Restores conflict between kms_key_id and envvar AWS_SSE_CUSTOMER_KEY

Graham Davison 2022-10-27 16:25:16 -07:00
parent 827d7bd384
commit e8c7722d3e
2 changed files with 41 additions and 18 deletions


@ -266,6 +266,12 @@ func (b *Backend) PrepareConfig(obj cty.Value) (cty.Value, tfdiags.Diagnostics)
encryptionKeyConflictError, encryptionKeyConflictError,
cty.Path{}, cty.Path{},
)) ))
} else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
diags = diags.Append(tfdiags.Sourceless(
tfdiags.Error,
"Invalid encryption configuration",
encryptionKeyConflictEnvVarError,
))
} }
} }
@ -334,23 +340,21 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
)) ))
} }
} }
} else { } else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" { if len(customerKey) != 44 {
if len(customerKey) != 44 { diags = diags.Append(tfdiags.Sourceless(
tfdiags.Error,
"Invalid AWS_SSE_CUSTOMER_KEY value",
`The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
))
} else {
var err error
if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
diags = diags.Append(tfdiags.Sourceless( diags = diags.Append(tfdiags.Sourceless(
tfdiags.Error, tfdiags.Error,
"Invalid AWS_SSE_CUSTOMER_KEY value", "Invalid AWS_SSE_CUSTOMER_KEY value",
"AWS_SSE_CUSTOMER_KEY must be 44 characters in length", fmt.Sprintf(`The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded: %s`, err),
)) ))
} else {
var err error
if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
diags = diags.Append(tfdiags.Sourceless(
tfdiags.Error,
"Invalid AWS_SSE_CUSTOMER_KEY value",
fmt.Sprintf("AWS_SSE_CUSTOMER_KEY must be base64 encoded: %s", err),
))
}
} }
} }
} }
@ -532,6 +536,12 @@ func intAttrDefault(obj cty.Value, name string, def int) int {
const encryptionKeyConflictError = `Only one of "kms_key_id" and "sse_customer_key" can be set. const encryptionKeyConflictError = `Only one of "kms_key_id" and "sse_customer_key" can be set.
The kms_key_id is used for encryption with KMS-Managed Keys (SSE-KMS) The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
while sse_customer_key is used for encryption with customer-managed keys (SSE-C). while "sse_customer_key" is used for encryption with customer-managed keys (SSE-C).
Please choose one or the other.`
const encryptionKeyConflictEnvVarError = `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set.
The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
while "AWS_SSE_CUSTOMER_KEY" is used for encryption with customer-managed keys (SSE-C).
Please choose one or the other.` Please choose one or the other.`
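Review bot: The `len(customerKey) != 44` check in the Configure hunk validates the encoded length only, which does not pin the decoded key to the 32 bytes (256-bit AES) that S3 SSE-C requires: a 44-character base64 string decodes to 31, 32 or 33 bytes depending on how many `=` padding characters it carries, so a malformed key passes both the length and the `DecodeString` check and is only rejected later by S3, with a far less actionable error. Adding a decoded-length check after the successful decode keeps the failure local and keeps the error wording consistent with the other two messages in this hunk; the same check would apply to the `sse_customer_key` attribute branch if it performs the same decode, but that branch lies above the hunk. Configure's body begins before the hunk and appears to continue past it.
```go
if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
	// … unchanged: base64 error diagnostic …
} else if len(b.customerEncryptionKey) != 32 {
	diags = diags.Append(tfdiags.Sourceless(
		tfdiags.Error,
		"Invalid AWS_SSE_CUSTOMER_KEY value",
		`The environment variable "AWS_SSE_CUSTOMER_KEY" must decode to a 32-byte (256-bit) key`,
	))
}
```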


@ -584,7 +584,7 @@ func TestBackendConfig_PrepareConfigValidation(t *testing.T) {
"bucket": cty.StringVal("test"), "bucket": cty.StringVal("test"),
"key": cty.StringVal("test"), "key": cty.StringVal("test"),
"region": cty.StringVal("us-west-2"), "region": cty.StringVal("us-west-2"),
"workspace_key_prefix": cty.StringVal("env/"), "workspace_key_prefix": cty.StringVal("env"),
"sse_customer_key": cty.StringVal("1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o="), "sse_customer_key": cty.StringVal("1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o="),
"kms_key_id": cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"), "kms_key_id": cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
}), }),
@ -642,6 +642,19 @@ func TestBackendConfig_PrepareConfigWithEnvVars(t *testing.T) {
"AWS_DEFAULT_REGION": "us-west-1", "AWS_DEFAULT_REGION": "us-west-1",
}, },
}, },
"encyrption key conflict": {
config: cty.ObjectVal(map[string]cty.Value{
"bucket": cty.StringVal("test"),
"key": cty.StringVal("test"),
"region": cty.StringVal("us-west-2"),
"workspace_key_prefix": cty.StringVal("env"),
"kms_key_id": cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
}),
vars: map[string]string{
"AWS_SSE_CUSTOMER_KEY": "1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o=",
},
expectedErr: `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set`,
},
} }
for name, tc := range cases { for name, tc := range cases {
@ -789,11 +802,11 @@ func TestBackendSSECustomerKeyEnvVar(t *testing.T) {
}{ }{
"invalid length": { "invalid length": {
customerKey: "test", customerKey: "test",
expectedErr: `AWS_SSE_CUSTOMER_KEY must be 44 characters in length`, expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
}, },
"invalid encoding": { "invalid encoding": {
customerKey: "====CT70aTYB2JGff7AjQtwbiLkwH4npICay1PWtmdka", customerKey: "====CT70aTYB2JGff7AjQtwbiLkwH4npICay1PWtmdka",
expectedErr: `AWS_SSE_CUSTOMER_KEY must be base64 encoded`, expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded`,
}, },
"valid": { "valid": {
customerKey: "4Dm1n4rphuFgawxuzY/bEfvLf6rYK0gIjfaDSLlfXNk=", customerKey: "4Dm1n4rphuFgawxuzY/bEfvLf6rYK0gIjfaDSLlfXNk=",