Restores conflict between kms_key_id and envvar AWS_SSE_CUSTOMER_KEY

2025-02-25 18:45:20 -06:00 · 2022-10-27 16:25:16 -07:00 · 2022-10-27 16:25:16 -07:00 · e8c7722d3e
commit e8c7722d3e
parent 827d7bd384
2 changed files with 41 additions and 18 deletions
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@ -266,6 +266,12 @@ func (b *Backend) PrepareConfig(obj cty.Value) (cty.Value, tfdiags.Diagnostics)
 				encryptionKeyConflictError,
 				cty.Path{},
 			))
+		} else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
+			diags = diags.Append(tfdiags.Sourceless(
+				tfdiags.Error,
+				"Invalid encryption configuration",
+				encryptionKeyConflictEnvVarError,
+			))
 		}
 	}

@ -334,13 +340,12 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 				))
 			}
 		}
-	} else {
-		if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
+	} else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
 		if len(customerKey) != 44 {
 			diags = diags.Append(tfdiags.Sourceless(
 				tfdiags.Error,
 				"Invalid AWS_SSE_CUSTOMER_KEY value",
-					"AWS_SSE_CUSTOMER_KEY must be 44 characters in length",
+				`The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
 			))
 		} else {
 			var err error
@ -348,12 +353,11 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 				diags = diags.Append(tfdiags.Sourceless(
 					tfdiags.Error,
 					"Invalid AWS_SSE_CUSTOMER_KEY value",
-						fmt.Sprintf("AWS_SSE_CUSTOMER_KEY must be base64 encoded: %s", err),
+					fmt.Sprintf(`The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded: %s`, err),
 				))
 			}
 		}
 	}
-	}

 	cfg := &awsbase.Config{
 		AccessKey:                 stringAttr(obj, "access_key"),
@ -532,6 +536,12 @@ func intAttrDefault(obj cty.Value, name string, def int) int {

 const encryptionKeyConflictError = `Only one of "kms_key_id" and "sse_customer_key" can be set.

-The kms_key_id is used for encryption with KMS-Managed Keys (SSE-KMS)
-while sse_customer_key is used for encryption with customer-managed keys (SSE-C).
+The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
+while "sse_customer_key" is used for encryption with customer-managed keys (SSE-C).
+Please choose one or the other.`
+
+const encryptionKeyConflictEnvVarError = `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set.
+
+The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
+while "AWS_SSE_CUSTOMER_KEY" is used for encryption with customer-managed keys (SSE-C).
 Please choose one or the other.`
--- a/internal/backend/remote-state/s3/backend_test.go
+++ b/internal/backend/remote-state/s3/backend_test.go
@ -584,7 +584,7 @@ func TestBackendConfig_PrepareConfigValidation(t *testing.T) {
 				"bucket":               cty.StringVal("test"),
 				"key":                  cty.StringVal("test"),
 				"region":               cty.StringVal("us-west-2"),
-				"workspace_key_prefix": cty.StringVal("env/"),
+				"workspace_key_prefix": cty.StringVal("env"),
 				"sse_customer_key":     cty.StringVal("1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o="),
 				"kms_key_id":           cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
 			}),
@ -642,6 +642,19 @@ func TestBackendConfig_PrepareConfigWithEnvVars(t *testing.T) {
 				"AWS_DEFAULT_REGION": "us-west-1",
 			},
 		},
+		"encyrption key conflict": {
+			config: cty.ObjectVal(map[string]cty.Value{
+				"bucket":               cty.StringVal("test"),
+				"key":                  cty.StringVal("test"),
+				"region":               cty.StringVal("us-west-2"),
+				"workspace_key_prefix": cty.StringVal("env"),
+				"kms_key_id":           cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
+			}),
+			vars: map[string]string{
+				"AWS_SSE_CUSTOMER_KEY": "1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o=",
+			},
+			expectedErr: `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set`,
+		},
 	}

 	for name, tc := range cases {
@ -789,11 +802,11 @@ func TestBackendSSECustomerKeyEnvVar(t *testing.T) {
 	}{
 		"invalid length": {
 			customerKey: "test",
-			expectedErr: `AWS_SSE_CUSTOMER_KEY must be 44 characters in length`,
+			expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
 		},
 		"invalid encoding": {
 			customerKey: "====CT70aTYB2JGff7AjQtwbiLkwH4npICay1PWtmdka",
-			expectedErr: `AWS_SSE_CUSTOMER_KEY must be base64 encoded`,
+			expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded`,
 		},
 		"valid": {
 			customerKey: "4Dm1n4rphuFgawxuzY/bEfvLf6rYK0gIjfaDSLlfXNk=",