-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssm: service principals are incorrect for all regions since ap-east-1
#16188
Comments
Whether or not the region is rendered is controlled here, in the
Looks like we are missing the fact that SSM service principals need to be regionalized for all regions since 2019. Until this is fixed, you can override the fact database: https://github.com/aws/aws-cdk/tree/v1.125.0/packages/%40aws-cdk/region-info#supplying-new-or-missing-information |
ap-east-1
This should be a fairly straight-forward fix (adding aws-cdk/packages/@aws-cdk/region-info/lib/default.ts Lines 83 to 85 in 67b4921
The "gotcha" will just be testing & verifying that the regional service principals also work for the older regions (e.g., Contributions welcome! |
) fixes #16188 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
@njlynch @rix0rrr This appears to have broken our stack in us-east-1, after updating to 1.134.0 getting:
This is the relevant IAM role I'm creating with the SSM service principal:
|
Also running into the issue.
Results to:
Which obviously fails
|
Reopening since this seems unresolved. It's probably not that ALL |
Also fun: there is apparently no way to write this service principal in an environment-agnostic way.
There does not seem to be a single string that will work in both, and |
On further scouring of the docs, a
It wouldn't be pretty in the JSON, but who looks at that anyway eh? 😇 |
Workaround:
|
…ns (#17984) The SSM service principal format depends on the region. Older regions have a "global" service principal (`ssm.amazonaws.com`), while newer regions have only regional service principals (`ssm.ap-east-1.amazonaws.com`). A number of things have been changed to address this: * Add the notion of a "region order" into the `region-info` library. This allows us to express things like "does this region predate or postdate the change of some convention", and allows us to express that certain regions are *after* SSM introduced this change. * For region-agnostic stacks, it is no longer possible to supply a single value for the template that will suffice in all regions, as the *format itself* will have changed (neither `"ssm.amazonaws.com"` nor `"ssm.$REGION.amazonaws.com"` will work in all regions). That means we must always introduce a lookup map for region-agnostic stacks. Add `stack.regionalFact()` to generate lookup maps from facts in case it is necessary. * Detect if all map values are just an instantiation of a token pattern, and return the simplification if possible (e.g.: if the lookup values are `service.us-east-1.amazonaws.com`, `service.us-east-2.amazonaws.com`, etc, then simplify to `service.$REGION.$URL_SUFFIX` and avoid emitting a lookup). * Simplify existing usage sites of `RegionInfo.regionMap()` in Lambda and CodeBuild to use the new `stack.regionalFact()`. * Because lookup maps would always include information for all regions, including GovCloud regions, and those are only rarely necessary: add the infrastructure for users to restrict what partitions they want to include information for, by means of a context flag. Defaults to all regions if not specified (so we don't break old templates), but for new projects restricts itself to `['aws', 'aws-cn']`. Set to just `['aws']` for integration tests so we don't break all of our snapshot tests. Fixes #16188, fixes #17646. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
The #17984 (big kudos to @rix0rrr for that) introduced a fix for the SSM service principal format which depends on the region. However, due to a typo in that PR some of regions still don't have correct SSM service principal. Currently the SSM service principal for the following regions incorrectly include region, while according to the [issue #16188](#16188) it should be only added to all regions since `ap-east-1`. ``` cn-north-1 us-iso-east-1 eu-central-1 ap-northeast-2 ap-south-1 us-east-2 ca-central-1 eu-west-2 us-isob-east-1 cn-northwest-1 eu-west-3 ap-northeast-3 us-gov-east-1 eu-north-1 ``` It works like that because by accident `RULE_SSM_PRINCIPALS_ARE_REGIONAL` has the same value as `RULE_S3_WEBSITE_REGIONAL_SUBDOMAIN`. This causes incorrect results returned by the `aws-entities/before` function. This PR fixes that issue. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ns (aws#17984) The SSM service principal format depends on the region. Older regions have a "global" service principal (`ssm.amazonaws.com`), while newer regions have only regional service principals (`ssm.ap-east-1.amazonaws.com`). A number of things have been changed to address this: * Add the notion of a "region order" into the `region-info` library. This allows us to express things like "does this region predate or postdate the change of some convention", and allows us to express that certain regions are *after* SSM introduced this change. * For region-agnostic stacks, it is no longer possible to supply a single value for the template that will suffice in all regions, as the *format itself* will have changed (neither `"ssm.amazonaws.com"` nor `"ssm.$REGION.amazonaws.com"` will work in all regions). That means we must always introduce a lookup map for region-agnostic stacks. Add `stack.regionalFact()` to generate lookup maps from facts in case it is necessary. * Detect if all map values are just an instantiation of a token pattern, and return the simplification if possible (e.g.: if the lookup values are `service.us-east-1.amazonaws.com`, `service.us-east-2.amazonaws.com`, etc, then simplify to `service.$REGION.$URL_SUFFIX` and avoid emitting a lookup). * Simplify existing usage sites of `RegionInfo.regionMap()` in Lambda and CodeBuild to use the new `stack.regionalFact()`. * Because lookup maps would always include information for all regions, including GovCloud regions, and those are only rarely necessary: add the infrastructure for users to restrict what partitions they want to include information for, by means of a context flag. Defaults to all regions if not specified (so we don't break old templates), but for new projects restricts itself to `['aws', 'aws-cn']`. Set to just `['aws']` for integration tests so we don't break all of our snapshot tests. Fixes aws#16188, fixes aws#17646. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The aws#17984 (big kudos to @rix0rrr for that) introduced a fix for the SSM service principal format which depends on the region. However, due to a typo in that PR some of regions still don't have correct SSM service principal. Currently the SSM service principal for the following regions incorrectly include region, while according to the [issue aws#16188](aws#16188) it should be only added to all regions since `ap-east-1`. ``` cn-north-1 us-iso-east-1 eu-central-1 ap-northeast-2 ap-south-1 us-east-2 ca-central-1 eu-west-2 us-isob-east-1 cn-northwest-1 eu-west-3 ap-northeast-3 us-gov-east-1 eu-north-1 ``` It works like that because by accident `RULE_SSM_PRINCIPALS_ARE_REGIONAL` has the same value as `RULE_S3_WEBSITE_REGIONAL_SUBDOMAIN`. This causes incorrect results returned by the `aws-entities/before` function. This PR fixes that issue. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
🐛 Bug Report
The Issue
iam.ServicePrincipal (https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/ServicePrincipal.html) offers a "region" parameter. Presumably this parameter is so you can say something like ssm.ap-us-east-1.amazonaws.com to be inclusive of regional-only service endpoints.
Such as the ones called out on this page: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html#systems-manager-inventory-resource-data-sync-AWS-Organizations
However
Here is a snippet of CDK Python that results in some odd behavior:
That snippet uses ServicePrincipal three different ways, two of which should result in regional endpoints, and yet none of them do.
That snippet spits out something that looks like...
Notice that none of the Principal -> Service definitions have 'ap-east-1' in their URLs.
This might be related to these two issues:
#2622
#2999
Where CDK was exclusively crafting regional endpoints
Environment
The text was updated successfully, but these errors were encountered: