Terraform Core Version
1.9.5
AWS Provider Version
5.63.1
Affected Resource(s)
aws_sts and other AWS services when use_fips_endpoint is set to true
https://docs.aws.amazon.com/general/latest/gr/sts.html
Expected Behavior
The use_fips_endpoint = true setting without explicit endpoints should not trigger DNS resolution of the endpoint when a proxy is intended to be used. Additionally, in the code at line 47 of terraform-provider-aws/internal/service/sts/service_endpoint_resolver_gen.go, the service endpoint hostname is retrieved directly from the AWS SDK Go V2. Since this endpoint comes directly from AWS, it should be OK without requiring an additional DNS lookup. DNS resolution should only occur if the endpoint is explicitly specified in the endpoints block within the Terraform configuration, to validate custom endpoints provided by the developer.
Actual Behavior
I am running Terraform behind a proxy server and no local DNS service is set up. I encountered an issue when running terraform plan with the use_fips_endpoint = true setting in the AWS provider block. The plan fails with an error that suggests Terraform is attempting to resolve the service endpoint via DNS instead of using the specified proxy. Below is the error message received:
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: reading STS Caller Identity
│
│ with data.aws_caller_identity.this,
│ on main.tf line 23, in data "aws_caller_identity" "this":
│ 23: data "aws_caller_identity" "this" {}
│
│ operation error STS: GetCallerIdentity, failed to resolve service endpoint, looking up sts endpoint "sts.us-gov-east-1.amazonaws.com": lookup sts.us-gov-east-1.amazonaws.com on 192.168.0.1:53: server misbehaving
╵
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
The code block under Steps to Reproduce contains all the configuration, so it is not repeated here.
Steps to Reproduce
Below is the Terraform code block used to reproduce this issue:
Debug Output
Panic Output
No response
Important Factoids
Workaround:
As a workaround, if I explicitly specify the endpoints block in the provider configuration (as shown in the commented-out section of the code block), the terraform plan command runs successfully without any issues. This indicates that the provider does not attempt to perform DNS resolution when the endpoints block is used and successfully routes traffic through the intended proxy.
Suggested Solution:
The issue seems related to how the terraform-provider-aws/internal/service/sts/service_endpoint_resolver_gen.go file handles endpoint resolution. I suggest modifying the logic to:
Perform DNS lookup only if the endpoint is explicitly specified in the endpoints block.
Avoid DNS lookup if the endpoint is retrieved directly from AWS SDK Go V2, especially when use_fips_endpoint = true is set.
This would align with the expectation that DNS resolution is bypassed or not used when a proxy is intended to be utilized.
Request:
Please investigate this issue and suggest a workaround or provide a permanent fix that would allow the use_fips_endpoint setting to function correctly without requiring DNS resolution when using a proxy.
References
No response
Would you like to implement a fix?
None
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
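An added example, not code from this issue, the provider, or the AWS SDK, that reproduces in plain Go the mechanism the report is about: with Transport.Proxy set, net/http opens a connection to the proxy and sends it the endpoint hostname verbatim, so the client never resolves that hostname itself, whereas a pre-flight LookupHost of the same hostname fails the moment there is no DNS service. Everything environment-specific is an assumption of the example: the proxy is a loopback httptest server standing in for the corporate proxy (it records the Host it was asked for and answers 200 instead of forwarding), the request uses http:// rather than the real https FIPS endpoint so the stand-in can answer without a CONNECT tunnel, and NoDNSResolver fakes the missing DNS service with a dialer that always fails.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// dialRecorder wraps net.Dialer and records every TCP address the HTTP
// client opens, which shows which hostnames were (and were not) resolved.
type dialRecorder struct {
	mu    sync.Mutex
	addrs []string
}

func (d *dialRecorder) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	d.mu.Lock()
	d.addrs = append(d.addrs, addr)
	d.mu.Unlock()
	return (&net.Dialer{}).DialContext(ctx, network, addr)
}

// ProxiedRequestResult is what RequestViaProxy observed.
type ProxiedRequestResult struct {
	ProxySawHost string   // Host the proxy was asked to reach
	DialedAddrs  []string // TCP addresses the client actually connected to
	StatusCode   int
}

// RequestViaProxy issues a plain-HTTP request for targetURL through a
// loopback forward proxy (constructed stand-in for the proxy in the report).
// net/http dials the proxy and sends the absolute-form request, so the
// target hostname travels to the proxy unresolved.
func RequestViaProxy(targetURL string) (ProxiedRequestResult, error) {
	var (
		res     ProxiedRequestResult
		mu      sync.Mutex
		sawHost string
	)
	proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		sawHost = r.Host // absolute-form request: Host is the upstream target
		mu.Unlock()
		w.WriteHeader(http.StatusOK) // stand-in proxy answers instead of forwarding
	}))
	defer proxy.Close()

	proxyURL, err := url.Parse(proxy.URL)
	if err != nil {
		return res, err
	}
	rec := &dialRecorder{}
	client := &http.Client{Transport: &http.Transport{
		Proxy:       http.ProxyURL(proxyURL), // every request goes via the proxy
		DialContext: rec.DialContext,
	}}
	resp, err := client.Get(targetURL)
	if err != nil {
		return res, err
	}
	resp.Body.Close()

	mu.Lock()
	res.ProxySawHost = sawHost
	mu.Unlock()
	res.StatusCode = resp.StatusCode
	res.DialedAddrs = append([]string(nil), rec.addrs...)
	return res, nil
}

// TargetWasResolvedLocally reports whether the client dialed the target
// host itself (which is where a local DNS lookup would happen) instead of
// handing it to the proxy.
func TargetWasResolvedLocally(res ProxiedRequestResult, host string) bool {
	for _, a := range res.DialedAddrs {
		if strings.Contains(a, host) {
			return true
		}
	}
	return false
}

// NoDNSResolver models the reporter's environment: a resolver whose
// connection to any nameserver fails (constructed failure), as when no
// local DNS service exists behind the proxy.
func NoDNSResolver() *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
			return nil, fmt.Errorf("no DNS service reachable (%s %s)", network, address)
		},
	}
}

// PreflightLookup is the kind of validation the report objects to: it
// resolves the endpoint host before any request is made, so it fails
// behind a DNS-less proxy even though the proxied request would succeed.
func PreflightLookup(ctx context.Context, r *net.Resolver, host string) error {
	_, err := r.LookupHost(ctx, host)
	return err
}

func main() {
	const stsHost = "sts.us-gov-east-1.amazonaws.com" // hostname from the error in the report
	res, err := RequestViaProxy("http://" + stsHost + "/")
	if err != nil {
		fmt.Println("proxied request failed:", err)
		return
	}
	fmt.Printf("proxy was asked for %q; client dialed %v; target resolved locally: %v\n",
		res.ProxySawHost, res.DialedAddrs, TargetWasResolvedLocally(res, stsHost))
	fmt.Println("pre-flight lookup without DNS:", PreflightLookup(context.Background(), NoDNSResolver(), stsHost))
}
```

For an https endpoint the transport would instead send CONNECT sts.us-gov-east-1.amazonaws.com:443 to the proxy; the hostname still reaches the proxy unresolved. That is the distinction behind the reporter's suggestion: a lookup-based validation is only meaningful for a hostname an operator typed into the endpoints block, while an SDK-supplied hostname can go straight to the transport and, behind a proxy, needs no local resolver at all.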