feat!: upgrade to go-aws-sdk-v2, workflows, release configs and drops…

… some attributes (#220)

feat!: upgrade to go-aws-sdk-v2, workflows, release configs and drops some attributes

BREAKING CHANGE: drops some optional attributes that are not needed with go-aws-sdk-v2/config and drops assume_role schema

attributes are: skip_credentials_validation, skip_requesting_account_id, skip_metadata_api_check, asumme_role

.github/workflows/release.yml

@@ -18,31 +18,28 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
+
+      - name: Checkout
         uses: actions/checkout@v4
-      -
-        name: Unshallow
-        run: git fetch --prune --unshallow
-      -
-        name: Set up Go
+
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
-      -
-        name: Import GPG key
+          cache: true
+
+      - name: Import GPG key
         id: import_gpg
-        uses: hashicorp/ghaction-import-gpg@v2.1.0
-        env:
-          # These secrets will need to be configured for the repository:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
-          version: latest
-          args: release --rm-dist
+          version: 2
+          args: release --clean
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           # GitHub sets this automatically

.github/workflows/test.yml

@@ -9,12 +9,6 @@ on:
   push:
     paths-ignore:
       - 'README.md'
-  # For systems with an upstream API that could drift unexpectedly (like most SaaS systems, etc.),
-  # we recommend testing at a regular interval not necessarily tied to code changes. This will
-  # ensure you are alerted to something breaking due to an API change, even if the code did not
-  # change.
-  # schedule:
-  #   - cron: '0 13 * * *'
 jobs:
   # ensure the code builds...
   build:
@@ -29,15 +23,14 @@ jobs:
       uses: actions/setup-go@v5
       with:
         go-version-file: 'go.mod'
+        cache: true
       id: go
 
     - name: Get dependencies
-      run: |
-        go mod download
+      run: go mod download
 
     - name: Build
-      run: |
-        go build -v .
+      run: make build
 
   # run acceptance tests in a matrix with Terraform core versions
   test:
@@ -50,8 +43,12 @@ jobs:
       matrix:
         # list whatever Terraform versions here you would like to support
         terraform:
-          - '0.15.5'
-          - '1.0.3'
+          - '1.5.*'
+          - '1.6.*'
+          - '1.7.*'
+          - '1.8.*'
+          - '1.9.*'
+          - '1.10.*'
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
@@ -72,10 +69,5 @@ jobs:
         TF_ACC: "1"
         TF_ACC_TERRAFORM_VERSION: ${{ matrix.terraform }}
 
-        # Set whatever additional acceptance test env vars here. You can
-        # optionally use data from your repository secrets using the
-        # following syntax:
-        # SOME_VAR: ${{ secrets.SOME_VAR }}
-
       run: |
-        go test -v -cover ./internal/provider/
+        make testacc

.goreleaser.yml

@@ -1,44 +1,48 @@
 # Visit https://goreleaser.com for documentation on how to customize this
 # behavior.
+version: 2
 before:
   hooks:
     # this is just an example and not a requirement for provider building/publishing
     - go mod tidy
 builds:
-- env:
-    # goreleaser does not work with CGO, it could also complicate
-    # usage by users in CI/CD systems like Terraform Cloud where
-    # they are unable to install libraries.
-    - CGO_ENABLED=0
-  mod_timestamp: '{{ .CommitTimestamp }}'
-  flags:
-    - -trimpath
-  ldflags:
-    - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
-  goos:
-    - freebsd
-    - windows
-    - linux
-    - darwin
-  goarch:
-    - amd64
-    - '386'
-    - arm
-    - arm64
-  ignore:
-    - goos: darwin
-      goarch: '386'
-  binary: '{{ .ProjectName }}_v{{ .Version }}'
+  - env:
+      # goreleaser does not work with CGO, it could also complicate
+      # usage by users in CI/CD systems like HCP Terraform where
+      # they are unable to install libraries.
+      - CGO_ENABLED=0
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - -trimpath
+    ldflags:
+      - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
+    goos:
+      - freebsd
+      - windows
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - '386'
+      - arm
+      - arm64
+    ignore:
+      - goos: darwin
+        goarch: '386'
+    binary: '{{ .ProjectName }}_v{{ .Version }}'
 archives:
-- format: zip
-  name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+  - format: zip
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
 checksum:
+  extra_files:
+    - glob: 'terraform-registry-manifest.json'
+      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
   name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
   algorithm: sha256
 signs:
   - artifacts: checksum
     args:
-      # if you are using this in a GitHub action or some other automated pipeline, you 
+      # if you are using this in a GitHub action or some other automated pipeline, you
       # need to pass the batch flag to indicate its not interactive.
       - "--batch"
       - "--local-user"
@@ -48,7 +52,11 @@ signs:
       - "--detach-sign"
       - "${artifact}"
 release:
+  prerelease: auto # this recognizes if a tag has a -alpha or -beta in it and marks it as a pre-release in GitHub.
+  extra_files:
+    - glob: 'terraform-registry-manifest.json'
+      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
   # If you want to manually examine the release before its live, uncomment this line:
   # draft: true
 changelog:
-  skip: true
+  disable: true

GNUmakefile

@@ -3,4 +3,9 @@ default: testacc
 # Run acceptance tests
 .PHONY: testacc
 testacc:
-	TF_ACC=1 go test ./... -v $(TESTARGS) -timeout 120m
+	TF_ACC=1 go test ./... -v -cover -timeout 120m
+
+# Build the provider
+.PHONY: build
+build:
+	go build -v -o bin/terraform-provider-controltower .

README.md

@@ -8,7 +8,7 @@ You can browse documentation on the [Terraform provider registry](https://regist
 
 If you wish to work on the provider, you'll first need [Go](http://www.golang.org) installed on your machine.
 
-To compile the provider, run `go install`. This will build the provider and put the provider binary in the `$GOPATH/bin` directory.
+To compile the provider, run `make build`. This will build the provider and put the provider binary in the `bin` directory under the project's root folder.
 
 To generate or update documentation, run `go generate`.
 
@@ -19,3 +19,19 @@ In order to run the full suite of Acceptance tests, run `make testacc`.
 ```sh
 $ make testacc
 ```
+
+## Testing the Provider Locally
+
+You can test the provider locally before creating a PR by following the steps below:
+
+```sh
+$ make build # make sure to have the build version in the executable name as a postfix e.g. terraform-provider-controltower_v2.0.0
+$ mkdir -p ~/.terraform.d/plugins/registry.terraform.io/idealo/controltower/<some version>/darwin_arm64 # arch can be different depending on your system
+$ mv bin/terraform-provider-controltower_<some version> ~/.terraform.d/plugins/registry.terraform.io/idealo/controltower/<some version>/darwin_arm64 # some version should be the future version of the provider after the changes.
+```
+
+Then you can test your changes in your terraform configuration by running `terraform init` in the directory where your terraform configuration is located. 
+
+Make sure to define the new version under the `required_providers` block. 
+
+Alternatively, if you're using terraform 0.14 or later, you can make use of `dev_overrides` as described [here](https://developer.hashicorp.com/terraform/cli/config/config-file#development-overrides-for-provider-developers) and point the provider to your `~/.terraformrc`.

docs/index.md

@@ -38,26 +38,9 @@ provider "controltower" {
 ### Optional
 
 - `access_key` (String) This is the AWS access key. It must be provided, but it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified.
-- `assume_role` (Block List, Max: 1) Settings for making use of the AWS Assume Role functionality. (see [below for nested schema](#nestedblock--assume_role))
 - `max_retries` (Number) This is the maximum number of times an API call is retried, in the case where requests are being throttled or experiencing transient failures. The delay between the subsequent API calls increases exponentially. If omitted, the default value is `25`.
 - `profile` (String) This is the AWS profile name as set in the shared credentials file.
+- `provider_version` (String) The version of the provider, just used for logging.
 - `secret_key` (String) This is the AWS secret key. It must be provided, but it can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared credentials file if `profile` is specified.
 - `shared_credentials_file` (String) This is the path to the shared credentials file. If this is not set and a profile is specified, `~/.aws/credentials` will be used.
-- `skip_credentials_validation` (Boolean) Skip the credentials validation via the STS API. Useful for AWS API implementations that do not have STS available or implemented.
-- `skip_metadata_api_check` (Boolean) Skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting to `true` prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.
-- `skip_requesting_account_id` (Boolean) Skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API.
-- `token` (String) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. It can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
-
-<a id="nestedblock--assume_role"></a>
-### Nested Schema for `assume_role`
-
-Optional:
-
-- `duration_seconds` (Number) Seconds to restrict the assume role session duration.
-- `external_id` (String) Unique identifier that might be required for assuming a role in another account.
-- `policy` (String) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
-- `policy_arns` (Set of String) Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
-- `role_arn` (String) Amazon Resource Name of an IAM Role to assume prior to making API calls.
-- `session_name` (String) Identifier for the assumed role session.
-- `tags` (Map of String) Assume role session tags.
-- `transitive_tag_keys` (Set of String) Assume role session tag keys to pass to any subsequent sessions.
+- `token` (String) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. It can also be sourced from the AWS_SESSION_TOKEN environment variable.

docs/resources/aws_account.md

@@ -18,7 +18,7 @@ resource "controltower_aws_account" "account" {
   email               = "aws-admin@example.com"
   organizational_unit = "Sandbox"
 
-  organizational_unit_id_on_delete = "Suspended"
+  organizational_unit_id_on_delete = "ou-some-id"
 
   sso {
     first_name = "John"
@@ -41,7 +41,6 @@ resource "controltower_aws_account" "account" {
 ### Optional
 
 - `close_account_on_delete` (Boolean) If enabled, this will close the AWS account on resource deletion, beginning the 90-day suspension period. Otherwise, the account will just be unenrolled from Control Tower.
-- `id` (String) The ID of this resource.
 - `organizational_unit_id_on_delete` (String) ID of the Organizational Unit to which the account should be moved when the resource is deleted. If no value is provided, the account will not be moved.
 - `path_id` (String) Name of the path identifier of the product. This value is optional if the product has a default path, and required if the product has more than one path. To list the paths for a product, use ListLaunchPaths.
 - `provisioned_product_name` (String) Name of the service catalog product that is provisioned. Defaults to a slugified version of the account name.
@@ -50,6 +49,7 @@ resource "controltower_aws_account" "account" {
 ### Read-Only
 
 - `account_id` (String) ID of the AWS account.
+- `id` (String) The ID of this resource.
 
 <a id="nestedblock--sso"></a>
 ### Nested Schema for `sso`
@@ -59,5 +59,3 @@ Required:
 - `email` (String) Email address of the user. If you use automatic provisioning this email address should already exist in AWS SSO.
 - `first_name` (String) First name of the user.
 - `last_name` (String) Last name of the user.
-
-

examples/resources/controltower_aws_account/resource.tf

@@ -3,7 +3,7 @@ resource "controltower_aws_account" "account" {
   email               = "aws-admin@example.com"
   organizational_unit = "Sandbox"
 
-  organizational_unit_id_on_delete = "Suspended"
+  organizational_unit_id_on_delete = "ou-some-id"
 
   sso {
     first_name = "John"

go.mod

@@ -5,13 +5,18 @@ go 1.22.7
 toolchain go1.23.4
 
 require (
-	github.com/aws/aws-sdk-go v1.55.5
-	github.com/hashicorp/aws-sdk-go-base v1.1.0
+	github.com/aws/aws-sdk-go-v2 v1.32.7
+	github.com/aws/aws-sdk-go-v2/config v1.28.7
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.48
+	github.com/aws/aws-sdk-go-v2/service/organizations v1.36.2
+	github.com/aws/aws-sdk-go-v2/service/servicecatalog v1.32.8
+	github.com/aws/smithy-go v1.22.1
 	github.com/hashicorp/terraform-plugin-docs v0.20.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0
 )
 
 require (
+	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
@@ -20,7 +25,17 @@ require (
 	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.3 // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.7.1 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -34,6 +49,7 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.6.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/hc-install v0.9.0 // indirect
@@ -48,19 +64,16 @@ require (
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/posener/complete v1.2.3 // indirect
-	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
@@ -69,6 +82,7 @@ require (
 	github.com/yuin/goldmark v1.7.7 // indirect
 	github.com/yuin/goldmark-meta v1.1.0 // indirect
 	github.com/zclconf/go-cty v1.15.0 // indirect
+	go.abhg.dev/goldmark/frontmatter v0.2.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df // indirect
 	golang.org/x/mod v0.21.0 // indirect
@@ -82,4 +96,5 @@ require (
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )