Skip to content

Commit

Permalink
resource/aws_iam_access_key: Remove deprecated ses_smtp_password attr…
Browse files Browse the repository at this point in the history
…ibute

Reference: #11144
Reference: #13398

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessKey_basic (5.87s)
--- PASS: TestAccAWSAccessKey_encrypted (5.97s)
--- PASS: TestAccAWSAccessKey_inactive (9.72s)
```
  • Loading branch information
bflad committed Jul 24, 2020
1 parent 33116d1 commit 5ee858c
Show file tree
Hide file tree
Showing 4 changed files with 7 additions and 54 deletions.
32 changes: 0 additions & 32 deletions aws/resource_aws_iam_access_key.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,6 @@ func resourceAwsIamAccessKey() *schema.Resource {
Computed: true,
Sensitive: true,
},
"ses_smtp_password": {
Type: schema.TypeString,
Computed: true,
Sensitive: true,
Deprecated: "AWS SigV2 for SES SMTP passwords isy deprecated.\nUse 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.",
},
"ses_smtp_password_v4": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -111,14 +105,6 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
}
}

// AWS SigV2
sesSMTPPassword, err := sesSmtpPasswordFromSecretKeySigV2(createResp.AccessKey.SecretAccessKey)
if err != nil {
return fmt.Errorf("error getting SES SigV2 SMTP Password from Secret Access Key: %s", err)
}
d.Set("ses_smtp_password", sesSMTPPassword)

// AWS SigV4
sesSMTPPasswordV4, err := sesSmtpPasswordFromSecretKeySigV4(createResp.AccessKey.SecretAccessKey, meta.(*AWSClient).region)
if err != nil {
return fmt.Errorf("error getting SES SigV4 SMTP Password from Secret Access Key: %s", err)
Expand Down Expand Up @@ -252,21 +238,3 @@ func sesSmtpPasswordFromSecretKeySigV4(key *string, region string) (string, erro
versionedSig = append(versionedSig, rawSig...)
return base64.StdEncoding.EncodeToString(versionedSig), nil
}

func sesSmtpPasswordFromSecretKeySigV2(key *string) (string, error) {
if key == nil {
return "", nil
}
version := byte(0x02)
message := []byte("SendRawEmail")
hmacKey := []byte(*key)
h := hmac.New(sha256.New, hmacKey)
if _, err := h.Write(message); err != nil {
return "", err
}
rawSig := h.Sum(nil)
versionedSig := make([]byte, 0, len(rawSig)+1)
versionedSig = append(versionedSig, version)
versionedSig = append(versionedSig, rawSig...)
return base64.StdEncoding.EncodeToString(versionedSig), nil
}
20 changes: 0 additions & 20 deletions aws/resource_aws_iam_access_key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -256,23 +256,3 @@ func TestSesSmtpPasswordFromSecretKeySigV4(t *testing.T) {
}
}
}

func TestSesSmtpPasswordFromSecretKeySigV2(t *testing.T) {
cases := []struct {
Input string
Expected string
}{
{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
}

for _, tc := range cases {
actual, err := sesSmtpPasswordFromSecretKeySigV2(&tc.Input)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
if actual != tc.Expected {
t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
}
}
}
7 changes: 7 additions & 0 deletions website/docs/guides/version-3-upgrade.html.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ Upgrade topics:
- [Resource: aws_ebs_volume](#resource-aws_ebs_volume)
- [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
- [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
- [Resource: aws_iam_access_key](#resource-aws_iam_access_key)
- [Resource: aws_instance](#resource-aws_instance)
- [Resource: aws_lambda_alias](#resource-aws_lambda_alias)
- [Resource: aws_launch_template](#resource-aws_launch_template)
Expand Down Expand Up @@ -727,6 +728,12 @@ resource "aws_emr_cluster" "example" {
}
```

## Resource: aws_iam_access_key

### ses_smtp_password Attribute Removal

In many regions today and in all regions after October 1, 2020, the [SES API will only accept version 4 signatures](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html). If referencing the `ses_smtp_password` attribute, switch your Terraform configuration to the `ses_smtp_password_v4` attribute instead. Please note that this signature is based on the region of the Terraform AWS Provider. If you need the SES v4 password in multiple regions, it may require using [multiple provider instances](/docs/configuration/providers.html#alias-multiple-provider-instances).

## Resource: aws_instance

### ebs_block_device.iops and root_block_device.iops Argument Apply-Time Validations
Expand Down
2 changes: 0 additions & 2 deletions website/docs/r/iam_access_key.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -90,8 +90,6 @@ the use of the secret key in automation.
* `encrypted_secret` - The encrypted secret, base64 encoded, if `pgp_key` was specified.
~> **NOTE:** The encrypted secret may be decrypted using the command line,
for example: `terraform output encrypted_secret | base64 --decode | keybase pgp decrypt`.
* `ses_smtp_password` - **DEPRECATED** The secret access key converted into an SES SMTP
password by applying AWS's SigV2 conversion algorithm
* `ses_smtp_password_v4` - The secret access key converted into an SES SMTP
password by applying [AWS's documented Sigv4 conversion
algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
Expand Down

0 comments on commit 5ee858c

Please sign in to comment.