Merge pull request #29850 from hashicorp/backport/xiaozhu/moderately-ample-gelding

jbardin · web-flow · commit 3534df865959 · 2021-11-01T15:58:50.000-04:00
Backport of backend/oss: Supports the new attribute sts_endpoint into v1.0
diff --git a/internal/backend/remote-state/oss/backend.go b/internal/backend/remote-state/oss/backend.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -69,6 +70,12 @@ func New() backend.Backend {
 				Description: "The region of the OSS bucket.",
 				DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_REGION", os.Getenv("ALICLOUD_DEFAULT_REGION")),
 			},
+			"sts_endpoint": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A custom endpoint for the STS API",
+				DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_STS_ENDPOINT", ""),
+			},
 			"tablestore_endpoint": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -262,6 +269,7 @@ func (b *Backend) configure(ctx context.Context) error {
 	securityToken := getBackendConfig(d.Get("security_token").(string), "sts_token")
 	region := getBackendConfig(d.Get("region").(string), "region_id")
 
+	stsEndpoint := d.Get("sts_endpoint").(string)
 	endpoint := d.Get("endpoint").(string)
 	schma := "https"
 
@@ -311,7 +319,7 @@ func (b *Backend) configure(ctx context.Context) error {
 	}
 
 	if roleArn != "" {
-		subAccessKeyId, subAccessKeySecret, subSecurityToken, err := getAssumeRoleAK(accessKey, secretKey, securityToken, region, roleArn, sessionName, policy, sessionExpiration)
+		subAccessKeyId, subAccessKeySecret, subSecurityToken, err := getAssumeRoleAK(accessKey, secretKey, securityToken, region, roleArn, sessionName, policy, stsEndpoint, sessionExpiration)
 		if err != nil {
 			return err
 		}
@@ -383,7 +391,7 @@ func (b *Backend) getOSSEndpointByRegion(access_key, secret_key, security_token,
 	return endpointsResponse, nil
 }
 
-func getAssumeRoleAK(accessKey, secretKey, stsToken, region, roleArn, sessionName, policy string, sessionExpiration int) (string, string, string, error) {
+func getAssumeRoleAK(accessKey, secretKey, stsToken, region, roleArn, sessionName, policy, stsEndpoint string, sessionExpiration int) (string, string, string, error) {
 	request := sts.CreateAssumeRoleRequest()
 	request.RoleArn = roleArn
 	request.RoleSessionName = sessionName
@@ -401,6 +409,9 @@ func getAssumeRoleAK(accessKey, secretKey, stsToken, region, roleArn, sessionNam
 	if err != nil {
 		return "", "", "", err
 	}
+	if stsEndpoint != "" {
+		endpoints.AddEndpointMapping(region, "STS", stsEndpoint)
+	}
 	response, err := client.AssumeRole(request)
 	if err != nil {
 		return "", "", "", err
diff --git a/website/docs/language/settings/backends/oss.html.md b/website/docs/language/settings/backends/oss.html.md
@@ -88,6 +88,7 @@ The following configuration options or environment variables are supported:
  * `key` - (Optional) The name of the state file. Defaults to `terraform.tfstate`.
  * `tablestore_endpoint` / `ALICLOUD_TABLESTORE_ENDPOINT` - (Optional) A custom endpoint for the TableStore API.
  * `tablestore_table` - (Optional) A TableStore table for state locking and consistency. The table must have a primary key named `LockID` of type `String`.
+ * `sts_endpoint` - (Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variable `ALICLOUD_STS_ENDPOINT`.
  * `encrypt` - (Optional) Whether to enable server side
    encryption of the state file. If it is true, OSS will use 'AES256' encryption algorithm to encrypt state file.
  * `acl` - (Optional) [Object
