From c56f1eb169835122fb094e805db89083cbce7d94 Mon Sep 17 00:00:00 2001 From: Alex Diehl Date: Fri, 7 Dec 2018 15:24:52 -0800 Subject: [PATCH 1/3] Use HTTP_PROXY environment variable when AWS_CA_BUNDLE is specified --- aws/session/session.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/aws/session/session.go b/aws/session/session.go index 9bdbafd65c..272ff0bb0d 100644 --- a/aws/session/session.go +++ b/aws/session/session.go @@ -407,7 +407,9 @@ func loadCustomCABundle(s *Session, bundle io.Reader) error { } } if t == nil { - t = &http.Transport{} + t = &http.Transport{ + Proxy: http.ProxyFromEnvironment, + } } p, err := loadCertPool(bundle) From 7066f7121e23e637da5776128fc88d6363f76577 Mon Sep 17 00:00:00 2001 From: Jason Del Ponte Date: Thu, 21 Feb 2019 15:54:44 -0800 Subject: [PATCH 2/3] Add unit tests for Transports proxy with CA Bundle --- aws/session/custom_ca_bundle_test.go | 30 ++++++++++++++++++++++++++++ aws/session/session.go | 16 ++++++++++++++- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/aws/session/custom_ca_bundle_test.go b/aws/session/custom_ca_bundle_test.go index 68b59682ad..ae25c483ca 100644 --- a/aws/session/custom_ca_bundle_test.go +++ b/aws/session/custom_ca_bundle_test.go 
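Review bot: The added `Proxy: http.ProxyFromEnvironment` carries no comment, and the commit subject names only HTTP_PROXY although that function also consults HTTPS_PROXY and NO_PROXY — for the SDK's HTTPS endpoints HTTPS_PROXY is the variable that actually applies. A one-line comment above it, `// Honor HTTP_PROXY/HTTPS_PROXY/NO_PROXY exactly as http.DefaultTransport does.`, would stop the next reader from assuming only one variable is respected. As built in this hunk the replacement transport still has none of DefaultTransport's dial or TLS-handshake timeouts; the later patches in this series address that. loadCustomCABundle starts and ends outside the hunk.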
@@ -140,6 +140,36 @@ func TestNewSession_WithCustomCABundle_Option(t *testing.T) { } } +func TestNewSession_WithCustomCABundle_HTTPProxyAvailable(t *testing.T) { + skipTravisTest(t) + + oldEnv := initSessionTestEnv() + defer awstesting.PopEnv(oldEnv) + + s, err := NewSessionWithOptions(Options{ + Config: aws.Config{ + HTTPClient: &http.Client{}, + Region: aws.String("mock-region"), + Credentials: credentials.AnonymousCredentials, + }, + CustomCABundle: bytes.NewReader(awstesting.TLSBundleCA), + }) + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + if s == nil { + t.Fatalf("expect session to be created, got none") + } + + tr := s.Config.HTTPClient.Transport.(*http.Transport) + if tr.Proxy == nil { + t.Fatalf("expect transport proxy, was nil") + } + if tr.TLSClientConfig.RootCAs == nil { + t.Fatalf("expect TLS config to have root CAs") + } +} + func TestNewSession_WithCustomCABundle_OptionPriority(t *testing.T) { skipTravisTest(t) diff --git a/aws/session/session.go b/aws/session/session.go index 272ff0bb0d..9318bdc6ec 100644 --- a/aws/session/session.go +++ b/aws/session/session.go @@ -6,8 +6,10 @@ import ( "fmt" "io" "io/ioutil" + "net" "net/http" "os" + "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" @@ -407,8 +409,20 @@ func loadCustomCABundle(s *Session, bundle io.Reader) error { } } if t == nil { + // Nil transport implies `http.DefaultTransport` should be used. Since + // the SDK cannot modify, nor copy the `DefaultTransport` specifying + // the values the next closest behavior. t = &http.Transport{ - Proxy: http.ProxyFromEnvironment, + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, } } From e413fe6c393e8363f6ce75915b5c90f2b41f9e9b Mon Sep 17 00:00:00 2001 
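Review bot: `if tr.Proxy == nil` only proves that some proxy function was wired in, not that it is `http.ProxyFromEnvironment`, and despite the test name no HTTP_PROXY/HTTPS_PROXY variable is ever set. Comparing function identity pins the wiring without touching the environment, which matters because Go's ProxyFromEnvironment reads the proxy variables once per process and ignores later changes, so setting them inside one test is unreliable. The type assertion `tr := s.Config.HTTPClient.Transport.(*http.Transport)` is also unchecked, so a different RoundTripper would panic the test binary instead of failing this test. Both changes need `reflect` imported in the test file; the test function is complete within the hunk, while `initSessionTestEnv` and `awstesting.PopEnv` are defined elsewhere.
```go
	tr, ok := s.Config.HTTPClient.Transport.(*http.Transport)
	if !ok {
		t.Fatalf("expect *http.Transport, got %T", s.Config.HTTPClient.Transport)
	}
	// Compare function identity: ProxyFromEnvironment caches the proxy env vars on
	// first use, so setting HTTPS_PROXY inside this test would not be a reliable check.
	if reflect.ValueOf(tr.Proxy).Pointer() != reflect.ValueOf(http.ProxyFromEnvironment).Pointer() {
		t.Fatalf("expect transport proxy to be http.ProxyFromEnvironment")
	}
	// … unchanged: RootCAs check …
```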
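Review bot: The new comment above the transport literal is missing its verb — "Since the SDK cannot modify, nor copy the `DefaultTransport` specifying the values the next closest behavior." does not parse — and it never states that these timeouts and limits are copied from `http.DefaultTransport`, which is the one fact a maintainer needs when net/http's defaults change. Suggest replacing the three lines with: `// A nil transport means the client relied on http.DefaultTransport. The SDK can neither modify nor copy that transport, so the next closest behavior is to reproduce its settings here; keep these values in sync with net/http.` loadCustomCABundle starts and ends outside this hunk.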
From: Jason Del Ponte Date: Tue, 26 Feb 2019 16:45:49 -0800 Subject: [PATCH 3/3] Use correct transport for Go version --- aws/session/cabundle_transport.go | 26 ++++++++++++++++++++++++++ aws/session/cabundle_transport_1_5.go | 22 ++++++++++++++++++++++ aws/session/cabundle_transport_1_6.go | 23 +++++++++++++++++++++++ aws/session/session.go | 15 +-------------- 4 files changed, 72 insertions(+), 14 deletions(-) create mode 100644 aws/session/cabundle_transport.go create mode 100644 aws/session/cabundle_transport_1_5.go create mode 100644 aws/session/cabundle_transport_1_6.go diff --git a/aws/session/cabundle_transport.go b/aws/session/cabundle_transport.go new file mode 100644 index 0000000000..ea9ebb6f6a --- /dev/null +++ b/aws/session/cabundle_transport.go @@ -0,0 +1,26 @@ +// +build go1.7 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCABundleTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } +} diff --git a/aws/session/cabundle_transport_1_5.go b/aws/session/cabundle_transport_1_5.go new file mode 100644 index 0000000000..fec39dfc12 --- /dev/null +++ b/aws/session/cabundle_transport_1_5.go @@ -0,0 +1,22 @@ +// +build !go1.6,go1.5 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCABundleTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + } +} 
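Review bot: The doc comment on `getCABundleTransport` in cabundle_transport.go does not start with the function name as Go doc convention expects, and it does not say where the values come from, so nothing tells a maintainer they must track `http.DefaultTransport` by hand. Suggest: `// getCABundleTransport returns the transport used when a custom CA bundle is configured. Its settings mirror http.DefaultTransport for Go 1.7+ (which cannot be copied) and must be kept in sync with it manually; the _1_5 and _1_6 files carry the equivalents for older Go versions.` It is probably also worth recording that, unlike DefaultTransport, this transport ends up with a non-nil TLSClientConfig once the bundle's RootCAs are attached, which on these Go versions disables automatic HTTP/2 negotiation — that is inferred from net/http behaviour and from the test elsewhere in this series rather than visible in the hunk, so confirm before documenting it.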
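Review bot: Nothing in cabundle_transport_1_5.go records why it differs from the go1.7 variant, so the three copies are likely to drift as fields are added to one and not the others. A one-line comment above the struct literal, `// DialContext, MaxIdleConns and IdleConnTimeout need Go 1.7 and ExpectContinueTimeout needs Go 1.6, so this Go 1.5 variant omits them.`, makes the split self-explanatory; the same applies to cabundle_transport_1_6.go with its own field list. The doc comment should also start with the function name (`// getCABundleTransport returns …`) per Go convention.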
diff --git a/aws/session/cabundle_transport_1_6.go b/aws/session/cabundle_transport_1_6.go new file mode 100644 index 0000000000..1c5a5391e6 --- /dev/null +++ b/aws/session/cabundle_transport_1_6.go @@ -0,0 +1,23 @@ +// +build !go1.7,go1.6 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCABundleTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } +} diff --git a/aws/session/session.go b/aws/session/session.go index 9318bdc6ec..be4b5f0777 100644 --- a/aws/session/session.go +++ b/aws/session/session.go @@ -6,10 +6,8 @@ import ( "fmt" "io" "io/ioutil" - "net" "net/http" "os" - "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" @@ -412,18 +410,7 @@ func loadCustomCABundle(s *Session, bundle io.Reader) error { // Nil transport implies `http.DefaultTransport` should be used. Since // the SDK cannot modify, nor copy the `DefaultTransport` specifying // the values the next closest behavior. - t = &http.Transport{ - Proxy: http.ProxyFromEnvironment, - DialContext: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - DualStack: true, - }).DialContext, - MaxIdleConns: 100, - IdleConnTimeout: 90 * time.Second, - TLSHandshakeTimeout: 10 * time.Second, - ExpectContinueTimeout: 1 * time.Second, - } + t = getCABundleTransport() } p, err := loadCertPool(bundle)
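Review bot: The comment kept above `t = getCABundleTransport()` still says "specifying the values" although the values now live in a build-tagged helper, and it does not explain the `t == nil` branch to a reader who cannot see the rest of `loadCustomCABundle` (the function starts and ends outside this hunk). Suggest: `// A nil transport means the client was relying on http.DefaultTransport, which the SDK can neither modify nor copy; getCABundleTransport (selected by build tag per Go version) reproduces its settings so the custom RootCAs can be attached below.` The "RootCAs attached below" part is inferred from the test earlier in this series rather than visible here, so confirm it against the remainder of the function.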