Merge pull request #2043 from hashicorp/b-iam-rolechaining-breaking-c…

…hange

provider: Revert breaking change from IAM role chaining

CHANGELOG.md

@@ -1,9 +1,16 @@
 ## 1.17.0 (Unreleased)
+
+## 1.16.1 (September 27, 2024)
+
+BUG FIXES:
+
+* provider: Rolls back breaking change introduced in #2029. IAM role chaining is no longer supported, but will be reintroduced in a future version. ([#2043](https://github.com/hashicorp/terraform-provider-awscc/pull/2043))
+
 ## 1.16.0 (September 26, 2024)
 
 FEATURES:
 
-* provider: Adds support for IAM role chaining. The provider attribute `assume_role` now accepts multiple elements.
+* provider: Adds support for IAM role chaining. The provider attribute `assume_role` now accepts multiple elements. ([#2029](https://github.com/hashicorp/terraform-provider-awscc/pull/2029))
 
 * **New Data Source:** `awscc_amazonmq_configuration`
 * **New Data Source:** `awscc_amazonmq_configurations`

docs/index.md

@@ -234,7 +234,7 @@ credential_process = custom-process --username jdoe
 ### Optional
 
 - `access_key` (String) This is the AWS access key. It must be provided, but it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified.
-- `assume_role` (Attributes List) List of IAM Roles to assume. See the `assume_role` block (documented below). (see [below for nested schema](#nestedatt--assume_role))
+- `assume_role` (Attributes) An `assume_role` block (documented below). Only one `assume_role` block may be in the configuration. (see [below for nested schema](#nestedatt--assume_role))
 - `assume_role_with_web_identity` (Attributes) An `assume_role_with_web_identity` block (documented below). Only one `assume_role_with_web_identity` block may be in the configuration. (see [below for nested schema](#nestedatt--assume_role_with_web_identity))
 - `endpoints` (Attributes) An `endpoints` block (documented below). Only one `endpoints` block may be in the configuration. (see [below for nested schema](#nestedatt--endpoints))
 - `http_proxy` (String) URL of a proxy to use for HTTP requests when accessing the AWS API. Can also be set using the `HTTP_PROXY` or `http_proxy` environment variables.

internal/provider/provider.go

@@ -24,7 +24,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-provider-awscc/internal/flex"
 	"github.com/hashicorp/terraform-provider-awscc/internal/registry"
-	"github.com/hashicorp/terraform-provider-awscc/internal/slices"
 	cctypes "github.com/hashicorp/terraform-provider-awscc/internal/types"
 )
 
@@ -83,51 +82,49 @@ func (p *ccProvider) Schema(ctx context.Context, request provider.SchemaRequest,
 				Description: "This is the AWS access key. It must be provided, but it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified.",
 				Optional:    true,
 			},
-			"assume_role": schema.ListNestedAttribute{
-				NestedObject: schema.NestedAttributeObject{
-					Attributes: map[string]schema.Attribute{
-						"duration": schema.StringAttribute{
-							CustomType:  cctypes.DurationType,
-							Description: "The duration, between 15 minutes and 12 hours, of the role session. Valid time units are ns, us (or µs), ms, s, h, or m.",
-							Optional:    true,
-						},
-						"external_id": schema.StringAttribute{
-							Description: "External identifier to use when assuming the role.",
-							Optional:    true,
-						},
-						"policy": schema.StringAttribute{
-							CustomType:  jsontypes.ExactType{},
-							Description: "IAM policy in JSON format to use as a session policy. The effective permissions for the session will be the intersection between this polcy and the role's policies.",
-							Optional:    true,
-						},
-						"policy_arns": schema.ListAttribute{
-							ElementType: cctypes.ARNType,
-							Description: "Amazon Resource Names (ARNs) of IAM Policies to use as managed session policies. The effective permissions for the session will be the intersection between these polcy and the role's policies.",
-							Optional:    true,
-						},
-						"role_arn": schema.StringAttribute{
-							CustomType:  cctypes.ARNType,
-							Description: "Amazon Resource Name (ARN) of the IAM Role to assume.",
-							Required:    true,
-						},
-						"session_name": schema.StringAttribute{
-							Description: "Session name to use when assuming the role.",
-							Optional:    true,
-						},
-						"tags": schema.MapAttribute{
-							ElementType: types.StringType,
-							Description: "Map of assume role session tags.",
-							Optional:    true,
-						},
-						"transitive_tag_keys": schema.SetAttribute{
-							ElementType: types.StringType,
-							Description: "Set of assume role session tag keys to pass to any subsequent sessions.",
-							Optional:    true,
-						},
+			"assume_role": schema.SingleNestedAttribute{
+				Attributes: map[string]schema.Attribute{
+					"duration": schema.StringAttribute{
+						CustomType:  cctypes.DurationType,
+						Description: "The duration, between 15 minutes and 12 hours, of the role session. Valid time units are ns, us (or µs), ms, s, h, or m.",
+						Optional:    true,
+					},
+					"external_id": schema.StringAttribute{
+						Description: "External identifier to use when assuming the role.",
+						Optional:    true,
+					},
+					"policy": schema.StringAttribute{
+						CustomType:  jsontypes.ExactType{},
+						Description: "IAM policy in JSON format to use as a session policy. The effective permissions for the session will be the intersection between this polcy and the role's policies.",
+						Optional:    true,
+					},
+					"policy_arns": schema.ListAttribute{
+						ElementType: cctypes.ARNType,
+						Description: "Amazon Resource Names (ARNs) of IAM Policies to use as managed session policies. The effective permissions for the session will be the intersection between these polcy and the role's policies.",
+						Optional:    true,
+					},
+					"role_arn": schema.StringAttribute{
+						CustomType:  cctypes.ARNType,
+						Description: "Amazon Resource Name (ARN) of the IAM Role to assume.",
+						Required:    true,
+					},
+					"session_name": schema.StringAttribute{
+						Description: "Session name to use when assuming the role.",
+						Optional:    true,
+					},
+					"tags": schema.MapAttribute{
+						ElementType: types.StringType,
+						Description: "Map of assume role session tags.",
+						Optional:    true,
+					},
+					"transitive_tag_keys": schema.SetAttribute{
+						ElementType: types.StringType,
+						Description: "Set of assume role session tag keys to pass to any subsequent sessions.",
+						Optional:    true,
 					},
 				},
 				Optional:    true,
-				Description: "List of IAM Roles to assume. See the `assume_role` block (documented below).",
+				Description: "An `assume_role` block (documented below). Only one `assume_role` block may be in the configuration.",
 			},
 			"assume_role_with_web_identity": schema.SingleNestedAttribute{
 				Attributes: map[string]schema.Attribute{
@@ -278,7 +275,7 @@ func (p *ccProvider) Schema(ctx context.Context, request provider.SchemaRequest,
 
 type configModel struct {
 	AccessKey                 types.String                   `tfsdk:"access_key"`
-	AssumeRole                types.List                     `tfsdk:"assume_role"`
+	AssumeRole                *assumeRoleModel               `tfsdk:"assume_role"`
 	AssumeRoleWithWebIdentity *assumeRoleWithWebIdentityData `tfsdk:"assume_role_with_web_identity"`
 	Endpoints                 *endpointData                  `tfsdk:"endpoints"`
 	HTTPProxy                 types.String                   `tfsdk:"http_proxy"`
@@ -507,18 +504,8 @@ func newProviderData(ctx context.Context, c *configModel) (*providerData, diag.D
 		}
 		awsbaseConfig.SharedCredentialsFiles = cf
 	}
-	// if c.AssumeRole != nil {
-	// 	awsbaseConfig.AssumeRole = c.AssumeRole.Config()
-	// }
-	if !c.AssumeRole.IsNull() {
-		var assumeRole []assumeRoleModel
-		diags.Append(c.AssumeRole.ElementsAs(ctx, &assumeRole, false)...)
-		if diags.HasError() {
-			return nil, diags
-		}
-		awsbaseConfig.AssumeRole = slices.ApplyToAll(assumeRole, func(m assumeRoleModel) awsbase.AssumeRole {
-			return m.Config()
-		})
+	if c.AssumeRole != nil {
+		awsbaseConfig.AssumeRole = []awsbase.AssumeRole{c.AssumeRole.Config()}
 	}
 
 	if c.AssumeRoleWithWebIdentity != nil {