diff --git a/internal/backend/remote-state/s3/backend_complete_test.go b/internal/backend/remote-state/s3/backend_complete_test.go index 3ab712201e..b9a0d52b82 100644 --- a/internal/backend/remote-state/s3/backend_complete_test.go +++ b/internal/backend/remote-state/s3/backend_complete_test.go @@ -2419,14 +2419,17 @@ func TestStsEndpoint(t *testing.T) { setInvalid ) testcases := map[string]struct { - Config map[string]any - SetServiceEndpoint settype - SetEnv string - SetInvalidEnv string + Config map[string]any + SetServiceEndpoint settype + SetServiceEndpointLegacy settype + SetEnv string + SetInvalidEnv string // Use string at index 1 for valid endpoint url and index 2 for invalid endpoint url ConfigFile string ExpectedCredentials aws.Credentials }{ + // Service Config + "service config": { Config: map[string]any{ "access_key": servicemocks.MockStaticAccessKey, @@ -2446,6 +2449,16 @@ func TestStsEndpoint(t *testing.T) { ExpectedCredentials: mockdata.MockStaticCredentials, }, + "service config overrides service envvar legacy": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetServiceEndpoint: setValid, + SetInvalidEnv: "AWS_STS_ENDPOINT", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + "service config overrides base envvar": { Config: map[string]any{ "access_key": servicemocks.MockStaticAccessKey, 
@@ -2496,21 +2509,95 @@ endpoint_url = %[2]s }, }, - "service envvar": { + // Service Config Legacy + + "service config legacy": { Config: map[string]any{ "access_key": servicemocks.MockStaticAccessKey, "secret_key": servicemocks.MockStaticSecretKey, }, - SetEnv: "AWS_ENDPOINT_URL_STS", - ExpectedCredentials: mockdata.MockStaticCredentials, + SetServiceEndpointLegacy: setValid, + ExpectedCredentials: mockdata.MockStaticCredentials, }, - "base envvar": { + "service config legacy overrides service envvar": { Config: map[string]any{ "access_key": servicemocks.MockStaticAccessKey, "secret_key": servicemocks.MockStaticSecretKey, }, - SetEnv: "AWS_ENDPOINT_URL", + SetServiceEndpointLegacy: setValid, + SetInvalidEnv: "AWS_ENDPOINT_URL_STS", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "service config legacy overrides service envvar legacy": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetServiceEndpointLegacy: setValid, + SetInvalidEnv: "AWS_STS_ENDPOINT", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "service config legacy overrides base envvar": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetServiceEndpointLegacy: setValid, + SetInvalidEnv: "AWS_ENDPOINT_URL", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "service config legacy overrides service config_file": { + Config: map[string]any{ + "profile": "default", + }, + ConfigFile: ` +[default] +aws_access_key_id = DefaultSharedCredentialsAccessKey +aws_secret_access_key = DefaultSharedCredentialsSecretKey +services = sts-test + +[services sts-test] +sts = + endpoint_url = %[2]s +`, + SetServiceEndpointLegacy: setValid, + ExpectedCredentials: aws.Credentials{ + AccessKeyID: "DefaultSharedCredentialsAccessKey", + SecretAccessKey: "DefaultSharedCredentialsSecretKey", + Source: 
sharedConfigCredentialsProvider, + }, + }, + + "service config legacy overrides base config_file": { + Config: map[string]any{ + "profile": "default", + }, + ConfigFile: ` +[default] +aws_access_key_id = DefaultSharedCredentialsAccessKey +aws_secret_access_key = DefaultSharedCredentialsSecretKey +endpoint_url = %[2]s +`, + SetServiceEndpointLegacy: setValid, + ExpectedCredentials: aws.Credentials{ + AccessKeyID: "DefaultSharedCredentialsAccessKey", + SecretAccessKey: "DefaultSharedCredentialsSecretKey", + Source: sharedConfigCredentialsProvider, + }, + }, + + // Service Envvar + + "service envvar": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetEnv: "AWS_ENDPOINT_URL_STS", ExpectedCredentials: mockdata.MockStaticCredentials, }, @@ -2524,10 +2611,11 @@ endpoint_url = %[2]s ExpectedCredentials: mockdata.MockStaticCredentials, }, - "service config_file": { + "service envvar overrides service config_file": { Config: map[string]any{ "profile": "default", }, + SetEnv: "AWS_ENDPOINT_URL_STS", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey @@ -2536,7 +2624,7 @@ services = sts-test [services sts-test] sts = - endpoint_url = %[1]s + endpoint_url = %[2]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", 
@@ -2545,20 +2633,59 @@ sts = }, }, - "service config_file overrides base config_file": { + "service envvar overrides base config_file": { Config: map[string]any{ "profile": "default", }, + SetEnv: "AWS_ENDPOINT_URL_STS", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey aws_secret_access_key = DefaultSharedCredentialsSecretKey -services = sts-test endpoint_url = %[2]s +`, + ExpectedCredentials: aws.Credentials{ + AccessKeyID: "DefaultSharedCredentialsAccessKey", + SecretAccessKey: "DefaultSharedCredentialsSecretKey", + Source: sharedConfigCredentialsProvider, + }, + }, + + // Service Envvar Legacy + + "service envvar legacy": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetEnv: "AWS_STS_ENDPOINT", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "service envvar legacy overrides base envvar": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetEnv: "AWS_STS_ENDPOINT", + SetInvalidEnv: "AWS_ENDPOINT_URL", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "service envvar legacy overrides service config_file": { + Config: map[string]any{ + "profile": "default", + }, + SetEnv: "AWS_STS_ENDPOINT", + ConfigFile: ` +[default] +aws_access_key_id = DefaultSharedCredentialsAccessKey +aws_secret_access_key = DefaultSharedCredentialsSecretKey +services = sts-test [services sts-test] sts = - endpoint_url = %[1]s + endpoint_url = %[2]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", 
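Review bot: None of the cases added under `// Service Envvar Legacy` sets `AWS_ENDPOINT_URL_STS` and `AWS_STS_ENDPOINT` together, so nothing visible in these hunks pins the order between the current and the legacy service variable. The table can already express it without harness changes: a case with `SetEnv: "AWS_ENDPOINT_URL_STS"` and `SetInvalidEnv: "AWS_STS_ENDPOINT"` (or the reverse, whichever order the backend documents), placed next to `"service envvar legacy overrides base envvar"`. The STS endpoint is where credential requests are signed and sent, so a silent change in which variable wins is worth catching here. Such a case may already exist in context outside the hunks.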
@@ -2567,11 +2694,30 @@ sts = }, }, - "service envvar overrides service config_file": { + "service envvar legacy overrides base config_file": { + Config: map[string]any{ + "profile": "default", + }, + SetEnv: "AWS_STS_ENDPOINT", + ConfigFile: ` +[default] +aws_access_key_id = DefaultSharedCredentialsAccessKey +aws_secret_access_key = DefaultSharedCredentialsSecretKey +endpoint_url = %[2]s +`, + ExpectedCredentials: aws.Credentials{ + AccessKeyID: "DefaultSharedCredentialsAccessKey", + SecretAccessKey: "DefaultSharedCredentialsSecretKey", + Source: sharedConfigCredentialsProvider, + }, + }, + + // Service Config File + + "service config_file": { Config: map[string]any{ "profile": "default", }, - SetEnv: "AWS_ENDPOINT_URL_STS", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey @@ -2580,7 +2726,7 @@ services = sts-test [services sts-test] sts = - endpoint_url = %[2]s + endpoint_url = %[1]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", @@ -2589,20 +2735,20 @@ sts = }, }, - "base envvar overrides service config_file": { + "service config_file overrides base config_file": { Config: map[string]any{ "profile": "default", }, - SetEnv: "AWS_ENDPOINT_URL", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey aws_secret_access_key = DefaultSharedCredentialsSecretKey services = sts-test +endpoint_url = %[2]s [services sts-test] sts = - endpoint_url = %[2]s + endpoint_url = %[1]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", 
@@ -2611,15 +2757,31 @@ sts = }, }, - "base config_file": { + // Base envvar + + "base envvar": { + Config: map[string]any{ + "access_key": servicemocks.MockStaticAccessKey, + "secret_key": servicemocks.MockStaticSecretKey, + }, + SetEnv: "AWS_ENDPOINT_URL", + ExpectedCredentials: mockdata.MockStaticCredentials, + }, + + "base envvar overrides service config_file": { Config: map[string]any{ "profile": "default", }, + SetEnv: "AWS_ENDPOINT_URL", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey aws_secret_access_key = DefaultSharedCredentialsSecretKey -endpoint_url = %[1]s +services = sts-test + +[services sts-test] +sts = + endpoint_url = %[2]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", @@ -2628,16 +2790,15 @@ endpoint_url = %[1]s }, }, - "base envvar overrides base config_file": { + "base config_file": { Config: map[string]any{ "profile": "default", }, - SetEnv: "AWS_ENDPOINT_URL", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey aws_secret_access_key = DefaultSharedCredentialsSecretKey -endpoint_url = %[2]s +endpoint_url = %[1]s `, ExpectedCredentials: aws.Credentials{ AccessKeyID: "DefaultSharedCredentialsAccessKey", @@ -2646,11 +2807,11 @@ endpoint_url = %[2]s }, }, - "service envvar overrides base config_file": { + "base envvar overrides base config_file": { Config: map[string]any{ "profile": "default", }, - SetEnv: "AWS_ENDPOINT_URL_STS", + SetEnv: "AWS_ENDPOINT_URL", ConfigFile: ` [default] aws_access_key_id = DefaultSharedCredentialsAccessKey @@ -2693,6 +2854,9 @@ endpoint_url = %[2]s "sts": stsEndpoint, } } + if testcase.SetServiceEndpointLegacy == setValid { + testcase.Config["sts_endpoint"] = stsEndpoint + } if testcase.SetEnv != "" { t.Setenv(testcase.SetEnv, stsEndpoint) }
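Review bot: The added branch `if testcase.SetServiceEndpointLegacy == setValid` handles only `setValid`, so a case that sets `SetServiceEndpointLegacy: setInvalid` would leave `sts_endpoint` unset and pass without exercising anything. It also means the table cannot express the one precedence the new field introduces, the nested `sts` endpoint setting against `sts_endpoint` when both are configured, and no such case is visible in the hunks. I would add a `setInvalid` branch that writes the same invalid URL the `SetServiceEndpoint` handling just above the hunk presumably uses (it is not visible here). Assuming the nested setting is meant to win, a `"service config overrides service config legacy"` case with `SetServiceEndpoint: setValid, SetServiceEndpointLegacy: setInvalid` would then pin it. The body of TestStsEndpoint starts and ends outside this hunk.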