Merge pull request #34233 from danielgmyers-figma/allow-endpoints-to-override-fips-flag

Allow custom endpoints to override the use_fips_endpoint flag for individual services.

Author: gdavison

.changelog/34233.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: The `use_fips_endpoint` flag is now ignored for any service with a custom endpoint configured in `endpoints`.
+```

internal/conns/awsclient.go

@@ -23,6 +23,7 @@ import (
 	opsworks_sdkv1 "github.com/aws/aws-sdk-go/service/opsworks"
 	rds_sdkv1 "github.com/aws/aws-sdk-go/service/rds"
 	baselogging "github.com/hashicorp/aws-sdk-go-base/v2/logging"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 	"github.com/hashicorp/terraform-provider-aws/names"
@@ -344,6 +345,8 @@ func resolveServiceBaseEndpoint(ctx context.Context, sdkID string, configs []any
 // The default service client (`extra` is empty) is cached. In this case the AWSClient lock is held.
 // This function is not a method on `AWSClient` as methods can't be parameterized (https://go.googlesource.com/proposal/+/refs/heads/master/design/43651-type-parameters.md#no-parameterized-methods).
 func conn[T any](ctx context.Context, c *AWSClient, servicePackageName string, extra map[string]any) (T, error) {
+	ctx = tflog.SetField(ctx, "tf_aws.service_package", servicePackageName)
+
 	isDefault := len(extra) == 0
 	// Default service client is cached.
 	if isDefault {
@@ -404,6 +407,8 @@ func conn[T any](ctx context.Context, c *AWSClient, servicePackageName string, e
 // The default service client (`extra` is empty) is cached. In this case the AWSClient lock is held.
 // This function is not a method on `AWSClient` as methods can't be parameterized (https://go.googlesource.com/proposal/+/refs/heads/master/design/43651-type-parameters.md#no-parameterized-methods).
 func client[T any](ctx context.Context, c *AWSClient, servicePackageName string, extra map[string]any) (T, error) {
+	ctx = tflog.SetField(ctx, "tf_aws.service_package", servicePackageName)
+
 	isDefault := len(extra) == 0
 	// Default service client is cached.
 	if isDefault {

…/generate/serviceendpointtests/file.tmpl …/generate/serviceendpointtests/file.gtplinternal/generate/serviceendpointtests/file.tmpl renamed to internal/generate/serviceendpointtests/file.gtpl internal/generate/serviceendpointtests/file.tmpl renamed to internal/generate/serviceendpointtests/file.gtpl

@@ -449,6 +449,23 @@ func TestEndpointConfiguration(t *testing.T) { //nolint:paralleltest // uses t.S
 			},
 			expected: expectBaseConfigFileEndpoint(),
 		},
+
+		// Use FIPS endpoint on Config
+
+		"use fips config": {
+			with: []setupFunc{
+				withUseFIPSInConfig,
+			},
+			expected: expectDefaultFIPSEndpoint(region),
+		},
+
+		"use fips config with package name endpoint config": {
+			with: []setupFunc{
+				withUseFIPSInConfig,
+				withPackageNameEndpointInConfig,
+			},
+			expected: expectPackageNameConfigEndpoint(),
+		},
 	}
 
 	{{ if and (ne .GoV1Package "") (ne .GoV2Package "") }}
@@ -521,6 +538,44 @@ func defaultEndpoint(region string) string {
 {{ end -}}
 }
 
+func defaultFIPSEndpoint(region string) string {
+{{- if ne .GoV2Package "" }}
+	r := {{ .GoV2Package }}_sdkv2.NewDefaultEndpointResolverV2()
+
+	ep, err := r.ResolveEndpoint(context.Background(), {{ .GoV2Package }}_sdkv2.EndpointParameters{
+		Region:  aws_sdkv2.String(region),
+		UseFIPS: aws_sdkv2.Bool(true),
+	})
+	if err != nil {
+		return err.Error()
+	}
+
+	if ep.URI.Path == "" {
+		ep.URI.Path = "/"
+	}
+
+	return ep.URI.String()
+{{ else }}
+	r := endpoints.DefaultResolver()
+
+	ep, err := r.EndpointFor({{ .GoV1Package }}_sdkv1.EndpointsID, region, func(opt *endpoints.Options) {
+		{{- if .V1NameResolverNeedsUnknownService }}opt.ResolveUnknownService = true{{ end }}
+		opt.UseFIPSEndpoint = endpoints.FIPSEndpointStateEnabled
+	})
+	if err != nil {
+		return err.Error()
+	}
+
+	url, _ := url.Parse(ep.URL)
+
+	if url.Path == "" {
+		url.Path = "/"
+	}
+
+	return url.String()
+{{ end -}}
+}
+
 {{ if ne .GoV2Package "" }}
 func callService{{ if ne .GoV1Package "" }}V2{{ end }}(ctx context.Context, t *testing.T, meta *conns.AWSClient) string {
 	t.Helper()
@@ -637,12 +692,22 @@ func withBaseEndpointInConfigFile(setup *caseSetup) {
 	setup.configFile.baseUrl = baseConfigFileEndpoint
 }
 
+func withUseFIPSInConfig(setup *caseSetup) {
+	setup.config["use_fips_endpoint"] = true
+}
+
 func expectDefaultEndpoint(region string) caseExpectations {
 	return caseExpectations{
 		endpoint: defaultEndpoint(region),
 	}
 }
 
+func expectDefaultFIPSEndpoint(region string) caseExpectations {
+	return caseExpectations{
+		endpoint: defaultFIPSEndpoint(region),
+	}
+}
+
 func expectPackageNameConfigEndpoint() caseExpectations {
 	return caseExpectations{
 		endpoint: packageNameConfigEndpoint,

internal/generate/serviceendpointtests/main.go

@@ -133,5 +133,5 @@ type TemplateData struct {
 	ImportAwsTypes                    bool
 }
 
-//go:embed file.tmpl
+//go:embed file.gtpl
 var tmpl string

internal/generate/servicepackage/file.tmpl

@@ -8,13 +8,17 @@ import (
 {{if not .SkipClientGenerate }}
 	{{- if eq .SDKVersion "1" "1,2" }}
 	aws_sdkv1 "github.com/aws/aws-sdk-go/aws"
+	endpoints_sdkv1 "github.com/aws/aws-sdk-go/aws/endpoints"
 	session_sdkv1 "github.com/aws/aws-sdk-go/aws/session"
 	{{ .GoV1Package }}_sdkv1 "github.com/aws/aws-sdk-go/service/{{ .GoV1Package }}"
 	{{- end }}
 	{{- if eq .SDKVersion "2" "1,2" }}
 	aws_sdkv2 "github.com/aws/aws-sdk-go-v2/aws"
 	{{ .GoV2Package }}_sdkv2 "github.com/aws/aws-sdk-go-v2/service/{{ .GoV2Package }}"
 	{{- end }}
+	{{- if .SDKVersion }}
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	{{- end }}
 {{- end }}
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/types"
@@ -133,7 +137,21 @@ func (p *servicePackage) ServicePackageName() string {
 func (p *servicePackage) NewConn(ctx context.Context, config map[string]any) (*{{ .GoV1Package }}_sdkv1.{{ .GoV1ClientTypeName }}, error) {
 	sess := config[names.AttrSession].(*session_sdkv1.Session)
 
-	return {{ .GoV1Package }}_sdkv1.New(sess.Copy(&aws_sdkv1.Config{Endpoint: aws_sdkv1.String(config[names.AttrEndpoint].(string))})), nil
+	cfg := aws_sdkv1.Config{}
+
+	if endpoint := config[names.AttrEndpoint].(string); endpoint != "" {
+		tflog.Debug(ctx, "setting endpoint", map[string]any{
+			"tf_aws.endpoint": endpoint,
+		})
+		cfg.Endpoint = aws_sdkv1.String(endpoint)
+
+		if sess.Config.UseFIPSEndpoint == endpoints_sdkv1.FIPSEndpointStateEnabled {
+			tflog.Debug(ctx, "endpoint set, ignoring UseFIPSEndpoint setting")
+			cfg.UseFIPSEndpoint = endpoints_sdkv1.FIPSEndpointStateDisabled
+		}
+	}
+
+	return {{ .GoV1Package }}_sdkv1.New(sess.Copy(&cfg)), nil
 }
 	{{- end }}
 
@@ -144,7 +162,15 @@ func (p *servicePackage) NewClient(ctx context.Context, config map[string]any) (
 
 	return {{ .GoV2Package }}_sdkv2.NewFromConfig(cfg, func(o *{{ .GoV2Package }}_sdkv2.Options) {
 		if endpoint := config[names.AttrEndpoint].(string); endpoint != "" {
+			tflog.Debug(ctx, "setting endpoint", map[string]any{
+				"tf_aws.endpoint": endpoint,
+			})
 			o.BaseEndpoint = aws_sdkv2.String(endpoint)
+
+			if (o.EndpointOptions.UseFIPSEndpoint == aws_sdkv2.FIPSEndpointStateEnabled) {
+				tflog.Debug(ctx, "endpoint set, ignoring UseFIPSEndpoint setting")
+				o.EndpointOptions.UseFIPSEndpoint = aws_sdkv2.FIPSEndpointStateDisabled
+			}
 		}
 	}), nil
 }

internal/provider/provider_acc_test.go

@@ -158,7 +158,7 @@ func TestAccProvider_endpoints(t *testing.T) {
 	})
 }
 
-func TestAccProvider_fipsEndpoint(t *testing.T) {
+func TestAccProvider_customEndpoint(t *testing.T) {
 	ctx := acctest.Context(t)
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_s3_bucket.test"
@@ -170,7 +170,8 @@ func TestAccProvider_fipsEndpoint(t *testing.T) {
 		CheckDestroy:             nil,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccProviderConfig_fipsEndpoint(fmt.Sprintf("https://s3-fips.%s.%s", acctest.Region(), acctest.PartitionDNSSuffix()), rName),
+				// The fips endpoint is used here just because it's a valid endpoint that isn't the normal endpoint.
+				Config: testAccProviderConfig_customS3Endpoint(fmt.Sprintf("https://s3-fips.%s.%s", acctest.Region(), acctest.PartitionDNSSuffix()), rName),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "bucket", rName),
 				),
@@ -210,6 +211,48 @@ func TestAccProvider_unusualEndpoints(t *testing.T) {
 	})
 }
 
+func TestAccProvider_useFipsEndpointFlag(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_s3_bucket.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProviderConfig_useFipsEndpointFlag(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "bucket", rName),
+				),
+			},
+		},
+	})
+}
+
+func TestAccProvider_overrideUseFipsEndpointFlagForOneService(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_appconfig_application.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProviderConfig_overridesUseFipsEndpointFlagForAppConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", rName),
+				),
+			},
+		},
+	})
+}
+
 func TestAccProvider_IgnoreTags_emptyBlock(t *testing.T) {
 	ctx := acctest.Context(t)
 	var provider *schema.Provider
@@ -970,7 +1013,7 @@ provider "aws" {
 `, endpoints))
 }
 
-func testAccProviderConfig_fipsEndpoint(endpoint, rName string) string {
+func testAccProviderConfig_customS3Endpoint(endpoint, rName string) string {
 	//lintignore:AT004
 	return acctest.ConfigCompose(testAccProviderConfig_base, fmt.Sprintf(`
 provider "aws" {
@@ -1003,6 +1046,37 @@ provider "aws" {
 `, unusual1.fieldName, unusual1.url, unusual2.fieldName, unusual2.url, unusual3.fieldName, unusual3.url))
 }
 
+func testAccProviderConfig_useFipsEndpointFlag(rName string) string {
+	//lintignore:AT004
+	return acctest.ConfigCompose(testAccProviderConfig_base, fmt.Sprintf(`
+provider "aws" {
+  use_fips_endpoint = true
+}
+
+resource "aws_s3_bucket" "test" {
+  bucket        = %[1]q
+  force_destroy = true
+}
+`, rName))
+}
+
+func testAccProviderConfig_overridesUseFipsEndpointFlagForAppConfig(rName string) string {
+	appconfig_endpoint := fmt.Sprintf("https://appconfig.%s.%s", acctest.Region(), acctest.PartitionDNSSuffix())
+	//lintignore:AT004
+	return acctest.ConfigCompose(testAccProviderConfig_base, fmt.Sprintf(`
+provider "aws" {
+  use_fips_endpoint = true
+  endpoints {
+	appconfig = %[1]q
+  }
+}
+
+resource "aws_appconfig_application" "test" {
+  name = %[2]q
+}
+`, appconfig_endpoint, rName))
+}
+
 func testAccProviderConfig_ignoreTagsKeys0() string {
 	//lintignore:AT004
 	return acctest.ConfigCompose(testAccProviderConfig_base, `