hashicorp · gdavison · Feb 10, 2022 · Feb 9, 2022 · Feb 9, 2022 · Feb 9, 2022
@@ -0,0 +1,7 @@
+```release-note:enhancement
+provider: Add support for `shared_credentials_files` parameter and deprecates `shared_credentials_file`
+```
+
+```release-note:enhancement
+provider: Changes `shared_config_file` parameter to `shared_config_files`
+```
@@ -871,8 +871,8 @@ type Config struct {
 	Region                         string
 	S3UsePathStyle                 bool
 	SecretKey                      string
-	SharedConfigFile               string
-	SharedCredentialsFile          string
+	SharedConfigFiles              []string
+	SharedCredentialsFiles         []string
 	SkipCredsValidation            bool
 	SkipGetEC2Platforms            bool
 	SkipMetadataApiCheck           bool
@@ -1225,12 +1225,12 @@ func (c *Config) Client() (interface{}, error) {
 		awsbaseConfig.EC2MetadataServiceEndpointMode = c.EC2MetadataServiceEndpointMode
 	}
 
-	if c.SharedConfigFile != "" {
-		awsbaseConfig.SharedConfigFiles = []string{c.SharedConfigFile}
+	if len(c.SharedConfigFiles) != 0 {
+		awsbaseConfig.SharedConfigFiles = c.SharedConfigFiles
 	}
 
-	if c.SharedCredentialsFile != "" {
-		awsbaseConfig.SharedCredentialsFiles = []string{c.SharedCredentialsFile}
+	if len(c.SharedCredentialsFiles) != 0 {
+		awsbaseConfig.SharedCredentialsFiles = c.SharedCredentialsFiles
 	}
 
 	ctx := context.Background()

@@ -315,18 +315,26 @@ func Provider() *schema.Provider {
 				Description: "The secret key for API operations. You can retrieve this\n" +
 					"from the 'Security & Credentials' section of the AWS console.",
 			},
-			"shared_config_file": {
-				Type:        schema.TypeString,
+			"shared_config_files": {
+				Type:        schema.TypeList,
 				Optional:    true,
-				Default:     "",
-				Description: "The path to the shared config file. If not set, defaults to ~/.aws/config.",
+				Description: "List of paths to shared config files. If not set, defaults to [~/.aws/config].",
+				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
 			"shared_credentials_file": {
-				Type:     schema.TypeString,
-				Optional: true,
-				Default:  "",
-				Description: "The path to the shared credentials file. If not set\n" +
-					"this defaults to ~/.aws/credentials.",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Default:       "",
+				Deprecated:    "Use shared_credentials_files instead.",
+				ConflictsWith: []string{"shared_credentials_files"},
+				Description:   "The path to the shared credentials file. If not set, defaults to ~/.aws/credentials.",
+			},
+			"shared_credentials_files": {
+				Type:          schema.TypeList,
+				Optional:      true,
+				ConflictsWith: []string{"shared_credentials_file"},
+				Description:   "List of paths to shared credentials files. If not set, defaults to [~/.aws/credentials].",
+				Elem:          &schema.Schema{Type: schema.TypeString},
 			},
 			"skip_credentials_validation": {
 				Type:     schema.TypeBool,
@@ -1891,8 +1899,6 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa
 		Region:                         d.Get("region").(string),
 		S3UsePathStyle:                 d.Get("s3_use_path_style").(bool) || d.Get("s3_force_path_style").(bool),
 		SecretKey:                      d.Get("secret_key").(string),
-		SharedConfigFile:               d.Get("shared_config_file").(string),
-		SharedCredentialsFile:          d.Get("shared_credentials_file").(string),
 		SkipCredsValidation:            d.Get("skip_credentials_validation").(bool),
 		SkipGetEC2Platforms:            d.Get("skip_get_ec2_platforms").(bool),
 		SkipMetadataApiCheck:           d.Get("skip_metadata_api_check").(bool),
@@ -1904,6 +1910,25 @@ func providerConfigure(d *schema.ResourceData, terraformVersion string) (interfa
 		UseFIPSEndpoint:                d.Get("use_fips_endpoint").(bool),
 	}
 
+	if raw := d.Get("shared_config_files").([]interface{}); len(raw) != 0 {
+		l := make([]string, len(raw))
+		for i, v := range raw {
+			l[i] = v.(string)
+		}
+		config.SharedConfigFiles = l
+	}
+
+	if v := d.Get("shared_credentials_file").(string); v != "" {
+		config.SharedCredentialsFiles = []string{v}
+	}
+	if raw := d.Get("shared_credentials_files").([]interface{}); len(raw) != 0 {
+		l := make([]string, len(raw))
+		for i, v := range raw {
+			l[i] = v.(string)
+		}
+		config.SharedCredentialsFiles = l
+	}
+
 	if l, ok := d.Get("assume_role").([]interface{}); ok && len(l) > 0 && l[0] != nil {
 		config.AssumeRole = expandAssumeRole(l[0].(map[string]interface{}))
 		log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName, config.AssumeRole.ExternalID)

@@ -102,6 +102,13 @@ Version 4.0.0 adds these new provider arguments:
 * `ec2_metadata_service_endpoint` - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
 * `ec2_metadata_service_endpoint_mode` - Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
 * `s3_use_path_style` - Replaces `s3_force_path_style`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
+* `shared_config_files` - List of paths to AWS shared config files.
+  If not set, the default is `[~/.aws/config]`.
+  A single value can also be set with the `AWS_CONFIG_FILE` environment variable.
+* `shared_credentials_files` - List of paths to the shared credentials file.
+  If not set, the default  is `[~/.aws/credentials]`.
+  A single value can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.
+  Replaces `shared_credentials_file`, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
 * `use_dualstack_endpoint` - Force the provider to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`).
 * `use_fips_endpoint` - Force the provider to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`).
 

@@ -117,18 +117,18 @@ $ terraform plan
 You can use [AWS credentials or configuration files](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) to specify your credentials and configuration.
 The default locations are `$HOME/.aws/credentials` and `$HOME/.aws/config` on Linux and macOS,
 or `"%USERPROFILE%\.aws\credentials"` and `"%USERPROFILE%\.aws\config"`on Windows.
-You can optionally specify a different location in the Terraform configuration by providing the `shared_credentials_file` and `shared_config_file` arguments or
+You can optionally specify a different location in the Terraform configuration by providing the `shared_credentials_files` and `shared_config_files` arguments or
 using the `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` environment variables.
 This method also supports the `profile` configuration or corresponding `AWS_PROFILE` environment variable:
 
 Usage:
 
 ```terraform
 provider "aws" {
-  region                  = "us-west-2"
-  shared_config_file      = "/Users/tf_user/.aws/config"
-  shared_credentials_file = "/Users/tf_user/.aws/creds"
-  profile                 = "customprofile"
+  region                   = "us-west-2"
+  shared_config_files      = ["/Users/tf_user/.aws/conf"]
+  shared_credentials_files = ["/Users/tf_user/.aws/creds"]
+  profile                  = "customprofile"
 }
 ```
 
@@ -205,8 +205,9 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 * `s3_force_path_style` - (Optional, **Deprecated**) Whether to enable the request to use path-style addressing, i.e., `https://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `https://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service.
 * `s3_use_path_style` - (Optional) Whether to enable the request to use path-style addressing, i.e., `https://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `https://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service.
 * `secret_key` - (Optional) AWS secret key. Can also be set with the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared credentials file if `profile` is used. See also `access_key`.
-* `shared_config_file` = (Optional) Path to the AWS shared config file. If not set, the default is `~/.aws/config`. Can also be set with the `AWS_CONFIG_FILE` environment variable.
-* `shared_credentials_file` = (Optional) Path to the shared credentials file. If not set and a profile is used, the default value is `~/.aws/credentials`. Can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.
+* `shared_config_files` = (Optional) List of paths to AWS shared config files. If not set, the default is `[~/.aws/config]`. A single value can also be set with the `AWS_CONFIG_FILE` environment variable.
+* `shared_credentials_file` = (Optional, **Deprecated**) Path to the shared credentials file. If not set and a profile is used, the default value is `~/.aws/credentials`. Can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.
+* `shared_credentials_files` = (Optional) List of paths to the shared credentials file. If not set and a profile is used, the default value is `[~/.aws/credentials]`. A single value can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.
 * `skip_credentials_validation` - (Optional) Whether to skip credentials validation via the STS API. This can be useful for testing and for AWS API implementations that do not have STS available.
 * `skip_get_ec2_platforms` - (Optional) Whether to skip getting the supported EC2 platforms. Can be used when you do not have `ec2:DescribeAccountAttributes` permissions.
 * `skip_metadata_api_check` - (Optional) Whether to skip the AWS Metadata API check.  Useful for AWS API implementations that do not have a metadata API endpoint.  Setting to `true` prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.