Merge pull request #23965 from tpaschalis/disallow-s3-backend-key-trailing-slash

S3 Backend : Bucket key should not contain trailing slash
2025-02-25 18:45:20 -06:00 · 2022-11-01 13:56:43 -07:00 · 2022-11-01 13:56:43 -07:00 · 6663cde619
commit 6663cde619
parent bb68075e8c 4cb355f3d6
2 changed files with 18 additions and 0 deletions
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@ -37,6 +37,11 @@ func New() backend.Backend {
 					if strings.HasPrefix(v.(string), "/") {
 						return nil, []error{errors.New("key must not start with '/'")}
 					}
+					// s3 will recognize objects with a trailing slash as a directory
+					// so they should not be valid keys
+					if strings.HasSuffix(v.(string), "/") {
+						return nil, []error{errors.New("key must not end with '/'")}
+					}
 					return nil, nil
 				},
 			},
--- a/internal/backend/remote-state/s3/backend_test.go
+++ b/internal/backend/remote-state/s3/backend_test.go
@ -326,6 +326,19 @@ func TestBackendConfig_invalidKey(t *testing.T) {
 	if !diags.HasErrors() {
 		t.Fatal("expected config validation error")
 	}
+
+	cfg = hcl2shim.HCL2ValueFromConfigValue(map[string]interface{}{
+		"region":         "us-west-1",
+		"bucket":         "tf-test",
+		"key":            "trailing-slash/",
+		"encrypt":        true,
+		"dynamodb_table": "dynamoTable",
+	})
+
+	_, diags = New().PrepareConfig(cfg)
+	if !diags.HasErrors() {
+		t.Fatal("expected config validation error")
+	}
 }

 func TestBackendConfig_invalidSSECustomerKeyLength(t *testing.T) {