hashicorp / aws-sdk-go-base

AWS Go SDK Base Client and Helper Function Library
Mozilla Public License 2.0

Internal IAM and STS clients to use configured HTTP client #1163

Closed ewbankkit closed 2 weeks ago

ewbankkit commented 2 weeks ago


Description

The AWS IAM and STS clients created in https://github.com/hashicorp/aws-sdk-go-base/blob/main/clients.go and used for role assumption and the like should use any custom HTTP client configured in the Config parameter.

Relates (?):
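To make the requested behaviour concrete, here is an added Go illustration (not code from aws-sdk-go-base or the provider) of the difference between an internal client that ignores the configured HTTP client and one that honours it. The `Config`, `stsClient` and constructor names are hypothetical stand-ins; the recording transport and the local `httptest` endpoint are constructed for the example. The point is that any egress control attached to the configured client's transport (a proxy, a pinned TLS config, a filtering `RoundTripper`) only covers internal IAM/STS calls if those clients are built from the same `Config`.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Config stands in for a provider/library Config carrying an optional custom
// HTTP client (hypothetical type, not the library's own).
type Config struct {
	HTTPClient *http.Client
}

// recordingTransport is a constructed RoundTripper that records every host it
// is asked to reach before delegating to the next transport. In a real
// deployment this is where a proxy or egress policy would be applied.
type recordingTransport struct {
	mu    sync.Mutex
	hosts []string
	next  http.RoundTripper
}

func (t *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.mu.Lock()
	t.hosts = append(t.hosts, req.URL.Host)
	t.mu.Unlock()
	return t.next.RoundTrip(req)
}

// stsClient stands in for an internal STS/IAM client (hypothetical).
type stsClient struct {
	client   *http.Client
	endpoint string
}

// newSTSClientIgnoringConfig reproduces the reported behaviour: the internal
// client is built on the default HTTP client regardless of cfg.HTTPClient.
func newSTSClientIgnoringConfig(cfg Config, endpoint string) *stsClient {
	return &stsClient{client: http.DefaultClient, endpoint: endpoint}
}

// newSTSClient is the intended behaviour: honour cfg.HTTPClient when set and
// fall back to the default client only when it is nil.
func newSTSClient(cfg Config, endpoint string) *stsClient {
	c := cfg.HTTPClient
	if c == nil {
		c = http.DefaultClient
	}
	return &stsClient{client: c, endpoint: endpoint}
}

// GetCallerIdentity issues a minimal request through the client's HTTP client.
func (c *stsClient) GetCallerIdentity() (string, error) {
	resp, err := c.client.Get(c.endpoint + "/?Action=GetCallerIdentity")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// CallsSeenByCustomTransport runs one request through each constructor against
// a constructed local endpoint and returns how many requests the custom
// transport observed from the buggy and from the fixed constructor.
func CallsSeenByCustomTransport() (buggy int, fixed int, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	rt := &recordingTransport{next: http.DefaultTransport}
	cfg := Config{HTTPClient: &http.Client{Transport: rt}}

	if _, err = newSTSClientIgnoringConfig(cfg, srv.URL).GetCallerIdentity(); err != nil {
		return
	}
	buggy = len(rt.hosts) // expected 0: the custom transport never saw the call

	if _, err = newSTSClient(cfg, srv.URL).GetCallerIdentity(); err != nil {
		return
	}
	fixed = len(rt.hosts) - buggy // expected 1: the call went through the configured client
	return
}

func main() {
	buggy, fixed, err := CallsSeenByCustomTransport()
	if err != nil {
		panic(err)
	}
	fmt.Printf("custom transport saw %d request(s) from the buggy client and %d from the fixed one\n", buggy, fixed)
}
```

Run as-is it prints `0` for the constructor that ignores the config and `1` for the one that honours it; the same check, pointed at a recording or filtering transport, is a quick way to confirm whether a library's internal clients are actually subject to the HTTP client you configured.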

marlonparmentier commented 2 weeks ago

@ewbankkit this would be great. After a ton of troubleshooting it seems that the 5.65.0 provider uses the HTTP/2 gRPC protocol for services such as AWS IAM. The problem we have with this in our environment is that we use an egress filter on our AWS network firewall, and we had to conclude that there is no way to filter destinations when HTTP/2 is used.

The current filtering is done on TLS.SNI and this filtering drops the gRPC packets. Once we update, we cannot filter on anything usable as there are no details in the traffic to filter on. This seems to be because from 5.65.0 the server name is not set in the request sent to the service endpoint.

ewbankkit commented 2 weeks ago

After a more thorough review of the terraform-provider-aws code I see that the internal API clients are using the same HTTP client as that used directly by the provider. @marlonparmentier We continue to investigate the underlying issue.