From 12f322baec18fd9413859ac68a9f91385371b3a0 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Mon, 3 Oct 2022 14:51:58 +0200 Subject: [PATCH 1/4] fix(region-info): SSM service principals are not regional The change in https://github.com/aws/aws-cdk/pull/17047 was based on an eager reading of the documentation. The documentation referenced only applies to "SSM Inventory", not to "SSM Automation". And in fact there is no need for that change at all, since all accounts included in the regional service principal are also included in the global service principal. We therefore revert all use of SSM service principals to the global one. --- packages/@aws-cdk/region-info/lib/aws-entities.ts | 6 ------ packages/@aws-cdk/region-info/lib/default.ts | 8 -------- packages/@aws-cdk/region-info/test/default.test.ts | 8 ++++++-- 3 files changed, 6 insertions(+), 16 deletions(-) diff --git a/packages/@aws-cdk/region-info/lib/aws-entities.ts b/packages/@aws-cdk/region-info/lib/aws-entities.ts index 0c28399449434..d91e34848c73f 100644 --- a/packages/@aws-cdk/region-info/lib/aws-entities.ts +++ b/packages/@aws-cdk/region-info/lib/aws-entities.ts @@ -1,8 +1,3 @@ -/** - * After this point, SSM only creates regional principals - */ -export const RULE_SSM_PRINCIPALS_ARE_REGIONAL = Symbol('SSM_PRINCIPALS_ARE_REGIONAL'); - /** * After this point, S3 website domains look like `s3-website.REGION.s3.amazonaws.com` * @@ -49,7 +44,6 @@ export const AWS_REGIONS_AND_RULES: readonly (string | symbol)[] = [ 'ap-northeast-3', // Asia Pacific (Osaka) 'us-gov-east-1', // AWS GovCloud (US-East) 'eu-north-1', // Europe (Stockholm) - RULE_SSM_PRINCIPALS_ARE_REGIONAL, 'ap-east-1', // Asia Pacific (Hong Kong) 'me-south-1', // Middle East (Bahrain) 'eu-south-1', // Europe (Milan) diff --git a/packages/@aws-cdk/region-info/lib/default.ts b/packages/@aws-cdk/region-info/lib/default.ts index 39a8db5ddedc9..c240c55ec1068 100644 --- a/packages/@aws-cdk/region-info/lib/default.ts +++ b/packages/@aws-cdk/region-info/lib/default.ts @@ -1,5 +1,3 @@ -import { before, RULE_SSM_PRINCIPALS_ARE_REGIONAL } from './aws-entities'; - /** * Provides default values for certain regional information points. */ @@ -81,12 +79,6 @@ export class Default { } switch (service) { - // SSM turned from global to regional at some point - case 'ssm': - return before(region, RULE_SSM_PRINCIPALS_ARE_REGIONAL) - ? universal - : regional; - // CodeDeploy is regional+partitional in CN, only regional everywhere else case 'codedeploy': return region.startsWith('cn-') diff --git a/packages/@aws-cdk/region-info/test/default.test.ts b/packages/@aws-cdk/region-info/test/default.test.ts index b9c7a4375f8fd..9325699e4bcdd 100644 --- a/packages/@aws-cdk/region-info/test/default.test.ts +++ b/packages/@aws-cdk/region-info/test/default.test.ts @@ -58,11 +58,15 @@ describe('servicePrincipal', () => { describe('spot-check some service principals', () => { test('ssm', () => { + // SSM has advertised in its documentation that it is regional after a certain point, but that + // documentation only applies to SSM Inventory, not SSM Automation. Plus, there is no need for + // a different service principal, as all accounts are (at least currently) included in the global + // one. expectServicePrincipals('ssm.amazonaws.com', { 'us-east-1': 'ssm.amazonaws.com', 'eu-north-1': 'ssm.amazonaws.com', - 'ap-east-1': 'ssm.ap-east-1.amazonaws.com', - 'eu-south-1': 'ssm.eu-south-1.amazonaws.com', + 'ap-east-1': 'ssm.amazonaws.com', + 'eu-south-1': 'ssm.amazonaws.com', }); }); From fb0780872e55758497802e3d7b49a2628167add6 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Mon, 3 Oct 2022 18:34:53 +0200 Subject: [PATCH 2/4] Snapshooooooooots --- .../test/__snapshots__/region-info.test.js.snap | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap b/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap index dae9b4dda9d16..2ce71cae5df83 100644 --- a/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap +++ b/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap @@ -30,7 +30,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.af-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.af-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -63,7 +63,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.ap-east-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.ap-east-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -294,7 +294,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.ap-southeast-3.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.ap-southeast-3.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -492,7 +492,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.eu-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.eu-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -525,7 +525,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.eu-south-2.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.eu-south-2.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -657,7 +657,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.me-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.me-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -888,7 +888,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.us-iso-west-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce", From 79008a99e90a35b0222cb76076684b9781ff78da Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Mon, 3 Oct 2022 18:51:25 +0200 Subject: [PATCH 3/4] Fix one more test --- packages/@aws-cdk/region-info/test/default.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/region-info/test/default.test.ts b/packages/@aws-cdk/region-info/test/default.test.ts index 9325699e4bcdd..10651a4788070 100644 --- a/packages/@aws-cdk/region-info/test/default.test.ts +++ b/packages/@aws-cdk/region-info/test/default.test.ts @@ -5,7 +5,7 @@ const urlSuffix = '.nowhere.null'; describe('servicePrincipal', () => { for (const suffix of ['', '.amazonaws.com', '.amazonaws.com.cn']) { - for (const service of ['codedeploy', 'states', 'ssm']) { + for (const service of ['codedeploy', 'states']) { test(`${service}${suffix}`, () => { expect(Default.servicePrincipal(`${service}${suffix}`, region, urlSuffix)).toBe(`${service}.${region}.amazonaws.com`); }); From 216ba6178d94e81de0d2ab068c76668f67b4656d Mon Sep 17 00:00:00 2001 From: Naumel <104374999+Naumel@users.noreply.github.com> Date: Tue, 4 Oct 2022 13:23:46 +0200 Subject: [PATCH 4/4] Switching from ssm to states to keep the lookup table test. --- packages/@aws-cdk/aws-iam/test/principals.test.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts index e3b1078d2a933..37dc662121854 100644 --- a/packages/@aws-cdk/aws-iam/test/principals.test.ts +++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts @@ -311,10 +311,10 @@ test('ServicePrincipalName returns just a string representing the principal', () // GIVEN const usEastStack = new Stack(undefined, undefined, { env: { region: 'us-east-1' } }); const afSouthStack = new Stack(undefined, undefined, { env: { region: 'af-south-1' } }); - const principalName = iam.ServicePrincipal.servicePrincipalName('ssm.amazonaws.com'); + const principalName = iam.ServicePrincipal.servicePrincipalName('states.amazonaws.com'); - expect(usEastStack.resolve(principalName)).toEqual('ssm.amazonaws.com'); - expect(afSouthStack.resolve(principalName)).toEqual('ssm.af-south-1.amazonaws.com'); + expect(usEastStack.resolve(principalName)).toEqual('states.us-east-1.amazonaws.com'); + expect(afSouthStack.resolve(principalName)).toEqual('states.af-south-1.amazonaws.com'); }); test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => { @@ -327,14 +327,14 @@ test('ServicePrincipal in agnostic stack generates lookup table', () => { // WHEN new iam.Role(stack, 'Role', { - assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'), + assumedBy: new iam.ServicePrincipal('states.amazonaws.com'), }); // THEN const template = Template.fromStack(stack); const mappings = template.findMappings('ServiceprincipalMap'); - expect(mappings.ServiceprincipalMap['af-south-1']?.ssm).toEqual('ssm.af-south-1.amazonaws.com'); - expect(mappings.ServiceprincipalMap['us-east-1']?.ssm).toEqual('ssm.amazonaws.com'); + expect(mappings.ServiceprincipalMap['af-south-1']?.states).toEqual('states.af-south-1.amazonaws.com'); + expect(mappings.ServiceprincipalMap['us-east-1']?.states).toEqual('states.us-east-1.amazonaws.com'); }); test('Can enable session tags', () => {