hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_iam_openid_connect_provider rejects valid "url"s #26483

Open SKalt opened 1 year ago

SKalt commented 1 year ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.9
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.27.0

Affected Resource(s)

Terraform Configuration Files

variable "my_bitbucket_org" {
  type        = string
  description = "the name of my bitbucket org"
  default     = "myorg"
}
provider "aws" {
  region = "us-east-1"
}
locals {
  oidc_url = "api.bitbucket.org/2.0/workspaces/${var.my_bitbucket_org}/pipelines-config/identity/oidc"
}
resource "aws_iam_openid_connect_provider" "bitbucket_pipelines_oidc" {
  url             = local.oidc_url
  thumbprint_list = [] # TODO
  client_id_list  = [] # TODO
}

Debug Output

plan debug logs

Expected Behavior

The provider should have accepted the protocol-less "url" that BitBucket provides. If I were to enter the same protocol-less url in the AWS IAM console, the OIDC-provider resource would be created successfully.

Actual Behavior

The resource marks my "url" as invalid, despite the fact that the "url" is a valid iss claim.

Steps to Reproduce

  1. terraform plan

awolski commented 11 months ago

I hit the same issue when setting up the GitHub OIDC provider. I don't think this is an issue though.

I think your problem is that you haven't specified https:// at the start of your URL. The error is misleading as it states that host is expected:

Error: expected "url" to have a host, got api.bitbucket.org/2.0/workspaces/myorg/pipelines-config/identity/oidc

I got a similar issue trying to use token.actions.githubusercontent.com as the resource url:

Error: expected "url" to have a host, got token.actions.githubusercontent.com
│  ...
│  445:   url = "token.actions.githubusercontent.com"

Changing this to url = "https://token.actions.githubusercontent.com" resolved the error.

Pretty sure this can be closed.

dancorne commented 5 months ago

I think it's a bug actually, due to how Terraform calculates its outputs. Here's an example:

resource "aws_iam_openid_connect_provider" "github_actions" {
  client_id_list = [
    "sts.amazonaws.com",
  ]
  thumbprint_list = [
    "1b511abead59c6ce207077c0bf0e0043b1382612",
  ]
  url = "https://token.actions.githubusercontent.com"
}

output "github_actions_url" {
  value = aws_iam_openid_connect_provider.github_actions.url
}

If you apply that, it creates the resource and gives you the output "https://token.actions.githubusercontent.com". However, when you apply again, because AWS returns the URL without the protocol, the output gets updated to "token.actions.githubusercontent.com".

We hit this bug after passing an output similar to above into data.aws_iam_openid_connect_provider in a different module. The data resource fails without the protocol included, so everything worked as expected on the first apply but when the aws_iam_openid_connect_provider resource got refreshed, the output changed, and the data block started returning errors.

It's easy to work around though: put a bunch of startswith() logic in to ensure the protocol is included if it's not present.
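The two failure modes in this thread have the same root cause: the provider's "url" validation requires a scheme, while IAM stores and returns the issuer without one, so a value read back from state (or from a data source lookup on a refreshed resource) no longer passes validation. The following is an added example, not code from the issue, the AWS provider, or Terraform itself. It assumes Terraform >= 1.3 (for startswith()), an input variable named oidc_issuer that is fed from another module's aws_iam_openid_connect_provider.<name>.url output (so it may arrive with or without "https://"), and a placeholder GitHub org/repo of myorg/myrepo. It goes slightly beyond the thread by showing the one place where the scheme-less form is actually correct: the IAM condition keys in the role trust policy.

```hcl
# Added example; not from the issue thread, the provider, or Terraform.
# Assumes Terraform >= 1.3 and that var.oidc_issuer is wired to another
# module's aws_iam_openid_connect_provider.<name>.url output, which is
# "https://token.actions.githubusercontent.com" on the first apply and
# "token.actions.githubusercontent.com" after a refresh.

variable "oidc_issuer" {
  type        = string
  description = "OIDC issuer, with or without the https:// scheme (IAM drops it on read)"

  validation {
    # Accept a bare host/path or an https:// URL only. Any other scheme
    # (http://, ftp://, ...) is rejected instead of being silently accepted
    # by the startswith() normalisation below, so the IdP is never referenced
    # over plaintext by mistake.
    condition     = !can(regex("^[a-zA-Z][a-zA-Z0-9+.-]*://", var.oidc_issuer)) || startswith(var.oidc_issuer, "https://")
    error_message = "oidc_issuer must be a bare host/path or an https:// URL."
  }
}

locals {
  # The resource and the data source both require a scheme; IAM returns the
  # issuer without one. Normalise once and reference the local everywhere.
  oidc_url = startswith(var.oidc_issuer, "https://") ? var.oidc_issuer : "https://${var.oidc_issuer}"

  # IAM condition keys ("<issuer-host>:aud", "<issuer-host>:sub") use the
  # scheme-less issuer, which is the same form GetOpenIDConnectProvider returns.
  oidc_host = trimprefix(local.oidc_url, "https://")
}

data "aws_iam_openid_connect_provider" "this" {
  url = local.oidc_url
}

# Trust policy for a role that GitHub Actions can assume via this provider.
# The Federated principal is the provider ARN; the aud/sub conditions are what
# actually restrict which tokens may assume the role.
data "aws_iam_policy_document" "github_actions_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "${local.oidc_host}:sub"
      values   = ["repo:myorg/myrepo:ref:refs/heads/main"] # assumed org/repo; scope as tightly as possible
    }
  }
}

output "oidc_url" {
  # Always scheme-qualified, so a downstream data.aws_iam_openid_connect_provider
  # keeps working after this module's resources are refreshed.
  value = local.oidc_url
}
```

Normalising in a local rather than at each use site means the resource, the data source and any outputs stay consistent across refreshes, and the variable validation turns a silent scheme downgrade into a plan-time error.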