S3 restores - Improve handling, docs and tests (#10137)

ClaudioESSilva · potatoqualitee · web-flow · commit c583c61c8dd7 · 2026-02-08T11:47:02.000+01:00
Co-authored-by: Chrissy LeMaire &lt;potatoqualitee@users.noreply.github.com&gt;
diff --git a/.github/scripts/gh-s3actions.ps1 b/.github/scripts/gh-s3actions.ps1
@@ -300,13 +300,224 @@ Describe "S3 Backup Integration Tests" -Tag "IntegrationTests", "S3" {
         }
     }
 
+    Context "S3 directory enumeration limitations" {
+        BeforeAll {
+            # This context validates that SQL Server cannot enumerate S3 bucket contents using T-SQL
+            # (xp_dirtree/sys.dm_os_enumerate_filesystem don't support S3 protocol)
+            # Get-DbaBackupInformation should detect S3 URLs and handle them appropriately
+
+            $script:TestDbName5 = "dbatoolsci_s3enum"
+
+            # Create and backup a database to S3 for enumeration testing
+            $null = New-DbaDatabase -SqlInstance localhost -SqlCredential $cred -Name $script:TestDbName5 -RecoveryModel Full
+
+            # Create multiple backup files in S3 to test enumeration behavior
+            $script:S3EnumFolder = "enumtest"
+            $splatBackup1 = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Database          = $script:TestDbName5
+                StorageBaseUrl    = "$($script:S3BaseUrl)/$($script:S3EnumFolder)"
+                StorageCredential = $script:S3CredentialName
+                FilePath          = "$($script:TestDbName5)_full1.bak"
+                Type              = "Full"
+            }
+            $null = Backup-DbaDatabase @splatBackup1
+
+            $splatBackup2 = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Database          = $script:TestDbName5
+                StorageBaseUrl    = "$($script:S3BaseUrl)/$($script:S3EnumFolder)"
+                StorageCredential = $script:S3CredentialName
+                FilePath          = "$($script:TestDbName5)_log1.trn"
+                Type              = "Log"
+            }
+            $null = Backup-DbaDatabase @splatBackup2
+        }
+
+        AfterAll {
+            $null = Remove-DbaDatabase -SqlInstance localhost -SqlCredential $cred -Database $script:TestDbName5 -Confirm:$false
+        }
+
+        It "Should handle S3 folder paths when NoXpDirTree is not specified" {
+            # Get-DbaBackupInformation internally uses xp_dirtree/sys.dm_os_enumerate_filesystem
+            # When given an S3 folder path, it should detect S3 and skip enumeration
+            $s3FolderPath = "$($script:S3BaseUrl)/$($script:S3EnumFolder)/"
+
+            $splatBackupInfo = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Path              = $s3FolderPath
+                StorageCredential = $script:S3CredentialName
+                WarningAction     = "SilentlyContinue"
+            }
+            $result = Get-DbaBackupInformation @splatBackupInfo
+
+            # Should return empty because S3 enumeration is not supported via T-SQL
+            $result | Should -BeNullOrEmpty
+        }
+
+        It "Should write warning message when S3 folder enumeration is attempted" {
+            $s3FolderPath = "$($script:S3BaseUrl)/$($script:S3EnumFolder)/"
+
+            # Capture warning messages
+            $warningMessages = @()
+            $splatBackupInfo = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Path              = $s3FolderPath
+                StorageCredential = $script:S3CredentialName
+                WarningVariable   = "warningMessages"
+                WarningAction     = "SilentlyContinue"
+            }
+            $null = Get-DbaBackupInformation @splatBackupInfo
+
+            # Should have written a warning about S3 enumeration not being supported
+            $warningMessages | Should -Not -BeNullOrEmpty
+            $warningMessages -join " " | Should -BeLike "*S3 paths cannot be enumerated using T-SQL*"
+        }
+
+        It "Should work with explicit S3 file paths (not folders)" {
+            # While folder enumeration doesn't work, explicit file paths should work
+            $s3FilePath = "$($script:S3BaseUrl)/$($script:S3EnumFolder)/$($script:TestDbName5)_full1.bak"
+
+            $splatBackupInfo = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Path              = $s3FilePath
+                StorageCredential = $script:S3CredentialName
+            }
+            $result = Get-DbaBackupInformation @splatBackupInfo
+
+            # Should successfully read the specific file
+            $result | Should -Not -BeNullOrEmpty
+            $result.Database | Should -Be $script:TestDbName5
+            $result.Type | Should -Be "Database"
+        }
+
+        It "Should successfully enumerate local file system paths (contrast with S3)" {
+            # Create a local backup to verify enumeration works for non-S3 paths
+            # IMPORTANT: On Linux CI, SQL Server runs in Docker with an isolated filesystem.
+            # We must use a path INSIDE the container that SQL Server can access.
+            # Using SQL Server's default backup directory ensures accessibility.
+            $server = Connect-DbaInstance -SqlInstance localhost -SqlCredential $cred
+            $defaultPaths = Get-DbaDefaultPath -SqlInstance $server
+            $localBackupPath = Join-Path -Path $defaultPaths.Backup -ChildPath "dbatools_s3test"
+
+            # Create the subdirectory using SQL Server's xp_create_subdir (runs inside the container)
+            $server.Query("EXEC master.dbo.xp_create_subdir '$localBackupPath'")
+
+            # Verify the backup path is accessible via SQL Server
+            Test-DbaPath -SqlInstance $server -Path $localBackupPath | Should -BeTrue
+
+            $localBackupFile = Join-Path -Path $localBackupPath -ChildPath "local_test.bak"
+            $splatLocalBackup = @{
+                SqlInstance   = "localhost"
+                SqlCredential = $cred
+                Database      = $script:TestDbName5
+                FilePath      = $localBackupFile
+                Type          = "Full"
+            }
+            $localBackupResult = Backup-DbaDatabase @splatLocalBackup
+            $localBackupResult.BackupComplete | Should -BeTrue
+
+            # Verify the backup file exists after the backup
+            Test-DbaPath -SqlInstance $server -Path $localBackupFile | Should -BeTrue
+
+            # Restore using folder path - this tests that local folder enumeration works
+            # (in contrast to S3 where folder enumeration is not supported)
+            # Drop the source database so we can restore with the original name
+            $null = Remove-DbaDatabase -SqlInstance localhost -SqlCredential $cred -Database $script:TestDbName5 -Confirm:$false -ErrorAction SilentlyContinue
+
+            $splatRestore = @{
+                SqlInstance   = "localhost"
+                SqlCredential = $cred
+                Path          = $localBackupPath
+            }
+            $result = Restore-DbaDatabase @splatRestore
+
+            # Should successfully restore - proving local folder enumeration works
+            # Database name comes from the backup file itself
+            $result | Should -Not -BeNullOrEmpty
+            $result.RestoreComplete | Should -BeTrue
+            $result.Database | Should -Be $script:TestDbName5
+
+            # Note: Backup files inside the container are cleaned up when container stops
+        }
+
+        It "Should require PowerShell-based enumeration for S3 (validation test)" {
+            # This test demonstrates the correct approach: using PowerShell to enumerate S3
+            # Since we're using MinIO in tests, we need to use AWS PowerShell module
+            # This is a validation that the workaround approach is correct
+
+            # Skip if AWS.Tools.S3 not available (CI environments may not have it)
+            $hasAwsModule = $null -ne (Get-Module -ListAvailable -Name AWS.Tools.S3)
+            if (-not $hasAwsModule) {
+                Set-ItResult -Skipped -Because "AWS.Tools.S3 module not available"
+                return
+            }
+
+            # This demonstrates the recommended approach from the documentation
+            # Users should use Get-S3Object to list files, then pass paths to Get-DbaBackupInformation/Restore-DbaDatabase
+            Import-Module AWS.Tools.S3 -ErrorAction Stop
+
+            # For MinIO (S3-compatible), use EndpointUrl with ForcePathStyleAddressing
+            # Note: $script:S3Endpoint is "minio:9000" which is a Docker network hostname
+            # The AWS SDK runs on the host, so we need to use localhost:9000 instead
+            $hostEndpoint = $script:S3Endpoint -replace "^minio:", "localhost:"
+            $splatListObjects = @{
+                BucketName               = $script:S3Bucket
+                Prefix                   = "$($script:S3EnumFolder)/"
+                EndpointUrl              = "https://$hostEndpoint"
+                AccessKey                = $script:S3AccessKey
+                SecretKey                = $script:S3SecretKey
+                ForcePathStyleAddressing = $true
+            }
+
+            # Try to enumerate S3 objects - may fail with SSL errors if certificate not trusted
+            try {
+                $s3Objects = Get-S3Object @splatListObjects
+            } catch {
+                if ($_.Exception.Message -like "*SSL*" -or $_.Exception.Message -like "*certificate*") {
+                    Set-ItResult -Skipped -Because "SSL certificate validation failed for self-signed MinIO certificate. In production, use a trusted certificate or configure certificate trust."
+                    return
+                }
+                throw
+            }
+
+            # PowerShell CAN enumerate S3 - this is the correct approach
+            $s3Objects | Should -Not -BeNullOrEmpty
+            $s3Objects.Key | Should -Contain "$($script:S3EnumFolder)/$($script:TestDbName5)_full1.bak"
+            $s3Objects.Key | Should -Contain "$($script:S3EnumFolder)/$($script:TestDbName5)_log1.trn"
+
+            # Now demonstrate using those paths with Get-DbaBackupInformation
+            $backupPaths = $s3Objects | ForEach-Object {
+                "$($script:S3BaseUrl)/$($_.Key)"
+            }
+
+            $splatBackupInfo = @{
+                SqlInstance       = "localhost"
+                SqlCredential     = $cred
+                Path              = $backupPaths
+                StorageCredential = $script:S3CredentialName
+            }
+            $backupInfo = Get-DbaBackupInformation @splatBackupInfo
+
+            # Should successfully read backup information for all files
+            $backupInfo | Should -Not -BeNullOrEmpty
+            $backupInfo.Count | Should -Be 2
+            $backupInfo.Database | Should -Contain $script:TestDbName5
+        }
+    }
+
     #Context "Test-DbaBackupInformation with S3" {
     #    BeforeAll {
     #        $script:TestDbName4 = "dbatoolsci_s3test"
-#
+    #
     #        # Create and backup test database
     #        $null = New-DbaDatabase -SqlInstance localhost -SqlCredential $cred -Name $script:TestDbName4 -RecoveryModel Full
-#
+    #
     #        $script:S3TestBackupFile = "$($script:TestDbName4)_test.bak"
     #        $splatBackup = @{
     #            SqlInstance       = "localhost"
@@ -319,30 +530,30 @@ Describe "S3 Backup Integration Tests" -Tag "IntegrationTests", "S3" {
     #        }
     #        $null = Backup-DbaDatabase @splatBackup
     #    }
-#
+    #
     #    AfterAll {
     #        $null = Remove-DbaDatabase -SqlInstance localhost -SqlCredential $cred -Database $script:TestDbName4 -Confirm:$false
     #    }
-#
+    #
     #    It "Should validate S3 backup information" {
     #        $s3Path = "$($script:S3BaseUrl)/$($script:S3TestBackupFile)"
-#
+    #
     #        $splatInfo = @{
     #            SqlInstance       = "localhost"
     #            SqlCredential     = $cred
     #            Path              = $s3Path
     #            StorageCredential = $script:S3CredentialName
     #        }
     #        $backupInfo = Get-DbaBackupInformation @splatInfo
-#
+    #
     #        $splatTest = @{
     #            BackupHistory = $backupInfo
     #            SqlInstance   = "localhost"
     #            SqlCredential = $cred
     #            VerifyOnly    = $true
     #        }
     #        $result = Test-DbaBackupInformation @splatTest
-#
+    #
     #        $result | Should -Not -BeNullOrEmpty
     #        # S3 URLs should pass validation - they are skipped for cloud paths
     #    }
@@ -362,4 +573,4 @@ Describe "S3 Backup Integration Tests" -Tag "IntegrationTests", "S3" {
             $deletedCred | Should -BeNullOrEmpty
         }
     }
-}
+}
diff --git a/.github/workflows/integration-tests-s3.yml b/.github/workflows/integration-tests-s3.yml
@@ -198,6 +198,26 @@ jobs:
               throw "Failed to connect to SQL Server after $maxAttempts attempts"
           }
 
+      - name: Add MinIO certificate to system trust store
+        shell: bash
+        run: |
+          # Add MinIO's self-signed certificate to the system CA trust store
+          # This allows the AWS PowerShell SDK to connect to MinIO over HTTPS
+          sudo cp $HOME/.minio/certs/public.crt /usr/local/share/ca-certificates/minio.crt
+          sudo update-ca-certificates
+          echo "MinIO certificate added to system trust store"
+
+      - name: Install AWS.Tools.S3 for S3 enumeration tests
+        run: |
+          Write-Host "Installing AWS.Tools.Installer..."
+          Install-Module -Name AWS.Tools.Installer -Force -Scope CurrentUser
+
+          Write-Host "Installing AWS.Tools.S3 (includes AWS.Tools.Common dependency)..."
+          Install-AWSToolsModule AWS.Tools.S3 -Force -Scope CurrentUser
+
+          Write-Host "Verifying installation..."
+          Get-Module -ListAvailable -Name AWS.Tools.S3, AWS.Tools.Common | Select-Object Name, Version
+
       - name: Run S3 backup tests
         env:
           S3_ENDPOINT: minio:9000
diff --git a/private/functions/Get-XpDirTreeRestoreFile.ps1 b/private/functions/Get-XpDirTreeRestoreFile.ps1
@@ -43,6 +43,12 @@ function Get-XpDirTreeRestoreFile {
     # Determine the correct path separator based on whether this is a URL or file system path
     if ($Path -match '^https?://') {
         $pathSep = "/"
+    } elseif ($Path -match '^s3://') {
+        # S3 paths cannot be enumerated via T-SQL (xp_dirtree/dm_os_enumerate_filesystem don't support S3)
+        # SQL Server 2022+ supports S3 for BACKUP/RESTORE but has no built-in function to list S3 objects
+        # Return empty array - caller should handle S3 enumeration in PowerShell or use explicit file paths
+        Write-Message -Level Warning -Message "S3 paths cannot be enumerated using T-SQL. Use explicit file paths or PowerShell-based enumeration for S3 storage."
+        Stop-Function -Message "S3 path enumeration not supported. Path: $Path"
     } else {
         $pathSep = Get-DbaPathSep -Server $server
     }
diff --git a/public/Get-DbaBackupInformation.ps1 b/public/Get-DbaBackupInformation.ps1
@@ -262,8 +262,9 @@ function Get-DbaBackupInformation {
         } else {
             $Files = @()
             $groupResults = @()
+
             # Detect cloud storage URLs (Azure http:// or S3 s3://)
-            if ($Path[0] -match 'http' -or $Path[0] -match 's3') { $NoXpDirTree = $true }
+            if ($Path[0] -match '^https?://' -or $Path[0] -match '^s3://') { $NoXpDirTree = $true }
             if ($NoXpDirTree -ne $true) {
                 foreach ($f in $path) {
                     if ([System.IO.Path]::GetExtension($f).Length -gt 1) {
diff --git a/public/Restore-DbaDatabase.ps1 b/public/Restore-DbaDatabase.ps1
@@ -27,10 +27,12 @@ function Restore-DbaDatabase {
         For MFA support, please use Connect-DbaInstance.
 
     .PARAMETER Path
-        Specifies the location of backup files to restore from, supporting local drives, UNC paths, or Azure blob storage URLs.
+        Specifies the location of backup files to restore from, supporting local drives, UNC paths, Azure blob storage URLs, or S3 URLs.
         Use this when you need to restore from a specific backup location or when piping backup files from Get-ChildItem.
         Accepts multiple comma-separated paths for complex restore scenarios spanning multiple locations.
 
+        For S3 storage (SQL Server 2022+): S3 bucket contents cannot be enumerated using T-SQL. You must provide explicit file paths or use PowerShell's Get-S3Object cmdlet (from AWS.Tools.S3 module) to retrieve the list of backup files first, then pass them to this command. See examples for S3 usage patterns.
+
     .PARAMETER DatabaseName
         Defines the target database name for the restored database when different from the original name.
         Use this when creating a copy of a production database for testing or when restoring to avoid name conflicts.
@@ -164,7 +166,7 @@ function Restore-DbaDatabase {
         Use this for log shipping secondary servers or when you need read-only access during restore operations.
         The directory must exist and be writable by the SQL Server service account for undo file creation.
 
-    .PARAMETER StorageCredential
+.PARAMETER StorageCredential
         Specifies the SQL Server credential name for authenticating to Azure blob storage or S3-compatible object storage during restore operations.
         Use this when restoring from Azure blob storage or S3 backups that require authentication.
         For Azure: The credential must contain valid Azure storage account keys or SAS tokens.
@@ -329,7 +331,7 @@ function Restore-DbaDatabase {
         c:\DataFiles and all the log files into c:\LogFiles
 
     .EXAMPLE
-        PS C:\> Restore-DbaDatabase -SqlInstance server1\instance1 -Path http://demo.blob.core.windows.net/backups/dbbackup.bak -StorageCredential MyAzureCredential
+        PS C:\> Restore-DbaDatabase -SqlInstance server1\instance1 -Path http://demo.blob.core.windows.net/backups/dbbackup.bak -AzureCredential MyAzureCredential
 
         Will restore the backup held at  http://demo.blob.core.windows.net/backups/dbbackup.bak to server1\instance1. The connection to Azure will be made using the
         credential MyAzureCredential held on instance Server1\instance1
@@ -344,7 +346,7 @@ function Restore-DbaDatabase {
 
         Will restore the backup from S3-compatible storage to sql2022. Requires SQL Server 2022 or higher. The credential must be configured with Identity = 'S3 Access Key' and Secret containing the access key and secret key.
 
-    .EXAMPLE
+        .EXAMPLE
         PS C:\> $File = Get-ChildItem c:\backups, \\server1\backups
         PS C:\> $File | Restore-DbaDatabase -SqlInstance Server1\Instance -UseDestinationDefaultDirectories
 
@@ -429,6 +431,18 @@ function Restore-DbaDatabase {
         Restores the backups from \\ServerName\ShareName\File as database, stops before the first 'OvernightStart' mark that occurs after '21:00 10/05/2020'.
 
         Note that Date time needs to be specified in your local SQL Server culture
+
+    .EXAMPLE
+        PS C:\> # Restore from S3 storage folder (SQL Server 2022+)
+        PS C:\> # First, enumerate S3 bucket contents using AWS PowerShell module - You need to be authenticated!
+        PS C:\> $s3Files = Get-S3Object -BucketName "mybucket" -KeyPrefix "backups/AdventureWorks/" -Region "us-west-2"
+        PS C:\> $backupPaths = $s3Files | Where-Object { $_.Key -match '\.(bak|trn|dif)$' } | ForEach-Object { "s3://mybucket.s3.us-west-2.amazonaws.com/$($_.Key)" }
+        PS C:\>
+        PS C:\> # Then restore using the enumerated file paths
+        PS C:\> Restore-DbaDatabase -SqlInstance sql2022 -Path $backupPaths -StorageCredential MyS3Credential
+
+        Demonstrates the recommended workflow for restoring from S3 storage. Since SQL Server cannot enumerate S3 bucket contents via T-SQL, you must first use PowerShell's Get-S3Object cmdlet to list backup files, then pass the full S3 URLs to Restore-DbaDatabase.
+        The StorageCredential parameter should reference a SQL Server credential configured for S3 access.
     #>
     [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = "Restore")]
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "StorageCredential", Justification = "For Parameter StorageCredential")]
