Merge pull request #191 from robmorgan/fix/s3-virtual-host-dns

fix(s3): use nip.io for virtual-hosted style DNS resolution

Author: robmorgan

internal/emulator/core/s3_utils.go

@@ -12,9 +12,11 @@ type S3HostInfo struct {
 // It handles the following patterns:
 //   - bucket-name.s3.infraspec.sh (virtual-hosted, bucket = "bucket-name")
 //   - bucket-name.s3.localhost (virtual-hosted, bucket = "bucket-name")
+//   - bucket-name.s3.127.0.0.1.nip.io (virtual-hosted with nip.io, bucket = "bucket-name")
 //   - bucket-name.localhost (legacy virtual-hosted, bucket = "bucket-name")
 //   - s3.infraspec.sh (path-style base S3 endpoint)
 //   - s3.localhost (path-style base S3 endpoint)
+//   - s3.127.0.0.1.nip.io (path-style with nip.io)
 //
 // The host parameter should be the value of the Host header (with or without port).
 func ParseS3Host(host string) S3HostInfo {
@@ -30,6 +32,26 @@ func ParseS3Host(host string) S3HostInfo {
 		return S3HostInfo{}
 	}
 
+	// Check for nip.io/sslip.io DNS service patterns first
+	// Pattern: bucket-name.s3.127.0.0.1.nip.io (virtual-hosted with nip.io)
+	// Pattern: s3.127.0.0.1.nip.io (path-style with nip.io)
+	if isNipIOHost(parts) {
+		// Virtual-hosted: bucket-name.s3.IP.nip.io (parts[0]=bucket, parts[1]=s3)
+		if len(parts) >= 5 && parts[1] == "s3" {
+			return S3HostInfo{
+				IsVirtualHosted: true,
+				BucketName:      parts[0],
+			}
+		}
+		// Path-style: s3.IP.nip.io (parts[0]=s3)
+		if parts[0] == "s3" {
+			return S3HostInfo{
+				IsVirtualHosted: false,
+				BucketName:      "",
+			}
+		}
+	}
+
 	// Pattern: bucket-name.s3.infraspec.sh or bucket-name.s3.localhost
 	// This is virtual-hosted style where bucket name is the first subdomain
 	if len(parts) >= 3 && parts[1] == "s3" {
@@ -60,6 +82,17 @@ func ParseS3Host(host string) S3HostInfo {
 	return S3HostInfo{}
 }
 
+// isNipIOHost checks if the host parts indicate a nip.io or sslip.io DNS service.
+// These services provide wildcard DNS for IP addresses (e.g., bucket.s3.127.0.0.1.nip.io → 127.0.0.1)
+func isNipIOHost(parts []string) bool {
+	if len(parts) < 2 {
+		return false
+	}
+	lastPart := parts[len(parts)-1]
+	secondLast := parts[len(parts)-2]
+	return lastPart == "io" && (secondLast == "nip" || secondLast == "sslip")
+}
+
 // IsS3VirtualHostedRequest checks if the given host represents an S3 virtual-hosted style request.
 // This includes patterns like:
 //   - bucket-name.s3.infraspec.sh
@@ -75,9 +108,11 @@ func IsS3VirtualHostedRequest(host string) bool {
 // This includes patterns like:
 //   - bucket-name.s3.infraspec.sh (virtual-hosted)
 //   - bucket-name.s3.localhost (virtual-hosted)
+//   - bucket-name.s3.127.0.0.1.nip.io (virtual-hosted with nip.io)
 //   - bucket-name.localhost (legacy virtual-hosted)
 //   - s3.infraspec.sh (path-style)
 //   - s3.localhost (path-style)
+//   - s3.127.0.0.1.nip.io (path-style with nip.io)
 //
 // The host parameter should be the value of the Host header (with or without port).
 func IsS3Request(host string) bool {
@@ -93,6 +128,14 @@ func IsS3Request(host string) bool {
 		return false
 	}
 
+	// Check for nip.io/sslip.io patterns: *.s3.IP.nip.io or s3.IP.nip.io
+	if isNipIOHost(parts) {
+		// Look for "s3" in the first or second position
+		if parts[0] == "s3" || (len(parts) >= 2 && parts[1] == "s3") {
+			return true
+		}
+	}
+
 	// Pattern: bucket-name.s3.something or s3.something
 	if len(parts) >= 2 && (parts[0] == "s3" || (len(parts) >= 3 && parts[1] == "s3")) {
 		return true

internal/emulator/core/s3_utils_test.go

@@ -48,6 +48,37 @@ func TestParseS3Host(t *testing.T) {
 			wantVirtual:    true,
 			wantBucketName: "my-test-bucket-123",
 		},
+		// nip.io DNS service patterns
+		{
+			name:           "virtual-hosted with nip.io",
+			host:           "my-bucket.s3.127.0.0.1.nip.io",
+			wantVirtual:    true,
+			wantBucketName: "my-bucket",
+		},
+		{
+			name:           "virtual-hosted with nip.io and port",
+			host:           "my-bucket.s3.127.0.0.1.nip.io:8000",
+			wantVirtual:    true,
+			wantBucketName: "my-bucket",
+		},
+		{
+			name:           "virtual-hosted with sslip.io",
+			host:           "my-bucket.s3.127.0.0.1.sslip.io",
+			wantVirtual:    true,
+			wantBucketName: "my-bucket",
+		},
+		{
+			name:           "path-style with nip.io",
+			host:           "s3.127.0.0.1.nip.io",
+			wantVirtual:    false,
+			wantBucketName: "",
+		},
+		{
+			name:           "path-style with nip.io and port",
+			host:           "s3.127.0.0.1.nip.io:8000",
+			wantVirtual:    false,
+			wantBucketName: "",
+		},
 		// Path-style patterns (not virtual-hosted)
 		{
 			name:           "path-style s3.infraspec.sh",
@@ -130,8 +161,11 @@ func TestIsS3VirtualHostedRequest(t *testing.T) {
 		{"virtual-hosted bucket.s3.domain", "my-bucket.s3.infraspec.sh", true},
 		{"virtual-hosted bucket.s3.localhost", "my-bucket.s3.localhost", true},
 		{"legacy bucket.localhost", "my-bucket.localhost", true},
+		{"virtual-hosted nip.io", "my-bucket.s3.127.0.0.1.nip.io", true},
+		{"virtual-hosted sslip.io", "my-bucket.s3.127.0.0.1.sslip.io", true},
 		{"path-style s3.domain", "s3.infraspec.sh", false},
 		{"path-style s3.localhost", "s3.localhost", false},
+		{"path-style nip.io", "s3.127.0.0.1.nip.io", false},
 		{"empty", "", false},
 		{"localhost", "localhost", false},
 		{"other service", "dynamodb.infraspec.sh", false},
@@ -160,6 +194,12 @@ func TestIsS3Request(t *testing.T) {
 		{"path-style s3.domain", "s3.infraspec.sh", true},
 		{"path-style s3.localhost", "s3.localhost", true},
 		{"path-style with port", "s3.localhost:8000", true},
+		// nip.io DNS service patterns
+		{"virtual-hosted nip.io", "my-bucket.s3.127.0.0.1.nip.io", true},
+		{"virtual-hosted nip.io with port", "my-bucket.s3.127.0.0.1.nip.io:8000", true},
+		{"virtual-hosted sslip.io", "my-bucket.s3.127.0.0.1.sslip.io", true},
+		{"path-style nip.io", "s3.127.0.0.1.nip.io", true},
+		{"path-style nip.io with port", "s3.127.0.0.1.nip.io:8000", true},
 		// Non-S3 requests
 		{"empty", "", false},
 		{"plain localhost", "localhost", false},
@@ -188,8 +228,12 @@ func TestExtractBucketNameFromHost(t *testing.T) {
 		{"virtual-hosted bucket.s3.localhost", "my-bucket.s3.localhost", "my-bucket"},
 		{"legacy bucket.localhost", "my-bucket.localhost", "my-bucket"},
 		{"with port", "my-bucket.s3.localhost:8000", "my-bucket"},
+		{"virtual-hosted nip.io", "my-bucket.s3.127.0.0.1.nip.io", "my-bucket"},
+		{"virtual-hosted nip.io with port", "my-bucket.s3.127.0.0.1.nip.io:8000", "my-bucket"},
+		{"virtual-hosted sslip.io", "my-bucket.s3.127.0.0.1.sslip.io", "my-bucket"},
 		{"path-style s3.domain", "s3.infraspec.sh", ""},
 		{"path-style s3.localhost", "s3.localhost", ""},
+		{"path-style nip.io", "s3.127.0.0.1.nip.io", ""},
 		{"empty", "", ""},
 		{"localhost", "localhost", ""},
 		{"other service", "dynamodb.infraspec.sh", ""},

pkg/awshelpers/endpoints.go

@@ -1,6 +1,7 @@
 package awshelpers
 
 import (
+	"fmt"
 	"net/url"
 	"os"
 	"strings"
@@ -38,27 +39,38 @@ func GetVirtualCloudEndpoint(service string) (string, bool) {
 // to the base endpoint. For example:
 //   - Base: "https://infraspec.sh" + Subdomain: "s3" = "https://s3.infraspec.sh"
 //   - Base: "https://infraspec.sh" + Subdomain: "dynamodb" = "https://dynamodb.infraspec.sh"
-//   - Base: "http://localhost:8000" + Subdomain: "s3" = "http://localhost:8000" (no subdomain for localhost)
-//   - Base: "http://127.0.0.1:8000" + Subdomain: "sts" = "http://127.0.0.1:8000" (no subdomain for 127.0.0.1)
+//   - Base: "http://localhost:8000" + Subdomain: "s3" = "http://s3.127.0.0.1.nip.io:8000"
+//   - Base: "http://127.0.0.1:8000" + Subdomain: "s3" = "http://s3.127.0.0.1.nip.io:8000"
+//
+// For localhost/127.0.0.1, nip.io is used to enable wildcard DNS resolution for virtual-hosted
+// style S3 addressing (e.g., bucket.s3.127.0.0.1.nip.io resolves to 127.0.0.1).
 func BuildServiceEndpoint(baseEndpoint, subdomain string) string {
 	parsedURL, err := url.Parse(baseEndpoint)
 	if err != nil {
 		// If parsing fails, return the base endpoint as-is
 		return baseEndpoint
 	}
 
-	// Extract host and port
 	host := parsedURL.Hostname()
+	port := parsedURL.Port()
 
-	// For localhost or 127.0.0.1, don't use subdomains as they don't resolve properly
-	// The emulator handles all services on the same endpoint
+	// For localhost or 127.0.0.1, use nip.io for wildcard DNS support
+	// This enables virtual-hosted style S3 addressing (bucket.s3.127.0.0.1.nip.io)
 	if host == "localhost" || host == "127.0.0.1" || host == "::1" {
-		return baseEndpoint
+		// Convert to IP format that nip.io understands
+		if host == "localhost" || host == "::1" {
+			host = "127.0.0.1"
+		}
+		// Build: subdomain.IP.nip.io (e.g., s3.127.0.0.1.nip.io)
+		newHost := fmt.Sprintf("%s.%s.nip.io", subdomain, host)
+		if port != "" {
+			newHost = newHost + ":" + port
+		}
+		parsedURL.Host = newHost
+		return parsedURL.String()
 	}
 
-	port := parsedURL.Port()
-
-	// Build new host with subdomain prefix
+	// For remote endpoints, add subdomain as prefix
 	newHost := subdomain + "." + host
 
 	if port != "" {

pkg/awshelpers/endpoints_test.go

@@ -33,17 +33,17 @@ func TestGetVirtualCloudEndpoint(t *testing.T) {
 			expectedOk:            true,
 		},
 		{
-			name:             "returns localhost endpoint without subdomain",
+			name:             "builds nip.io endpoint for localhost",
 			service:          "rds",
 			awsEndpointURL:   "http://localhost:8000",
-			expectedEndpoint: "http://localhost:8000",
+			expectedEndpoint: "http://rds.127.0.0.1.nip.io:8000",
 			expectedOk:       true,
 		},
 		{
-			name:             "returns 127.0.0.1 endpoint without subdomain",
+			name:             "builds nip.io endpoint for 127.0.0.1",
 			service:          "s3",
 			awsEndpointURL:   "http://127.0.0.1:9000",
-			expectedEndpoint: "http://127.0.0.1:9000",
+			expectedEndpoint: "http://s3.127.0.0.1.nip.io:9000",
 			expectedOk:       true,
 		},
 		{
@@ -110,22 +110,28 @@ func TestBuildServiceEndpoint(t *testing.T) {
 			expected:     "https://dynamodb.example.com",
 		},
 		{
-			name:         "no subdomain for localhost",
+			name:         "builds nip.io for localhost",
 			baseEndpoint: "http://localhost:8000",
 			subdomain:    "rds",
-			expected:     "http://localhost:8000",
+			expected:     "http://rds.127.0.0.1.nip.io:8000",
 		},
 		{
-			name:         "no subdomain for 127.0.0.1",
+			name:         "builds nip.io for 127.0.0.1",
 			baseEndpoint: "http://127.0.0.1:8000",
 			subdomain:    "s3",
-			expected:     "http://127.0.0.1:8000",
+			expected:     "http://s3.127.0.0.1.nip.io:8000",
 		},
 		{
-			name:         "no subdomain for ::1",
+			name:         "builds nip.io for ::1",
 			baseEndpoint: "http://[::1]:8000",
 			subdomain:    "sts",
-			expected:     "http://[::1]:8000",
+			expected:     "http://sts.127.0.0.1.nip.io:8000",
+		},
+		{
+			name:         "builds nip.io for localhost without port",
+			baseEndpoint: "http://localhost",
+			subdomain:    "ec2",
+			expected:     "http://ec2.127.0.0.1.nip.io",
 		},
 		{
 			name:         "handles custom domain with port",

pkg/steps/terraform/terraform.go

@@ -195,7 +195,9 @@ func newTerraformOutputContainsStep(ctx context.Context, outputName, expectedVal
 // This configures Terraform/OpenTofu to use the embedded emulator instead of real AWS.
 //
 // The function sets service-specific AWS_ENDPOINT_URL_* environment variables that are
-// automatically recognized by the AWS provider. All services use the same localhost endpoint.
+// automatically recognized by the AWS provider. For localhost endpoints, nip.io is used
+// to enable wildcard DNS resolution for services like S3 Control that use account-ID-prefixed
+// hostnames (e.g., 123456789012.s3-control.127.0.0.1.nip.io resolves to 127.0.0.1).
 // See: https://search.opentofu.org/provider/opentofu/aws/v6.1.0/docs/guides/custom-service-endpoints
 func configureVirtualCloudEndpoints(options *iacprovisioner.Options, workingDir string) error {
 	// Check if AWS_ENDPOINT_URL is set (indicates embedded emulator mode)
@@ -207,27 +209,29 @@ func configureVirtualCloudEndpoints(options *iacprovisioner.Options, workingDir
 
 	config.Logging.Logger.Infof("Configuring embedded emulator endpoints for Terraform/OpenTofu")
 
-	// List of AWS services to configure endpoints for
-	// All services use the same localhost endpoint in embedded mode
-	services := []string{
-		"DYNAMODB",
-		"STS",
-		"RDS",
-		"S3",
-		"S3_CONTROL",
-		"EC2",
-		"SSM",
-		"APPLICATION_AUTO_SCALING",
-		"IAM",
-		"SQS",
-		"LAMBDA",
+	// Map of AWS SDK service identifiers to subdomain names
+	// For localhost endpoints, BuildServiceEndpoint uses nip.io for wildcard DNS support
+	serviceMap := map[string]string{
+		"DYNAMODB":                 "dynamodb",
+		"STS":                      "sts",
+		"RDS":                      "rds",
+		"S3":                       "s3",
+		"S3_CONTROL":               "s3-control",
+		"EC2":                      "ec2",
+		"SSM":                      "ssm",
+		"APPLICATION_AUTO_SCALING": "autoscaling",
+		"IAM":                      "iam",
+		"SQS":                      "sqs",
+		"LAMBDA":                   "lambda",
 	}
 
 	// Set service-specific endpoint environment variables
-	for _, svc := range services {
-		envVar := fmt.Sprintf("AWS_ENDPOINT_URL_%s", svc)
-		options.EnvVars[envVar] = endpoint
-		config.Logging.Logger.Debugf("Setting %s=%s", envVar, endpoint)
+	for envVarSuffix, subdomain := range serviceMap {
+		envVar := fmt.Sprintf("AWS_ENDPOINT_URL_%s", envVarSuffix)
+		// Build service-specific endpoint (uses nip.io for localhost to enable wildcard DNS)
+		serviceEndpoint := awshelpers.BuildServiceEndpoint(endpoint, subdomain)
+		options.EnvVars[envVar] = serviceEndpoint
+		config.Logging.Logger.Debugf("Setting %s=%s", envVar, serviceEndpoint)
 	}
 
 	// Set dummy credentials for embedded emulator