r/aws_bedrockagentcore_oauth2_credential_provider: add custom provider endpoint and token-exchange config#48726
Conversation
…edin providers and external secret config Adds the atlassian_oauth2_provider_config and linkedin_oauth2_provider_config provider variants (matching the SDK Oauth2ProviderConfigInput union), plus the client_secret_source and client_secret_config arguments on every provider block for externally-managed (AWS Secrets Manager) client secrets. Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1.
Protocol v5 cannot have a nested attribute (ListNestedAttribute) inside a block; client_secret_config must be a ListNestedBlock like oauth_discovery.
…tten The zero value of fwtypes.ListNestedObjectValueOf has no element type and panics when serialized. Initialize ClientSecretConfig to a valid null when propagating client credentials that were never set in configuration.
…r endpoint and token-exchange config Adds the remaining CustomOauth2ProviderConfigInput fields: client_authentication_method, on_behalf_of_token_exchange_config (with nested token_exchange_grant_type_config), private_endpoint, and private_endpoint_overrides. Reuses the existing private endpoint models from gateway_target. Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1.
Community GuidelinesThis comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀 Voting for Prioritization
Pull Request Authors
|
|
Closing to avoid duplication. The |
|
Warning This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
Rollback Plan
If a change needs to be reverted, we will publish an updated version of the library.
Changes to Security Controls
This adds configuration for private (VPC Lattice) connectivity and on-behalf-of token exchange for the custom OAuth2 provider. It surfaces existing service capabilities; it does not change provider-side access controls, encryption, or logging.
Description
Completes parity for the
CustomOauth2ProviderConfigInputshape in the AgentCore SDK by adding the remaining custom-provider fields tocustom_oauth2_provider_config:client_authentication_method- client authentication method used with the token endpoint (CLIENT_SECRET_BASIC,CLIENT_SECRET_POST,AWS_IAM_ID_TOKEN_JWT).on_behalf_of_token_exchange_config- on-behalf-of token exchange configuration (RFC 8693 / RFC 7523), with nestedtoken_exchange_grant_type_config(actor_token_content,actor_token_scopes).private_endpoint- default private endpoint (managed_vpc_resource/self_managed_lattice_resource), reusing the existing private-endpoint models fromaws_bedrockagentcore_gateway_target.private_endpoint_overrides- per-domain private endpoint overrides.Source of truth:
aws-sdk-go-v2service/bedrockagentcorecontrolv1.45.1(the version pinned by the provider).Relations
Relates #0000
References
CustomOauth2ProviderConfigInput/OnBehalfOfTokenExchangeConfigType/PrivateEndpointinaws-sdk-go-v2service/bedrockagentcorecontrol@v1.45.1Output from Acceptance Testing
private_endpoint/private_endpoint_overridesrequire VPC Lattice infrastructure and are exercised via unit-level flatten/expand and plan validation rather than a full acceptance test; the shapes reuse the provenaws_bedrockagentcore_gateway_targetprivate-endpoint implementation.