AWS Asia Pacific (Hong Kong) Region now open #8433

Closed
ewbankkit opened this issue Apr 25, 2019 · 7 comments · Fixed by #8437

@ewbankkit
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

ap-east-1 is now open.

Guidance on adding support for a new AWS Region:

@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Apr 25, 2019
@christophermichaeljohnston2

christophermichaeljohnston2 commented Apr 25, 2019

Submitted a PR to support this new region. However, it seems that aws-sdk-go doesn't yet support ap-east-1.

@bflad bflad added the provider Pertains to the provider itself, rather than any interaction with AWS. label Apr 25, 2019
@bflad
Contributor

bflad commented Apr 25, 2019

AWS Go SDK v1.19.18 (#8440) should add automatic region validation. 👍

@bflad
Contributor

bflad commented Apr 25, 2019

With #8440 it passes our region validation, but it looks like STS has not been fully initialized in the new region yet:

$ terraform apply

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.

Enabling debug logging shows 403 Forbidden errors while the same credentials work elsewhere.

---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.ap-east-1.amazonaws.com
User-Agent: aws-sdk-go/1.19.18 (go1.12.4; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.0-beta2
Content-Length: 43
Authorization: AWS4-HMAC-SHA256 Credential=--OMITTED--/20190425/ap-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=6162ddd5f5852353cfcc8377489832196a6d103e60b8eb7c738e00877ec6517e
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20190425T201613Z
Accept-Encoding: gzip
Action=GetCallerIdentity&Version=2011-06-15
-----------------------------------------------------
2019/04/25 16:16:14 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 306
[bflad-prod]
Content-Type: text/xml
Date: Thu, 25 Apr 2019 20:16:13 GMT
X-Amzn-Requestid: f9972bab-6796-11e9-be80-c32954b4fafb
-----------------------------------------------------
2019/04/25 16:16:14 [DEBUG] [aws-sdk-go] <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
[bflad-prod]
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid.</Message>
  </Error>
  <RequestId>f9972bab-6796-11e9-be80-c32954b4fafb</RequestId>
</ErrorResponse>

Setting the STS endpoint in Terraform to https://sts.amazonaws.com yields another interesting error:

$ terraform apply

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'ap-east-1'.
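
Both errors in the comment above hinge on the region inside the SigV4 credential scope of the `Authorization` header. The Go program below is an added example, not code from the Terraform AWS Provider or aws-sdk-go: it parses that scope, maps an STS host to the signing region it expects, and derives the SigV4 signing key to show the region is bound into it. `Scope`, `ParseScope`, `EndpointRegion` and `SigningKey` are names chosen here, and the mapping of the bare `sts.amazonaws.com` host to `us-east-1` is an assumption of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

type Scope struct{ AccessKey, Date, Region, Service string } // SigV4 credential scope

// ParseScope extracts <key>/<date>/<region>/<service>/aws4_request from the header.
func ParseScope(auth string) (Scope, error) {
	_, cred, ok := strings.Cut(auth, "Credential=")
	if !ok || !strings.HasPrefix(auth, "AWS4-HMAC-SHA256 ") {
		return Scope{}, fmt.Errorf("not a SigV4 Authorization header")
	}
	cred, _, _ = strings.Cut(cred, ",")
	f := strings.Split(strings.TrimSpace(cred), "/")
	if len(f) != 5 || f[4] != "aws4_request" {
		return Scope{}, fmt.Errorf("malformed credential scope %q", cred)
	}
	return Scope{f[0], f[1], f[2], f[3]}, nil
}

// EndpointRegion: signing region a host expects (assumed: bare sts.amazonaws.com -> us-east-1).
func EndpointRegion(host string) string {
	if p := strings.Split(host, "."); len(p) == 4 { // <service>.<region>.amazonaws.com
		return p[1]
	}
	return "us-east-1"
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// SigningKey derives the SigV4 key; the region is one link in the HMAC chain.
func SigningKey(secret string, s Scope) []byte {
	k := mac([]byte("AWS4"+secret), s.Date)
	return mac(mac(mac(k, s.Region), s.Service), "aws4_request")
}

func main() {
	// Constructed header shaped like the one in the debug log above.
	s, err := ParseScope("AWS4-HMAC-SHA256 Credential=--OMITTED--/20190425/ap-east-1/sts/aws4_request, SignedHeaders=host, Signature=00")
	fmt.Println(s.Region, err, EndpointRegion("sts.amazonaws.com"))
}
```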

@bflad
Contributor

bflad commented Apr 25, 2019

Doh! Helps to read the blog post. 😅 Region needs to be enabled.

Using the Asia Pacific (Hong Kong) Region
As we announced last month, you need to explicitly enable this region for your AWS account in order to be able to create and manage resources within it.

@bflad bflad added this to the v2.8.0 milestone Apr 25, 2019
@bflad
Contributor

bflad commented Apr 25, 2019

The following support for the new ap-east-1 region has been merged in and will release with version 2.8.0 of the Terraform AWS Provider, likely tomorrow.

  • data-source/aws_cloudtrail_service_account: Support new ap-east-1 region
  • data-source/aws_elb_hosted_zone_id: Support new ap-east-1 region
  • data-source/aws_elb_service_account: Support new ap-east-1 region
  • data-source/aws_redshift_service_account: Support new ap-east-1 region
  • data-source/aws_s3_bucket: Support new ap-east-1 region in hosted_zone_id attribute
  • provider: Support automatic region validation for ap-east-1
  • resource/aws_s3_bucket: Support new ap-east-1 region in hosted_zone_id attribute

For any additional feature requests or bug reports with this new region, please create new GitHub issues. Thanks!

@nywilken
Contributor

nywilken commented Apr 27, 2019

This has been released in version 2.8.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020