Skip to content

r/aws_bedrockagentcore_oauth2_credential_provider: support atlassian, linkedin, and included OAuth2 provider configs#48517

Open
jesseturner21 wants to merge 8 commits into
hashicorp:mainfrom
jesseturner21:agentcore/oauth2_credential_provider
Open

r/aws_bedrockagentcore_oauth2_credential_provider: support atlassian, linkedin, and included OAuth2 provider configs#48517
jesseturner21 wants to merge 8 commits into
hashicorp:mainfrom
jesseturner21:agentcore/oauth2_credential_provider

Conversation

@jesseturner21

@jesseturner21 jesseturner21 commented Jun 22, 2026

Copy link
Copy Markdown

Description

The AgentCore Control API's Oauth2ProviderConfigInput union (as exposed in the
SDK) has grown three new variants that the Terraform schema did not yet expose.
This adds them to aws_bedrockagentcore_oauth2_credential_provider, each
following the existing "basic" provider-config pattern (client id/secret +
write-only credentials + computed oauth_discovery):

  • atlassian_oauth2_provider_config
  • linkedin_oauth2_provider_config
  • included_oauth2_provider_config

Note: the SDK Create-input member oauth2ProviderConfigInput was reported as a
coverage gap, but it is already wired up via the existing oauth2_provider_config
block (AutoFlEx WithFieldNameSuffix("Input")). The real gaps were the union
variants inside it.

Source

Testing

TF_ACC=1 go test -v -timeout 60m ./internal/service/bedrockagentcore/ \
  -run "TestAccBedrockAgentCoreOAuth2CredentialProvider_(basic|atlassian|linkedin|included)$"

--- PASS: TestAccBedrockAgentCoreOAuth2CredentialProvider_included (27.56s)
--- PASS: TestAccBedrockAgentCoreOAuth2CredentialProvider_linkedin (27.57s)
--- PASS: TestAccBedrockAgentCoreOAuth2CredentialProvider_atlassian (27.59s)
--- PASS: TestAccBedrockAgentCoreOAuth2CredentialProvider_basic (28.57s)
PASS
ok  github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore	28.732s

Deferred (intentionally out of scope)

These additional SDK fields exist but are not returned in the corresponding
*Output shapes, so they require the same hand-written state-propagation the
resource already uses for client credentials (otherwise they null out on refresh
→ "inconsistent result after apply"). Deferred to a focused follow-up:

  • client_secret_source / client_secret_config (all variants)
  • microsoft_oauth2_provider_config.tenant_id
  • included_oauth2_provider_config issuer / authorization_endpoint / token_endpoint
  • custom-only: client_authentication_method, on_behalf_of_token_exchange_config,
    private_endpoint, private_endpoint_overrides, and
    authorization_server_metadata.token_endpoint_auth_methods

@github-actions

Copy link
Copy Markdown
Contributor

Welcome @jesseturner21 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider repository. Thank you very much for taking the time to do so, and welcome to the community! 🎉


Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions Bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/bedrockagentcore Issues and PRs that pertain to the bedrockagentcore service. size/L Managed by automation to categorize the size of a PR. labels Jun 22, 2026
Adds TestAccBedrockAgentCoreOAuth2CredentialProvider_included covering the
included_oauth2_provider_config block (using the XOauth2 vendor, verified to
create with only client_id/client_secret).

Documents that included_oauth2_provider_config currently supports only
fixed-endpoint vendors (e.g. XOauth2, FacebookOauth2, SpotifyOauth2);
isolated-tenant vendors (OktaOauth2, PingOneOauth2, OneLoginOauth2) require the
issuer/authorization_endpoint/token_endpoint fields that remain deferred and
fail at create with 'Missing TokenEndpoint'.
@github-actions github-actions Bot added size/XL Managed by automation to categorize the size of a PR. and removed size/L Managed by automation to categorize the size of a PR. labels Jun 23, 2026
@jesseturner21 jesseturner21 marked this pull request as ready for review June 23, 2026 21:06
@jesseturner21 jesseturner21 requested a review from a team as a code owner June 23, 2026 21:06
@dosubot dosubot Bot added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 23, 2026
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jun 25, 2026
…t config and custom endpoint/token-exchange

Stacked on hashicorp#48517 (jesseturner21). Adds the remaining CreateOauth2CredentialProviderInput
gaps not covered by hashicorp#48517 or hashicorp#48658:
- client_secret_source + client_secret_config (external AWS Secrets Manager secret) on all provider blocks
- custom-only: client_authentication_method, on_behalf_of_token_exchange_config
  (+ token_exchange_grant_type_config), private_endpoint, private_endpoint_overrides

Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1. NOT PUSHED —
awaiting coordination with hashicorp#48517 author before contributing upstream.
…et-and-endpoint

Add external secret config and custom endpoint/token-exchange to oauth2 credential provider
…and clearing bugs

- ValidateConfig enforces the MANAGED/EXTERNAL client-secret contract that
  static AlsoRequires cannot express: EXTERNAL forbids inline client_secret
  (the secret is referenced via client_secret_config), and client_id is
  required for CLIENT_SECRET_BASIC/POST. Previously the AlsoRequires pairing
  made every EXTERNAL configuration for BASIC/POST unrepresentable.
- listvalidator.AlsoRequires on private_endpoint_overrides moves the
  "requires sibling private_endpoint" error from apply-time API rejection
  to plan-time.
- listvalidator.ExactlyOneOf across the nine oauth2_provider_config blocks
  (attached once; the framework tallies every sibling even when the
  attached block is null) catches multi-member configs (which previously
  silently dropped members and could leave orphaned resources on apply)
  and empty oauth2_provider_config {} at plan time. Same treatment for
  oauth_discovery discovery_url / authorization_server_metadata.
- Document via a comment on ImportState and the new EXTERNAL acctest that
  client_secret_source, client_secret_config, client_id, and client_secret
  are input-only fields (absent from GetOauth2CredentialProviderOutput);
  they belong on ImportStateVerifyIgnore and a single subsequent apply
  reconciles state.

Add acctests exercising the EXTERNAL secret path end-to-end and the new
plan-time validators (ExpectError for the invalid combinations).
…earing coverage

Fills high-value acceptance-test gaps for transitions the suite did not exercise:
- name change forces replacement (RequiresReplace)
- credential_provider_vendor change forces replacement (RequiresReplace)
- removing on_behalf_of_token_exchange_config converges (set->unset clearing)
…itation

OAuth2 client credentials are input-only in the AgentCore API and absent from
the read (GET) response, so on import client_id, client_secret,
client_secret_source, client_secret_config, and the write-only credential
arguments cannot be recovered from the service. The first plan after import
shows them as additions until one apply reconciles state from configuration.
The acceptance test already covers this via ImportStateVerifyIgnore; this adds
the user-facing note under the Import section.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/bedrockagentcore Issues and PRs that pertain to the bedrockagentcore service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants