Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions internal/service/bedrockagentcore/oauth2_credential_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -379,6 +379,17 @@ func (r *oauth2CredentialProviderResource) Schema(ctx context.Context, request r
"token_endpoint": schema.StringAttribute{
Required: true,
},
"token_endpoint_auth_methods": schema.SetAttribute{
CustomType: fwtypes.SetOfStringType,
ElementType: types.StringType,
Optional: true,
Validators: []validator.Set{
setvalidator.SizeBetween(1, 2),
setvalidator.ValueStringsAre(
stringvalidator.RegexMatches(regexache.MustCompile(`^(client_secret_post|client_secret_basic)$`), ""),
),
},
},
},
},
},
Expand Down Expand Up @@ -1148,8 +1159,9 @@ func (m oauth2DiscoveryModel) Expand(ctx context.Context) (any, diag.Diagnostics
}

type oauth2AuthorizationServerMetadataModel struct {
AuthorizationEndpoint types.String `tfsdk:"authorization_endpoint"`
Issuer types.String `tfsdk:"issuer"`
ResponseTypes fwtypes.SetOfString `tfsdk:"response_types"`
TokenEndpoint types.String `tfsdk:"token_endpoint"`
AuthorizationEndpoint types.String `tfsdk:"authorization_endpoint"`
Issuer types.String `tfsdk:"issuer"`
ResponseTypes fwtypes.SetOfString `tfsdk:"response_types"`
TokenEndpoint types.String `tfsdk:"token_endpoint"`
TokenEndpointAuthMethods fwtypes.SetOfString `tfsdk:"token_endpoint_auth_methods"`
}
Original file line number Diff line number Diff line change
Expand Up @@ -178,16 +178,48 @@ func TestAccBedrockAgentCoreOAuth2CredentialProvider_authorizationServerMetadata
CheckDestroy: testAccCheckOAuth2CredentialProviderDestroy(ctx, t),
Steps: []resource.TestStep{
{
Config: testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadata(rName, "keycloak-client-id", "keycloak-client-secret", 1, "https://auth.company.com/realms/production", "https://auth.company.com/realms/production/protocol/openid-connect/auth", "https://auth.company.com/realms/production/protocol/openid-connect/token", "code", "id_token"),
Config: testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadata(rName, "keycloak-client-id", "keycloak-client-secret", 1, "https://auth.company.com/realms/production", "https://auth.company.com/realms/production/protocol/openid-connect/auth", "https://auth.company.com/realms/production/protocol/openid-connect/token", "code", "id_token", `["client_secret_post", "client_secret_basic"]`),
Check: resource.ComposeAggregateTestCheckFunc(
testAccCheckOAuth2CredentialProviderExists(ctx, t, resourceName, &oauth2credentialprovider),
resource.TestCheckResourceAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.#", "2"),
resource.TestCheckTypeSetElemAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.*", "client_secret_post"),
resource.TestCheckTypeSetElemAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.*", "client_secret_basic"),
),
ConfigPlanChecks: resource.ConfigPlanChecks{
PreApply: []plancheck.PlanCheck{
plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
},
},
},
{
// Update the set from two methods to one: proves token_endpoint_auth_methods
// mutates in place and round-trips (not a spurious replace).
Config: testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadata(rName, "keycloak-client-id", "keycloak-client-secret", 1, "https://auth.company.com/realms/production", "https://auth.company.com/realms/production/protocol/openid-connect/auth", "https://auth.company.com/realms/production/protocol/openid-connect/token", "code", "id_token", `["client_secret_basic"]`),
Check: resource.ComposeAggregateTestCheckFunc(
testAccCheckOAuth2CredentialProviderExists(ctx, t, resourceName, &oauth2credentialprovider),
resource.TestCheckResourceAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.#", "1"),
resource.TestCheckTypeSetElemAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.*", "client_secret_basic"),
),
ConfigPlanChecks: resource.ConfigPlanChecks{
PreApply: []plancheck.PlanCheck{
plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
},
},
},
{
// Remove token_endpoint_auth_methods entirely (set->unset): the API clears
// it and the null read-back matches, so there is no perpetual diff.
Config: testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadataNoAuthMethods(rName, "keycloak-client-id", "keycloak-client-secret", 1, "https://auth.company.com/realms/production", "https://auth.company.com/realms/production/protocol/openid-connect/auth", "https://auth.company.com/realms/production/protocol/openid-connect/token", "code", "id_token"),
Check: resource.ComposeAggregateTestCheckFunc(
testAccCheckOAuth2CredentialProviderExists(ctx, t, resourceName, &oauth2credentialprovider),
resource.TestCheckResourceAttr(resourceName, "oauth2_provider_config.0.custom_oauth2_provider_config.0.oauth_discovery.0.authorization_server_metadata.0.token_endpoint_auth_methods.#", "0"),
),
ConfigPlanChecks: resource.ConfigPlanChecks{
PreApply: []plancheck.PlanCheck{
plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
},
},
},
{
ResourceName: resourceName,
ImportState: true,
Expand Down Expand Up @@ -621,7 +653,34 @@ resource "aws_bedrockagentcore_oauth2_credential_provider" "test" {
`, rName, clientId, clientSecret, version, discoveryURL)
}

func testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadata(rName, clientId, clientSecret string, version int, issuer, authEndpoint, tokenEndpoint, responseType1, responseType2 string) string {
func testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadata(rName, clientId, clientSecret string, version int, issuer, authEndpoint, tokenEndpoint, responseType1, responseType2, authMethods string) string {
return fmt.Sprintf(`
resource "aws_bedrockagentcore_oauth2_credential_provider" "test" {
name = %[1]q

credential_provider_vendor = "CustomOauth2"
oauth2_provider_config {
custom_oauth2_provider_config {
client_id_wo = %[2]q
client_secret_wo = %[3]q
client_credentials_wo_version = %[4]d

oauth_discovery {
authorization_server_metadata {
issuer = %[5]q
authorization_endpoint = %[6]q
token_endpoint = %[7]q
response_types = [%[8]q, %[9]q]
token_endpoint_auth_methods = %[10]s
}
}
}
}
}
`, rName, clientId, clientSecret, version, issuer, authEndpoint, tokenEndpoint, responseType1, responseType2, authMethods)
}

func testAccOAuth2CredentialProviderConfig_customWithAuthServerMetadataNoAuthMethods(rName, clientId, clientSecret string, version int, issuer, authEndpoint, tokenEndpoint, responseType1, responseType2 string) string {
return fmt.Sprintf(`
resource "aws_bedrockagentcore_oauth2_credential_provider" "test" {
name = %[1]q
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -99,13 +99,13 @@ The `oauth2_provider_config` block must contain exactly one of the following pro
* `github_oauth2_provider_config` - (Optional) GitHub OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.
* `google_oauth2_provider_config` - (Optional) Google OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.
* `included_oauth2_provider_config` - (Optional) Configuration for an included (vendor-supported) OAuth2 provider, used for the additional supported vendors. See [`predefined providers`](#predefined-providers) below.

-> **Note:** `included_oauth2_provider_config` currently supports only vendors that have fixed, AWS-known OAuth2 endpoints (for example `XOauth2`, `FacebookOauth2`, `SpotifyOauth2`), which require nothing beyond `client_id` and `client_secret`. Isolated-tenant vendors such as `OktaOauth2`, `PingOneOauth2`, and `OneLoginOauth2` require provider-specific endpoints (`issuer`, `authorization_endpoint`, `token_endpoint`) that are not yet exposed by this resource, and will fail at create time with a `Missing TokenEndpoint` error. Support for those fields is planned in a follow-up.
* `linkedin_oauth2_provider_config` - (Optional) LinkedIn OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.
* `microsoft_oauth2_provider_config` - (Optional) Microsoft OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.
* `salesforce_oauth2_provider_config` - (Optional) Salesforce OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.
* `slack_oauth2_provider_config` - (Optional) Slack OAuth provider configuration. See [`predefined providers`](#predefined-providers) below.

-> **Note:** `included_oauth2_provider_config` currently supports only vendors that have fixed, AWS-known OAuth2 endpoints (for example `XOauth2`, `FacebookOauth2`, `SpotifyOauth2`), which require nothing beyond `client_id` and `client_secret`. Isolated-tenant vendors such as `OktaOauth2`, `PingOneOauth2`, and `OneLoginOauth2` require provider-specific endpoints (`issuer`, `authorization_endpoint`, `token_endpoint`) that are not yet exposed by this resource, and will fail at create time with a `Missing TokenEndpoint` error. Support for those fields is planned in a follow-up.

### `custom`

The `custom_oauth2_provider_config` block supports the following:
Expand Down Expand Up @@ -221,6 +221,7 @@ The `authorization_server_metadata` block supports the following:
* `authorization_endpoint` - (Required) OAuth2 authorization endpoint URL.
* `token_endpoint` - (Required) OAuth2 token endpoint URL.
* `response_types` - (Optional) Set of OAuth2 response types supported by the authorization server.
* `token_endpoint_auth_methods` - (Optional) Set of one or two client authentication methods supported by the token endpoint. Valid values are `client_secret_post` and `client_secret_basic`.

## Attribute Reference

Expand Down
Loading