backport of commit 6088002

hashicorp · Oct 5, 2023 · 76de03f · 76de03f
1 parent aca41b2
commit 76de03f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 18 deletions.
diff --git a/internal/backend/remote-state/s3/validate.go b/internal/backend/remote-state/s3/validate.go
@@ -21,6 +21,7 @@ import (
 const (
 	multiRegionKeyIdPattern = `mrk-[a-f0-9]{32}`
 	uuidRegexPattern        = `[a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[ab89][a-f0-9]{3}-[a-f0-9]{12}`
+	aliasRegexPattern       = `alias/(.*)`
 )
 
 func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
@@ -31,7 +32,7 @@ func validateKMSKey(path cty.Path, s string) (diags tfdiags.Diagnostics) {
 }
 
 func validateKMSKeyID(path cty.Path, s string) (diags tfdiags.Diagnostics) {
-	keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `$`)
+	keyIdRegex := regexp.MustCompile(`^` + uuidRegexPattern + `|` + multiRegionKeyIdPattern + `|` + aliasRegexPattern + `$`)
 	if !keyIdRegex.MatchString(s) {
 		diags = diags.Append(tfdiags.AttributeValue(
 			tfdiags.Error,
@@ -71,7 +72,7 @@ func validateKMSKeyARN(path cty.Path, s string) (diags tfdiags.Diagnostics) {
 }
 
 func isKeyARN(arn arn.ARN) bool {
-	return keyIdFromARNResource(arn.Resource) != ""
+	return keyIdFromARNResource(arn.Resource) != "" || aliasIdFromARNResource(arn.Resource) != ""
 }
 
 func keyIdFromARNResource(s string) string {
@@ -84,6 +85,16 @@ func keyIdFromARNResource(s string) string {
 	return matches[1]
 }
 
+func aliasIdFromARNResource(s string) string {
+	aliasIdResourceRegex := regexp.MustCompile(`^` + aliasRegexPattern + `$`)
+	matches := aliasIdResourceRegex.FindStringSubmatch(s)
+	if matches == nil || len(matches) != 2 {
+		return ""
+	}
+
+	return matches[1]
+}
+
 type stringValidator func(val string, path cty.Path, diags *tfdiags.Diagnostics)
 
 func validateStringNotEmpty(val string, path cty.Path, diags *tfdiags.Diagnostics) {

diff --git a/internal/backend/remote-state/s3/validate_test.go b/internal/backend/remote-state/s3/validate_test.go
@@ -38,25 +38,9 @@ func TestValidateKMSKey(t *testing.T) {
 		},
 		"kms key alias": {
 			in: "alias/arbitrary-key",
-			expected: tfdiags.Diagnostics{
-				tfdiags.AttributeValue(
-					tfdiags.Error,
-					"Invalid KMS Key ID",
-					`Value must be a valid KMS Key ID, got "alias/arbitrary-key"`,
-					path,
-				),
-			},
 		},
 		"kms key alias arn": {
 			in: "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key",
-			expected: tfdiags.Diagnostics{
-				tfdiags.AttributeValue(
-					tfdiags.Error,
-					"Invalid KMS Key ARN",
-					`Value must be a valid KMS Key ARN, got "arn:aws:kms:us-west-2:111122223333:alias/arbitrary-key"`,
-					path,
-				),
-			},
 		},
 		"invalid key": {
 			in: "$%wrongkey",