Merge pull request #23279 from hashicorp/f-add-ca-custom-bundle
provider: Add custom_ca_bundle
YakDriver committed Feb 18, 2022
2 parents 0793efa + 0d3780c commit 6a765e3
Showing 5 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .changelog/23279.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
provider: Add `custom_ca_bundle` argument
```
5 changes: 5 additions & 0 deletions internal/conns/conns.go
Expand Up @@ -858,6 +858,7 @@ type Config struct {
AccessKey string
AllowedAccountIds []string
AssumeRole *awsbase.AssumeRole
CustomCABundle string
DefaultTagsConfig *tftags.DefaultConfig
EC2MetadataServiceEndpoint string
EC2MetadataServiceEndpointMode string
Expand Down Expand Up @@ -1219,6 +1220,10 @@ func (c *Config) Client() (interface{}, error) {
awsbaseConfig.AssumeRole = c.AssumeRole
}

if c.CustomCABundle != "" {
awsbaseConfig.CustomCABundle = c.CustomCABundle
}

if c.EC2MetadataServiceEndpoint != "" {
awsbaseConfig.EC2MetadataServiceEndpoint = c.EC2MetadataServiceEndpoint
awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode
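Review bot: the path in `c.CustomCABundle` is handed to awsbase without any check, so a typo or an unreadable file will only surface later as a TLS or client-construction error that does not name `custom_ca_bundle` as the cause. Before `awsbaseConfig.CustomCABundle = c.CustomCABundle`, consider an `os.Stat` (or a read-and-PEM-parse) of the file that returns an error mentioning the argument; that fails the misconfiguration before any request is sent with a trust store the operator did not intend. The `!= ""` guard itself is consistent with the `EC2MetadataServiceEndpoint` block directly below it.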
8 changes: 8 additions & 0 deletions internal/provider/provider.go
Expand Up @@ -191,6 +191,13 @@ func Provider() *schema.Provider {
Set: schema.HashString,
},
"assume_role": assumeRoleSchema(),
"custom_ca_bundle": {
Type: schema.TypeString,
Optional: true,
Description: "File containing custom root and intermediate certificates. " +
"Can also be configured using the `AWS_CA_BUNDLE` environment variable. " +
"(Setting `ca_bundle` in the shared config file is not supported.)",
},
"default_tags": {
Type: schema.TypeList,
Optional: true,
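Review bot: the description promises that `AWS_CA_BUNDLE` can be used instead of the argument, but the schema entry carries no `DefaultFunc` (for example `schema.EnvDefaultFunc("AWS_CA_BUNDLE", nil)`) and nothing else in this PR reads that variable, so the fallback must be happening inside aws-sdk-go-base. Either add the `DefaultFunc` so the provider owns the behaviour its own documentation describes, or state in the PR that awsbase resolves the variable and add a test that sets `AWS_CA_BUNDLE` and checks the configured client; none of the five changed files is a test.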
Expand Down Expand Up @@ -1915,6 +1922,7 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa
config := conns.Config{
AccessKey: d.Get("access_key").(string),
DefaultTagsConfig: expandProviderDefaultTags(d.Get("default_tags").([]interface{})),
CustomCABundle: d.Get("custom_ca_bundle").(string),
EC2MetadataServiceEndpoint: d.Get("ec2_metadata_service_endpoint").(string),
EC2MetadataServiceEndpointMode: d.Get("ec2_metadata_service_endpoint_mode").(string),
Endpoints: make(map[string]string),
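Review bot: `CustomCABundle:` is inserted after `DefaultTagsConfig:` here, whereas the `conns.Config` struct changed in this same PR places `CustomCABundle` before `DefaultTagsConfig` in alphabetical order. Move the line above `DefaultTagsConfig:` so the literal follows the struct's ordering and the next reader can find the field by name.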
1 change: 1 addition & 0 deletions website/docs/guides/version-4-upgrade.html.md
Expand Up @@ -157,6 +157,7 @@ provider "aws" {
Version 4.x adds these new `provider` arguments:

* `assume_role.duration` - Assume role duration as a string, _e.g._, `"1h"` or `"1h30s"`. Terraform AWS Provider v4.0.0 deprecates `assume_role.duration_seconds` and a future version will remove it.
* `custom_ca_bundle` - File containing custom root and intermediate certificates. Can also be configured using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
* `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
* `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
* `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
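Review bot: the new `custom_ca_bundle` bullet says what the file contains but not what encoding is expected or whether the bundle replaces or is added to the system trust store; an operator adding this to get through a TLS-inspecting proxy needs both facts to know whether the public AWS endpoints will still verify. Extend the entry with the expected file format and the replace-versus-augment behaviour, or link to the aws-sdk-go-base documentation that defines it.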
1 change: 1 addition & 0 deletions website/docs/index.html.markdown
Expand Up @@ -201,6 +201,7 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
* `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`.
* `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`.
* `assume_role` - (Optional) Configuration block for an assumed role. See below. Only one `assume_role` block may be in the configuration.
* `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable. (Setting `ca_bundle` in the shared config file is not supported.)
* `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the [Terraform multiple provider instances documentation](/docs/configuration/providers.html#alias-multiple-provider-instances) for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the [`default_tags`](#default_tags-configuration-block) Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource.
* `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
* `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
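Review bot: the `custom_ca_bundle` entry should carry a caution: whatever file the argument (or `AWS_CA_BUNDLE`) points at becomes a trust anchor for every AWS API call the provider makes, so a path writable by other users, or an environment where the variable can be injected, lets a third party present certificates the provider will accept. Suggest adding a sentence that the bundle file should be owned and writable only by the user running Terraform, and that `AWS_CA_BUNDLE` should be set only where the environment itself is trusted.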