Merge pull request #23965 from tpaschalis/disallow-s3-backend-key-tra…

…iling-slash S3 Backend : Bucket key should not contain trailing slash
hashicorp · Nov 1, 2022 · 6663cde · 6663cde
2 parents bb68075 + 4cb355f
commit 6663cde
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go
@@ -37,6 +37,11 @@ func New() backend.Backend {
 					if strings.HasPrefix(v.(string), "/") {
 						return nil, []error{errors.New("key must not start with '/'")}
 					}
+					// s3 will recognize objects with a trailing slash as a directory
+					// so they should not be valid keys
+					if strings.HasSuffix(v.(string), "/") {
+						return nil, []error{errors.New("key must not end with '/'")}
+					}
 					return nil, nil
 				},
 			},

diff --git a/internal/backend/remote-state/s3/backend_test.go b/internal/backend/remote-state/s3/backend_test.go
@@ -326,6 +326,19 @@ func TestBackendConfig_invalidKey(t *testing.T) {
 	if !diags.HasErrors() {
 		t.Fatal("expected config validation error")
 	}
+
+	cfg = hcl2shim.HCL2ValueFromConfigValue(map[string]interface{}{
+		"region":         "us-west-1",
+		"bucket":         "tf-test",
+		"key":            "trailing-slash/",
+		"encrypt":        true,
+		"dynamodb_table": "dynamoTable",
+	})
+
+	_, diags = New().PrepareConfig(cfg)
+	if !diags.HasErrors() {
+		t.Fatal("expected config validation error")
+	}
 }
 
 func TestBackendConfig_invalidSSECustomerKeyLength(t *testing.T) {