hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: use_fips_endpoint causes Terraform plan to fail with DNS resolution error in AWS provider when using a proxy #39000

Open vamsi-muthe opened 3 weeks ago

vamsi-muthe commented 3 weeks ago

Terraform Core Version

1.9.5

AWS Provider Version

5.63.1

Affected Resource(s)

aws_sts and other AWS services when use_fips_endpoint is set to true

https://docs.aws.amazon.com/general/latest/gr/sts.html

Expected Behavior

The use_fips_endpoint = true setting without explicit endpoints should not trigger DNS resolution of the endpoint when a proxy is intended to be used. Additionally, in the code at line 47 of terraform-provider-aws/internal/service/sts/service_endpoint_resolver_gen.go, the service endpoint hostname is retrieved directly from the AWS SDK Go V2. Since this endpoint comes directly from AWS, it should be ok without requiring additional DNS lookup. DNS resolution should only occur if the endpoint is explicitly specified in the endpoints block within the Terraform configuration, to validate custom endpoints provided by the developer.

Actual Behavior

I am running terraform behind a proxy server and no local DNS service is set up. I encountered an issue when running a terraform plan with the use_fips_endpoint = true setting in the AWS provider block. The plan fails with an error that suggests Terraform is attempting to resolve the service endpoint via DNS instead of using the specified proxy. Below is the error message received:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: reading STS Caller Identity
│ 
│   with data.aws_caller_identity.this,
│   on main.tf line 23, in data "aws_caller_identity" "this":
│   23: data "aws_caller_identity" "this" {}
│ 
│ operation error STS: GetCallerIdentity, failed to resolve service endpoint, looking up sts endpoint "sts.us-gov-east-1.amazonaws.com": lookup sts.us-gov-east-1.amazonaws.com on 192.168.0.1:53: server misbehaving
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

The code block under Steps to Reproduce contains all of the configuration, so it is not repeated here.

Steps to Reproduce

Below is the Terraform code block used to reproduce this issue:

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5"
    }
  }
}

provider "aws" {
  region            = "us-gov-east-1"
  use_fips_endpoint = true
  # endpoints {
  #   sts = "https://sts.us-gov-east-1.amazonaws.com"
  # }
}

output "test" {
  value = data.aws_caller_identity.testing
}

data "aws_caller_identity" "testing" {}

Debug Output

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: reading STS Caller Identity
│ 
│   with data.aws_caller_identity.this,
│   on main.tf line 23, in data "aws_caller_identity" "this":
│   23: data "aws_caller_identity" "this" {}
│ 
│ operation error STS: GetCallerIdentity, failed to resolve service endpoint, looking up sts endpoint "sts.us-gov-east-1.amazonaws.com": lookup sts.us-gov-east-1.amazonaws.com on 192.168.0.1:53: server misbehaving
╵

Panic Output

No response

Important Factoids

Workaround:

As a workaround, if I explicitly specify the endpoints block in the provider configuration (as shown in the commented-out section of the code block), the terraform plan command runs successfully without any issues. This indicates that the provider does not attempt to perform DNS resolution when the endpoints block is used and successfully routes traffic through the intended proxy.

Suggested Solution:

The issue seems related to how the terraform-provider-aws/internal/service/sts/service_endpoint_resolver_gen.go file handles endpoint resolution. I suggest modifying the logic to:

  1. Perform DNS lookup only if the endpoint is explicitly specified in the endpoints block.
  2. Avoid DNS lookup if the endpoint is retrieved directly from AWS SDK Go V2, especially when use_fips_endpoint = true is set.

This would align with the expectation that DNS resolution is bypassed or not used when a proxy is intended to be utilized.

Request:

Please investigate this issue and suggest a workaround or provide a permanent fix that would allow the use_fips_endpoint setting to function correctly without requiring DNS resolution when using a proxy.

References

No response

Would you like to implement a fix?

None
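The two rules in the suggested solution above (DNS-check only operator-supplied endpoints, and skip the check entirely when a proxy will carry the request) can be expressed as a small, testable policy. The following Go program is an added illustration and is not the provider's own code; `EndpointSource`, `ShouldValidateWithDNS` and `ValidateEndpoint` are hypothetical names, the resolver and proxy functions are injected so the policy can be exercised offline, and the STS hostname used in `main` is taken from the error message in the report.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// EndpointSource records where the service endpoint hostname came from.
type EndpointSource int

const (
	// FromSDK: produced by the AWS SDK for Go v2 endpoint rules (for example the
	// FIPS variant selected by use_fips_endpoint). Trusted, so no local DNS check.
	FromSDK EndpointSource = iota
	// FromConfig: typed by the operator into the provider's endpoints block.
	FromConfig
)

// LookupFunc abstracts the resolver; net.DefaultResolver.LookupHost satisfies it.
type LookupFunc func(ctx context.Context, host string) ([]string, error)

// ProxyFunc has the shape of http.ProxyFromEnvironment: a non-nil URL means a
// proxy will carry the request and resolve the hostname on our behalf.
type ProxyFunc func(*http.Request) (*url.URL, error)

// ShouldValidateWithDNS is the hypothetical policy from the issue: a local DNS
// lookup is only worthwhile for operator-supplied endpoints, and only when no
// proxy sits in the path (behind a proxy the client never resolves the name).
func ShouldValidateWithDNS(src EndpointSource, u *url.URL, proxyFor ProxyFunc) (bool, error) {
	if src == FromSDK {
		return false, nil
	}
	if proxyFor != nil {
		p, err := proxyFor(&http.Request{URL: u})
		if err != nil {
			return false, fmt.Errorf("evaluating proxy for %q: %w", u.String(), err)
		}
		if p != nil {
			return false, nil
		}
	}
	return true, nil
}

// ValidateEndpoint parses the endpoint, applies the policy, and runs the DNS
// check only when the policy says it is due. Errors are wrapped so callers can
// still inspect the underlying resolver failure with errors.Is/As.
func ValidateEndpoint(ctx context.Context, service string, src EndpointSource, endpoint string, proxyFor ProxyFunc, lookup LookupFunc) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("parsing %s endpoint %q: %w", service, endpoint, err)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("%s endpoint %q has no hostname", service, endpoint)
	}
	need, err := ShouldValidateWithDNS(src, u, proxyFor)
	if err != nil || !need {
		return err
	}
	addrs, err := lookup(ctx, u.Hostname())
	if err != nil {
		return fmt.Errorf("looking up %s endpoint %q: %w", service, u.Hostname(), err)
	}
	if len(addrs) == 0 {
		return fmt.Errorf("%s endpoint %q resolved to no addresses", service, u.Hostname())
	}
	return nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	// Hostname from the report's error message; treated once as SDK-derived and
	// once as operator-supplied to show which path triggers a real lookup.
	endpoint := "https://sts.us-gov-east-1.amazonaws.com"
	for _, c := range []struct {
		name string
		src  EndpointSource
	}{{"sdk", FromSDK}, {"config", FromConfig}} {
		err := ValidateEndpoint(ctx, "sts", c.src, endpoint, http.ProxyFromEnvironment, net.DefaultResolver.LookupHost)
		fmt.Printf("%-6s source: validation error = %v\n", c.name, err)
	}
}
```

Run with `HTTPS_PROXY=http://proxy.example.internal:3128 go run .` on a host without working DNS to see the operator-supplied path skip the lookup; without the variable set, the `config` case performs the resolver call and fails the way the report describes, while the `sdk` case never touches DNS.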

github-actions[bot] commented 3 weeks ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 2 weeks ago

This particular area of the provider isn't my forte, but if I've understood correctly, potentially related to #37876.