backend/s3: Reinstate region validation and update copy for skip_requesting_account_id deprecation message

7 years ago · a41e545198
parent 43f12bbfe0
commit a41e545198
6 changed files with 61 additions and 6 deletions
--- a/backend/remote-state/s3/backend.go
+++ b/backend/remote-state/s3/backend.go
@ -163,7 +163,6 @@ func New() backend.Backend {
 				Optional:    true,
 				Description: "Skip static validation of region name.",
 				Default:     false,
-				Deprecated:  "This attribute is no longer used.",
 			},

 			"skip_requesting_account_id": {
@ -171,7 +170,7 @@ func New() backend.Backend {
 				Optional:    true,
 				Description: "Skip requesting the account ID.",
 				Default:     false,
-				Deprecated:  "The S3 Backend no longer automatically uses IAM or STS functionality to lookup the AWS Account ID and this attribute is no longer used.",
+				Deprecated:  "The S3 Backend no longer automatically looks up the AWS Account ID and this attribute is no longer used.",
 			},

 			"skip_metadata_api_check": {
@ -261,6 +260,12 @@ func (b *Backend) configure(ctx context.Context) error {
 	// Grab the resource data
 	data := schema.FromContextBackendConfig(ctx)

+	if !data.Get("skip_region_validation").(bool) {
+		if err := awsbase.ValidateRegion(data.Get("region").(string)); err != nil {
+			return err
+		}
+	}
+
 	b.bucketName = data.Get("bucket").(string)
 	b.keyName = data.Get("key").(string)
 	b.serverSideEncryption = data.Get("encrypt").(bool)
--- a/go.mod
+++ b/go.mod
@ -51,7 +51,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.5.1 // indirect
-	github.com/hashicorp/aws-sdk-go-base v0.1.0
+	github.com/hashicorp/aws-sdk-go-base v0.2.0
 	github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2
--- a/go.sum
+++ b/go.sum
@ -115,8 +115,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.5.1 h1:3scN4iuXkNOyP98jF55Lv8a9j1o/IwvnDIZ0LHJK1nk=
 github.com/grpc-ecosystem/grpc-gateway v1.5.1/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
-github.com/hashicorp/aws-sdk-go-base v0.1.0 h1:f3eUqzUWiAVavKns7ot/IbrRz4uXdSTeU5diOTlNxAk=
-github.com/hashicorp/aws-sdk-go-base v0.1.0/go.mod h1:ZIWACGGi0N7a4DZbf15yuE1JQORmWLtBcVM6F5SXNFU=
+github.com/hashicorp/aws-sdk-go-base v0.2.0 h1:5bjZnWCvQg9Im5CHZr9t90IaFC4uvVlMl2fTh23IoCk=
+github.com/hashicorp/aws-sdk-go-base v0.2.0/go.mod h1:ZIWACGGi0N7a4DZbf15yuE1JQORmWLtBcVM6F5SXNFU=
 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089 h1:1eDpXAxTh0iPv+1kc9/gfSI2pxRERDsTk/lNGolwHn8=
 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089/go.mod h1:mFrjN1mfidgJfYP1xrJCF+AfRhr6Eaqhb2+sfyn/OOI=
 github.com/hashicorp/errwrap v0.0.0-20180715044906-d6c0cd880357/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
--- a/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md
+++ b/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md
@ -1,3 +1,9 @@
+# v0.2.0 (February 20, 2019)
+
+ENHANCEMENTS
+
+* validation: Add `ValidateAccountID` and `ValidateRegion` functions [GH-1]
+
 # v0.1.0 (February 18, 2019)

 * Initial release after split from github.com/terraform-providers/terraform-provider-aws
--- a/vendor/github.com/hashicorp/aws-sdk-go-base/validation.go
+++ b/vendor/github.com/hashicorp/aws-sdk-go-base/validation.go
@ -0,0 +1,44 @@
+package awsbase
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws/endpoints"
+)
+
+// ValidateAccountID checks if the given AWS account ID is specifically allowed or forbidden.
+// The allowedAccountIDs can be used as a whitelist and forbiddenAccountIDs can be used as a blacklist.
+func ValidateAccountID(accountID string, allowedAccountIDs, forbiddenAccountIDs []string) error {
+	if len(forbiddenAccountIDs) > 0 {
+		for _, forbiddenAccountID := range forbiddenAccountIDs {
+			if accountID == forbiddenAccountID {
+				return fmt.Errorf("Forbidden AWS Account ID: %s", accountID)
+			}
+		}
+	}
+
+	if len(allowedAccountIDs) > 0 {
+		for _, allowedAccountID := range allowedAccountIDs {
+			if accountID == allowedAccountID {
+				return nil
+			}
+		}
+
+		return fmt.Errorf("AWS Account ID not allowed: %s)", accountID)
+	}
+
+	return nil
+}
+
+// ValidateRegion checks if the given region is a valid AWS region.
+func ValidateRegion(region string) error {
+	for _, partition := range endpoints.DefaultPartitions() {
+		for _, partitionRegion := range partition.Regions() {
+			if region == partitionRegion.ID() {
+				return nil
+			}
+		}
+	}
+
+	return fmt.Errorf("Invalid AWS Region: %s", region)
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -253,7 +253,7 @@ github.com/gophercloud/gophercloud/openstack/db/v1/datastores
 github.com/gophercloud/gophercloud/internal
 # github.com/gophercloud/utils v0.0.0-20190128072930-fbb6ab446f01
 github.com/gophercloud/utils/openstack/clientconfig
-# github.com/hashicorp/aws-sdk-go-base v0.1.0
+# github.com/hashicorp/aws-sdk-go-base v0.2.0
 github.com/hashicorp/aws-sdk-go-base
 # github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
 github.com/hashicorp/consul/api