don't allow leading slashes in s3 remote state key

S3 accepts objects with a leading slash and strips them off. This works
fine except in our workspace hierarchy, which then can no longer find
suffixes matching the full key name.
This commit is contained in:
James Bardin 2017-08-04 18:26:19 -04:00
parent 3600f0b730
commit 4c7cd549cd
2 changed files with 33 additions and 0 deletions

View File

@ -2,6 +2,8 @@ package s3
import (
"context"
"fmt"
"strings"
"github.com/aws/aws-sdk-go/service/dynamodb"
"github.com/aws/aws-sdk-go/service/s3"
@ -25,6 +27,14 @@ func New() backend.Backend {
Type: schema.TypeString,
Required: true,
Description: "The path to the state file inside the bucket",
ValidateFunc: func(v interface{}, s string) ([]string, []error) {
// s3 will strip leading slashes from an object, so while this will
// technically be accepted by s3, it will break our workspace hierarchy.
if strings.HasPrefix(v.(string), "/") {
return nil, []error{fmt.Errorf("key must not start with '/'")}
}
return nil, nil
},
},
"region": {

View File

@ -11,6 +11,7 @@ import (
"github.com/aws/aws-sdk-go/service/dynamodb"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/hashicorp/terraform/backend"
"github.com/hashicorp/terraform/config"
"github.com/hashicorp/terraform/state/remote"
"github.com/hashicorp/terraform/terraform"
)
@ -65,6 +66,28 @@ func TestBackendConfig(t *testing.T) {
}
}
func TestBackendConfig_invalidKey(t *testing.T) {
testACC(t)
cfg := map[string]interface{}{
"region": "us-west-1",
"bucket": "tf-test",
"key": "/leading-slash",
"encrypt": true,
"dynamodb_table": "dynamoTable",
}
rawCfg, err := config.NewRawConfig(cfg)
if err != nil {
t.Fatal(err)
}
resCfg := terraform.NewResourceConfig(rawCfg)
_, errs := New().Validate(resCfg)
if len(errs) != 1 {
t.Fatal("expected config validation error")
}
}
func TestBackend(t *testing.T) {
testACC(t)