r/aws_bedrockagentcore_oauth2_credential_provider: support atlassian, linkedin, and included OAuth2 provider configs#48517
Open
jesseturner21 wants to merge 8 commits into
Conversation
…kedin, and included provider config types
Contributor
|
Welcome @jesseturner21 👋 It looks like this is your first Pull Request submission to the Terraform AWS Provider repository. Thank you very much for taking the time to do so, and welcome to the community! 🎉 Community GuidelinesThis comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀 Voting for Prioritization
Pull Request Authors
|
Adds TestAccBedrockAgentCoreOAuth2CredentialProvider_included covering the included_oauth2_provider_config block (using the XOauth2 vendor, verified to create with only client_id/client_secret). Documents that included_oauth2_provider_config currently supports only fixed-endpoint vendors (e.g. XOauth2, FacebookOauth2, SpotifyOauth2); isolated-tenant vendors (OktaOauth2, PingOneOauth2, OneLoginOauth2) require the issuer/authorization_endpoint/token_endpoint fields that remain deferred and fail at create with 'Missing TokenEndpoint'.
…t config and custom endpoint/token-exchange Stacked on hashicorp#48517 (jesseturner21). Adds the remaining CreateOauth2CredentialProviderInput gaps not covered by hashicorp#48517 or hashicorp#48658: - client_secret_source + client_secret_config (external AWS Secrets Manager secret) on all provider blocks - custom-only: client_authentication_method, on_behalf_of_token_exchange_config (+ token_exchange_grant_type_config), private_endpoint, private_endpoint_overrides Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1. NOT PUSHED — awaiting coordination with hashicorp#48517 author before contributing upstream.
This was referenced Jul 1, 2026
…et-and-endpoint Add external secret config and custom endpoint/token-exchange to oauth2 credential provider
…and clearing bugs
- ValidateConfig enforces the MANAGED/EXTERNAL client-secret contract that
static AlsoRequires cannot express: EXTERNAL forbids inline client_secret
(the secret is referenced via client_secret_config), and client_id is
required for CLIENT_SECRET_BASIC/POST. Previously the AlsoRequires pairing
made every EXTERNAL configuration for BASIC/POST unrepresentable.
- listvalidator.AlsoRequires on private_endpoint_overrides moves the
"requires sibling private_endpoint" error from apply-time API rejection
to plan-time.
- listvalidator.ExactlyOneOf across the nine oauth2_provider_config blocks
(attached once; the framework tallies every sibling even when the
attached block is null) catches multi-member configs (which previously
silently dropped members and could leave orphaned resources on apply)
and empty oauth2_provider_config {} at plan time. Same treatment for
oauth_discovery discovery_url / authorization_server_metadata.
- Document via a comment on ImportState and the new EXTERNAL acctest that
client_secret_source, client_secret_config, client_id, and client_secret
are input-only fields (absent from GetOauth2CredentialProviderOutput);
they belong on ImportStateVerifyIgnore and a single subsequent apply
reconciles state.
Add acctests exercising the EXTERNAL secret path end-to-end and the new
plan-time validators (ExpectError for the invalid combinations).
…earing coverage Fills high-value acceptance-test gaps for transitions the suite did not exercise: - name change forces replacement (RequiresReplace) - credential_provider_vendor change forces replacement (RequiresReplace) - removing on_behalf_of_token_exchange_config converges (set->unset clearing)
…itation OAuth2 client credentials are input-only in the AgentCore API and absent from the read (GET) response, so on import client_id, client_secret, client_secret_source, client_secret_config, and the write-only credential arguments cannot be recovered from the service. The first plan after import shows them as additions until one apply reconciles state from configuration. The acceptance test already covers this via ImportStateVerifyIgnore; this adds the user-facing note under the Import section.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The AgentCore Control API's
Oauth2ProviderConfigInputunion (as exposed in theSDK) has grown three new variants that the Terraform schema did not yet expose.
This adds them to
aws_bedrockagentcore_oauth2_credential_provider, eachfollowing the existing "basic" provider-config pattern (client id/secret +
write-only credentials + computed
oauth_discovery):atlassian_oauth2_provider_configlinkedin_oauth2_provider_configincluded_oauth2_provider_configNote: the SDK Create-input member
oauth2ProviderConfigInputwas reported as acoverage gap, but it is already wired up via the existing
oauth2_provider_configblock (AutoFlEx
WithFieldNameSuffix("Input")). The real gaps were the unionvariants inside it.
Source
aws/aws-sdk-go-v2@dfa27a6c6ef442e9e27034e9b4992c7c3a3e9092(service/bedrockagentcorecontrol/api_op_CreateOauth2CredentialProvider.go#L30-L56)Testing
Deferred (intentionally out of scope)
These additional SDK fields exist but are not returned in the corresponding
*Outputshapes, so they require the same hand-written state-propagation theresource already uses for client credentials (otherwise they null out on refresh
→ "inconsistent result after apply"). Deferred to a focused follow-up:
client_secret_source/client_secret_config(all variants)microsoft_oauth2_provider_config.tenant_idincluded_oauth2_provider_configissuer / authorization_endpoint / token_endpointclient_authentication_method,on_behalf_of_token_exchange_config,private_endpoint,private_endpoint_overrides, andauthorization_server_metadata.token_endpoint_auth_methods