hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: optional "thumbprint_list" for "aws_iam_openid_connect_provider" #35112

Open heydonovan opened 9 months ago

heydonovan commented 9 months ago

Description

The thumbprint_list argument for aws_iam_openid_connect_provider is required. The AWS UI indicates this is a legacy setting. As a developer, I should be able to skip this argument without receiving this error in Terraform:

Required attribute "thumbprint_list" not specified: An attribute named "thumbprint_list" is required here

AWS secures communication with this OIDC identity provider (IdP) using our library of trusted CAs rather than using a certificate thumbprint to verify the server certificate of your IdP. Your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_iam_openid_connect_provider" "gitlab" {
  url             = "https://gitlab.com"
  client_id_list  = ["https://gitlab.com"]
}

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 9 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

tmatilai commented 8 months ago

Duplicate of #32480

The requirement comes from the AWS API and then from the SDK...

james-bjss commented 5 months ago

Duplicate of #32480

The requirement comes from the AWS API and then from the SDK...

Looks like this is now unblocked as the field is now optional in the SDK since 1.51.20: https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md#release-v15120-2024-04-11

dustindortch commented 1 month ago

Use the "tls_certificate" data source:

data "tls_certificate" "tfc" {
  url = var.hcp_terraform_url
}

resource "aws_iam_openid_connect_provider" "oidc" {
  url             = var.hcp_terraform_url
  client_id_list  = var.client_id_list
  thumbprint_list = [data.tls_certificate.tfc.certificates.0.sha1_fingerprint]
}
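As an added example (not code from the thread or from the provider project), the same workaround applied to the gitlab.com provider from the original report, paired with a role whose trust policy pins the token audience and subject so that only one project's main branch can assume it. The group/project path is a placeholder assumption; the `tls_certificate` data source comes from the hashicorp/tls provider.

```hcl
data "tls_certificate" "gitlab" {
  url = "https://gitlab.com"
}

resource "aws_iam_openid_connect_provider" "gitlab" {
  url            = "https://gitlab.com"
  client_id_list = ["https://gitlab.com"]
  # Still required by the provider at the time of this thread even though AWS
  # no longer validates with it; derived from the live chain rather than
  # hand-pasted so it cannot silently go stale.
  thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
}

# Trust policy: federated principal is the OIDC provider above, and both the
# audience and the subject claim are constrained. The project path is an
# assumed placeholder.
data "aws_iam_policy_document" "gitlab_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "gitlab.com:aud"
      values   = ["https://gitlab.com"]
    }

    condition {
      test     = "StringLike"
      variable = "gitlab.com:sub"
      values   = ["project_path:example-group/example-project:ref_type:branch:ref:main"]
    }
  }
}

resource "aws_iam_role" "gitlab_ci" {
  name               = "gitlab-ci-example"
  assume_role_policy = data.aws_iam_policy_document.gitlab_trust.json
}
```

Without the `sub` condition any pipeline on gitlab.com that presents the right audience could assume the role, so the condition is the part that actually scopes trust.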