From dbe32aaf359146d34a2b863d5850ec8dc0c49688 Mon Sep 17 00:00:00 2001 From: Jared Baker Date: Wed, 13 Sep 2023 16:46:34 -0400 Subject: [PATCH 1/6] deps: bump aws-sdk-go-base/v2 --- go.mod | 20 +++++++++++++------- go.sum | 41 ++++++++++++++++++++++++++-------------- internal/conns/config.go | 3 ++- 3 files changed, 42 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index a0a33ab4854..38553c27afe 100644 --- a/go.mod +++ b/go.mod @@ -74,8 +74,8 @@ require ( github.com/beevik/etree v1.2.0 github.com/google/go-cmp v0.5.9 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.21.0 - github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.35 - github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.36 + github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.36 + github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.37 github.com/hashicorp/awspolicyequivalence v1.6.0 github.com/hashicorp/go-cleanhttp v0.5.2 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 @@ -101,8 +101,8 @@ require ( github.com/pquerna/otp v1.4.0 github.com/shopspring/decimal v1.3.1 golang.org/x/crypto v0.13.0 - golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 - golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 + golang.org/x/tools v0.13.0 gopkg.in/dnaeon/go-vcr.v3 v3.1.2 gopkg.in/yaml.v2 v2.4.0 syreclabs.com/go/faker v1.2.3 
@@ -121,12 +121,14 @@ require ( github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 // indirect + github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 // indirect github.com/aws/aws-sdk-go-v2/service/iam v1.22.5 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 // indirect github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 // indirect @@ -138,6 +140,8 @@ require ( github.com/evanphx/json-patch v0.5.2 // indirect github.com/fatih/color v1.15.0 // indirect github.com/frankban/quicktest v1.14.6 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-test/deep v1.1.0 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/uuid v1.3.1 // indirect 
@@ -170,10 +174,12 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/zclconf/go-cty v1.14.0 // indirect - go.opentelemetry.io/otel v1.16.0 // indirect - go.opentelemetry.io/otel/trace v1.16.0 // indirect + go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws v0.44.0 // indirect + go.opentelemetry.io/otel v1.18.0 // indirect + go.opentelemetry.io/otel/metric v1.18.0 // indirect + go.opentelemetry.io/otel/trace v1.18.0 // indirect golang.org/x/mod v0.12.0 // indirect - golang.org/x/net v0.14.0 // indirect + golang.org/x/net v0.15.0 // indirect golang.org/x/sys v0.12.0 // indirect golang.org/x/text v0.13.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index a2002011553..5c1d07ccb8f 100644 --- a/go.sum +++ b/go.sum @@ -74,6 +74,8 @@ github.com/aws/aws-sdk-go-v2/service/directoryservice v1.18.5 h1:prlnnmX0PYoho7c github.com/aws/aws-sdk-go-v2/service/directoryservice v1.18.5/go.mod h1:/kl14i35MzBB4oaVlmFVmTvdzTX5LiphIuRLyOJfoRU= github.com/aws/aws-sdk-go-v2/service/docdbelastic v1.3.0 h1:c9Ifajg9VU0b86Xd7B6KGpEUtbXbwAJj/8FAQN6ZBeg= github.com/aws/aws-sdk-go-v2/service/docdbelastic v1.3.0/go.mod h1:XLn8/EbqX+qGri306t4IPUBi+VmphNcsR+OJRxPlGqg= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 h1:EeNQ3bDA6hlx3vifHf7LT/l9dh9w7D2XgCdaD11TRU4= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5/go.mod h1:X3ThW5RPV19hi7bnQ0RMAiBjZbzxj4rZlj+qdctbMWY= github.com/aws/aws-sdk-go-v2/service/ec2 v1.120.0 h1:ksT76SStTSqusv5PekSW/WqnbPMzwJIZXH+rDMhazpQ= github.com/aws/aws-sdk-go-v2/service/ec2 v1.120.0/go.mod h1:0FhI2Rzcv5BNM3dNnbcCx2qa2naFZoAidJi11cQgzL0= github.com/aws/aws-sdk-go-v2/service/emrserverless v1.10.5 h1:hhQPiPD696RlbY56NsMYVnVsS9ySrZc6eYC9yafauPk= 
@@ -158,6 +160,8 @@ github.com/aws/aws-sdk-go-v2/service/sesv2 v1.20.0 h1:BVjuGDN2ek2gjSB46aIODXIYq3 github.com/aws/aws-sdk-go-v2/service/sesv2 v1.20.0/go.mod h1:qpAr/ear7teIUoBd1gaPbvavdICoo1XyAIHPVlyawQc= github.com/aws/aws-sdk-go-v2/service/signer v1.16.5 h1:nqZqDR44/ao9zQXyuCJI8L/C3QQIo4wtZyLtgwJfpEY= github.com/aws/aws-sdk-go-v2/service/signer v1.16.5/go.mod h1:gHTmxtN3p6WKxFhcOSvWBFfEbxDRFtwfxjj1S7shS64= +github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 h1:RyDpTOMEJO6ycxw1vU/6s0KLFaH3M0z/z9gXHSndPTk= +github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5/go.mod h1:RZBu4jmYz3Nikzpu/VuVvRnTEJ5a+kf36WT2fcl5Q+Q= github.com/aws/aws-sdk-go-v2/service/ssm v1.37.5 h1:s9QR0F1W5+11lq04OJ/mihpRpA2VDFIHmu+ktgAbNfg= github.com/aws/aws-sdk-go-v2/service/ssm v1.37.5/go.mod h1:JjBzoceyKkpQY3v1GPIdg6kHqUFHRJ7SDlwtwoH0Qh8= github.com/aws/aws-sdk-go-v2/service/ssmcontacts v1.17.0 h1:Edd9f7uEJkW6cWBqnXh93+s4tXUwojQrxiOZPnJ3/jg= @@ -214,6 +218,11 @@ github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7z github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+A= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= 
@@ -233,10 +242,10 @@ github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.21.0 h1:IUypt/TbXiJBkBbE3926CgnjD8IltAitdn7Yive61DY= github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.21.0/go.mod h1:cdTE6F2pCKQobug+RqRaQp7Kz9hIEqiSvpPmb6E5G1w= -github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.35 h1:07rX0OEHNSmD4TXQzHcVnaZJGYXaSaJR4ZhN8/bBRY4= -github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.35/go.mod h1:cR5oVK+h10mSG4T9eHaBAYfacxUlYI5vNfJuIRMGfMA= -github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.36 h1:xfEmtc8kXanlT5O9m1xqYXJRgsz5m1uBzeAFcq5wBh4= -github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.36/go.mod h1:AQknW73NE5hbAZn/ruNomae0OJUNf5xzsAi6yDndWgs= +github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.36 h1:PeXF9Lm40Y54iEHlFoirPjwWGEJUocZgxFOAyeaeKg8= +github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.36/go.mod h1:CMRjoqBNDv6ic4UMXjyrUVss92suk8ANVnJxErubAQE= +github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.37 h1:KniXhpwH0GC5v1YCSMrD2n1qW/aeSCJV6hzIQ03Jv9I= +github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.37/go.mod h1:nmFy7OOHTVqTYyckN4oTzLRYRheTbar4+92MXonc5BA= github.com/hashicorp/awspolicyequivalence v1.6.0 h1:7aadmkalbc5ewStC6g3rljx1iNvP4QyAhg2KsHx8bU8= github.com/hashicorp/awspolicyequivalence v1.6.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -398,10 +407,14 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zclconf/go-cty v1.14.0 h1:/Xrd39K7DXbHzlisFP9c4pHao4yyf+/Ug9LEz+Y/yhc= github.com/zclconf/go-cty v1.14.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= -go.opentelemetry.io/otel v1.16.0 h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s= -go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4= -go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs= -go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0= +go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws v0.44.0 h1:u2wxpWcQ6px9ACaIUX27ttNDx7B2OtTGRaIzvZOBsCQ= +go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws v0.44.0/go.mod h1:BmbXHiVZH22QIi98PXQtfD8YEA3lmnaEotGBn1vJ/X4= +go.opentelemetry.io/otel v1.18.0 h1:TgVozPGZ01nHyDZxK5WGPFB9QexeTMXEH7+tIClWfzs= +go.opentelemetry.io/otel v1.18.0/go.mod h1:9lWqYO0Db579XzVuCKFNPDl4s73Voa+zEck3wHaAYQI= +go.opentelemetry.io/otel/metric v1.18.0 h1:JwVzw94UYmbx3ej++CwLUQZxEODDj/pOuTCvzhtRrSQ= +go.opentelemetry.io/otel/metric v1.18.0/go.mod h1:nNSpsVDjWGfb7chbRLUNW+PBNdcSTHD4Uu5pfFMOI0k= +go.opentelemetry.io/otel/trace v1.18.0 h1:NY+czwbHbmndxojTEKiSMHkG2ClNH2PwmcHrdo0JY10= +go.opentelemetry.io/otel/trace v1.18.0/go.mod h1:T2+SGJGuYZY3bjj5rgh/hN7KIrlpWC5nS8Mjvzckz+0= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -411,8 +424,8 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= @@ -426,8 +439,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -472,8 +485,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= diff --git a/internal/conns/config.go b/internal/conns/config.go index d25bd6dbf2c..553e89335dc 100644 --- a/internal/conns/config.go +++ b/internal/conns/config.go @@ -14,6 +14,7 @@ import ( awsbasev1 "github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2" basediag "github.com/hashicorp/aws-sdk-go-base/v2/diag" "github.com/hashicorp/aws-sdk-go-base/v2/logging" + basevalidation "github.com/hashicorp/aws-sdk-go-base/v2/validation" "github.com/hashicorp/terraform-plugin-log/tflog" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-provider-aws/internal/errs" @@ -132,7 +133,7 @@ func (c *Config) ConfigureProvider(ctx context.Context, client *AWSClient) (*AWS } if !c.SkipRegionValidation { - if err := awsbase.ValidateRegion(cfg.Region); err != nil { + if err := basevalidation.SupportedRegion(cfg.Region); err != nil { return nil, sdkdiag.AppendFromErr(diags, err) } } 
From 0900dce62348d47050283a63f63f309e41feed2a Mon Sep 17 00:00:00 2001
From: Jared Baker
Date: Wed, 13 Sep 2023 16:51:32 -0400
Subject: [PATCH 2/6] internal/verify: add duplicate key check to ValidIAMPolicyJSON validator
---
 internal/verify/validate.go | 3 +++
 internal/verify/validate_test.go | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/internal/verify/validate.go b/internal/verify/validate.go
index 65d3c573f45..f8408784fcd 100644
--- a/internal/verify/validate.go
+++ b/internal/verify/validate.go
@@ -13,6 +13,7 @@ import (
 "github.com/YakDriver/regexache"
 "github.com/aws/aws-sdk-go/aws/arn"
+ basevalidation "github.com/hashicorp/aws-sdk-go-base/v2/validation"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -186,6 +187,8 @@ func ValidIAMPolicyJSON(v interface{}, k string) (ws []string, errors []error) {
 errStr = fmt.Sprintf("%s, at byte offset %d", errStr, err.Offset)
 }
 errors = append(errors, fmt.Errorf("%q contains an invalid JSON policy: %s", k, errStr))
+ } else if err := basevalidation.JSONNoDuplicateKeys(value); err != nil {
+ errors = append(errors, fmt.Errorf("%q contains duplicate JSON keys: %s", k, err))
 }
 return //nolint:nakedret // Just a long function.
diff --git a/internal/verify/validate_test.go b/internal/verify/validate_test.go
index 60dac3ae818..198d2ca076d 100644
--- a/internal/verify/validate_test.go
+++ b/internal/verify/validate_test.go
@@ -410,6 +410,10 @@ func TestValidIAMPolicyJSONString(t *testing.T) {
 Value: `[{}]`,
 WantError: `"json" contains an invalid JSON policy: contains a JSON array, not a JSON object`,
 },
+ {
+ Value: `{"a":"foo","a":"bar"}`,
+ WantError: `"json" contains duplicate JSON keys: duplicate key "a"`,
+ },
 }
 for _, test := range tests {
 test := test
From d186a61bc2e983f6d0df4522c6f095f163f3ce4f Mon Sep 17 00:00:00 2001
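Review bot: The new `else if` branch in ValidIAMPolicyJSON (internal/verify/validate.go) carries no comment saying why duplicate keys are rejected, and the reason is a security one that a later maintainer could undo without noticing: only one value survives for a repeated key, so the policy that reaches AWS can differ from the one written in the configuration. I would add `// Reject duplicate keys: only one value per key survives decoding, so the submitted policy could differ from the one written.` inside the new branch, next to the call to `basevalidation.JSONNoDuplicateKeys(value)`. The `if` this branch chains from, and any earlier checks in the function, start above the hunk, so it is worth confirming that no earlier return lets a value skip the new check. Formatting the cause with `%w` instead of `%s` would also keep the library error inspectable by callers.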
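Review bot: The table entry added to TestValidIAMPolicyJSONString exercises only a repeated key at the top level of the document, while the policies this validator protects repeat keys inside nested objects and array elements (the acceptance test in policy_test.go expects the path `Statement.0.Condition.StringEquals`). A second entry with a nested duplicate, for example the constructed value `{"Statement":[{"Effect":"Allow","Effect":"Deny"}]}`, would pin that behaviour in a unit test rather than only in an acceptance test; its `WantError` should carry whatever dotted path the library reports for that input. The enclosing test function starts and ends outside the hunk.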
From: Jared Baker
Date: Wed, 13 Sep 2023 16:52:02 -0400
Subject: [PATCH 3/6] r/aws_iam_role: switch assume_role_policy to stricter ValidIAMPolicyJSON validator
---
 internal/service/iam/role.go | 2 +-
 internal/service/iam/role_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go
index 3b025900e7b..d373cb1a0d2 100644
--- a/internal/service/iam/role.go
+++ b/internal/service/iam/role.go
@@ -60,7 +60,7 @@ func ResourceRole() *schema.Resource {
 "assume_role_policy": {
 Type: schema.TypeString,
 Required: true,
- ValidateFunc: validation.StringIsJSON,
+ ValidateFunc: verify.ValidIAMPolicyJSON,
 DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs,
 DiffSuppressOnRefresh: true,
 StateFunc: func(v interface{}) string {
diff --git a/internal/service/iam/role_test.go b/internal/service/iam/role_test.go
index e5d1977728a..cfa1c5e6513 100644
--- a/internal/service/iam/role_test.go
+++ b/internal/service/iam/role_test.go
@@ -382,7 +382,7 @@ func TestAccIAMRole_badJSON(t *testing.T) {
 Steps: []resource.TestStep{
 {
 Config: testAccRoleConfig_badJSON(rName),
- ExpectError: regexache.MustCompile(`.*contains an invalid JSON:.*`),
+ ExpectError: regexache.MustCompile(`.*contains an invalid JSON policy:.*`),
 },
 },
 })
From c57370b230d86805ac5850db73e62b164a3cfd2b Mon Sep 17 00:00:00 2001
From: Jared Baker
Date: Fri, 15 Sep 2023 16:11:45 -0400
Subject: [PATCH 4/6] r/aws_iam_policy(test): duplicate JSON keys
---
 internal/service/iam/policy_test.go | 47 +++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/internal/service/iam/policy_test.go b/internal/service/iam/policy_test.go
index 5bc4aa1c242..bc80ee6ee2c 100644
--- a/internal/service/iam/policy_test.go
+++ b/internal/service/iam/policy_test.go
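Review bot: The switch of `assume_role_policy` to `verify.ValidIAMPolicyJSON` in internal/service/iam/role.go is covered only by the updated malformed-JSON expectation in TestAccIAMRole_badJSON (role_test.go); nothing in this patch checks that a trust policy with a repeated key is rejected. The trust policy decides who may assume the role, so a silently dropped `Condition` or `Principal` entry is the case most worth pinning with a test. I would add a role test alongside TestAccIAMRole_badJSON that supplies a trust policy with a duplicated key and sets `ExpectError` to match the `contains duplicate JSON keys` message. Both ResourceRole and TestAccIAMRole_badJSON continue outside their hunks.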
@@ -338,6 +338,24 @@ func TestAccIAMPolicy_diffs(t *testing.T) { }) } +func TestAccIAMPolicy_policyDuplicateKeys(t *testing.T) { + ctx := acctest.Context(t) + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, iam.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckPolicyDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccPolicyConfig_policyDuplicateKeys(rName), + ExpectError: regexache.MustCompile(`"policy" contains duplicate JSON keys: duplicate key "Statement.0.Condition.StringEquals"`), + }, + }, + }) +} + func testAccCheckPolicyExists(ctx context.Context, n string, v *iam.Policy) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -616,3 +634,32 @@ resource "aws_iam_policy" "test" { } `, rName, tags) } + +func testAccPolicyConfig_policyDuplicateKeys(rName string) string { + return fmt.Sprintf(` +resource "aws_iam_policy" "test" { + name = %q + + policy = < Date: Thu, 21 Sep 2023 11:37:53 -0400 Subject: [PATCH 5/6] chore: changelog --- .changelog/33570.txt | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .changelog/33570.txt diff --git a/.changelog/33570.txt b/.changelog/33570.txt new file mode 100644 index 00000000000..1a44fa1d8de --- /dev/null +++ b/.changelog/33570.txt 
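Review bot: The `ExpectError` pattern in TestAccIAMPolicy_policyDuplicateKeys is a regular expression built from a literal message, so the dots in `Statement.0.Condition.StringEquals` match any character and the assertion is looser than it reads. Escaping them, `duplicate key "Statement\.0\.Condition\.StringEquals"`, makes the test fail if the reported key path changes shape. `CheckDestroy` is set although the only step is expected to fail validation, which looks harmless but unnecessary; worth confirming against the other validation-only tests in the file.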
@@ -0,0 +1,38 @@ +```release-note:note +resource/aws_iam_*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. +``` + +```release-note:bug +resource/aws_glacier_vault_lock: Fail validation if duplicated keys are found in `policy` +``` + +```release-note:bug +resource/aws_iam_role: Fail validation if duplicated keys are found in `assume_role_policy` +``` +```release-note:bug +resource/aws_iam_policy: Fail validation if duplicated keys are found in `policy` +``` +```release-note:bug +resource/aws_iam_group_policy: Fail validation if duplicated keys are found in `policy` +``` +```release-note:bug +resource/aws_iam_user_policy: Fail validation if duplicated keys are found in `policy` +``` +```release-note:bug +resource/aws_iam_role_policy: Fail validation if duplicated keys are found in `policy` +``` + +```release-note:bug +resource/aws_mediastore_container_policy: Fail validation if duplicated keys are found in `policy` +``` + +```release-note:bug +resource/aws_ssoadmin_permission_set_inline_policy: Fail validation if duplicated keys are found in `inline_policy` +``` + +```release-note:bug +resource/aws_transfer_access: Fail validation if duplicated keys are found in `policy` +``` +```release-note:bug +resource/aws_transfer_user: Fail validation if duplicated keys are found in `policy` +``` From 93743ec640f69cbc88d97b5a501ba857f53b37ee Mon Sep 17 00:00:00 2001 From: changelogbot Date: Tue, 26 Sep 2023 20:25:28 +0000 Subject: [PATCH 6/6] Update CHANGELOG.md for #33570 --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ef928dc860..5a7abe51d5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,13 @@ ## 5.19.0 (Unreleased) +NOTES: + +* resource/aws_iam_*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) + FEATURES: * **New Resource:** `aws_dms_replication_config` ([#32908](https://github.com/hashicorp/terraform-provider-aws/issues/32908)) +* **New Resource:** `aws_rds_custom_db_engine_version` ([#33285](https://github.com/hashicorp/terraform-provider-aws/issues/33285)) ENHANCEMENTS: 
@@ -16,7 +21,17 @@ ENHANCEMENTS: BUG FIXES: +* resource/aws_glacier_vault_lock: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_iam_group_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_iam_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_iam_role: Fail validation if duplicated keys are found in `assume_role_policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_iam_role_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_iam_user_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_mediastore_container_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) * resource/aws_s3_bucket_policy: Fix intermittent `couldn't find resource` errors on resource Create ([#33537](https://github.com/hashicorp/terraform-provider-aws/issues/33537)) +* resource/aws_ssoadmin_permission_set_inline_policy: Fail validation if duplicated keys are found in `inline_policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_transfer_access: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) +* resource/aws_transfer_user: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) ## 5.18.0 (September 21, 2023)