r/aws_bedrockagentcore_oauth2_credential_provider: add atlassian/linkedin providers and external secret config#48723
Conversation
…edin providers and external secret config Adds the atlassian_oauth2_provider_config and linkedin_oauth2_provider_config provider variants (matching the SDK Oauth2ProviderConfigInput union), plus the client_secret_source and client_secret_config arguments on every provider block for externally-managed (AWS Secrets Manager) client secrets. Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1.
Protocol v5 cannot have a nested attribute (ListNestedAttribute) inside a block; client_secret_config must be a ListNestedBlock like oauth_discovery.
…tten The zero value of fwtypes.ListNestedObjectValueOf has no element type and panics when serialized. Initialize ClientSecretConfig to a valid null when propagating client credentials that were never set in configuration.
Community GuidelinesThis comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀 Voting for Prioritization
Pull Request Authors
|
|
Closing in favor of #48517 (which already adds the |
|
Warning This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
Rollback Plan
If a change needs to be reverted, we will publish an updated version of the library.
Changes to Security Controls
This adds support for referencing an externally-managed client secret stored in AWS Secrets Manager (
client_secret_source = "EXTERNAL"+client_secret_config). It surfaces an existing service capability; it does not change provider-side access controls, encryption, or logging.Description
Brings
aws_bedrockagentcore_oauth2_credential_providercloser to full parity with theOauth2ProviderConfigInputunion in the AgentCore SDK. Two categories of gap are closed:atlassian_oauth2_provider_configandlinkedin_oauth2_provider_config, matching the SDK union variants of the same names. Both follow the existing predefined-provider shape (client credentials + computedoauth_discovery).client_secret_source(MANAGED/EXTERNAL) and theclient_secret_configblock (secret_id,json_key) to every OAuth2 provider configuration block, so a client secret can be sourced from an AWS Secrets Manager secret you manage.The
Oauth2ProviderConfigInputunion has additional members (included) and the custom provider has further fields (private_endpoint,on_behalf_of_token_exchange_config,client_authentication_method) that are more complex and depend on nested union/struct shapes; those are deliberately left to a follow-up PR to keep this change reviewable.Source of truth:
aws-sdk-go-v2service/bedrockagentcorecontrolv1.45.1(the version pinned by the provider).Relations
Relates #0000
References
Oauth2ProviderConfigInput/AtlassianOauth2ProviderConfigInput/LinkedinOauth2ProviderConfigInput/SecretReferenceinaws-sdk-go-v2service/bedrockagentcorecontrol@v1.45.1Output from Acceptance Testing