Commit Graph

31 Commits

Author SHA1 Message Date
James Bardin 4d00c29706 Merge pull request #11836 from hashicorp/jbardin/state-locking
Add locking during backend configuration
2017-02-09 18:30:10 -05:00
Daren Desjardins 5718294386 state/remote/s3: Fix Bug with Assume Role for Federated IAM Account (#10067)
* Enable remote s3 state support for assume role

- provide role_arn in backend config to enable assume role

Fixes #8739

* Check for errors after obtaining credentials
2017-02-09 16:54:49 +00:00
James Bardin 5c2e945b3c Fix format string and typos 2017-02-09 10:27:42 -05:00
James Bardin 14d965722e Use single state.LockInfo struct
Remove redundant structures
2017-02-08 11:34:31 -05:00
James Bardin a2b5811f50 Remove "expires" from lock info.
We are not going to handle lock expiration, at least at this time, so
remove the Expires fields to avoid any confusion.
2017-02-03 14:55:21 -05:00
James Bardin 10f6d7f30f Add locking for s3 state
Use a DynamoDB table to coodinate state locking in S3.

We use a simple strategy here, defining a key containing the value of
the bucket/key of the state file as the lock. If the keys exists, the
locks fails.

TODO: decide if locks should automatically be expired, or require manual
intervention.
2017-01-30 17:16:57 -05:00
Ian Duffy 767914bbdc [GH-1275] Support for AWS access via IAMs AssumeRole functionality
This commit enables terraform to utilise the assume role functionality
of sts to execute commands with different privileges than the API
keys specified.

Signed-off-by: Ian Duffy <ian@ianduffy.ie>
2016-09-02 10:22:57 -07:00
Renier Morales c2bcb5fbe5 Skip IAM/STS validation and metadata check (#7874)
* Skip IAM/STS validation and metadata check

* Skip IAM/STS identity validation - For environments or other api
  implementations where there are no IAM/STS endpoints available, this
  option lets you opt out from that provider initialization step.
* Skip metdata api check - For environments in which you know ahead of
  time there isn't going to be a metadta api endpoint, this option lets
  you opt out from that check to save time.

* Allow iam/sts initialization even if skipping account/cred validation

(#7874)

* Split out skip of IAM validation into credentials and account id

(#7874)
2016-08-10 15:10:34 +01:00
John Engelman 14f6f90621 Support standard AWS config in the S3 remote backend. (#5270) 2016-05-06 17:52:18 +01:00
Paul Hinze ba21769083 Merge pull request #2903 from kjmkznr/remote-s3-sse-kms
state/remote/s3: Allows KMS Key Encryption setting when using S3 backend with encrypt
2016-01-19 18:54:03 -06:00
Sander van Harmelen 9b27db6fea Add the option to specify a custom (AWS compatible) S3 endpoint
Same fix/option as I added in Vault not too long ago:
https://github.com/hashicorp/vault/pull/750
2016-01-11 14:28:52 +01:00
Rafal Jeczalik 9e66e18334 provider/aws: fix for https://github.com/aws/aws-sdk-go/issues/452 2015-11-24 09:30:21 +01:00
Paul Hinze cadbbbae08 aws: fix build after upstream breaking change
see
1a69d06935
2015-10-29 18:52:10 -05:00
Jeff Mitchell 1373a6086b Use cleanhttp for new http clients 2015-10-22 14:23:59 -04:00
Jeff Mitchell b0ceffc322 Remove usage from dependencies as well. Other dependencies need upstream merging to completely solve this. 2015-10-19 12:06:34 -04:00
Kazunori Kojima 9186c29dd8 Fix typo 2015-10-07 23:39:08 +09:00
Kazunori Kojima 576b2d1109 Change KMS Key ID configuration name to used in other 2015-10-07 23:09:03 +09:00
Kazunori Kojima ba8f1fa1f0 Add support S3 server side encryption with KMS.
* Example

```
terraform remote config \
  -backend=s3
  -backend-config="bucket=bucket-tfstate"
  -backend-config="key=terraform.tfstate"
  -backend-config="region=ap-northeast-1"
  -backend-config="encrypt=1"
  -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9"
```
2015-10-07 23:03:55 +09:00
Martin Atkins ccc8f0d0fb S3 remote state use application/json Content-Type.
The state is always JSON, in spite of the fact that this interface
presents it as an opaque byte array. It's more helpful to those interacting
with the state object outside of Terraform for it to have a more specific
content-type.
2015-10-03 18:02:36 -07:00
Radek Simko 3d77d158f7 remote/s3: Add support for ACL 2015-09-14 10:40:46 +01:00
Paul Hinze 1a44b427a7 state/remote/s3: match with upstream changes 2015-08-10 15:46:22 -05:00
Clint Shryock 579ccbefea provider/aws: Update source to comply with upstream breaking change 2015-07-28 15:29:46 -05:00
Mitchell Hashimoto e135ff546a state/remote: clean up the encryption flag stuff
/cc @hobbeswalsh
2015-06-25 09:23:12 -07:00
Robin Walsh ad17cf55a0 Allowing at-rest encryption when using S3
This change allows the user to specify `-backend-config="encrypt=1"`
to tell S3 to encrypt the data that's in the bucket when using S3
for remote config storage.

The encryption uses "Amazon S3-managed encryption keys" so it should
not require any further user intervention.

A line was added to the unit test just for coverage.
The acceptance test was modified to:
  a) Use encryption
  b) Push some test data up to the bucket created to ensure
     that Amazon accepts the header.
2015-06-19 11:33:03 -07:00
Paul Hinze b71fa3d0ae provider/aws: handle upstream aws-sdk-go repo move
`awslabs/aws-sdk-go => aws/aws-sdk-go`

Congrats to upstream on the promotion. :)
2015-06-03 13:36:57 -05:00
Clint Shryock 883e2848c6 update remote state s3 file to fix error 2015-05-20 15:20:30 -05:00
Paul Hinze 31258e06c6 provider/aws: fix breakages from awserr refactor
This landed in aws-sdk-go yesterday, breaking the AWS provider in many places:

3c259c9586

Here, with much sedding, grepping, and manual massaging, we attempt to
catch Terraform up to the new `awserr.Error` interface world.
2015-05-20 06:21:23 -05:00
Sander van Harmelen 897bf5e53d Added `SharedCredentialsProvider` and `EC2RoleProvider` as well... 2015-05-05 20:38:35 +02:00
Sander van Harmelen 5435815524 Fixing PR #1804 2015-05-05 20:30:35 +02:00
Sander van Harmelen 7274de3c1d Small fix needed to be inline with the updated AWS SDK again...
Executed a couple of AWS ACC test as well to make sure everything works
properly again after this fix…
2015-05-05 12:26:26 +02:00
Martin Atkins 53e93d6f63 S3 remote stage storage backend, against the new remote state API.
Stores state in a particular key in a given S3 bucket.
2015-04-30 09:21:49 -07:00