Backend/S3: Allow use of an alternative region for STS operations (#768)

Signed-off-by: Marcin Białoń <mbialon@spacelift.io>
2025-02-25 18:45:20 -06:00 · 2023-10-24 15:51:51 +02:00 · 2023-10-24 15:51:51 +02:00 · a4018f95cc
commit a4018f95cc
parent 4d38f26bf7
3 changed files with 8 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -56,6 +56,7 @@ S3 BACKEND:
 * Adds support for the `assume_role_with_web_identity` block. ([#689](https://github.com/opentofu/opentofu/issues/689))
 * Adds support for account whitelisting using the `forbidden_account_ids` and `allowed_account_ids` arguments. ([#699](https://github.com/opentofu/opentofu/issues/699))
 * Adds the `custom_ca_bundle` argument. ([#689](https://github.com/opentofu/opentofu/issues/689))
+* Adds support for the `sts_region` argument. ([#695](https://github.com/opentofu/opentofu/issues/695))

 ## Previous Releases

--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@ -86,6 +86,11 @@ func (b *Backend) ConfigSchema(context.Context) *configschema.Block {
 				Optional:    true,
 				Description: "A custom endpoint for the STS API",
 			},
+			"sts_region": {
+				Type:        cty.String,
+				Optional:    true,
+				Description: "The region where AWS STS operations will take place",
+			},
 			"encrypt": {
 				Type:        cty.Bool,
 				Optional:    true,
@ -582,6 +587,7 @@ func (b *Backend) Configure(ctx context.Context, obj cty.Value) tfdiags.Diagnost
 		SecretKey:              stringAttr(obj, "secret_key"),
 		SkipCredsValidation:    boolAttr(obj, "skip_credentials_validation"),
 		StsEndpoint:            stringAttrDefaultEnvVar(obj, "sts_endpoint", "AWS_STS_ENDPOINT"),
+		StsRegion:              stringAttr(obj, "sts_region"),
 		Token:                  stringAttr(obj, "token"),
 		UserAgent: awsbase.UserAgentProducts{
 			{Name: "APN", Version: "1.0"},
--- a/website/docs/language/settings/backends/s3.mdx
+++ b/website/docs/language/settings/backends/s3.mdx
@ -169,6 +169,7 @@ The following configuration is optional:
 * `skip_region_validation` - (Optional) Skip validation of provided region name.
 * `skip_metadata_api_check` - (Optional) Skip usage of EC2 Metadata API.
 * `sts_endpoint` - (Optional) Custom endpoint for the AWS Security Token Service (STS) API. This can also be sourced from the `AWS_STS_ENDPOINT` environment variable.
+* `sts_region` - (Optional) AWS region for STS. If unset, AWS will use the same region for STS as other non-STS operations.
 * `token` - (Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
 * `allowed_account_ids` (Optional): A list of permitted AWS account IDs to safeguard against accidental disruption of a live environment. This option conflicts with `forbidden_account_ids`.
 * `forbidden_account_ids` (Optional): A list of prohibited AWS account IDs to prevent unintentional disruption of a live environment. This option conflicts with `allowed_account_ids`.