Cannot create AWS session in 3.23.0 with custom CA bundle #17026

Closed
aclarknexient opened this issue Jan 8, 2021 · 3 comments
Labels
provider Pertains to the provider itself, rather than any interaction with AWS. upstream Addresses functionality related to the cloud provider.

Comments

aclarknexient commented Jan 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

At least Terraform versions 0.14.4, 0.14.3, 0.13.6
AWS Provider version 3.23.0

Affected Resource(s)

  • n/a

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_version = "> 0.13.0"

  required_providers {
    aws = {
      version = "= 3.23.0"
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region  = "us-west-2"
  profile = "fakedev"
  allowed_account_ids = ["993211233211"] # fake account number
}

terraform {
  backend "s3" {
    bucket         = "fakedev-terraform-state-storage-fakedev-dev"
    dynamodb_table = "fakedev-terraform-locks-fakedev-dev"
    encrypt        = true
    key            = "non-prod/dev/neptune-cluster/terraform.tfstate"
    region         = "us-west-2"
  }
}

Expected Behavior

The Terraform Plan run should have completed without error.

Actual Behavior

After acquiring the state lock, the following error message is shown:

Acquiring state lock. This may take a few moments...

Error: error configuring Terraform AWS Provider: Error creating AWS session: LoadCustomCABundleError: failed to open custom CA bundle PEM file
caused by: open ~/.aws/fakedev-aws-cert-bundle.pem: no such file or directory

Releasing state lock. This may take a few moments...

Steps to Reproduce

  1. terraform plan

Notes

Downgrading to a previous version of the AWS provider fixed this issue.

  • #0000
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 8, 2021
@ewbankkit ewbankkit added the provider Pertains to the provider itself, rather than any interaction with AWS. label Jan 9, 2021
Contributor

ewbankkit commented Jan 9, 2021

@aclarknexient Thanks for raising this issue.
Did you downgrade to v3.22.0 to resolve this, or an earlier version?
Where is ~/.aws/fakedev-aws-cert-bundle.pem defined (environment variable, shared config file, ...)?
It looks like the handling of custom CA bundles changed subtly in aws/aws-sdk-go#3654, released in AWS SDK v1.36.5 and merged into the Terraform AWS Provider via #16726, ending up in provider v3.22.0.
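
Added example, not part of the thread and not the provider's or the SDK's code: the error above shows `open` receiving a path that still begins with `~`, and tilde expansion is performed by shells, not by file-open calls. This Go program checks a CA bundle path as a program sees it and again with the tilde expanded; `expandTilde` and `checkCABundle` are hypothetical helper names, and reading the path from `AWS_CA_BUNDLE` is an assumption, since the thread never says where the path was set.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expandTilde (hypothetical helper) replaces a leading "~" or "~/" with home.
// Other forms, such as "~user/", are returned unchanged.
func expandTilde(path, home string) string {
	if path == "~" {
		return home
	}
	if strings.HasPrefix(path, "~/") {
		return filepath.Join(home, path[2:])
	}
	return path
}

// checkCABundle (hypothetical helper) reads the file with no shell expansion
// and confirms it contains at least one parseable PEM certificate.
func checkCABundle(path string) error {
	pem, err := os.ReadFile(path)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) && strings.HasPrefix(path, "~") {
			return fmt.Errorf("path has a literal ~ that nothing expanded: %w", err)
		}
		return err
	}
	if !x509.NewCertPool().AppendCertsFromPEM(pem) {
		return fmt.Errorf("%s: no valid PEM certificates found", path)
	}
	return nil
}

func main() {
	path := os.Getenv("AWS_CA_BUNDLE") // assumption: the bundle path was set here
	if path == "" {
		fmt.Println("AWS_CA_BUNDLE is not set; check ca_bundle in the shared config file")
		return
	}
	home, _ := os.UserHomeDir() // empty on failure, so the second check then fails too
	fmt.Printf("as configured:  %v\n", checkCABundle(path))
	fmt.Printf("tilde expanded: %v\n", checkCABundle(expandTilde(path, home)))
}
```

If the first check fails and the second succeeds, writing the absolute path wherever the bundle is configured avoids depending on tilde expansion.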

@ewbankkit ewbankkit added the upstream Addresses functionality related to the cloud provider. label Jan 9, 2021
@breathingdust
Member

Closing due to lack of response.

@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 16, 2021

github-actions bot commented Jun 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 8, 2022