From a02c7cec536ced84f4e732e712b09eab3d81123d Mon Sep 17 00:00:00 2001
From: Jared Baker
Date: Thu, 24 Aug 2023 15:19:44 -0400
Subject: [PATCH] backend/s3: add http_proxy and related arguments
---
 CHANGELOG.md | 1 +
 internal/backend/remote-state/s3/backend.go | 54 +++++++++++++++++++
 .../docs/language/settings/backends/s3.mdx | 6 ++-
 3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a8fd11412..a965c571fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ ENHANCEMENTS:
 * Internally the backend now uses AWS SDK for Go v2, which should address various other missing behaviors that are handled by the SDK rather than by Terraform itself. ([#30443](https://github.com/hashicorp/terraform/issues/30443))
 * `custom_ca_bundle` argument and support for the corresponding AWS environment variable, `AWS_CA_BUNDLE`, for providing custom root and intermediate certificates. ([#33689](https://github.com/hashicorp/terraform/issues/33689))
 * `ec2_metadata_service_endpoint` and `ec2_metadata_service_endpoint_mode` arguments and support for the corresponding AWS environment variables, `AWS_EC2_METADATA_SERVICE_ENDPOINT` and `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` for setting the EC2 metadata service (IMDS) endpoint. The environment variable `AWS_METADATA_URL` is also supported for compatibility with the AWS provider, but is deprecated. ([#30444](https://github.com/hashicorp/terraform/issues/30444))
+ * `http_proxy`, `insecure`, `use_fips_endpoint`, and `use_dualstack_endpoint` arguments and support for the corresponding environment variables, `HTTP_PROXY` and `HTTPS_PROXY`, which enable custom HTTP proxy configurations and the use of alternative AWS endpoints. ([#30496](https://github.com/hashicorp/terraform/issues/30496))
 * backend/cos: Support custom HTTP(S) endpoint and root domain for the API client. [#33656]
 
 BUG FIXES:
diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go
index e12f697a39..79128edceb 100644
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@@ -301,6 +301,27 @@ func (b *Backend) ConfigSchema() *configschema.Block {
 Optional: true,
 Description: "File containing custom root and intermediate certificates.",
 },
+
+ "http_proxy": {
+ Type: cty.String,
+ Optional: true,
+ Description: "Address of an HTTP proxy to use when accessing the AWS API.",
+ },
+ "insecure": {
+ Type: cty.Bool,
+ Optional: true,
+ Description: "Whether to explicitly allow the backend to perform insecure SSL requests.",
+ },
+ "use_fips_endpoint": {
+ Type: cty.Bool,
+ Optional: true,
+ Description: "Force the backend to resolve endpoints with FIPS capability.",
+ },
+ "use_dualstack_endpoint": {
+ Type: cty.Bool,
+ Optional: true,
+ Description: "Force the backend to resolve endpoints with DualStack capability.",
+ },
 },
 }
 }
@@ -748,6 +769,23 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 cfg.AssumeRoleWithWebIdentity = ar
 }
 
+ if v, ok := retrieveArgument(&diags,
+ newAttributeRetriever(obj, cty.GetAttrPath("http_proxy")),
+ newEnvvarRetriever("HTTP_PROXY"),
+ newEnvvarRetriever("HTTPS_PROXY"),
+ ); ok {
+ cfg.HTTPProxy = v
+ }
+ if val, ok := boolAttrOk(obj, "insecure"); ok {
+ cfg.Insecure = val
+ }
+ if val, ok := boolAttrDefaultEnvVarOk(obj, "use_fips_endpoint", "AWS_USE_FIPS_ENDPOINT"); ok {
+ cfg.UseFIPSEndpoint = val
+ }
+ if val, ok := boolAttrDefaultEnvVarOk(obj, "use_dualstack_endpoint", "AWS_USE_DUALSTACK_ENDPOINT"); ok {
+ cfg.UseDualStackEndpoint = val
+ }
+
 _ /* ctx */, awsConfig, cfgDiags := awsbase.GetAwsConfig(ctx, cfg)
 for _, diag := range cfgDiags {
 var severity tfdiags.Severity
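Review bot: In the Configure hunk, `cfg.Insecure = val` applies a setting that, if `cfg.Insecure` keeps the meaning its name and the schema description give it, disables TLS certificate verification for the backend's AWS calls, yet the operator gets no signal at plan or apply time that state is now moving over unverified connections. Consider emitting a warning where the value is applied, e.g. `if val { diags = diags.Append(tfdiags.Sourceless(tfdiags.Warning, "TLS verification disabled for S3 backend", "The insecure argument is set; certificate checks are skipped and state could be read or altered in transit.")) }` right after `cfg.Insecure = val`. The schema description for `insecure` in the earlier hunk would also serve users better as "Disable TLS certificate verification when accessing the AWS API (not recommended)." Separately, the proxy fallback consults only the upper-case `HTTP_PROXY` and `HTTPS_PROXY`; whether the lower-case variants and `NO_PROXY` that Go's `http.ProxyFromEnvironment` honors still take effect depends on how awsbase applies `cfg.HTTPProxy`, which is worth confirming and stating in the docs. Configure's body continues outside the hunk.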
@@ -979,6 +1017,22 @@ func boolAttrOk(obj cty.Value, name string) (bool, bool) {
 }
 }
 
+// boolAttrDefaultEnvVarOk checks for a configured bool argument or a non-empty
+// value in any of the provided environment variables. If any of the environment
+// variables are non-empty, to boolean is considered true.
+func boolAttrDefaultEnvVarOk(obj cty.Value, name string, envvars ...string) (bool, bool) {
+ if val := obj.GetAttr(name); val.IsNull() {
+ for _, envvar := range envvars {
+ if v := os.Getenv(envvar); v != "" {
+ return true, true
+ }
+ }
+ return false, false
+ } else {
+ return val.True(), true
+ }
+}
+
 func intAttr(obj cty.Value, name string) int {
 v, _ := intAttrOk(obj, name)
 return v
diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx
index 752552b836..7edcb692e5 100644
--- a/website/docs/language/settings/backends/s3.mdx
+++ b/website/docs/language/settings/backends/s3.mdx
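Review bot: `boolAttrDefaultEnvVarOk` returns true for any non-empty environment variable, so `AWS_USE_FIPS_ENDPOINT=false` or `=0` in the environment silently enables the FIPS endpoint, the opposite of what the AWS SDK's handling of that variable and the new s3.mdx wording lead a user to expect. Parsing the value with `strconv.ParseBool` and treating an unparsable value as unset fixes the inversion; `strconv` is not imported within this hunk, so the file's import block would need updating, and a diagnostic for the unparsable case would need the signature to take `*tfdiags.Diagnostics` the way `retrieveArgument` does, which the rewrite below leaves for a follow-up. The doc comment also has a typo, `to boolean` should read `the boolean`, and the `else` after a terminating `return` goes away once the non-null attribute is handled first. The function is fully contained in the hunk.
```go
// boolAttrDefaultEnvVarOk returns the configured bool argument if it is set.
// Otherwise it falls back to the first non-empty environment variable in
// envvars, parsed with strconv.ParseBool so that "false" or "0" disable the
// option rather than enable it. A value that does not parse is treated as
// unset; the second result reports whether a value was found.
func boolAttrDefaultEnvVarOk(obj cty.Value, name string, envvars ...string) (bool, bool) {
	if val := obj.GetAttr(name); !val.IsNull() {
		return val.True(), true
	}
	for _, envvar := range envvars {
		v := os.Getenv(envvar)
		if v == "" {
			continue
		}
		b, err := strconv.ParseBool(v)
		if err != nil {
			// TODO(review): report the unparsable value as a diagnostic instead of ignoring it.
			return false, false
		}
		return b, true
	}
	return false, false
}
```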
@@ -154,13 +154,15 @@ The following configuration is optional: * `access_key` - (Optional) AWS access key. If configured, must also configure `secret_key`. This can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, AWS shared credentials file (e.g. `~/.aws/credentials`), or AWS shared configuration file (e.g. `~/.aws/config`). * `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable. Setting ca_bundle in the shared config file is not supported. -* `secret_key` - (Optional) AWS access key. If configured, must also configure `access_key`. This can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable, AWS shared credentials file (e.g. `~/.aws/credentials`), or AWS shared configuration file (e.g. `~/.aws/config`). * `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable. * `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable. +* `http_proxy` - (Optional) Address of an HTTP proxy to use when accessing the AWS API. Can also be set using the `HTTP_PROXY` or `HTTPS_PROXY` environment variables. * `iam_endpoint` - (Optional, **Deprecated**) Custom endpoint for the AWS Identity and Access Management (IAM) API. Use `endpoints.iam` instead. +* `insecure` - (Optional) Whether to explicitly allow the backend to perform "insecure" SSL requests. If omitted, the default value is `false`. * `max_retries` - (Optional) The maximum number of times an AWS API request is retried on retryable failure. Defaults to 5. * `profile` - (Optional) Name of AWS profile in AWS shared credentials file (e.g. `~/.aws/credentials`) or AWS shared configuration file (e.g. 
`~/.aws/config`) to use for credentials and/or configuration. This can also be sourced from the `AWS_PROFILE` environment variable. +* `secret_key` - (Optional) AWS access key. If configured, must also configure `access_key`. This can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable, AWS shared credentials file (e.g. `~/.aws/credentials`), or AWS shared configuration file (e.g. `~/.aws/config`). * `shared_config_files` - (Optional) List of paths to AWS shared configuration files. Defaults to `~/.aws/config`. * `shared_credentials_file` - (Optional, **Deprecated**, use `shared_credentials_files` instead) Path to the AWS shared credentials file. Defaults to `~/.aws/credentials`. * `shared_credentials_files` - (Optional) List of paths to AWS shared credentials files. Defaults to `~/.aws/credentials`. @@ -170,6 +172,8 @@ The following configuration is optional: * `sts_endpoint` - (Optional, **Deprecated**) Custom endpoint for the AWS Security Token Service (STS) API. Use `endpoints.sts` instead. * `token` - (Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the `AWS_SESSION_TOKEN` environment variable. +* `use_dualstack_endpoint` - (Optional) Force the backend to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`). +* `use_fips_endpoint` - (Optional) Force the backend to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`). * `use_legacy_workflow` - (Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration. Defaults to `true`. This behavior does not align with the authentication flow of the AWS CLI or SDK's, and will be removed in the future. #### Overriding AWS API endpoints