diff --git a/backend/remote-state/s3/backend.go b/backend/remote-state/s3/backend.go
index 8fd6473fa1..ae9bf1fbc9 100644
--- a/backend/remote-state/s3/backend.go
+++ b/backend/remote-state/s3/backend.go
@@ -163,7 +163,6 @@ func New() backend.Backend {
 Optional: true,
 Description: "Skip static validation of region name.",
 Default: false,
- Deprecated: "This attribute is no longer used.",
 },
 "skip_requesting_account_id": {
@@ -171,7 +170,7 @@ func New() backend.Backend {
 Optional: true,
 Description: "Skip requesting the account ID.",
 Default: false,
- Deprecated: "The S3 Backend no longer automatically uses IAM or STS functionality to lookup the AWS Account ID and this attribute is no longer used.",
+ Deprecated: "The S3 Backend no longer automatically looks up the AWS Account ID and this attribute is no longer used.",
 },
 "skip_metadata_api_check": {
@@ -261,6 +260,12 @@ func (b *Backend) configure(ctx context.Context) error {
 // Grab the resource data
 data := schema.FromContextBackendConfig(ctx)
+ if !data.Get("skip_region_validation").(bool) {
+ if err := awsbase.ValidateRegion(data.Get("region").(string)); err != nil {
+ return err
+ }
+ }
+
 b.bucketName = data.Get("bucket").(string)
 b.keyName = data.Get("key").(string)
 b.serverSideEncryption = data.Get("encrypt").(bool)
diff --git a/go.mod b/go.mod
index 9c0eb7d87a..b593cd591e 100644
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway v1.5.1 // indirect
- github.com/hashicorp/aws-sdk-go-base v0.1.0
+ github.com/hashicorp/aws-sdk-go-base v0.2.0
 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
 github.com/hashicorp/errwrap v1.0.0
 github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2
diff --git a/go.sum b/go.sum
index 4b9801b790..2ab0215310 100644
--- a/go.sum
+++ b/go.sum
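Review bot: The error from `awsbase.ValidateRegion` in the new block in configure is returned bare, so a user whose region is missing from the vendored SDK's endpoint table sees only `Invalid AWS Region: <name>`, with no hint that the check is a static, offline list or that `skip_region_validation` exists. ValidateRegion (added under vendor/ in this same commit) matches against `endpoints.DefaultPartitions()`, so newly launched regions, and presumably custom region names used with S3-compatible endpoints, will start failing at configure time until the SDK is bumped. I would add call-site context, e.g. `return fmt.Errorf("%s; set skip_region_validation if this region is newer than the bundled AWS SDK", err)` (assuming `fmt` is already imported in backend.go), plus a one-line comment above the block stating that the check runs before any AWS call and relies on the SDK's built-in region list. The `data.Get("region").(string)` assertion is unchecked; that appears to match the surrounding code, but confirm the schema always yields a string for `region` so it cannot panic here. configure's body continues outside the hunk.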
@@ -115,8 +115,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.5.1 h1:3scN4iuXkNOyP98jF55Lv8a9j1o/IwvnDIZ0LHJK1nk=
 github.com/grpc-ecosystem/grpc-gateway v1.5.1/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
-github.com/hashicorp/aws-sdk-go-base v0.1.0 h1:f3eUqzUWiAVavKns7ot/IbrRz4uXdSTeU5diOTlNxAk=
-github.com/hashicorp/aws-sdk-go-base v0.1.0/go.mod h1:ZIWACGGi0N7a4DZbf15yuE1JQORmWLtBcVM6F5SXNFU=
+github.com/hashicorp/aws-sdk-go-base v0.2.0 h1:5bjZnWCvQg9Im5CHZr9t90IaFC4uvVlMl2fTh23IoCk=
+github.com/hashicorp/aws-sdk-go-base v0.2.0/go.mod h1:ZIWACGGi0N7a4DZbf15yuE1JQORmWLtBcVM6F5SXNFU=
 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089 h1:1eDpXAxTh0iPv+1kc9/gfSI2pxRERDsTk/lNGolwHn8=
 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089/go.mod h1:mFrjN1mfidgJfYP1xrJCF+AfRhr6Eaqhb2+sfyn/OOI=
 github.com/hashicorp/errwrap v0.0.0-20180715044906-d6c0cd880357/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
diff --git a/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md b/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md
index 7810de13bc..f419a62f2b 100644
--- a/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md
+++ b/vendor/github.com/hashicorp/aws-sdk-go-base/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v0.2.0 (February 20, 2019)
+
+ENHANCEMENTS
+
+* validation: Add `ValidateAccountID` and `ValidateRegion` functions [GH-1]
+
 # v0.1.0 (February 18, 2019)
 * Initial release after split from github.com/terraform-providers/terraform-provider-aws
diff --git a/vendor/github.com/hashicorp/aws-sdk-go-base/validation.go b/vendor/github.com/hashicorp/aws-sdk-go-base/validation.go
new file mode 100644
index 0000000000..bf320351fc
--- /dev/null
+++ b/vendor/github.com/hashicorp/aws-sdk-go-base/validation.go
@@ -0,0 +1,44 @@
+package awsbase
+
+import (
+ "fmt"
+
+ "github.com/aws/aws-sdk-go/aws/endpoints"
+)
+
+// ValidateAccountID checks if the given AWS account ID is specifically allowed or forbidden.
+// The allowedAccountIDs can be used as a whitelist and forbiddenAccountIDs can be used as a blacklist.
+func ValidateAccountID(accountID string, allowedAccountIDs, forbiddenAccountIDs []string) error {
+ if len(forbiddenAccountIDs) > 0 {
+ for _, forbiddenAccountID := range forbiddenAccountIDs {
+ if accountID == forbiddenAccountID {
+ return fmt.Errorf("Forbidden AWS Account ID: %s", accountID)
+ }
+ }
+ }
+
+ if len(allowedAccountIDs) > 0 {
+ for _, allowedAccountID := range allowedAccountIDs {
+ if accountID == allowedAccountID {
+ return nil
+ }
+ }
+
+ return fmt.Errorf("AWS Account ID not allowed: %s)", accountID)
+ }
+
+ return nil
+}
+
+// ValidateRegion checks if the given region is a valid AWS region.
+func ValidateRegion(region string) error {
+ for _, partition := range endpoints.DefaultPartitions() {
+ for _, partitionRegion := range partition.Regions() {
+ if region == partitionRegion.ID() {
+ return nil
+ }
+ }
+ }
+
+ return fmt.Errorf("Invalid AWS Region: %s", region)
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4b3457d091..3805393424 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -253,7 +253,7 @@ github.com/gophercloud/gophercloud/openstack/db/v1/datastores
 github.com/gophercloud/gophercloud/internal
 # github.com/gophercloud/utils v0.0.0-20190128072930-fbb6ab446f01
 github.com/gophercloud/utils/openstack/clientconfig
-# github.com/hashicorp/aws-sdk-go-base v0.1.0
+# github.com/hashicorp/aws-sdk-go-base v0.2.0
 github.com/hashicorp/aws-sdk-go-base
 # github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
 github.com/hashicorp/consul/api