Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(region-info): SSM service principals are incorrect in opt-in regions #22327

Merged
merged 5 commits into from
Oct 4, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions packages/@aws-cdk/aws-iam/test/principals.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -311,10 +311,10 @@ test('ServicePrincipalName returns just a string representing the principal', ()
// GIVEN
const usEastStack = new Stack(undefined, undefined, { env: { region: 'us-east-1' } });
const afSouthStack = new Stack(undefined, undefined, { env: { region: 'af-south-1' } });
const principalName = iam.ServicePrincipal.servicePrincipalName('ssm.amazonaws.com');
const principalName = iam.ServicePrincipal.servicePrincipalName('states.amazonaws.com');

expect(usEastStack.resolve(principalName)).toEqual('ssm.amazonaws.com');
expect(afSouthStack.resolve(principalName)).toEqual('ssm.af-south-1.amazonaws.com');
expect(usEastStack.resolve(principalName)).toEqual('states.us-east-1.amazonaws.com');
expect(afSouthStack.resolve(principalName)).toEqual('states.af-south-1.amazonaws.com');
});

test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => {
Expand All @@ -327,14 +327,14 @@ test('ServicePrincipal in agnostic stack generates lookup table', () => {

// WHEN
new iam.Role(stack, 'Role', {
assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
});

// THEN
const template = Template.fromStack(stack);
const mappings = template.findMappings('ServiceprincipalMap');
expect(mappings.ServiceprincipalMap['af-south-1']?.ssm).toEqual('ssm.af-south-1.amazonaws.com');
expect(mappings.ServiceprincipalMap['us-east-1']?.ssm).toEqual('ssm.amazonaws.com');
expect(mappings.ServiceprincipalMap['af-south-1']?.states).toEqual('states.af-south-1.amazonaws.com');
expect(mappings.ServiceprincipalMap['us-east-1']?.states).toEqual('states.us-east-1.amazonaws.com');
});

test('Can enable session tags', () => {
Expand Down
6 changes: 0 additions & 6 deletions packages/@aws-cdk/region-info/lib/aws-entities.ts
Original file line number Diff line number Diff line change
@@ -1,8 +1,3 @@
/**
* After this point, SSM only creates regional principals
*/
export const RULE_SSM_PRINCIPALS_ARE_REGIONAL = Symbol('SSM_PRINCIPALS_ARE_REGIONAL');

/**
* After this point, S3 website domains look like `s3-website.REGION.s3.amazonaws.com`
*
Expand Down Expand Up @@ -49,7 +44,6 @@ export const AWS_REGIONS_AND_RULES: readonly (string | symbol)[] = [
'ap-northeast-3', // Asia Pacific (Osaka)
'us-gov-east-1', // AWS GovCloud (US-East)
'eu-north-1', // Europe (Stockholm)
RULE_SSM_PRINCIPALS_ARE_REGIONAL,
'ap-east-1', // Asia Pacific (Hong Kong)
'me-south-1', // Middle East (Bahrain)
'eu-south-1', // Europe (Milan)
Expand Down
8 changes: 0 additions & 8 deletions packages/@aws-cdk/region-info/lib/default.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
import { before, RULE_SSM_PRINCIPALS_ARE_REGIONAL } from './aws-entities';

/**
* Provides default values for certain regional information points.
*/
Expand Down Expand Up @@ -81,12 +79,6 @@ export class Default {
}

switch (service) {
// SSM turned from global to regional at some point
case 'ssm':
return before(region, RULE_SSM_PRINCIPALS_ARE_REGIONAL)
? universal
: regional;

// CodeDeploy is regional+partitional in CN, only regional everywhere else
case 'codedeploy':
return region.startsWith('cn-')
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.af-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.af-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -63,7 +63,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.ap-east-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.ap-east-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -294,7 +294,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.ap-southeast-3.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.ap-southeast-3.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -492,7 +492,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.eu-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.eu-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -525,7 +525,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.eu-south-2.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.eu-south-2.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -657,7 +657,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.me-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.me-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -888,7 +888,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.us-iso-west-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce",
Expand Down
10 changes: 7 additions & 3 deletions packages/@aws-cdk/region-info/test/default.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ const urlSuffix = '.nowhere.null';

describe('servicePrincipal', () => {
for (const suffix of ['', '.amazonaws.com', '.amazonaws.com.cn']) {
for (const service of ['codedeploy', 'states', 'ssm']) {
for (const service of ['codedeploy', 'states']) {
test(`${service}${suffix}`, () => {
expect(Default.servicePrincipal(`${service}${suffix}`, region, urlSuffix)).toBe(`${service}.${region}.amazonaws.com`);
});
Expand Down Expand Up @@ -58,11 +58,15 @@ describe('servicePrincipal', () => {

describe('spot-check some service principals', () => {
test('ssm', () => {
// SSM has advertised in its documentation that it is regional after a certain point, but that
// documentation only applies to SSM Inventory, not SSM Automation. Plus, there is no need for
// a different service principal, as all accounts are (at least currently) included in the global
// one.
expectServicePrincipals('ssm.amazonaws.com', {
'us-east-1': 'ssm.amazonaws.com',
'eu-north-1': 'ssm.amazonaws.com',
'ap-east-1': 'ssm.ap-east-1.amazonaws.com',
'eu-south-1': 'ssm.eu-south-1.amazonaws.com',
'ap-east-1': 'ssm.amazonaws.com',
'eu-south-1': 'ssm.amazonaws.com',
});
});

Expand Down