-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
S3 backend doesn't respect region argument for DynamoDB anymore #36129
Comments
Hey @mwacc2, Thank you for reporting this! The S3 backend is managed by the AWS Provider team at HashiCorp, and this issue has been added to their triage queue. Thanks again! |
Hi @mwacc2, Thanks again for filing this issue. Unfortunately I wasn’t able to replicate the problem on my end. Could you verify if my attempt is correct? I’ve set the
Here's an attached debug log: https://gist.github.com/bschaatsbergen/5169e72bde3ace9488fd3bb6bc748305—Let me know if this matches your setup or if there’s anything different on your end. Thanks! |
Hi, I was able to reproduce, both right away and after deleting the Maybe a factor is that I use
AWS Vault sets the following environment variables:
When the custom DynamoDB endpoint argument is commented, and using DEBUG logs, I get the following:
Note that according to Terraform logs there are no HTTP request sent to DynamoDB (unlike seen for S3 calls or in the Gist you pasted). I did not find in my logs entries like in yours ( Thus the WARN entry above does not seem to be the consequence of an API forbidden/unauthorised/not found response (unless HTTP requests/responses are not logged in some failure cases). So IMHO I suspect that the DynamoDB client doesn't figure out its configuration and thus doesn't even get to sending an API call. After uncommenting the custom DynamoDB endpoint and reconfiguring the backend with
I tried to use the |
Hey @mwacc2, Thank you for sharing more details about the environment and tooling used to fetch and inject dynamic credentials. I believe the issue comes from how one of the underlying libraries is sourcing and setting the Account ID from the provided credentials or profile. Leading to an error when the DynamoDB client is instantiated and attempts to resolve its endpoint config. Specifically, the error is triggered when the AccountId parameter is not a valid host label in a non-FIPS, non-DualStack AWS partition configuration. See: https://github.com/aws/aws-sdk-go-v2/blob/main/service/dynamodb/endpoints.go#L423-L435 Could you confirm if you’re only experiencing this issue on Terraform 1.10.0? And, are you aware if there's an Account ID in the profile configuration you’re targeting with aws-vault? Thanks! |
I have no issues with Terraform v1.9.8. (in that working production configuration, the backend block does not declare argument
In the AWS profile file I use with aws-vault, the account ID is only there as part of the assumed role ARN and the MFA device ARN (properties |
Hey @mwacc2, A change we inherited in Terraform 1.10:
Perhaps another approach to troubleshoot is setting I still suspect that the underlying AWS library responsible for sourcing and setting the AccountID is retrieving an incompatible value for the account ID, which is triggering the error. Something that was previously compatible with how endpoints were constructed, but now conflicts with the way the AWS library builds the endpoint for DynamoDB. Could you try either of these options and share your findings to help with troubleshooting? |
So I ran the following:
And the lock was successfully locked and released 🥳 I also tried with So I guess it's not a bug, and I need to squint my eyes harder while reading the CHANGELOGs 😳 Although the important information was perhaps a bit hidden/not obvious? Because the linked changelog entry is part of the AWS provider repo, and not part of the Tfstate backend docs/main Terraform repo changelog? How does the backend and provider relate? Thanks for your help @bschaatsbergen 🙏 |
Terraform Version
Terraform Configuration Files
Debug Output
Expected Behavior
When environment variable
AWS_REGION = "REGION-2"
The S3 backend should have tried to reach DynamoDB in region
REGION-1
as defined by theregion
argument.Actual Behavior
When environment variable
AWS_REGION = "REGION-2"
The S3 backend seems to respect the
AWS_REGION
environment variable instead of theregion
argument, and attempts to read the DynamoDB table inREGION-2
.Steps to Reproduce
Additional Context
Using the explicit endpoint argument with the appropriate (but repeated)
REGION-1
endpoint URL will fix this issue as commented in the source above.But according to documentation this should not be necessary:
References
No response
The text was updated successfully, but these errors were encountered: