From fad999e4c61d0195f0abfc90bc0b317601657ea7 Mon Sep 17 00:00:00 2001
From: Rhodri Davies
Date: Fri, 23 Mar 2018 10:34:33 +0000
Subject: [PATCH 1/2] Remove hashing StateFunc on platform credential and principal

When a APNS certificate is renewed and the private key remains the same the new certificate is detected and an attempt is made to update the SNS platform application. This fails because the hashed value for private key (platform credential) is sent along with the new certificate (platform principal) causing the AWS API to reject the request.
---
 aws/resource_aws_sns_platform_application.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/aws/resource_aws_sns_platform_application.go b/aws/resource_aws_sns_platform_application.go
index e8b394b17597..92c4046e7e35 100644
--- a/aws/resource_aws_sns_platform_application.go
+++ b/aws/resource_aws_sns_platform_application.go
@@ -1,7 +1,6 @@
 package aws

 import (
- "crypto/sha256"
 "fmt"
 "log"
 "strings"
@@ -60,7 +59,7 @@ func resourceAwsSnsPlatformApplication() *schema.Resource {
 "platform_credential": {
 Type: schema.TypeString,
 Required: true,
- StateFunc: hashSum,
+ Sensitive: true,
 },
 "arn": {
 Type: schema.TypeString,
@@ -89,7 +88,7 @@ func resourceAwsSnsPlatformApplication() *schema.Resource {
 "platform_principal": {
 Type: schema.TypeString,
 Optional: true,
- StateFunc: hashSum,
+ Sensitive: true,
 },
 "success_feedback_role_arn": {
 Type: schema.TypeString,
@@ -271,10 +270,6 @@ func decodeResourceAwsSnsPlatformApplicationID(input string) (arnS, name, platfo
 return
 }

-func hashSum(contents interface{}) string {
- return fmt.Sprintf("%x", sha256.Sum256([]byte(contents.(string))))
-}
-
 func validateAwsSnsPlatformApplication(d *schema.ResourceDiff) error {
 platform := d.Get("platform").(string)
 if snsPlatformRequiresPlatformPrincipal[platform] {
From 3dd4c79acf28f84fe4e18c5b41192eaca0a56487 Mon Sep 17 00:00:00 2001
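Review bot: With `StateFunc: hashSum` gone from `platform_credential` (and from `platform_principal` in the following hunk), the state file now holds the raw credential and principal instead of a SHA-256 digest, and `Sensitive: true` only masks the values in plan and apply output; it does not protect them at rest in state. The trade-off is needed so the real value can be sent on update, but it should be stated where users will see it, for example a field comment such as `// Stored unhashed in state; Sensitive only masks CLI output.` plus a note in the resource documentation recommending an encrypted, access-restricted state backend. State written by earlier versions still holds the hash, so the first plan after upgrading will probably show both attributes as changed; an upgrade note or a state migration would avoid the surprise. The schema map starts and ends outside these hunks.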
From: Rhodri Davies
Date: Tue, 3 Jul 2018 15:46:16 +0100
Subject: [PATCH 2/2] Send the PlatformCredential if the PlatformPrincipal has changed

---
 aws/resource_aws_sns_platform_application.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/aws/resource_aws_sns_platform_application.go b/aws/resource_aws_sns_platform_application.go
index 92c4046e7e35..217b32f221b4 100644
--- a/aws/resource_aws_sns_platform_application.go
+++ b/aws/resource_aws_sns_platform_application.go
@@ -157,6 +157,12 @@ func resourceAwsSnsPlatformApplicationUpdate(d *schema.ResourceData, meta interf
 }
 }

+ if d.HasChange("platform_principal") {
+ // If the principal has changed we must also send the credential, even if it didn't change,
+ // as they must be specified together in the request.
+ attributes["PlatformCredential"] = aws.String(d.Get("platform_credential").(string))
+ }
+
 // Make API call to update attributes
 req := &sns.SetPlatformApplicationAttributesInput{
 PlatformApplicationArn: aws.String(d.Id()),
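Review bot: The added `if d.HasChange("platform_principal")` block handles only one direction of the pairing its own comment describes: when `platform_credential` changes and the principal does not, nothing in this hunk puts `PlatformPrincipal` into `attributes`. If the API really requires the two together, that case would presumably be rejected in the same way, unless code above the hunk already covers it (the function body starts and ends outside the hunk). A mirrored guard on `d.HasChange("platform_credential")` that sets `attributes["PlatformPrincipal"]` whenever a principal is configured would close the gap, and an acceptance test for a certificate-only change would pin the behaviour. Because `attributes` now carries the raw credential on every certificate change, any `log.Printf` of the request elsewhere in this function (not visible here) should not print the attribute map.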