Merge branch 'main' into HEAD

Author: ewbankkit

.changelog/23384.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: Makes `region` an optional parameter to allow sourcing from shared config files and IMDS
+```

.changelog/23388.txt

@@ -0,0 +1,11 @@
+```release-note:enhancement
+provider: Retrieves region from IMDS when credentials retrieved from IMDS.
+```
+
+```release-note:enhancement
+provider: Improves error message when `Profile` and static credential environment variables are set.
+```
+
+```release-note:bug
+provider: Validates names of named profiles before use.
+```

.markdownlint.yml

@@ -2,23 +2,47 @@
 # https://github.com/DavidAnson/markdownlint#configuration
 
 default: true
-MD007:
+
+# MD007
+ul-indent:
   indent: 4
-MD010:
+
+# MD010
+no-hard-tabs:
   code_blocks: false
 
 # Disabled Rules
 # https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md
 
-MD001: false
-MD004: false
-MD006: false
-MD012: false
-MD013: false
-MD014: false
-MD022: false
-MD024: false
-MD034: false
-MD038: false
-MD040: false
-MD047: false
+# MD001
+heading-increment: false
+
+# MD004
+ul-style: false
+
+# MD012
+no-multiple-blanks: false
+
+# MD013
+line-length: false
+
+# MD014
+commands-show-output: false
+
+# MD022
+blanks-around-headings: false
+
+# MD024
+no-duplicate-heading: false
+
+# MD034
+no-bare-urls: false
+
+# MD038
+no-space-in-code: false
+
+# MD040
+fenced-code-language: false
+
+# MD047
+single-trailing-newline: false

.semgrep.yml

@@ -693,3 +693,13 @@ rules:
     patterns:
       - pattern: validation.Any(..., validation.StringIsEmpty, ...)
     severity: ERROR
+
+  - id: use-error-code-equals-if-not-checking-message
+    languages: [go]
+    message: Use tfawserr.ErrCodeEquals() when message parameter is empty string
+    paths:
+      include:
+        - internal/
+    patterns:
+      - pattern: tfawserr.ErrMessageContains(err, ..., "")
+    severity: ERROR

CHANGELOG.md

@@ -20,6 +20,9 @@ FEATURES:
 ENHANCEMENTS:
 
 * data-source/aws_ec2_transit_gateway: Add `multicast_support` attribute ([#22756](https://github.com/hashicorp/terraform-provider-aws/issues/22756))
+* provider: Improves error message when `Profile` and static credential environment variables are set. ([#23388](https://github.com/hashicorp/terraform-provider-aws/issues/23388))
+* provider: Makes `region` an optional parameter to allow sourcing from shared config files and IMDS ([#23384](https://github.com/hashicorp/terraform-provider-aws/issues/23384))
+* provider: Retrieves region from IMDS when credentials retrieved from IMDS. ([#23388](https://github.com/hashicorp/terraform-provider-aws/issues/23388))
 * resource/aws_ec2_fleet: Add `context` argument ([#23304](https://github.com/hashicorp/terraform-provider-aws/issues/23304))
 * resource/aws_ec2_transit_gateway: Add `multicast_support` argument ([#22756](https://github.com/hashicorp/terraform-provider-aws/issues/22756))
 * resource/aws_imagebuilder_image_pipeline: Add `schedule.timezone` argument ([#23322](https://github.com/hashicorp/terraform-provider-aws/issues/23322))
@@ -29,6 +32,7 @@ ENHANCEMENTS:
 
 BUG FIXES:
 
+* provider: Validates names of named profiles before use. ([#23388](https://github.com/hashicorp/terraform-provider-aws/issues/23388))
 * resource/aws_dms_replication_task: Allow `cdc_start_position` to be computed ([#23328](https://github.com/hashicorp/terraform-provider-aws/issues/23328))
 * resource/aws_ecs_cluster: Fix bug preventing describing clusters in ISO regions ([#23341](https://github.com/hashicorp/terraform-provider-aws/issues/23341))
 

docs/contributing/data-handling-and-conversion.md

@@ -96,7 +96,7 @@ To expand on the data handling that occurs specifically within the Terraform AWS
 
 To further understand the necessary data conversions used throughout the Terraform AWS Provider codebase between AWS Go SDK types and the Terraform Plugin SDK, the following table can be referenced for most scenarios:
 
-<!-- markdownlint-disable MD033 --->
+<!-- markdownlint-disable no-inline-html --->
 
 | AWS API Model | AWS Go SDK | Terraform Plugin SDK | Terraform Language/State |
 |---------------|------------|----------------------|--------------------------|
@@ -109,7 +109,7 @@ To further understand the necessary data conversions used throughout the Terrafo
 | `structure` | `struct` | `TypeList` (`[]interface{}` of `map[string]interface{}`) | `list(object(any))` |
 | `timestamp` | `*time.Time` | `TypeString` (typically RFC3339 formatted) | `string` |
 
-<!-- markdownlint-enable MD033 --->
+<!-- markdownlint-enable no-inline-html --->
 
 You may notice there are type encoding differences the AWS Go SDK and Terraform Plugin SDK:
 

go.mod

@@ -10,8 +10,8 @@ require (
 	github.com/beevik/etree v1.1.0
 	github.com/google/go-cmp v0.5.7
 	github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.16.0
-	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8
-	github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9
+	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.10
+	github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.11
 	github.com/hashicorp/awspolicyequivalence v1.5.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320

go.sum

@@ -196,10 +196,10 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.16.0 h1:r2RUzeK2gAitl0HY9SLH1axAEu+6aPBY20g1jOoBepM=
 github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.16.0/go.mod h1:C6GVuO9RWOrt6QCGTmLCOYuSHpkfQSBDuRqTteOlo0g=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8 h1:BlV2HAJxG5/UHMgBQ9rKrGLg6ThIkqTs6Hnr3OHOjps=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.8/go.mod h1:O0d2KtdvgHuWVQ9go3oK6BFPLht6254JIHjLfEzo+lM=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9 h1:sFb+svRVSNWtVd4JDHen7R+rd0TB3yKt8+OgbYcpamU=
-github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.9/go.mod h1:bUMECpdj5Vo+mLFC8gYUb+epVTg1ocf6xx9T7QVeK18=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.10 h1:HvzuTawTMw+enUgu4plvLJ3kgH/Gaz1MRFmZcVAnEeo=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.10/go.mod h1:O0d2KtdvgHuWVQ9go3oK6BFPLht6254JIHjLfEzo+lM=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.11 h1:GQ5vECuNqulzr2Jizlvrf4C8JcK50BFqieB/PprHYc8=
+github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.11/go.mod h1:rDvk2q2KbYHahKgYmFHJh0eM310hYWUSTTJ1LAZY4Vs=
 github.com/hashicorp/awspolicyequivalence v1.5.0 h1:tGw6h9qN1AWNBaUf4OUcdCyE/kqNBItTiyTPQeV/KUg=
 github.com/hashicorp/awspolicyequivalence v1.5.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=

internal/acctest/acctest.go

@@ -673,7 +673,7 @@ func PreCheckOrganizationsAccount(t *testing.T) {
 	conn := Provider.Meta().(*conns.AWSClient).OrganizationsConn
 	input := &organizations.DescribeOrganizationInput{}
 	_, err := conn.DescribeOrganization(input)
-	if tfawserr.ErrMessageContains(err, organizations.ErrCodeAWSOrganizationsNotInUseException, "") {
+	if tfawserr.ErrCodeEquals(err, organizations.ErrCodeAWSOrganizationsNotInUseException) {
 		return
 	}
 	if err != nil {
@@ -686,7 +686,7 @@ func PreCheckOrganizationsEnabled(t *testing.T) {
 	conn := Provider.Meta().(*conns.AWSClient).OrganizationsConn
 	input := &organizations.DescribeOrganizationInput{}
 	_, err := conn.DescribeOrganization(input)
-	if tfawserr.ErrMessageContains(err, organizations.ErrCodeAWSOrganizationsNotInUseException, "") {
+	if tfawserr.ErrCodeEquals(err, organizations.ErrCodeAWSOrganizationsNotInUseException) {
 		t.Skip("this AWS account must be an existing member of an AWS Organization")
 	}
 	if err != nil {
@@ -748,7 +748,7 @@ func PreCheckHasIAMRole(t *testing.T, roleName string) {
 	}
 	_, err := conn.GetRole(input)
 
-	if tfawserr.ErrMessageContains(err, iam.ErrCodeNoSuchEntityException, "") {
+	if tfawserr.ErrCodeEquals(err, iam.ErrCodeNoSuchEntityException) {
 		t.Skipf("skipping acceptance test: required IAM role \"%s\" is not present", roleName)
 	}
 	if PreCheckSkipError(err) {
@@ -1087,18 +1087,18 @@ func PreCheckSkipError(err error) bool {
 	// GovCloud has endpoints that respond with (no message provided after the error code):
 	// AccessDeniedException:
 	// Ignore these API endpoints that exist but are not officially enabled
-	if tfawserr.ErrMessageContains(err, "AccessDeniedException", "") {
+	if tfawserr.ErrCodeEquals(err, "AccessDeniedException") {
 		return true
 	}
 	// Ignore missing API endpoints
 	if tfawserr.ErrMessageContains(err, "RequestError", "send request failed") {
 		return true
 	}
 	// Ignore unsupported API calls
-	if tfawserr.ErrMessageContains(err, "UnknownOperationException", "") {
+	if tfawserr.ErrCodeEquals(err, "UnknownOperationException") {
 		return true
 	}
-	if tfawserr.ErrMessageContains(err, "UnsupportedOperation", "") {
+	if tfawserr.ErrCodeEquals(err, "UnsupportedOperation") {
 		return true
 	}
 	if tfawserr.ErrMessageContains(err, "InvalidInputException", "Unknown operation") {

internal/conns/conns.go

@@ -1194,14 +1194,6 @@ func (client *AWSClient) RegionalHostname(prefix string) string {
 
 // Client configures and returns a fully initialized AWSClient
 func (c *Config) Client(ctx context.Context) (interface{}, diag.Diagnostics) {
-	// Get the auth and region. This can fail if keys/regions were not
-	// specified and we're attempting to use the environment.
-	if !c.SkipRegionValidation {
-		if err := awsbase.ValidateRegion(c.Region); err != nil {
-			return nil, diag.FromErr(err)
-		}
-	}
-
 	awsbaseConfig := awsbase.Config{
 		AccessKey:               c.AccessKey,
 		APNInfo:                 StdUserAgentProducts(c.TerraformVersion),
@@ -1253,6 +1245,12 @@ func (c *Config) Client(ctx context.Context) (interface{}, diag.Diagnostics) {
 		return nil, diag.Errorf("error configuring Terraform AWS Provider: %s", err)
 	}
 
+	if !c.SkipRegionValidation {
+		if err := awsbase.ValidateRegion(cfg.Region); err != nil {
+			return nil, diag.FromErr(err)
+		}
+	}
+
 	sess, err := awsbasev1.GetSession(&cfg, &awsbaseConfig)
 	if err != nil {
 		return nil, diag.Errorf("error creating AWS SDK v1 session: %s", err)

internal/provider/provider.go

@@ -291,14 +291,9 @@ func Provider() *schema.Provider {
 			},
 			"region": {
 				Type:     schema.TypeString,
-				Required: true,
-				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
-					"AWS_REGION",
-					"AWS_DEFAULT_REGION",
-				}, nil),
+				Optional: true,
 				Description: "The region where AWS operations will take place. Examples\n" +
 					"are us-east-1, us-west-2, etc.", // lintignore:AWSAT003,
-				InputDefault: "us-east-1", // lintignore:AWSAT003
 			},
 			"s3_force_path_style": {
 				Type:       schema.TypeBool,

internal/service/accessanalyzer/README.md

@@ -1,9 +1,10 @@
 # Terraform AWS Provider AccessAnalyzer Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the AccessAnalyzer resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer)

internal/service/accessanalyzer/analyzer_test.go

@@ -165,7 +165,7 @@ func testAccCheckAccessAnalyzerAnalyzerDestroy(s *terraform.State) error {
 
 		output, err := conn.GetAnalyzer(input)
 
-		if tfawserr.ErrMessageContains(err, accessanalyzer.ErrCodeResourceNotFoundException, "") {
+		if tfawserr.ErrCodeEquals(err, accessanalyzer.ErrCodeResourceNotFoundException) {
 			continue
 		}
 

internal/service/acm/README.md

@@ -1,9 +1,10 @@
 # Terraform AWS Provider ACM Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the ACM resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate)

internal/service/acm/certificate_test.go

@@ -780,7 +780,7 @@ func testAccCheckAcmCertificateDestroy(s *terraform.State) error {
 		}
 
 		// Verify the error is what we want
-		if !tfawserr.ErrMessageContains(err, acm.ErrCodeResourceNotFoundException, "") {
+		if !tfawserr.ErrCodeEquals(err, acm.ErrCodeResourceNotFoundException) {
 			return err
 		}
 	}

internal/service/acmpca/README.md

@@ -1,9 +1,10 @@
 # Terraform AWS Provider ACMPCA Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the ACMPCA resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate)

internal/service/acmpca/certificate_authority_test.go

@@ -514,7 +514,7 @@ func testAccCheckCertificateAuthorityDestroy(s *terraform.State) error {
 		output, err := conn.DescribeCertificateAuthority(input)
 
 		if err != nil {
-			if tfawserr.ErrMessageContains(err, acmpca.ErrCodeResourceNotFoundException, "") {
+			if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
 				return nil
 			}
 			return err

internal/service/acmpca/sweep.go

@@ -54,7 +54,7 @@ func sweepCertificateAuthorities(region string) error {
 				CertificateAuthorityArn: aws.String(arn),
 				Status:                  aws.String(acmpca.CertificateAuthorityStatusDisabled),
 			})
-			if tfawserr.ErrMessageContains(err, acmpca.ErrCodeResourceNotFoundException, "") {
+			if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
 				continue
 			}
 			if err != nil {
@@ -70,7 +70,7 @@ func sweepCertificateAuthorities(region string) error {
 			CertificateAuthorityArn:     aws.String(arn),
 			PermanentDeletionTimeInDays: aws.Int64(7),
 		})
-		if tfawserr.ErrMessageContains(err, acmpca.ErrCodeResourceNotFoundException, "") {
+		if tfawserr.ErrCodeEquals(err, acmpca.ErrCodeResourceNotFoundException) {
 			continue
 		}
 		if err != nil {

internal/service/amp/README.md

@@ -1,11 +1,12 @@
 # Terraform AWS Provider AMP Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 AMP (**A**mazon **M**anaged Service for **P**rometheus) is also called just _Prometheus_ or _Prometheus Service_.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the Prometheus resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace)

internal/service/amp/workspace_test.go

@@ -171,7 +171,7 @@ func testAccCheckAMPWorkspaceDestroy(s *terraform.State) error {
 		_, err := conn.DescribeWorkspace(&prometheusservice.DescribeWorkspaceInput{
 			WorkspaceId: aws.String(rs.Primary.ID),
 		})
-		if tfawserr.ErrMessageContains(err, prometheusservice.ErrCodeResourceNotFoundException, "") {
+		if tfawserr.ErrCodeEquals(err, prometheusservice.ErrCodeResourceNotFoundException) {
 			continue
 		}
 

internal/service/amplify/README.md

@@ -1,9 +1,10 @@
 # Terraform AWS Provider Amplify Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the Amplify resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_app)

internal/service/apigateway/README.md

@@ -1,9 +1,10 @@
 # Terraform AWS Provider APIGateway Package
-<!-- markdownlint-disable MD026 -->
+
 This area is primarily for AWS provider contributors and maintainers. For information on _using_ Terraform and the AWS provider, see the links below.
 
 
 ## Handy Links
+
 * [Find out about contributing](../../../docs/contributing) to the AWS provider!
 * AWS Provider Docs: [Home](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 * AWS Provider Docs: [One of the APIGateway resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account)

internal/service/apigateway/api_key.go

@@ -209,7 +209,7 @@ func resourceAPIKeyDelete(d *schema.ResourceData, meta interface{}) error {
 		ApiKey: aws.String(d.Id()),
 	})
 
-	if tfawserr.ErrMessageContains(err, apigateway.ErrCodeNotFoundException, "") {
+	if tfawserr.ErrCodeEquals(err, apigateway.ErrCodeNotFoundException) {
 		return nil
 	}