Update Service Endpoint URL for AWS Network Firewall in GovCloud

[apotter-engr]

Relates #21641

Region where issue is encountered: us-gov-west-1

AWS publishes the AWS Network Firewall endpoints here: https://docs.aws.amazon.com/general/latest/gr/network-firewall.html, which states that for us-gov-west-1 the endpoint is https://network-firewall-fips.us-gov-west-1.amazonaws.com.

Currently, when I incorporate any AWS Network Firewall Terraform Resource: aws_networkfirewall_rule_group, aws_networkfirewall_firewall_policy, and aws_networkfirewall_firewall; it fails with the error:

Error: error creating NetworkFirewall Rule Group exfil: RequestError: send request failed
caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com on [2001:558:feed::1]:53: no such host

It appears that terraform is following the service naming convention for non-govcloud service endpoints and is inadvertently trying to use the service endpoint in us-west-1. The govcloud endpoint should include the word "fips".

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.9
on darwin_amd64
provider registry.terraform.io/hashicorp/aws v3.63.0

Affected Resource(s)

aws_networkfirewall_rule_group, aws_networkfirewall_firewall_policy, and aws_networkfirewall_firewall

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider "aws" {
  region = "us-gov-west-1"
}



############################################################################
##  Create Stateless Rules
############################################################################

resource "aws_networkfirewall_rule_group" "exfil" {
  description = "Prevent traffic from private subnets to the internet gateway"
  capacity = 10
  name     = "exfil"
  type     = "STATELESS"
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:drop"]
            match_attributes {
              source {
                address_definition = "10.1.0.0/16"
              }
              destination {
                address_definition = "0.0.0.0/0"
              }
            }
          }
        }
      }
    }
  }
}

Debug Output

│ Error: error creating NetworkFirewall Rule Group exfil: RequestError: send request failed
│ caused by: Post "https://network-firewall.us-gov-west-1.amazonaws.com/": dial tcp: lookup network-firewall.us-gov-west-1.amazonaws.com on [2001:558:feed::1]:53: no such host
│
│ with aws_networkfirewall_rule_group.exfil,
│ on main.tf line 37, in resource "aws_networkfirewall_rule_group" "exfil":
│ 37: resource "aws_networkfirewall_rule_group" "exfil" {
│
╵

Panic Output

None

Expected Behavior

AWS Network Firewall Rule Group Created

Actual Behavior

Error

Steps to Reproduce

1. terraform apply

Important Factoids

GovCloud

References

• #0000

[YakDriver]

@apotter-engr I agree that by default it should select the correct endpoint. Until we are able to resolve this, you can set the endpoint manually:

provider "aws" {
  endpoints {
    networkfirewall = "https://network-firewall-fips.us-gov-west-1.amazonaws.com"
  }
}

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.