From 6088002a2db9a5229f01e6f8c8972000881bcb98 Mon Sep 17 00:00:00 2001
From: Andrew den Hertog
Date: Thu, 5 Oct 2023 11:46:38 -0400
Subject: [PATCH 1/2] fix(s3): allow aliases for kms key

---
 internal/backend/remote-state/s3/validate.go | 15 +++++++++++++--
 .../backend/remote-state/s3/validate_test.go | 16 ----------------
 2 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/internal/backend/remote-state/s3/validate.go b/internal/backend/remote-state/s3/validate.go
index 4fdda0ce51..2865acd5b2 100644
--- a/internal/backend/remote-state/s3/validate.go
+++ b/internal/backend/remote-state/s3/validate.go
@@ -21,6 +21,7 @@ import (
 const (
 multiRegionKeyIdPattern = `mrk-[a-f0-9]{32}`
 uuidRegexPattern = `[a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[ab89][a-f0-9]{3}-[a-f0-9]{12}`
+ aliasRegexPattern = `alias/(.*)`
 )
 
 func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
@@ -31,7 +32,7 @@ func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
 }
 
 func validateKMSKeyID(path cty.Path, s string) (diags tfdiags.Diagnostics) {
- keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `$`)
+ keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `|` + aliasRegexPattern + `$`)
 if !keyIdRegex.MatchString(s) {
 diags = diags.Append(tfdiags.AttributeValue(
 tfdiags.Error,
@@ -71,7 +72,7 @@ func validateKMSKeyARN(path cty.Path, s string) (diags tfdiags.Diagnostics) {
 }
 
 func isKeyARN(arn arn.ARN) bool {
- return keyIdFromARNResource(arn.Resource) != ""
+ return keyIdFromARNResource(arn.Resource) != "" || aliasIdFromARNResource(arn.Resource) != ""
 }
 
 func keyIdFromARNResource(s string) string {
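Review bot: The alternation built in validateKMSKeyID is not grouped, so in Go's regexp the `^` anchors only the UUID alternative and the `$` anchors only the new alias alternative; a string that merely ends in `alias/<anything>`, contains an `mrk-` id anywhere, or starts with a UUID followed by trailing characters will pass validation. Group the alternatives before anchoring: `keyIdRegex := regexp.MustCompile(`^(?:` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `|` + aliasRegexPattern + `)$`)`. The ungrouped form predates this patch, but adding a third, `.*`-based alternative widens what slips through, and the second patch on this page narrows the alias character set without fixing the anchoring. The practical impact is presumably a late, less helpful failure from AWS rather than a bypass, since the value is still sent to KMS. validateKMSKeyID continues past the end of this hunk.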
@@ -84,6 +85,16 @@ func keyIdFromARNResource(s string) string {
 return matches[1]
 }
 
+func aliasIdFromARNResource(s string) string {
+ aliasIdResourceRegex := regexp.MustCompile(`^` + aliasRegexPattern + `$`)
+ matches := aliasIdResourceRegex.FindStringSubmatch(s)
+ if matches == nil || len(matches) != 2 {
+ return ""
+ }
+
+ return matches[1]
+}
+
 type stringValidator func(val string, path cty.Path, diags *tfdiags.Diagnostics)
 
 func validateStringNotEmpty(val string, path cty.Path, diags *tfdiags.Diagnostics) {
diff --git a/internal/backend/remote-state/s3/validate_test.go b/internal/backend/remote-state/s3/validate_test.go
index 4dad4f838c..6354356df7 100644
--- a/internal/backend/remote-state/s3/validate_test.go
+++ b/internal/backend/remote-state/s3/validate_test.go
@@ -38,25 +38,9 @@ func TestValidateKMSKey(t *testing.T) {
 },
 "kms key alias": {
 in: "alias/arbitrary-key",
- expected: tfdiags.Diagnostics{
- tfdiags.AttributeValue(
- tfdiags.Error,
- "Invalid KMS Key ID",
- `Value must be a valid KMS Key ID, got "alias/arbitrary-key"`,
- path,
- ),
- },
 },
 "kms key alias arn": {
 in: "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key",
- expected: tfdiags.Diagnostics{
- tfdiags.AttributeValue(
- tfdiags.Error,
- "Invalid KMS Key ARN",
- `Value must be a valid KMS Key ARN, got "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key"`,
- path,
- ),
- },
 },
 "invalid key": {
 in: "$%wrongkey",

From a87a7eb4041fa23489b622b229d4a54dd6779190 Mon Sep 17 00:00:00 2001
From: Jared Baker
Date: Mon, 9 Oct 2023 15:57:18 -0400
Subject: [PATCH 2/2] backend/s3: use aws alias name regex pattern

---
 internal/backend/remote-state/s3/validate.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/backend/remote-state/s3/validate.go b/internal/backend/remote-state/s3/validate.go
index 2865acd5b2..01fcbd11bc 100644
--- a/internal/backend/remote-state/s3/validate.go
+++ b/internal/backend/remote-state/s3/validate.go
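Review bot: Removing the expected diagnostics turns both alias cases into accept-only checks, and no rejecting alias case is added, so the table cannot detect an alias pattern that is too permissive. I would add at least one case that must still produce the "Invalid KMS Key ID" diagnostic, e.g. `"kms key alias with prefix": {in: "junk alias/arbitrary-key", expected: ...}`, plus an alias name containing a character outside the set the second patch allows (such as a space or `$`), and an ARN-form counterpart for validateKMSKeyARN. The test table and the function that iterates it begin before this hunk.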
@@ -21,7 +21,7 @@ import (
 const (
 multiRegionKeyIdPattern = `mrk-[a-f0-9]{32}`
 uuidRegexPattern = `[a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[ab89][a-f0-9]{3}-[a-f0-9]{12}`
- aliasRegexPattern = `alias/(.*)`
+ aliasRegexPattern = `alias/[a-zA-Z0-9/_-]+`
 )
 
 func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
@@ -86,7 +86,7 @@ func keyIdFromARNResource(s string) string {
 }
 
 func aliasIdFromARNResource(s string) string {
- aliasIdResourceRegex := regexp.MustCompile(`^` + aliasRegexPattern + `$`)
+ aliasIdResourceRegex := regexp.MustCompile(`^(` + aliasRegexPattern + `)$`)
 matches := aliasIdResourceRegex.FindStringSubmatch(s)
 if matches == nil || len(matches) != 2 {
 return ""
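Review bot: With the capture group now wrapping the whole pattern, `matches[1]` is the full `alias/<name>` resource string rather than the alias name, so aliasIdFromARNResource no longer returns what its name suggests; the only visible caller, isKeyARN, compares the result against `""`, so nothing breaks today, but the next caller is likely to assume a bare name. Either keep the group inside the constant (`alias/([a-zA-Z0-9/_-]+)`) or state the contract above the function: `// aliasIdFromARNResource returns the "alias/<name>" resource portion of a KMS alias ARN, including the alias/ prefix, or "" when s is not a valid alias resource.` The regexp is also compiled on every call; a package-level `var aliasIdResourceRegex = regexp.MustCompile(...)` is the usual Go idiom, though keyIdFromARNResource may follow the same per-call pattern and its body is outside this hunk. The function's closing brace is also outside the hunk.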