Feature: support for overriding the AWS Endpoints the provider users

CHANGELOG.md

@@ -1,4 +1,9 @@
 ## 1.8.0 (Unreleased)
+
+FEATURES:
+
+* provider: Add `endpoints` argument
+
 ## 1.7.0 (July 25, 2024)
 
 FEATURES:

docs/index.md

@@ -236,6 +236,7 @@ credential_process = custom-process --username jdoe
 - `access_key` (String) This is the AWS access key. It must be provided, but it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified.
 - `assume_role` (Attributes) An `assume_role` block (documented below). Only one `assume_role` block may be in the configuration. (see [below for nested schema](#nestedatt--assume_role))
 - `assume_role_with_web_identity` (Attributes) An `assume_role_with_web_identity` block (documented below). Only one `assume_role_with_web_identity` block may be in the configuration. (see [below for nested schema](#nestedatt--assume_role_with_web_identity))
+- `endpoints` (Attributes) An `endpoints` block (documented below). Only one `endpoints` block may be in the configuration. (see [below for nested schema](#nestedatt--endpoints))
 - `http_proxy` (String) URL of a proxy to use for HTTP requests when accessing the AWS API. Can also be set using the `HTTP_PROXY` or `http_proxy` environment variables.
 - `https_proxy` (String) URL of a proxy to use for HTTPS requests when accessing the AWS API. Can also be set using the `HTTPS_PROXY` or `https_proxy` environment variables.
 - `insecure` (Boolean) Explicitly allow the provider to perform "insecure" SSL requests. If not set, defaults to `false`.
@@ -287,6 +288,17 @@ Optional:
 - `web_identity_token_file` (String) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider. Can also be set with the  environment variable`AWS_WEB_IDENTITY_TOKEN_FILE`. One of `web_identity_token_file` or `web_identity_token` is required.
 
 
+<a id="nestedatt--endpoints"></a>
+### Nested Schema for `endpoints`
+
+Optional:
+
+- `cloudcontrolapi` (String) Use this to override the default Cloud Control API service endpoint URL
+- `iam` (String) Use this to override the default IAM service endpoint URL
+- `sso` (String) Use this to override the default SSO service endpoint URL
+- `sts` (String) Use this to override the default STS service endpoint URL
+
+
 <a id="nestedatt--user_agent"></a>
 ### Nested Schema for `user_agent`
 

internal/provider/provider.go

@@ -167,6 +167,28 @@ func (p *ccProvider) Schema(ctx context.Context, request provider.SchemaRequest,
 				Optional:    true,
 				Description: "An `assume_role_with_web_identity` block (documented below). Only one `assume_role_with_web_identity` block may be in the configuration.",
 			},
+			"endpoints": schema.SingleNestedAttribute{
+				Attributes: map[string]schema.Attribute{
+					"cloudcontrolapi": schema.StringAttribute{
+						Optional:    true,
+						Description: "Use this to override the default Cloud Control API service endpoint URL",
+					},
+					"iam": schema.StringAttribute{
+						Optional:    true,
+						Description: "Use this to override the default IAM service endpoint URL",
+					},
+					"sso": schema.StringAttribute{
+						Optional:    true,
+						Description: "Use this to override the default SSO service endpoint URL",
+					},
+					"sts": schema.StringAttribute{
+						Optional:    true,
+						Description: "Use this to override the default STS service endpoint URL",
+					},
+				},
+				Optional:    true,
+				Description: "An `endpoints` block (documented below). Only one `endpoints` block may be in the configuration.",
+			},
 			"http_proxy": schema.StringAttribute{
 				Description: "URL of a proxy to use for HTTP requests when accessing the AWS API. Can also be set using the `HTTP_PROXY` or `http_proxy` environment variables.",
 				Optional:    true,
@@ -255,6 +277,7 @@ type config struct {
 	AccessKey                 types.String                   `tfsdk:"access_key"`
 	AssumeRole                *assumeRoleData                `tfsdk:"assume_role"`
 	AssumeRoleWithWebIdentity *assumeRoleWithWebIdentityData `tfsdk:"assume_role_with_web_identity"`
+	Endpoints                 *endpointData                  `tfsdk:"endpoints"`
 	HTTPProxy                 types.String                   `tfsdk:"http_proxy"`
 	HTTPSProxy                types.String                   `tfsdk:"https_proxy"`
 	Insecure                  types.Bool                     `tfsdk:"insecure"`
@@ -291,6 +314,13 @@ type assumeRoleData struct {
 	TransitiveTagKeys types.Set        `tfsdk:"transitive_tag_keys"`
 }
 
+type endpointData struct {
+	CloudControlAPI types.String `tfsdk:"cloudcontrolapi"`
+	IAM             types.String `tfsdk:"iam"`
+	SSO             types.String `tfsdk:"sso"`
+	STS             types.String `tfsdk:"sts"`
+}
+
 func (a assumeRoleData) Config() *awsbase.AssumeRole {
 	assumeRole := &awsbase.AssumeRole{
 		Duration:    a.Duration.ValueDuration(),
@@ -495,6 +525,16 @@ func newProviderData(ctx context.Context, c *config) (*providerData, diag.Diagno
 		awsbaseConfig.EC2MetadataServiceEnableState = imds.ClientEnabled
 	}
 
+	if !c.Endpoints.IAM.IsNull() {
+		awsbaseConfig.IamEndpoint = c.Endpoints.IAM.ValueString()
+	}
+	if !c.Endpoints.SSO.IsNull() {
+		awsbaseConfig.SsoEndpoint = c.Endpoints.SSO.ValueString()
+	}
+	if !c.Endpoints.STS.IsNull() {
+		awsbaseConfig.StsEndpoint = c.Endpoints.STS.ValueString()
+	}
+
 	_, cfg, awsDiags := awsbase.GetAwsConfig(ctx, &awsbaseConfig)
 
 	for _, d := range awsDiags {
@@ -510,8 +550,14 @@ func newProviderData(ctx context.Context, c *config) (*providerData, diag.Diagno
 		return nil, diags
 	}
 
+	ccAPIClient := cloudcontrol.NewFromConfig(cfg, func(o *cloudcontrol.Options) {
+		if !c.Endpoints.CloudControlAPI.IsNull() {
+			o.BaseEndpoint = flex.StringFromFramework(ctx, c.Endpoints.CloudControlAPI)
+		}
+	})
+
 	providerData := &providerData{
-		ccAPIClient: cloudcontrol.NewFromConfig(cfg),
+		ccAPIClient: ccAPIClient,
 		logger:      logger,
 		region:      cfg.Region,
 		roleARN:     c.RoleARN.ValueString(),