Closed geronimo-iia closed 1 year ago
With blob api authentication, we had to configure a netrc file (https://everything.curl.dev/usingcurl/netrc).
See https://developer.hashicorp.com/terraform/language/modules/sources#http-urls
.netrc did not support JWT tokens (I found nothing about this).
With a netrc like this:
machine registry.my-domain.com login Bearer password My_JWT_Token
And adding support for Basic auth in lambda authorizer, things "work"....
But we had to configure:
I do not like to repeat myself... We will have to configure two files everywhere...
Rather than using API Gateway as an S3 proxy, maybe we should use an S3 presigned URL in the "download response". With this solution, we would need a dedicated lambda to answer on this method, and confirm that we do not need a public ACL on the bucket.
By the way, the GitLab API Terraform registry uses a "file" suffix to get the module source.
The Terraform or Terragrunt client sees just a public HTTPS URL.
The first idea was to add a blob API to get the Terraform module stored in the bucket using API Gateway. The API Gateway is used as a proxy to the AWS S3 bucket, and uses a JWT token as the authentication method.
Using AWS API Gateway as an S3 proxy:
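
The presigned-URL alternative proposed in this issue, as an added example that is not code from the issue author or the project: a dedicated Lambda answers the registry download call with 204 and an `X-Terraform-Get` header carrying a short-lived presigned URL, so the bucket needs no public ACL and the client needs no `.netrc` entry for the blob host. The key layout, the strict version pattern, the `MODULE_BUCKET` variable and the function names are assumptions.

```python
import re

# Assumed (hypothetical) key layout: <namespace>/<name>/<system>/<version>.zip
SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
VERSION = re.compile(r"\d+\.\d+\.\d+")  # assumption: plain x.y.z versions only
URL_TTL_SECONDS = 300  # a presigned URL is a bearer capability: keep it short


def module_key(params):
    """Build the S3 key from path parameters, rejecting anything unexpected."""
    parts = [params.get(k) or "" for k in ("namespace", "name", "system")]
    version = params.get("version") or ""
    # Allow-list each segment so the caller cannot steer the key elsewhere
    # in the bucket (no dots, slashes or empty segments).
    if not all(SEGMENT.fullmatch(p) for p in parts):
        raise ValueError("invalid module coordinates")
    if not VERSION.fullmatch(version):
        raise ValueError("invalid module version")
    return "/".join(parts) + f"/{version}.zip"


def download_response(event, s3_client, bucket):
    """Answer the registry 'download' call with 204 + X-Terraform-Get."""
    try:
        key = module_key(event.get("pathParameters") or {})
    except ValueError:
        return {"statusCode": 400, "body": "invalid module coordinates"}
    # Signed with the Lambda role's credentials; the bucket itself stays private.
    url = s3_client.generate_presigned_url(
        "get_object",
        Params={"Bucket": bucket, "Key": key},
        ExpiresIn=URL_TTL_SECONDS,
    )
    return {"statusCode": 204, "headers": {"X-Terraform-Get": url}, "body": ""}


def lambda_handler(event, context):
    """Lambda entry point; assumed to sit behind the JWT authorizer."""
    import os
    import boto3  # imported lazily so the module loads without the AWS SDK
    return download_response(event, boto3.client("s3"), os.environ["MODULE_BUCKET"])
```

The Lambda role only needs `s3:GetObject` on the module prefix; the JWT check stays on the registry endpoint, and the URL handed to the client expires after `URL_TTL_SECONDS`.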