
S3 Backend: AWS_USE_FIPS_ENDPOINT incorrectly enables FIPS endpoints — env variable is not parsed as boolean #37601

@aayushkhator1994

Description


Terraform Version

Any version, including 1.6 and above.

Terraform Configuration Files

terraform {
  backend "s3" {
    bucket = "<test bucket>"
    key    = "<test>/terraform.tfstate"
    region = "ap-southeast-2"
  }
}

Debug Output

│ Error: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts-fips.ap-southeast-2.amazonaws.com/": dial tcp: lookup sts-fips.ap-southeast-2.amazonaws.com: no such host

Expected Behavior

Setting the environment variable AWS_USE_FIPS_ENDPOINT to "false" or false (case-insensitive) should result in FIPS endpoints NOT being enabled.
Only setting it to "true" or true should enable FIPS.

Actual Behavior

Expected

v5testing % export AWS_USE_FIPS_ENDPOINT=true
v5testing % terraform init -reconfigure      
Initializing the backend...
╷
│ Error: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts-fips.ap-southeast-2.amazonaws.com/": dial tcp: lookup sts-fips.ap-southeast-2.amazonaws.com: no such host
│ 
│ 
╵


v5testing % export AWS_USE_FIPS_ENDPOINT=     
v5testing % terraform init -reconfigure  
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.100.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Not expected

v5testing % export AWS_USE_FIPS_ENDPOINT=false
v5testing % terraform init -reconfigure       
Initializing the backend...
╷
│ Error: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts-fips.ap-southeast-2.amazonaws.com/": dial tcp: lookup sts-fips.ap-southeast-2.amazonaws.com: no such host
│ 
│ 

Steps to Reproduce

  1. export AWS_USE_FIPS_ENDPOINT=false
  2. terraform init
  3. Confirm that FIPS endpoints are enabled, which is not expected.
    (also try export AWS_USE_FIPS_ENDPOINT=no, etc.)

Additional Context

In internal/backend/remote-state/s3/backend.go, the function boolAttrDefaultEnvVarOk() returns true for any non-empty env value.

func boolAttrDefaultEnvVarOk(obj cty.Value, name string, envvars ...string) (bool, bool) {
    if val := obj.GetAttr(name); val.IsNull() {
        for _, envvar := range envvars {
            if v := os.Getenv(envvar); v != "" {
                return true, true      // BUG: Always returns true for any non-empty value
            }
        }
        return false, false
    } else {
        return val.True(), true
    }
}

References

None yet (user to update post submission if needed)

Generative AI / LLM assisted development?

No response
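As an added illustration, not code from the issue or from Terraform itself, the following Go program contrasts the "any non-empty value means true" parse described in the Additional Context with a variant that parses the value with strconv.ParseBool, and shows which STS hostname each choice would produce for the region in the report. The helper names legacyBoolEnv, parseBoolEnv, stsEndpoint and envFrom are hypothetical; the hostname is built only to mirror the one in the quoted error message and is not Terraform's or the AWS SDK's endpoint resolver. The environment lookup is injected as a function so the table runs against a constructed map instead of the real process environment.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// legacyBoolEnv reproduces the behaviour reported in the issue (hypothetical
// stand-in for the backend helper): the first non-empty value among envvars is
// treated as true, so AWS_USE_FIPS_ENDPOINT=false still enables FIPS.
func legacyBoolEnv(getenv func(string) string, envvars ...string) (value, ok bool) {
	for _, name := range envvars {
		if v := getenv(name); v != "" {
			return true, true
		}
	}
	return false, false
}

// parseBoolEnv is the corrected variant: the first env var that is set
// (non-empty after trimming) is parsed with strconv.ParseBool, which accepts
// 1, t, T, TRUE, true, True, 0, f, F, FALSE, false and False. Anything else
// ("no", "off", "yes") is an error, so a typo fails loudly instead of silently
// choosing an endpoint. An empty value is treated as unset.
func parseBoolEnv(getenv func(string) string, envvars ...string) (value, ok bool, err error) {
	for _, name := range envvars {
		raw := strings.TrimSpace(getenv(name))
		if raw == "" {
			continue
		}
		b, perr := strconv.ParseBool(raw)
		if perr != nil {
			return false, false, fmt.Errorf("%s=%q is not a boolean; use true or false", name, raw)
		}
		return b, true, nil
	}
	return false, false, nil
}

// stsEndpoint builds the STS hostname the way the quoted error shows it: the
// FIPS variant uses the "sts-fips" prefix. Illustration only, not the real
// resolver, and sts-fips does not exist in every region (the report's region
// fails DNS lookup for exactly that reason).
func stsEndpoint(region string, fips bool) string {
	if fips {
		return "https://sts-fips." + region + ".amazonaws.com/"
	}
	return "https://sts." + region + ".amazonaws.com/"
}

// envFrom wraps a constructed map as a lookup function so the example does not
// touch the process environment.
func envFrom(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

func main() {
	const name = "AWS_USE_FIPS_ENDPOINT"
	// Constructed sample values, including the two from the report ("true",
	// "false"), the unset case, and a non-boolean typo.
	for _, val := range []string{"true", "false", "FALSE", "", "no"} {
		env := envFrom(map[string]string{name: val})
		oldV, _ := legacyBoolEnv(env, name)
		fmt.Printf("%s=%-8q legacy -> fips=%-5v %s\n", name, val, oldV, stsEndpoint("ap-southeast-2", oldV))
		newV, _, err := parseBoolEnv(env, name)
		if err != nil {
			fmt.Printf("%31s fixed  -> error: %v\n", "", err)
			continue
		}
		fmt.Printf("%31s fixed  -> fips=%-5v %s\n", "", newV, stsEndpoint("ap-southeast-2", newV))
	}

	// Against the real process environment, as a backend would call it.
	if v, ok, err := parseBoolEnv(os.Getenv, name); err != nil {
		fmt.Println("process env:", err)
	} else {
		fmt.Printf("process env: set=%v fips=%v\n", ok, v)
	}
}
```

Running the table shows the report's symptom directly: the legacy parse maps "false" and "no" to the sts-fips hostname, while the ParseBool variant returns false for "false"/"FALSE", treats the empty string as unset, and rejects "no" with an error rather than guessing.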
