Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: upgrading from 4.67.0 to 5.10.0 cause error: MissingSecurityHeader: Your request was missing a required header #32772

Closed
EugenKon opened this issue Jul 31, 2023 · 5 comments
Closed

[Bug]: upgrading from 4.67.0 to 5.10.0 cause error: MissingSecurityHeader: Your request was missing a required header #32772

EugenKon opened this issue Jul 31, 2023 · 5 comments
Labels
bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service.

Comments

@EugenKon
Copy link

EugenKon commented Jul 31, 2023
edited
Loading

Terraform Core Version

1.5.4

AWS Provider Version

5.10.0

Affected Resource(s)

on version 4.0.67 I had some problems described here. So I upgraded aws provider and now I get next errors:

module.dns.aws_route53_zone.private-cloud[0]: Modifying... [id=Z0803079GS4S3AQWFY1V]
module.private-cloud.aws_s3_object.backups_postgres: Modifying... [id=backups/postgres/]
module.private-cloud.aws_s3_object.logs: Modifying... [id=logs/]
module.private-cloud.aws_s3_object.tmp: Modifying... [id=tmp/]
module.private-cloud.aws_s3_object.job-queue: Modifying... [id=job-queue/]
module.private-cloud.aws_s3_object.backups_redis: Modifying... [id=backups/redis/]
module.private-cloud.aws_s3_object.tmp_2: Modifying... [id=tmp/]
╷
│ Error: associating Route53 Hosted Zone (Z0803079GS4S3AQWFY1V) to VPC (vpc-0d639d3e779362f6b): PublicZoneVPCAssociation: Attempting to associate public zone: Z0803079GS4S3AQWFY1V with vpc: vpc-0d639d3e779362f6b
│ 	status code: 400, request id: a118e2f8-53d1-4a47-bc8b-fd12bb633026
│
│   with module.dns.aws_route53_zone.private-cloud[0],
│   on modules/dns/route53.tf line 1, in resource "aws_route53_zone" "private-cloud":
│    1: resource "aws_route53_zone" "private-cloud" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXEXX6N3HSMR6V8, host id: 5R/vIUQY5KNh*==
│
│   with module.private-cloud.aws_s3_object.job-queue,
│   on modules/private-cloud/s3.tf line 125, in resource "aws_s3_object" "job-queue":
│  125: resource "aws_s3_object" "job-queue" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXBM0SADN7B904G, host id: 7396N3TyQ*==
│
│   with module.private-cloud.aws_s3_object.tmp,
│   on modules/private-cloud/s3.tf line 131, in resource "aws_s3_object" "tmp":
│  131: resource "aws_s3_object" "tmp" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXDYDJCXMTYAZ5Y, host id: /5qy3Dsr8*==
│
│   with module.private-cloud.aws_s3_object.logs,
│   on modules/private-cloud/s3.tf line 286, in resource "aws_s3_object" "logs":
│  286: resource "aws_s3_object" "logs" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXD22JR6WY6AQQT, host id: WSotDv3Tif*==
│
│   with module.private-cloud.aws_s3_object.tmp_2,
│   on modules/private-cloud/s3.tf line 292, in resource "aws_s3_object" "tmp_2":
│  292: resource "aws_s3_object" "tmp_2" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXDWSW246M0T50M, host id: ixXmGdg*==
│
│   with module.private-cloud.aws_s3_object.backups_postgres,
│   on modules/private-cloud/s3.tf line 298, in resource "aws_s3_object" "backups_postgres":
│  298: resource "aws_s3_object" "backups_postgres" {
│
╵
╷
│ Error: putting S3 object ACL: MissingSecurityHeader: Your request was missing a required header
│ 	status code: 400, request id: 5HXERCR02078G0TN, host id: BtnHB*==
│
│   with module.private-cloud.aws_s3_object.backups_redis,
│   on modules/private-cloud/s3.tf line 304, in resource "aws_s3_object" "backups_redis":
│  304: resource "aws_s3_object" "backups_redis" {
│

Expected Behavior

Terraform should send all required headers

Actual Behavior

MissingSecurityHeader: Your request was missing a required header

Relevant Error/Panic Output Snippet

see above

Terraform Configuration Files

# our-s3-bucket
resource "aws_s3_bucket" "our-s3" {
  bucket        = var.our_bucket_name
  force_destroy = true
}

resource "aws_s3_bucket_ownership_controls" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_logging" "our-s3" {
  bucket        = aws_s3_bucket.our-s3.id
  target_bucket = aws_s3_bucket.logs-s3.id
  target_prefix = "logs/s3/"
}

resource "aws_s3_bucket_versioning" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id

  # Delete object old versions after 30 days
  rule {
    id     = "delete-old-version-after-30-days"
    status = "Enabled"

    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    expiration {
      expired_object_delete_marker = true
    }

    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }

  # Delete tmp/ after 30 days
  rule {
    id     = "tmp"
    status = "Enabled"

    filter {
      prefix = "tmp/"
    }

    expiration {
      days = 30
    }
  }

  # Delete job-queue/ after 30 days
  rule {
    id     = "job-queue"
    status = "Enabled"

    filter {
      prefix = "job-queue/"
    }

    expiration {
      days = 30
    }
  }
}

resource "aws_s3_bucket_cors_configuration" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET", "HEAD", "POST", "PUT", "DELETE"]
    allowed_origins = [
      "https://p.${var.domain_name}",
      "https://p.${var.domain_name}/",
      "http://localhost:1111",
      "http://localhost:2222",
    ]
    expose_headers  = ["ETag", "Date"]
    max_age_seconds = 3000
  }

  cors_rule {
    allowed_headers = ["Authorization"]
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = []
    max_age_seconds = 3000
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id

  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "our-s3" {
  bucket = aws_s3_bucket.our-s3.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

resource "aws_s3_object" "job-queue" {
  key           = "job-queue/"
  bucket        = aws_s3_bucket.our-s3.id
  force_destroy = false
}

resource "aws_s3_object" "tmp" {
  key           = "tmp/"
  bucket        = aws_s3_bucket.our-s3.id
  force_destroy = false
}


# users-s3-bucket
resource "aws_s3_bucket" "users-s3" {
  bucket        = var.user_bucket_name
  force_destroy = true
}

resource "aws_s3_bucket_ownership_controls" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_logging" "users-s3" {
  bucket        = aws_s3_bucket.users-s3.id
  target_bucket = aws_s3_bucket.logs-s3.id
  target_prefix = "logs/s3/"
}

resource "aws_s3_bucket_versioning" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  # Delete object old versions after 30 days
  rule {
    id     = "delete-old-version-after-30-days"
    status = "Enabled"

    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    expiration {
      expired_object_delete_marker = true
    }

    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_cors_configuration" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  cors_rule {
    allowed_headers = []
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = []
    max_age_seconds = 86400
  }
}

resource "aws_s3_bucket_public_access_block" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

# logs-s3-bucket
resource "aws_s3_bucket" "logs-s3" {
  bucket        = var.system_bucket_name
  force_destroy = true
}

resource "aws_s3_bucket_ownership_controls" "logs-s3" {
  bucket = aws_s3_bucket.logs-s3.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_versioning" "logs-s3" {
  bucket = aws_s3_bucket.logs-s3.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "logs-s3" {
  bucket = aws_s3_bucket.logs-s3.id

  # Delete object old versions after 30 days
  rule {
    id     = "delete-old-version-after-30-days"
    status = "Enabled"

    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    expiration {
      expired_object_delete_marker = true
    }

    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs-s3" {
  bucket = aws_s3_bucket.logs-s3.id

  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "logs-s3" {
  bucket = aws_s3_bucket.logs-s3.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

resource "aws_s3_object" "logs" {
  key           = "logs/"
  bucket        = aws_s3_bucket.logs-s3.id
  force_destroy = false
}

resource "aws_s3_object" "tmp_2" {
  key           = "tmp/"
  bucket        = aws_s3_bucket.logs-s3.id
  force_destroy = false
}

resource "aws_s3_object" "backups_postgres" {
  key           = "backups/postgres/"
  bucket        = aws_s3_bucket.logs-s3.id
  force_destroy = false
}

resource "aws_s3_object" "backups_redis" {
  key           = "backups/redis/"
  bucket        = aws_s3_bucket.logs-s3.id
  force_destroy = false
}

Steps to Reproduce

terraform init -upgrade
terraform plan
terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@EugenKon EugenKon added the bug Addresses a defect in current functionality. label Jul 31, 2023
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/route53 Issues and PRs that pertain to the route53 service. service/s3 Issues and PRs that pertain to the s3 service. needs-triage Waiting for first response or review from a maintainer. labels Jul 31, 2023
@EugenKon
Copy link
Author

When I rerun plan/apply few times. Error about missed headers gone.

@EugenKon EugenKon changed the title [Bug]: upgrading from 4.0.67 to 5.10.0 cause error: MissingSecurityHeader: Your request was missing a required header [Bug]: upgrading from 4.67.0 to 5.10.0 cause error: MissingSecurityHeader: Your request was missing a required header Jul 31, 2023
@justinretzolk
Copy link
Member

Related: #31633

@justinretzolk justinretzolk removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Jul 31, 2023
@EugenKon
Copy link
Author

yes, it is.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinretzolk @EugenKon