Specify the region name and region-specific endpoint URL for boto3 ST…

…S calls STS used to be un-regioned, like S3, but now it is regioned. This is the one case where boto3 _does not_ do the right thing when you set the region. We have to set the region-specific endpint URL manually. This is important since the STS VPC endpoint _only_ sets a local DNS record to override the _local region's_ public STS endpoint. If we don't do this then boto3 will reach out to the _global_ https://sts.amazonaws.com URL, and that DNS entry will still point to an external IP. See this boto/boto3#1859 for more information about boto3's perverse behavior in the case of STS.
cisagov · Jan 22, 2021 · 6bc7a6a · 6bc7a6a
1 parent 24d3c09
commit 6bc7a6a
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 2 deletions.
diff --git a/cloud-init/install-certificates.py b/cloud-init/install-certificates.py
@@ -14,6 +14,7 @@
 # Inputs from terraform
 CERT_BUCKET_NAME = "${cert_bucket_name}"
 CERT_READ_ROLE_ARN = "${cert_read_role_arn}"
+REGION = "${region}"
 SERVER_FQDN = "${server_fqdn}"
 
 # These files will be copied from the bucket
@@ -24,7 +25,23 @@
 }
 
 # Create STS client
-sts = boto3.client("sts")
+#
+# STS used to be un-regioned, like S3, but now it is regioned.  This
+# is the one case where boto3 _does not_ do the right thing when you
+# set the region.  We have to set the region-specific endpint URL
+# manually.
+#
+# This is important since the STS VPC endpoint _only_ sets a local DNS
+# record to override the _local region's_ public STS endpoint.  If we
+# don't do this then boto3 will reach out to the _global_
+# https://sts.amazonaws.com URL, and that DNS entry will still point
+# to an external IP.
+#
+# See this link for more information about boto3's perverse behavior
+# in the case of STS: https://github.com/boto/boto3/issues/1859.
+sts = boto3.client(
+    "sts", region_name=REGION, endpoint_url=f"https://sts.{REGION}.amazonaws.com"
+)
 
 # Assume the role that can read the certificate
 stsresponse = sts.assume_role(

diff --git a/cloud-init/render-guac-connection-sql-template.py b/cloud-init/render-guac-connection-sql-template.py
@@ -23,6 +23,7 @@
 )
 
 # Inputs from terraform
+REGION = "${region}"
 SSM_READ_ROLE_ARN = "${ssm_vnc_read_role_arn}"
 # nosec on following line tells bandit (pre-commit hook) to ignore security
 # warnings; otherwise bandit complains about "Possible hardcoded password"
@@ -31,7 +32,23 @@
 SSM_KEY_VNC_USER_PRIVATE_SSH_KEY = "${ssm_key_vnc_user_private_ssh_key}"
 
 # Create STS client
-sts = boto3.client("sts")
+#
+# STS used to be un-regioned, like S3, but now it is regioned.  This
+# is the one case where boto3 _does not_ do the right thing when you
+# set the region.  We have to set the region-specific endpint URL
+# manually.
+#
+# This is important since the STS VPC endpoint _only_ sets a local DNS
+# record to override the _local region's_ public STS endpoint.  If we
+# don't do this then boto3 will reach out to the _global_
+# https://sts.amazonaws.com URL, and that DNS entry will still point
+# to an external IP.
+#
+# See this link for more information about boto3's perverse behavior
+# in the case of STS: https://github.com/boto/boto3/issues/1859.
+sts = boto3.client(
+    "sts", region_name=REGION, endpoint_url=f"https://sts.{REGION}.amazonaws.com"
+)
 
 # Assume the role that can read the SSM parameters
 stsresponse = sts.assume_role(

diff --git a/guacamole_cloud_init.tf b/guacamole_cloud_init.tf
@@ -56,6 +56,7 @@ data "cloudinit_config" "guacamole_cloud_init_tasks" {
       "${path.module}/cloud-init/install-certificates.py", {
         cert_bucket_name   = var.cert_bucket_name
         cert_read_role_arn = module.guacamole_certreadrole.role.arn
+        region             = var.aws_region
         server_fqdn        = local.guacamole_fqdn
     })
   }
@@ -81,6 +82,7 @@ data "cloudinit_config" "guacamole_cloud_init_tasks" {
         guac_connection_setup_filename   = "01_setup_guac_connections"
         guac_connection_setup_path       = var.guac_connection_setup_path
         instance_hostnames               = join(",", concat(aws_route53_record.debiandesktop_A[*].name, aws_route53_record.gophish_A[*].name, aws_route53_record.kali_A[*].name, aws_route53_record.pentestportal_A[*].name, aws_route53_record.teamserver_A[*].name))
+        region                           = var.aws_region
         ssm_vnc_read_role_arn            = aws_iam_role.vnc_parameterstorereadonly_role.arn
         ssm_key_vnc_password             = var.ssm_key_vnc_password
         ssm_key_vnc_user                 = var.ssm_key_vnc_username