backend/s3: add sts_region argument

3 years ago · b47201de73
parent a02c7cec53
commit b47201de73
3 changed files with 11 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -32,6 +32,7 @@ ENHANCEMENTS:
    * `custom_ca_bundle` argument and support for the corresponding AWS environment variable, `AWS_CA_BUNDLE`, for providing custom root and intermediate certificates. ([#33689](https://github.com/hashicorp/terraform/issues/33689))
    * `ec2_metadata_service_endpoint` and `ec2_metadata_service_endpoint_mode` arguments and support for the corresponding AWS environment variables, `AWS_EC2_METADATA_SERVICE_ENDPOINT` and `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` for setting the EC2 metadata service (IMDS) endpoint. The environment variable `AWS_METADATA_URL` is also supported for compatibility with the AWS provider, but is deprecated. ([#30444](https://github.com/hashicorp/terraform/issues/30444))
    * `http_proxy`, `insecure`, `use_fips_endpoint`, and `use_dualstack_endpoint` arguments and support for the corresponding environment variables, `HTTP_PROXY` and `HTTPS_PROXY`, which enable custom HTTP proxy configurations and the use of alternative AWS endpoints. ([#30496](https://github.com/hashicorp/terraform/issues/30496))
+    * `sts_region` argument to use an alternative region for STS operations. ([#33693](https://github.com/hashicorp/terraform/issues/33693))
 * backend/cos: Support custom HTTP(S) endpoint and root domain for the API client. [#33656]

 BUG FIXES:
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@ -127,6 +127,11 @@ func (b *Backend) ConfigSchema() *configschema.Block {
 				Description: "A custom endpoint for the STS API",
 				Deprecated:  true,
 			},
+			"sts_region": {
+				Type:        cty.String,
+				Optional:    true,
+				Description: "AWS region for STS.",
+			},
 			"encrypt": {
 				Type:        cty.Bool,
 				Optional:    true,
@ -691,6 +696,10 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 		cfg.StsEndpoint = v
 	}

+	if v, ok := retrieveArgument(&diags, newAttributeRetriever(obj, cty.GetAttrPath("sts_region"))); ok {
+		cfg.StsRegion = v
+	}
+
 	if assumeRole := obj.GetAttr("assume_role"); !assumeRole.IsNull() {
 		ar := &awsbase.AssumeRole{}
 		if val, ok := stringAttrOk(assumeRole, "role_arn"); ok {
--- a/website/docs/language/settings/backends/s3.mdx
+++ b/website/docs/language/settings/backends/s3.mdx
@ -171,6 +171,7 @@ The following configuration is optional:
 * `skip_metadata_api_check` - (Optional) Skip usage of EC2 Metadata API.
 * `sts_endpoint` - (Optional, **Deprecated**) Custom endpoint for the AWS Security Token Service (STS) API.
  Use `endpoints.sts` instead.
+* `sts_region` - (Optional) AWS region for STS. If unset, AWS will use the same region for STS as other non-STS operations.
 * `token` - (Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
 * `use_dualstack_endpoint` - (Optional) Force the backend to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`).
 * `use_fips_endpoint` - (Optional) Force the backend to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`).