chore(provisioner/terraform): preserve existing AWS_SDK_UA_APP_ID#24606
Merged
Conversation
The Terraform provisioner hard-coded Coders AWS Partner Revenue Measurement User-Agent string and appended it unconditionally, which silently overrode any AWS_SDK_UA_APP_ID already present in the provisioner process environment. Operators who are themselves AWS Partners (and who set their own Application ID for their own revenue attribution) would lose attribution on every terraform apply. This change checks the inherited environment and, if an Application ID is already configured, appends Coders with a space delimiter so both attributions are preserved, as documented by AWS: https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html
Member
|
@DevelopmentCats can you review this? Thanks |
DevelopmentCats
approved these changes
May 11, 2026
DevelopmentCats
left a comment
Contributor
There was a problem hiding this comment.
Im going to verify this through cloudtrail and my instance and we should be good.
Member
|
@DevelopmentCats Can you help verify this? |
DevelopmentCats
added a commit
that referenced
this pull request
May 28, 2026
…#25221) Adds middleware in `withAWSBedrockOptions` that appends the AWS Partner Revenue Measurement (PRM) attribution string to the User-Agent header on every Bedrock API call made through AI Bridge. This is the AI Bridge counterpart to the Terraform provisioner change merged in #23138. Together, they ensure all AWS API calls made by Coder (both workspace infrastructure via Terraform and LLM inference via Bedrock) include PRM attribution. ## How it works - A middleware is added before `bedrock.WithConfig(awsCfg)` that reads the existing `User-Agent` header and appends `sdk-ua-app-id/APN_1.1%2Fpc_cdfmjwn8i6u8l9fwz8h82e4w3%24` - Only affects Bedrock calls; OpenAI and direct Anthropic API calls are unaffected - Uses `option.WithMiddleware` rather than `option.WithHeader` because the existing User-Agent (set by the Anthropic SDK) must be preserved and appended to, not replaced ## Tests - **Positive**: `TestAWSBedrockIntegration` verifies PRM attribution is present in the User-Agent on Bedrock requests - **Negative**: `TestAnthropicMessages` verifies PRM attribution is absent on non-Bedrock requests ## References - Companion Terraform provisioner PR: #23138 (merged) - Backport: #24052 (merged) - Preserve existing `AWS_SDK_UA_APP_ID`: #24606 (open) - Original `coder/aibridge` PR: coder/aibridge#224 (superseded by this PR since aibridge was moved into coder/coder via #24190) - [AWS SDK Application ID docs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-appid.html) - [AWS PRM Automated User Agent](https://prm.partner.aws.dev/automated-user-agent.html) (partner login required) > Generated with [Coder Agents](https://coder.com/agents) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Contributor
Sorry about the delay. I was able to test with this and it still comes through in cloud trail, and it gets passed the same way safely. |
Contributor
|
Applied the |
Contributor
|
All five backport PRs are open:
For #23138 to 2.29, see #26473. #23138 is already present on 2.32/2.33/2.34. Done by Coder Agents on behalf of @DevelopmentCats. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Terraform provisioner hard-codes Coder's AWS Partner Revenue Measurement User-Agent string and appends it unconditionally to the subprocess environment:
"AWS_SDK_UA_APP_ID=APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$",Because the safe environment inherits the operator's OS env (only
CODER_variables are stripped), any pre-existingAWS_SDK_UA_APP_IDis silently overridden when the AWS SDK reads the last occurrence of the duplicated key in the child process. Operators who are themselves AWS Partners (e.g. MSPs, platform teams with their own APN listing) lose attribution on everyterraform apply, and there is no log signal.Fix
Check the inherited environment for an existing
AWS_SDK_UA_APP_IDvalue. If present, append Coder's User-Agent with a space delimiter so both attributions are preserved; otherwise use Coder's alone.This follows AWS's documented guidance for co-existing Application IDs: https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html
A link to this AWS doc is also included in a code comment next to the product-code constant.
Changes
provisioner/terraform/safeenv.go: addsafeEnvironValuehelper, extract the product code into a named constant, and addawsSDKUserAgentEnvwhich returns the correctAWS_SDK_UA_APP_ID=line based on whether an existing value is present.provisioner/terraform/provision.go: use the new helper in place of the hard-coded line.provisioner/terraform/safeenv_test.go: unit tests for both helpers and both branches (no existing value + append-with-space).Existing behavior is preserved when the operator has not set
AWS_SDK_UA_APP_ID, so theTestProvision_SafeEnvassertion continues to hold unchanged.Created on behalf of @matifali