Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot pull modules from S3 buckets in AWS China regions #29418

Open
julian7 opened this issue Aug 19, 2021 · 9 comments
Open

Cannot pull modules from S3 buckets in AWS China regions #29418

julian7 opened this issue Aug 19, 2021 · 9 comments
Labels
bug cli dependencies Auto-pinning modules v1.0 Issues (primarily bugs) reported against v1.0 releases

Comments

@julian7
Copy link

julian7 commented Aug 19, 2021

Terraform Version

Terraform v1.0.5
on darwin_amd64

Terraform Configuration Files

module "example" {
    source = "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip"
}

Debug Output

...
Initializing modules...
2021-08-19T08:48:35.420+0200 [TRACE] ModuleInstaller: installing child modules for . into .terraform/modules
2021-08-19T08:48:35.421+0200 [DEBUG] Module installer: begin example
2021-08-19T08:48:35.421+0200 [TRACE] ModuleInstaller: example is not yet installed
2021-08-19T08:48:35.421+0200 [TRACE] ModuleInstaller: cleaning directory .terraform/modules/example prior to install of example
2021-08-19T08:48:35.421+0200 [TRACE] ModuleInstaller: example address "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip" will be handled by go-getter
Downloading s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip for example...
2021-08-19T08:48:35.421+0200 [DEBUG] will download "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip" to .terraform/modules/example
2021-08-19T08:48:35.421+0200 [TRACE] fetching "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip" to ".terraform/modules/example"
2021-08-19T08:48:35.728+0200 [TRACE] modsdir: writing modules manifest to .terraform/modules/modules.json

(sry, considered making a gist, but for ten lines?)

Crash Output

N/A

Expected Behavior

I expected the example to fail because of invalid S3 bucket or nonexisting file. I expect terraform to download modules correctly when correct source is present.

Actual Behavior

terraform init returns the following error:

│ Error: Failed to download module
│
│ Could not download module "example" (main.tf:1) source code from "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip": RequestError: send request failed
│ caused by: Get "https://s3.amazonaws.amazonaws.com/s3/example-bucket/example.zip": dial tcp: lookup s3.amazonaws.amazonaws.com: no such host

The host name s3.amazonaws.amazonaws.com is totally not what the original URL was.

Steps to Reproduce

terraform init

Additional Context

I've updated go-getter at my end to honor amazonaws.com.cn S3 URLs (see references), and it works for me.

References
@julian7 julian7 added bug new new issue not yet triaged labels Aug 19, 2021
@ewbankkit
Copy link
Contributor

ewbankkit commented Aug 19, 2021
edited
Loading

@julian7 It looks like there is a problem with your module's source URL: s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip.
According to the list of supported protocols the URL should be either s3://example-bucket/example.zip or https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip.

@julian7
Copy link
Author

julian7 commented Aug 19, 2021

@ewbankkit I couldn't see the s3://example-bucket/example.zip format anywhere in the list of supported protocols. If I'm not mistaken, prefixing the URL with s3:: is just forcing the protocol, and it can be any (read: any if it's HTTP) protocol underneath.

I've tested both of your suggestions on AWS-CN in cn-northwest-1 region:

Downloading s3://example-bucket/example.zip for example...
╷
│ Error: Failed to download module
│
│ Could not download module "example" (test.tf:1) source code from "s3://example-bucket/example.zip": URL is not a valid S3 complaint URL

Downloading https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip for example...
╷
│ Error: Failed to download module
│
│ Could not download module "example" (test.tf:1) source code from "https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip": Get
│ "https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip": 301 response missing Location header

While, if I use the original test with my patched version, I'm getting the following error:

Downloading s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip for example...
╷
│ Error: Failed to download module
│
│ Could not download module "example" (test.tf:1) source code from "s3::https://s3.cn-north-1.amazonaws.com.cn/example-bucket/example.zip": BucketRegionError: incorrect region, the
│ bucket is not in 'cn-north-1' region at endpoint ''
│ 	status code: 301, request id: , host id:

This latter has merit, or at least nobody has ever created example-bucket in cn-north-1 yet.

@apparentlymart
Copy link
Contributor

apparentlymart commented Aug 19, 2021
edited
Loading

It does seem reasonable that go-getter would be the cause of this, because it has its special "detector" behavior that tries to recognize and normalize the given URL, but the current version of that seems too eager in its normalization and only supports the URL schemes supported by the main AWS partition, and not the other separated partitions like China and GovCloud.

A logistical problem here is that go-getter doesn't have any dedicated maintainers, and yet go-getter is a shared dependency across many HashiCorp products and so we'll need to be careful about merging a change to it. Something like what's proposed in hashicorp/go-getter#335 does seem plausible to me, though I wonder if someone with more knowledge about the alternative AWS partitions can comment on whether there's a more generalized way to do this that would also work for GovCloud, or perhaps correct me that GovCloud already works due to it having a similar enough URL scheme to the primary partition. (Ideally I'd prefer a solution that won't need ongoing additions as AWS introduces new partitions or URL schemes, but I don't know if that's actually a feasible requirement to meet.) 🤔

@apparentlymart apparentlymart added cli dependencies Auto-pinning modules and removed new new issue not yet triaged labels Aug 19, 2021
@julian7
Copy link
Author

julian7 commented Aug 20, 2021

@apparentlymart for the record, here are the S3 endpoint URLs: https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_region

@julian7
Copy link
Author

julian7 commented Aug 20, 2021

Also, I was able to use the following source setting (which I don't know whether it's mentioned anywhere) with vanilla terraform v1.0.5 CLI:

module "example" {
  source = "s3::/example-bucket/path/to/example.zip?region=cn-north-1"
  ...
}

@apparentlymart
Copy link
Contributor

Thanks for sharing the docs and that other example, @julian7!

I'm honestly a bit baffled as to how that last example is working, because I'd expect it to be asking the S3 getter to fetch file:///example-bucket/path/to/example.zip?region=cn-north-1, which doesn't really make any sense. I guess it must be falling into the fallback codepath, and just kinda magically working out because that codepath ignores the scheme of the URL and only looks at the path portion, and so it doesn't really matter that it's a file:// URL.

Go-getter is generally far too clever for its own good, but I'm glad you found something that works, at least. There isn't any test case shaped like that in go-getter so I have to assume this is by accident rather than by design, but since it's covered by our compatibility promises we can't change it now and ought to go add some additional test coverage to go-getter for it.

@apparentlymart
Copy link
Contributor

(Incidentally, the forthcoming Terraform v1.1 includes an improvement to make terraform init report back the result of go-getter's detection in its status messages, instead of just echoing back the string you wrote, and so I think it would've at least then admitted in the UI that it was using the wrong URL in the original case here, rather than the confusing situation you saw where the status message said one URL but the error message reported a completely different one.)

@julian7
Copy link
Author

julian7 commented Aug 23, 2021

@apparentlymart you're right, it makes no sense. However, I think at this stage the best what we can do is to use whatever is working, it's very hard to add more features to an already convoluted system. Especially, when there is a solid workaround. I'd say the workaround should be documented instead of any code changes at the moment.

@apparentlymart apparentlymart added the v1.0 Issues (primarily bugs) reported against v1.0 releases label Sep 16, 2022
@rishabhjain1510
Copy link

rishabhjain1510 commented Jan 17, 2023
edited
Loading

also facing the same issue while pulling terraform modules from s3 bucket in china.

Method 1

module "s3-bucket" {
          source = "s3::https://s3.amazonaws.com/bucket-name/path-of-file/0.0.1.zip"
}

Error :
NoSuchBucket: The specified bucket does not exist
status code: 404, request id: KRH3T65N55QXTS39, host id:
/Unk8/nvH+f2u7MEnPiaA+xG7tforJMWfFSNecgxjCfgahzXJBOtIoNQuVYoSzx6HT0woRb2hs0=

Method 2

module "s3-bucket" {
          source = "s3::https://s3.amazonaws.com.cn/bucket-name/path-of-file/0.0.1.zip"
}

Error :
URL is not a valid S3 URL

Method 3

also tried what @julian7 suggested

module "example" {
  source = "s3::/example-bucket/path/to/example.zip?region=cn-north-1"
  ...
}

Error:
URL is not a valid s3 URL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug cli dependencies Auto-pinning modules v1.0 Issues (primarily bugs) reported against v1.0 releases
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@apparentlymart @julian7 @ewbankkit @rishabhjain1510