From b7bcc13ea53cd41ccdbef11381b4cfc33469395a Mon Sep 17 00:00:00 2001
From: ian <141902143+yumosx@users.noreply.github.com>
Date: Sat, 18 Oct 2025 03:08:51 +0800
Subject: [PATCH] encryption/keyprovider/aws_kms: Use APNInfo instead of UserAgent
---
 CHANGELOG.md | 1 +
 .../encryption/keyprovider/aws_kms/config.go | 8 +++++---
 .../keyprovider/aws_kms/config_test.go | 17 ++++++++++-------
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c18ad118b..1f5c25ff00 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,6 +74,7 @@ ENHANCEMENTS:
 BUG FIXES:
 * The `s3` state storage backend now correctly sends the `x-amz-server-side-encryption` header when working with S3 objects representing state locks. ([#2970](https://github.com/opentofu/opentofu/issues/2970))
+* The `aws_kms` key provider for state and plan encryption no longer returns a confusing error when the `TF_APPEND_USER_AGENT` environment variable is set. ([#3390](https://github.com/opentofu/opentofu/pull/3390))
 * The `issensitive` function now returns an unknown result when its argument is unknown, because a sensitive unknown value can potentially become non-sensitive once more information is available. ([#3008](https://github.com/opentofu/opentofu/pull/3008))
 * Provider references like `null.some_alias[each.key]` in `.tf.json` files are now accepted in the same way as in native syntax files. ([#2915](https://github.com/opentofu/opentofu/issues/2915))
 * Fixed "slice bounds out of range" crash when processing multiple deprecated values inside a complex object. ([#3105](https://github.com/opentofu/opentofu/pull/3105))
diff --git a/internal/encryption/keyprovider/aws_kms/config.go b/internal/encryption/keyprovider/aws_kms/config.go
index 24a41627fc..e89a1f991c 100644
--- a/internal/encryption/keyprovider/aws_kms/config.go
+++ b/internal/encryption/keyprovider/aws_kms/config.go
@@ -160,9 +160,11 @@ func (c Config) asAWSBase() (*awsbase.Config, error) {
 Insecure: c.Insecure,
 UseDualStackEndpoint: c.UseDualStackEndpoint,
 UseFIPSEndpoint: c.UseFIPSEndpoint,
- UserAgent: awsbase.UserAgentProducts{
- {Name: "APN", Version: "1.0"},
- {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ APNInfo: &awsbase.APNInfo{
+ PartnerName: "OpenTofu-AWS-KMS",
+ Products: []awsbase.UserAgentProduct{
+ {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ },
 },
 CustomCABundle: stringAttrEnvFallback(c.CustomCABundle, "AWS_CA_BUNDLE"),
diff --git a/internal/encryption/keyprovider/aws_kms/config_test.go b/internal/encryption/keyprovider/aws_kms/config_test.go
index 84b0033636..c5ffb324e5 100644
--- a/internal/encryption/keyprovider/aws_kms/config_test.go
+++ b/internal/encryption/keyprovider/aws_kms/config_test.go
@@ -40,9 +40,11 @@ func TestConfig_asAWSBase(t *testing.T) {
 CallerDocumentationURL: "https://opentofu.org/docs/language/settings/backends/s3",
 CallerName: "KMS Key Provider",
 MaxRetries: 5,
- UserAgent: awsbase.UserAgentProducts{
- {Name: "APN", Version: "1.0"},
- {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ APNInfo: &awsbase.APNInfo{
+ PartnerName: "OpenTofu-AWS-KMS",
+ Products: []awsbase.UserAgentProduct{
+ {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ },
 },
 },
 },
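Review bot: The partner name `"OpenTofu-AWS-KMS"` is an uncommented literal inside asAWSBase, and the same string is retyped in both expectations in config_test.go; a package-level `const apnPartnerName = "OpenTofu-AWS-KMS"` with the comment `// apnPartnerName is the partner token awsbase places in the APN section of the User-Agent header.` would give it one documented home. If awsbase renders APNInfo in its usual form, the User-Agent sent on KMS calls now carries this extra token, so CloudTrail `userAgent` matches and any `aws:UserAgent` policy conditions keyed on the previous string may stop matching; that deserves a sentence in the CHANGELOG entry. asAWSBase begins and ends outside this hunk, so how the rest of the config interacts with `TF_APPEND_USER_AGENT` is not visible here.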
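Review bot: Neither this hunk nor the later one at `@@ -105,11 +107,12 @@` exercises the `TF_APPEND_USER_AGENT` case that the CHANGELOG entry says was fixed; both only swap the expected `UserAgent` value for `APNInfo`, and the diffstat's 17 changed lines in config_test.go are fully accounted for by these two updates. A table case that calls `t.Setenv("TF_APPEND_USER_AGENT", "example-agent/1.0")` (constructed value) and asserts that the configuration builds without error would pin the regression. Whether the original error surfaced in asAWSBase or later, when awsbase consumes the config, cannot be told from these hunks, so the assertion may belong one level up. TestConfig_asAWSBase starts and ends outside the hunk.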
@@ -105,11 +107,12 @@ func TestConfig_asAWSBase(t *testing.T) {
 expected: awsbase.Config{
 CallerDocumentationURL: "https://opentofu.org/docs/language/settings/backends/s3",
 CallerName: "KMS Key Provider",
- UserAgent: awsbase.UserAgentProducts{
- {Name: "APN", Version: "1.0"},
- {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ APNInfo: &awsbase.APNInfo{
+ PartnerName: "OpenTofu-AWS-KMS",
+ Products: []awsbase.UserAgentProduct{
+ {Name: httpclient.DefaultApplicationName, Version: version.String()},
+ },
 },
-
 AccessKey: "my-access-key",
 IamEndpoint: "https://endpoint-iam",
 MaxRetries: 42,