Merge pull request #33993 from andrewhertog/fix/s3-backend-kms-alias

fix(s3): allow aliases for kms key
pull/34045/head
Jared Baker 3 years ago committed by GitHub
commit 95d56b567d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -21,6 +21,7 @@ import (
const (
multiRegionKeyIdPattern = `mrk-[a-f0-9]{32}`
uuidRegexPattern = `[a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[ab89][a-f0-9]{3}-[a-f0-9]{12}`
aliasRegexPattern = `alias/[a-zA-Z0-9/_-]+`
)
func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
@ -31,7 +32,7 @@ func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
}
func validateKMSKeyID(path cty.Path, s string) (diags tfdiags.Diagnostics) {
keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `$`)
keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `|` + aliasRegexPattern + `$`)
if !keyIdRegex.MatchString(s) {
diags = diags.Append(tfdiags.AttributeValue(
tfdiags.Error,
@ -71,7 +72,7 @@ func validateKMSKeyARN(path cty.Path, s string) (diags tfdiags.Diagnostics) {
}
func isKeyARN(arn arn.ARN) bool {
return keyIdFromARNResource(arn.Resource) != ""
return keyIdFromARNResource(arn.Resource) != "" || aliasIdFromARNResource(arn.Resource) != ""
}
func keyIdFromARNResource(s string) string {
@ -84,6 +85,16 @@ func keyIdFromARNResource(s string) string {
return matches[1]
}
func aliasIdFromARNResource(s string) string {
aliasIdResourceRegex := regexp.MustCompile(`^(` + aliasRegexPattern + `)$`)
matches := aliasIdResourceRegex.FindStringSubmatch(s)
if matches == nil || len(matches) != 2 {
return ""
}
return matches[1]
}
type stringValidator func(val string, path cty.Path, diags *tfdiags.Diagnostics)
func validateStringNotEmpty(val string, path cty.Path, diags *tfdiags.Diagnostics) {
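Review bot: The key-ID pattern in validateKMSKeyID is not anchored as a whole. Alternation binds loosest, so in `^` + uuid + `|` + mrk + `|` + alias + `$` the `^` covers only the UUID branch and the `$` only the new alias branch, and the multi-region branch has no anchor at all. A value with arbitrary leading text that merely ends in `alias/name` (or contains an `mrk-…` id anywhere) therefore passes this check, so a mistyped or malformed `kms_key_id` is only rejected later by AWS, if at all. Grouping the alternatives closes this: `keyIdRegex := regexp.MustCompile("^(?:" + uuidRegexPattern + "|" + multiRegionKeyIdPattern + "|" + aliasRegexPattern + ")$")`; the new aliasIdFromARNResource already wraps its pattern in `^(`…`)$`. The body of validateKMSKeyID continues outside the hunk, so confirm that no later check compensates; a test case with a prefixed alias value expecting "Invalid KMS Key ID" would pin the behaviour.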

@ -38,25 +38,9 @@ func TestValidateKMSKey(t *testing.T) {
},
"kms key alias": {
in: "alias/arbitrary-key",
expected: tfdiags.Diagnostics{
tfdiags.AttributeValue(
tfdiags.Error,
"Invalid KMS Key ID",
`Value must be a valid KMS Key ID, got "alias/arbitrary-key"`,
path,
),
},
},
"kms key alias arn": {
in: "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key",
expected: tfdiags.Diagnostics{
tfdiags.AttributeValue(
tfdiags.Error,
"Invalid KMS Key ARN",
`Value must be a valid KMS Key ARN, got "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key"`,
path,
),
},
},
"invalid key": {
in: "$%wrongkey",
