provider/aws: add ses_smtp_password to iam_access_key

AWS gives instructions for converting AWS credentials into SES SMTP
credentials here:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert

This implements their algorithm and yields the result as an attribute on
`iam_access_key`.
Paul Hinze 2015-09-02 18:20:06 -05:00
parent 7d142134f2
commit eb150ae025
3 changed files with 47 additions and 0 deletions


@ -1,6 +1,9 @@
package aws package aws
import ( import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"fmt" "fmt"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
@ -32,6 +35,10 @@ func resourceAwsIamAccessKey() *schema.Resource {
Type: schema.TypeString, Type: schema.TypeString,
Computed: true, Computed: true,
}, },
"ses_smtp_password": &schema.Schema{
Type: schema.TypeString,
Computed: true,
},
}, },
} }
} }
@ -55,6 +62,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil { if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
return err return err
} }
d.Set("ses_smtp_password",
sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey))
return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{ return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{
AccessKeyId: createResp.AccessKey.AccessKeyId, AccessKeyId: createResp.AccessKey.AccessKeyId,
CreateDate: createResp.AccessKey.CreateDate, CreateDate: createResp.AccessKey.CreateDate,
@ -115,3 +126,19 @@ func resourceAwsIamAccessKeyDelete(d *schema.ResourceData, meta interface{}) err
} }
return nil return nil
} }
func sesSmtpPasswordFromSecretKey(key *string) string {
if key == nil {
return ""
}
version := byte(0x02)
message := []byte("SendRawEmail")
hmacKey := []byte(*key)
h := hmac.New(sha256.New, hmacKey)
h.Write(message)
rawSig := h.Sum(nil)
versionedSig := make([]byte, 0, len(rawSig)+1)
versionedSig = append(versionedSig, version)
versionedSig = append(versionedSig, rawSig...)
return base64.StdEncoding.EncodeToString(versionedSig)
}
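Review bot: The new `d.Set("ses_smtp_password", ...)` call in the resourceAwsIamAccessKeyCreate hunk discards the returned error, while the `d.Set("secret", ...)` immediately above it is checked and returned; for consistency wrap it the same way: `if err := d.Set("ses_smtp_password", sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey)); err != nil { return err }`. resourceAwsIamAccessKeyCreate starts and ends outside the hunk. In the last hunk, sesSmtpPasswordFromSecretKey has no doc comment and `0x02` is a bare magic value; a comment such as `// sesSmtpPasswordFromSecretKey derives the SES SMTP password from an IAM secret access key per the AWS conversion doc (HMAC-SHA256 of "SendRawEmail", prefixed with version byte 0x02, base64). Returns "" for a nil key.` would record where the constants come from. Since the result is a deterministic function of the secret access key and is stored as a Computed attribute, it is as sensitive as `secret` and lands in state the same way, which is worth noting wherever `secret`'s state-file caveat is given.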


@ -116,3 +116,20 @@ resource "aws_iam_access_key" "a_key" {
user = "${aws_iam_user.a_user.name}" user = "${aws_iam_user.a_user.name}"
} }
` `
func TestSesSmtpPasswordFromSecretKey(t *testing.T) {
cases := []struct {
Input string
Expected string
}{
{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
}
for _, tc := range cases {
actual := sesSmtpPasswordFromSecretKey(&tc.Input)
if actual != tc.Expected {
t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
}
}
}
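Review bot: TestSesSmtpPasswordFromSecretKey never exercises the nil-key branch of sesSmtpPasswordFromSecretKey, which returns "" for a nil pointer, so a regression there would go unnoticed; add `if got := sesSmtpPasswordFromSecretKey(nil); got != "" { t.Fatalf("nil key: expected empty string, got %q", got) }` after the table loop. The two Expected strings are bare constants with no indication of how they were obtained; a one-line comment on the cases table stating their provenance (for example, that they were checked against AWS's documented conversion) would let a maintainer re-derive them if the algorithm's version byte ever changes.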


@ -55,5 +55,8 @@ The following attributes are exported:
* `id` - The access key ID. * `id` - The access key ID.
* `user` - The IAM user associated with this access key. * `user` - The IAM user associated with this access key.
* `secret` - The secret access key. Note that this will be written to the state file. * `secret` - The secret access key. Note that this will be written to the state file.
* `ses_smtp_password` - The secret access key converted into an SES SMTP
password by applying [AWS's documented conversion
algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
* `status` - "Active" or "Inactive". Keys are initially active, but can be made * `status` - "Active" or "Inactive". Keys are initially active, but can be made
inactive by other means. inactive by other means.