diff --git a/CHANGELOG.md b/CHANGELOG.md
index a965c571fb..3ff31985ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,7 @@ ENHANCEMENTS:
 * `custom_ca_bundle` argument and support for the corresponding AWS environment variable, `AWS_CA_BUNDLE`, for providing custom root and intermediate certificates. ([#33689](https://github.com/hashicorp/terraform/issues/33689))
 * `ec2_metadata_service_endpoint` and `ec2_metadata_service_endpoint_mode` arguments and support for the corresponding AWS environment variables, `AWS_EC2_METADATA_SERVICE_ENDPOINT` and `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` for setting the EC2 metadata service (IMDS) endpoint. The environment variable `AWS_METADATA_URL` is also supported for compatibility with the AWS provider, but is deprecated. ([#30444](https://github.com/hashicorp/terraform/issues/30444))
 * `http_proxy`, `insecure`, `use_fips_endpoint`, and `use_dualstack_endpoint` arguments and support for the corresponding environment variables, `HTTP_PROXY` and `HTTPS_PROXY`, which enable custom HTTP proxy configurations and the use of alternative AWS endpoints. ([#30496](https://github.com/hashicorp/terraform/issues/30496))
+ * `sts_region` argument to use an alternative region for STS operations. ([#33693](https://github.com/hashicorp/terraform/issues/33693))
 * backend/cos: Support custom HTTP(S) endpoint and root domain for the API client. [#33656]
 BUG FIXES:
diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go
index 79128edceb..8e127b02e8 100644
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@@ -127,6 +127,11 @@ func (b *Backend) ConfigSchema() *configschema.Block {
 Description: "A custom endpoint for the STS API", Deprecated: true, },
+ "sts_region": { Type: cty.String, Optional: true, Description: "AWS region for STS.", }, "encrypt": { Type: cty.Bool, Optional: true, 
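Review bot: The new `sts_region` attribute's description `"AWS region for STS."` says less than the matching s3.mdx entry in this same commit (which at least states the default) and does not tell a reader what the value actually changes — whether it affects only AssumeRole-style calls or also where STS requests are signed and sent. Suggest `Description: "AWS region used for STS operations such as AssumeRole; defaults to the region used for other operations."`. Because the value presumably feeds STS endpoint resolution, it should also be subject to whatever validation the primary `region` argument receives in PrepareConfig (an empty string or a value that is not a valid host label should be rejected); that code is not visible in this hunk, so I cannot tell whether the new attribute is covered. ConfigSchema's body continues outside the hunk.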
@@ -691,6 +696,10 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 cfg.StsEndpoint = v }
+ if v, ok := retrieveArgument(&diags, newAttributeRetriever(obj, cty.GetAttrPath("sts_region"))); ok { cfg.StsRegion = v }
+
 if assumeRole := obj.GetAttr("assume_role"); !assumeRole.IsNull() { ar := &awsbase.AssumeRole{} if val, ok := stringAttrOk(assumeRole, "role_arn"); ok {
diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx
index 7edcb692e5..3d357a9c5a 100644
--- a/website/docs/language/settings/backends/s3.mdx
+++ b/website/docs/language/settings/backends/s3.mdx
@@ -171,6 +171,7 @@ The following configuration is optional:
 * `skip_metadata_api_check` - (Optional) Skip usage of EC2 Metadata API.
 * `sts_endpoint` - (Optional, **Deprecated**) Custom endpoint for the AWS Security Token Service (STS) API. Use `endpoints.sts` instead.
+* `sts_region` - (Optional) AWS region for STS. If unset, AWS will use the same region for STS as other non-STS operations.
 * `token` - (Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
 * `use_dualstack_endpoint` - (Optional) Force the backend to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`).
 * `use_fips_endpoint` - (Optional) Force the backend to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`).
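Review bot: The new `sts_region` value is copied straight into `cfg.StsRegion` with no note on how it interacts with the deprecated `sts_endpoint` assigned in the context line just above it (and, presumably, `endpoints.sts`): once a custom STS endpoint is set the region is no longer needed to build the host, but — assuming aws-sdk-go-base applies `StsRegion` as the STS client's region — it still selects the SigV4 signing region, so a mismatch would surface as a signature or invalid-token error from STS rather than as a configuration diagnostic here. A short comment on the new lines would spare the next maintainer the trip into awsbase: `// sts_region only affects STS calls (AssumeRole etc.); if a custom STS endpoint is also configured it still presumably sets the SigV4 signing region, so the two must agree.`. It is also worth stating in that comment that AssumeRole against a region where STS regional endpoints are deactivated for the account fails at runtime with an STS error, since nothing in Configure can catch that. Configure's body starts and ends outside the hunk.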