Add region passing for non commercial regions (hashicorp#841)

* Add support for passing region information to vault backend This allows us to use non-inferrable regions * Remove unnecessary data passing when obtaining region * Remove root privilege check, add region as part of data source This allows the tf config to specify the region. It creates redundancy, however, it should allow people to use a different region without special permissions of any sort. If no region is given, it should default to us-east-1. * Rely on go zero values for modifying aws.Config This allows us to set the region ONLY if it was specified in the data section of the user's Terraform config.
dandandy · Aug 17, 2020 · a1160fe · a1160fe
1 parent 8a19e65
commit a1160fe
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 8 deletions.
diff --git a/vault/data_source_aws_access_credentials.go b/vault/data_source_aws_access_credentials.go
@@ -69,6 +69,11 @@ func awsAccessCredentialsDataSource() *schema.Resource {
 				Optional:    true,
 				Description: "ARN to use if multiple are available in the role. Required if the role has multiple ARNs.",
 			},
+			"region": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Region the read credentials belong to.",
+			},
 			"access_key": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -159,6 +164,12 @@ func awsAccessCredentialsDataSourceRead(d *schema.ResourceData, meta interface{}
 		Credentials: credentials.NewStaticCredentials(accessKey, secretKey, securityToken),
 		HTTPClient:  cleanhttp.DefaultClient(),
 	}
+
+	region := d.Get("region").(string)
+	if region != "" {
+		awsConfig.Region = &region
+	}
+
 	sess, err := session.NewSession(awsConfig)
 	if err != nil {
 		return fmt.Errorf("error creating AWS session: %s", err)

diff --git a/vault/data_source_aws_access_credentials_test.go b/vault/data_source_aws_access_credentials_test.go
@@ -19,19 +19,21 @@ import (
 func TestAccDataSourceAWSAccessCredentials_basic(t *testing.T) {
 	mountPath := acctest.RandomWithPrefix("tf-test-aws")
 	accessKey, secretKey := getTestAWSCreds(t)
+	region := getTestAWSRegion(t)
+
 	resource.Test(t, resource.TestCase{
 		Providers: testProviders,
 		PreCheck:  func() { testAccPreCheck(t) },
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAWSAccessCredentialsConfig_basic(mountPath, accessKey, secretKey),
+				Config: testAccDataSourceAWSAccessCredentialsConfig_basic(mountPath, accessKey, secretKey, region),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "access_key"),
 					resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "secret_key"),
 					resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "security_token", ""),
 					resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "creds"),
 					resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
-					testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(),
+					testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
 				),
 			},
 		},
@@ -41,6 +43,7 @@ func TestAccDataSourceAWSAccessCredentials_basic(t *testing.T) {
 func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 	mountPath := acctest.RandomWithPrefix("aws")
 	accessKey, secretKey := getTestAWSCreds(t)
+	region := getTestAWSRegion(t)
 
 	type testCase struct {
 		config string
@@ -54,6 +57,7 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 					description = "Obtain AWS credentials."
 					access_key = "%s"
 					secret_key = "%s"
+					region = "%s"
 				}
 				
 				resource "vault_aws_secret_backend_role" "role" {
@@ -67,7 +71,8 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 					backend = "${vault_aws_secret_backend.aws.path}"
 					role = "${vault_aws_secret_backend_role.role.name}"
 					type = "sts"
-				}`, mountPath, accessKey, secretKey),
+					region = "${vault_aws_secret_backend.aws.region}"
+				}`, mountPath, accessKey, secretKey, region),
 		},
 		"sts with role_arn": {
 			config: fmt.Sprintf(`
@@ -76,6 +81,7 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 					description = "Obtain AWS credentials."
 					access_key = "%s"
 					secret_key = "%s"
+					region = "%s"
 				}
 				
 				resource "vault_aws_secret_backend_role" "role" {
@@ -90,7 +96,8 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 					role     = "${vault_aws_secret_backend_role.role.name}"
 					type     = "sts"
 					role_arn = "arn:aws:iam::012345678901:role/foobar"
-				}`, mountPath, accessKey, secretKey),
+					region = "${vault_aws_secret_backend.aws.region}"
+				}`, mountPath, accessKey, secretKey, region),
 		},
 	}
 
@@ -108,7 +115,7 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 							resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "security_token"),
 							resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "sts"),
 							resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
-							testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(),
+							testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
 						),
 					},
 				},
@@ -117,13 +124,14 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
 	}
 }
 
-func testAccDataSourceAWSAccessCredentialsConfig_basic(mountPath, accessKey, secretKey string) string {
+func testAccDataSourceAWSAccessCredentialsConfig_basic(mountPath, accessKey, secretKey, region string) string {
 	return fmt.Sprintf(`
 resource "vault_aws_secret_backend" "aws" {
     path = "%s"
     description = "Obtain AWS credentials."
     access_key = "%s"
     secret_key = "%s"
+	region = "%s"
 }
 
 resource "vault_aws_secret_backend_role" "role" {
@@ -137,10 +145,11 @@ data "vault_aws_access_credentials" "test" {
     backend = "${vault_aws_secret_backend.aws.path}"
     role = "${vault_aws_secret_backend_role.role.name}"
     type = "creds"
-}`, mountPath, accessKey, secretKey)
+	region = "${vault_aws_secret_backend.aws.region}"
+}`, mountPath, accessKey, secretKey, region)
 }
 
-func testAccDataSourceAWSAccessCredentialsCheck_tokenWorks() resource.TestCheckFunc {
+func testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		resourceState := s.Modules[0].Resources["data.vault_aws_access_credentials.test"]
 		if resourceState == nil {
@@ -160,6 +169,7 @@ func testAccDataSourceAWSAccessCredentialsCheck_tokenWorks() resource.TestCheckF
 		awsConfig := &aws.Config{
 			Credentials: credentials.NewStaticCredentials(accessKey, secretKey, securityToken),
 			HTTPClient:  cleanhttp.DefaultClient(),
+			Region:      &region,
 		}
 		sess, err := session.NewSession(awsConfig)
 		if err != nil {

diff --git a/vault/provider_test.go b/vault/provider_test.go
@@ -79,6 +79,14 @@ func getTestAWSCreds(t *testing.T) (string, string) {
 	return accessKey, secretKey
 }
 
+func getTestAWSRegion(t *testing.T) string {
+	region := os.Getenv("AWS_DEFAULT_REGION")
+	if region == "" {
+		t.Skip("AWS_DEFAULT_REGION not set")
+	}
+	return region
+}
+
 type azureTestConf struct {
 	SubscriptionID, TenantID, ClientID, ClientSecret, Scope string
 }