mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-18 12:42:58 -06:00
73dda868cc
This is part of a general effort to move all of Terraform's non-library package surface under internal in order to reinforce that these are for internal use within Terraform only. If you were previously importing packages under this prefix into an external codebase, you could pin to an earlier release tag as an interim solution until you've make a plan to achieve the same functionality some other way.
409 lines
12 KiB
Go
409 lines
12 KiB
Go
package s3
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/service/dynamodb"
|
|
"github.com/aws/aws-sdk-go/service/s3"
|
|
awsbase "github.com/hashicorp/aws-sdk-go-base"
|
|
"github.com/hashicorp/terraform/internal/backend"
|
|
"github.com/hashicorp/terraform/internal/legacy/helper/schema"
|
|
"github.com/hashicorp/terraform/internal/logging"
|
|
"github.com/hashicorp/terraform/version"
|
|
)
|
|
|
|
// New creates a new backend for S3 remote state.
|
|
func New() backend.Backend {
|
|
s := &schema.Backend{
|
|
Schema: map[string]*schema.Schema{
|
|
"bucket": {
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
Description: "The name of the S3 bucket",
|
|
},
|
|
|
|
"key": {
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
Description: "The path to the state file inside the bucket",
|
|
ValidateFunc: func(v interface{}, s string) ([]string, []error) {
|
|
// s3 will strip leading slashes from an object, so while this will
|
|
// technically be accepted by s3, it will break our workspace hierarchy.
|
|
if strings.HasPrefix(v.(string), "/") {
|
|
return nil, []error{errors.New("key must not start with '/'")}
|
|
}
|
|
return nil, nil
|
|
},
|
|
},
|
|
|
|
"region": {
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
Description: "AWS region of the S3 Bucket and DynamoDB Table (if used).",
|
|
DefaultFunc: schema.MultiEnvDefaultFunc([]string{
|
|
"AWS_REGION",
|
|
"AWS_DEFAULT_REGION",
|
|
}, nil),
|
|
},
|
|
|
|
"dynamodb_endpoint": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "A custom endpoint for the DynamoDB API",
|
|
DefaultFunc: schema.EnvDefaultFunc("AWS_DYNAMODB_ENDPOINT", ""),
|
|
},
|
|
|
|
"endpoint": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "A custom endpoint for the S3 API",
|
|
DefaultFunc: schema.EnvDefaultFunc("AWS_S3_ENDPOINT", ""),
|
|
},
|
|
|
|
"iam_endpoint": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "A custom endpoint for the IAM API",
|
|
DefaultFunc: schema.EnvDefaultFunc("AWS_IAM_ENDPOINT", ""),
|
|
},
|
|
|
|
"sts_endpoint": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "A custom endpoint for the STS API",
|
|
DefaultFunc: schema.EnvDefaultFunc("AWS_STS_ENDPOINT", ""),
|
|
},
|
|
|
|
"encrypt": {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Whether to enable server side encryption of the state file",
|
|
Default: false,
|
|
},
|
|
|
|
"acl": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "Canned ACL to be applied to the state file",
|
|
Default: "",
|
|
},
|
|
|
|
"access_key": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "AWS access key",
|
|
Default: "",
|
|
},
|
|
|
|
"secret_key": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "AWS secret key",
|
|
Default: "",
|
|
},
|
|
|
|
"kms_key_id": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The ARN of a KMS Key to use for encrypting the state",
|
|
Default: "",
|
|
},
|
|
|
|
"dynamodb_table": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "DynamoDB table for state locking and consistency",
|
|
Default: "",
|
|
},
|
|
|
|
"profile": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "AWS profile name",
|
|
Default: "",
|
|
},
|
|
|
|
"shared_credentials_file": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "Path to a shared credentials file",
|
|
Default: "",
|
|
},
|
|
|
|
"token": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "MFA token",
|
|
Default: "",
|
|
},
|
|
|
|
"skip_credentials_validation": {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Skip the credentials validation via STS API.",
|
|
Default: false,
|
|
},
|
|
|
|
"skip_region_validation": {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Skip static validation of region name.",
|
|
Default: false,
|
|
},
|
|
|
|
"skip_metadata_api_check": {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Skip the AWS Metadata API check.",
|
|
Default: false,
|
|
},
|
|
|
|
"sse_customer_key": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The base64-encoded encryption key to use for server-side encryption with customer-provided keys (SSE-C).",
|
|
DefaultFunc: schema.EnvDefaultFunc("AWS_SSE_CUSTOMER_KEY", ""),
|
|
Sensitive: true,
|
|
ValidateFunc: func(v interface{}, s string) ([]string, []error) {
|
|
key := v.(string)
|
|
if key != "" && len(key) != 44 {
|
|
return nil, []error{errors.New("sse_customer_key must be 44 characters in length (256 bits, base64 encoded)")}
|
|
}
|
|
return nil, nil
|
|
},
|
|
},
|
|
|
|
"role_arn": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The role to be assumed",
|
|
Default: "",
|
|
},
|
|
|
|
"session_name": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The session name to use when assuming the role.",
|
|
Default: "",
|
|
},
|
|
|
|
"external_id": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The external ID to use when assuming the role",
|
|
Default: "",
|
|
},
|
|
|
|
"assume_role_duration_seconds": {
|
|
Type: schema.TypeInt,
|
|
Optional: true,
|
|
Description: "Seconds to restrict the assume role session duration.",
|
|
},
|
|
|
|
"assume_role_policy": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.",
|
|
Default: "",
|
|
},
|
|
|
|
"assume_role_policy_arns": {
|
|
Type: schema.TypeSet,
|
|
Optional: true,
|
|
Description: "Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.",
|
|
Elem: &schema.Schema{Type: schema.TypeString},
|
|
},
|
|
|
|
"assume_role_tags": {
|
|
Type: schema.TypeMap,
|
|
Optional: true,
|
|
Description: "Assume role session tags.",
|
|
Elem: &schema.Schema{Type: schema.TypeString},
|
|
},
|
|
|
|
"assume_role_transitive_tag_keys": {
|
|
Type: schema.TypeSet,
|
|
Optional: true,
|
|
Description: "Assume role session tag keys to pass to any subsequent sessions.",
|
|
Elem: &schema.Schema{Type: schema.TypeString},
|
|
},
|
|
|
|
"workspace_key_prefix": {
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
Description: "The prefix applied to the non-default state path inside the bucket.",
|
|
Default: "env:",
|
|
ValidateFunc: func(v interface{}, s string) ([]string, []error) {
|
|
prefix := v.(string)
|
|
if strings.HasPrefix(prefix, "/") || strings.HasSuffix(prefix, "/") {
|
|
return nil, []error{errors.New("workspace_key_prefix must not start or end with '/'")}
|
|
}
|
|
return nil, nil
|
|
},
|
|
},
|
|
|
|
"force_path_style": {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Force s3 to use path style api.",
|
|
Default: false,
|
|
},
|
|
|
|
"max_retries": {
|
|
Type: schema.TypeInt,
|
|
Optional: true,
|
|
Description: "The maximum number of times an AWS API request is retried on retryable failure.",
|
|
Default: 5,
|
|
},
|
|
},
|
|
}
|
|
|
|
result := &Backend{Backend: s}
|
|
result.Backend.ConfigureFunc = result.configure
|
|
return result
|
|
}
|
|
|
|
type Backend struct {
|
|
*schema.Backend
|
|
|
|
// The fields below are set from configure
|
|
s3Client *s3.S3
|
|
dynClient *dynamodb.DynamoDB
|
|
|
|
bucketName string
|
|
keyName string
|
|
serverSideEncryption bool
|
|
customerEncryptionKey []byte
|
|
acl string
|
|
kmsKeyID string
|
|
ddbTable string
|
|
workspaceKeyPrefix string
|
|
}
|
|
|
|
func (b *Backend) configure(ctx context.Context) error {
|
|
if b.s3Client != nil {
|
|
return nil
|
|
}
|
|
|
|
// Grab the resource data
|
|
data := schema.FromContextBackendConfig(ctx)
|
|
|
|
if !data.Get("skip_region_validation").(bool) {
|
|
if err := awsbase.ValidateRegion(data.Get("region").(string)); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
b.bucketName = data.Get("bucket").(string)
|
|
b.keyName = data.Get("key").(string)
|
|
b.acl = data.Get("acl").(string)
|
|
b.workspaceKeyPrefix = data.Get("workspace_key_prefix").(string)
|
|
b.serverSideEncryption = data.Get("encrypt").(bool)
|
|
b.kmsKeyID = data.Get("kms_key_id").(string)
|
|
b.ddbTable = data.Get("dynamodb_table").(string)
|
|
|
|
customerKeyString := data.Get("sse_customer_key").(string)
|
|
if customerKeyString != "" {
|
|
if b.kmsKeyID != "" {
|
|
return errors.New(encryptionKeyConflictError)
|
|
}
|
|
|
|
var err error
|
|
b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKeyString)
|
|
if err != nil {
|
|
return fmt.Errorf("Failed to decode sse_customer_key: %s", err.Error())
|
|
}
|
|
}
|
|
|
|
cfg := &awsbase.Config{
|
|
AccessKey: data.Get("access_key").(string),
|
|
AssumeRoleARN: data.Get("role_arn").(string),
|
|
AssumeRoleDurationSeconds: data.Get("assume_role_duration_seconds").(int),
|
|
AssumeRoleExternalID: data.Get("external_id").(string),
|
|
AssumeRolePolicy: data.Get("assume_role_policy").(string),
|
|
AssumeRoleSessionName: data.Get("session_name").(string),
|
|
CallerDocumentationURL: "https://www.terraform.io/docs/language/settings/backends/s3.html",
|
|
CallerName: "S3 Backend",
|
|
CredsFilename: data.Get("shared_credentials_file").(string),
|
|
DebugLogging: logging.IsDebugOrHigher(),
|
|
IamEndpoint: data.Get("iam_endpoint").(string),
|
|
MaxRetries: data.Get("max_retries").(int),
|
|
Profile: data.Get("profile").(string),
|
|
Region: data.Get("region").(string),
|
|
SecretKey: data.Get("secret_key").(string),
|
|
SkipCredsValidation: data.Get("skip_credentials_validation").(bool),
|
|
SkipMetadataApiCheck: data.Get("skip_metadata_api_check").(bool),
|
|
StsEndpoint: data.Get("sts_endpoint").(string),
|
|
Token: data.Get("token").(string),
|
|
UserAgentProducts: []*awsbase.UserAgentProduct{
|
|
{Name: "APN", Version: "1.0"},
|
|
{Name: "HashiCorp", Version: "1.0"},
|
|
{Name: "Terraform", Version: version.String()},
|
|
},
|
|
}
|
|
|
|
if policyARNSet := data.Get("assume_role_policy_arns").(*schema.Set); policyARNSet.Len() > 0 {
|
|
for _, policyARNRaw := range policyARNSet.List() {
|
|
policyARN, ok := policyARNRaw.(string)
|
|
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
cfg.AssumeRolePolicyARNs = append(cfg.AssumeRolePolicyARNs, policyARN)
|
|
}
|
|
}
|
|
|
|
if tagMap := data.Get("assume_role_tags").(map[string]interface{}); len(tagMap) > 0 {
|
|
cfg.AssumeRoleTags = make(map[string]string)
|
|
|
|
for k, vRaw := range tagMap {
|
|
v, ok := vRaw.(string)
|
|
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
cfg.AssumeRoleTags[k] = v
|
|
}
|
|
}
|
|
|
|
if transitiveTagKeySet := data.Get("assume_role_transitive_tag_keys").(*schema.Set); transitiveTagKeySet.Len() > 0 {
|
|
for _, transitiveTagKeyRaw := range transitiveTagKeySet.List() {
|
|
transitiveTagKey, ok := transitiveTagKeyRaw.(string)
|
|
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
cfg.AssumeRoleTransitiveTagKeys = append(cfg.AssumeRoleTransitiveTagKeys, transitiveTagKey)
|
|
}
|
|
}
|
|
|
|
sess, err := awsbase.GetSession(cfg)
|
|
if err != nil {
|
|
return fmt.Errorf("error configuring S3 Backend: %w", err)
|
|
}
|
|
|
|
b.dynClient = dynamodb.New(sess.Copy(&aws.Config{
|
|
Endpoint: aws.String(data.Get("dynamodb_endpoint").(string)),
|
|
}))
|
|
b.s3Client = s3.New(sess.Copy(&aws.Config{
|
|
Endpoint: aws.String(data.Get("endpoint").(string)),
|
|
S3ForcePathStyle: aws.Bool(data.Get("force_path_style").(bool)),
|
|
}))
|
|
|
|
return nil
|
|
}
|
|
|
|
const encryptionKeyConflictError = `Cannot have both kms_key_id and sse_customer_key set.
|
|
|
|
The kms_key_id is used for encryption with KMS-Managed Keys (SSE-KMS)
|
|
while sse_customer_key is used for encryption with customer-managed keys (SSE-C).
|
|
Please choose one or the other.`
|