig)
|
||||||
|
}
|
||||||
|
|
|
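Review bot: In `resourceAwsIamAccessKeyCreate` the return value of `d.Set("ses_smtp_password", …)` is discarded, while the `secret` attribute directly above it returns the error; write it the same way, `if err := d.Set("ses_smtp_password", sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey)); err != nil { return err }`. The derived value is a usable SMTP credential computed from the secret key, so it is stored in state just as `secret` is. If the `schema` package in this tree supports it, `Sensitive: true` on the new schema entry would keep it out of displayed output, and the new documentation bullet should carry the same "written to the state file" warning that the `secret` bullet has. The attribute is only set in the create path visible here, so it presumably stays empty for a key whose secret is no longer available (for example after an import); a doc comment on `sesSmtpPasswordFromSecretKey` naming the AWS conversion procedure and the `0x02` version byte would also help. Both resource functions extend beyond the hunks shown.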
@ -116,3 +116,20 @@ resource "aws_iam_access_key" "a_key" {
|
||||||
user = "${aws_iam_user.a_user.name}"
|
user = "${aws_iam_user.a_user.name}"
|
||||||
}
|
}
|
||||||
`
|
`
|
||||||
|
|
||||||
|
func TestSesSmtpPasswordFromSecretKey(t *testing.T) {
|
||||||
|
cases := []struct {
|
||||||
|
Input string
|
||||||
|
Expected string
|
||||||
|
}{
|
||||||
|
{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
|
||||||
|
{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range cases {
|
||||||
|
actual := sesSmtpPasswordFromSecretKey(&tc.Input)
|
||||||
|
if actual != tc.Expected {
|
||||||
|
t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
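Review bot: The nil branch of `sesSmtpPasswordFromSecretKey` (`if key == nil { return "" }`) is not exercised by `TestSesSmtpPasswordFromSecretKey`, because the table's `Input` is a plain `string`; add a separate check such as `if got := sesSmtpPasswordFromSecretKey(nil); got != "" { t.Fatalf("nil key: got %q", got) }`. The two expected values have no stated origin, so a short comment saying how they were produced (ideally with a tool other than this function) would make them a real known-answer test rather than a snapshot of the implementation. Using `t.Errorf` in the loop instead of `t.Fatalf` would report every failing vector in one run.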
@ -55,5 +55,8 @@ The following attributes are exported:
|
||||||
* `id` - The access key ID.
|
* `id` - The access key ID.
|
||||||
* `user` - The IAM user associated with this access key.
|
* `user` - The IAM user associated with this access key.
|
||||||
* `secret` - The secret access key. Note that this will be written to the state file.
|
* `secret` - The secret access key. Note that this will be written to the state file.
|
||||||
|
* `ses_smtp_password` - The secret access key converted into an SES SMTP
|
||||||
|
password by applying [AWS's documented conversion
|
||||||
|
algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
|
||||||
* `status` - "Active" or "Inactive". Keys are initially active, but can be made
|
* `status` - "Active" or "Inactive". Keys are initially active, but can be made
|
||||||
inactive by other means.
|
inactive by other means.
|
||||||
|
|