[Bug]: wrong region used for requests to route53 #34016

Closed
tmccombs opened this issue Oct 19, 2023 · 11 comments · Fixed by #37565 or #37851
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/route53 Issues and PRs that pertain to the route53 service.

@tmccombs
Contributor

tmccombs commented Oct 19, 2023

Terraform Core Version

1.5.0

AWS Provider Version

5.21.0

Affected Resource(s)

aws_route53_record

Expected Behavior

I should be able to use the fips endpoint: https://route53-fips.amazonaws.com. However, it seems the provider hard-codes the use of the us-west-2 region when making requests to route53 and that isn't a valid region for that endpoint.

Actual Behavior

If I use a provider configuration that uses the us-east-1 region, and specify

endpoints {
  route53 = "https://route53-fips.amazonaws.com"
}

then when I try to refresh the state (including as part of a plan), I get the error "SignatureDoesNotMatch: Credential should be scoped to a valid region".

Relevant Error/Panic Output Snippet

╷
│ Error: reading Route 53 Record (<REDACTED>): SignatureDoesNotMatch: Credential should be scoped to a valid region.
│ 	status code: 403, request id: c0729919-504b-4889-9b9a-ba49181f09fc
│ 
│   with aws_route53_record.example,
│   on ses.tf line 9, in resource "aws_route53_record" "example":
│    9: resource "aws_route53_record" "example" {
│ 
╵

Terraform Configuration Files

provider "aws" {
  alias = "example"
  # include AWS credentials source
  region = "us-east-1"

  endpoints {
    route53 = "https://route53-fips.amazonaws.com"
  }
}

resource "aws_route53_record" "example" {
  provider = aws.example
  zone_id  = var.zone_id
  name     = ""
  type     = "TXT"
  ttl      = 60
  records  = ["example"]
}

Steps to Reproduce

Create the resource without the custom route53 endpoint. Then run terraform apply -refresh-only to attempt to refresh the state.

Debug Output

2023-10-19T12:54:43.808-0600 [DEBUG] provider.terraform-provider-aws_v5.21.0_x5: HTTP Response Received: rpc.service="Route 53" tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=dda458c2-5606-1bb9-dc6f-4fc926b1e7b3 http.response.header.content_type=text/xml @module=aws http.duration=427 http.response.header.x_amzn_requestid=8617f94b-5f9e-44c8-9d50-98ce16a38644 http.status_code=403 rpc.system=aws-api tf_resource_type=aws_route53_record aws.region=us-west-2 http.response.header.date="Thu, 19 Oct 2023 18:54:42 GMT" rpc.method=GetHostedZone tf_rpc=ReadResource @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.38/logger.go:157 http.response.body="<?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>SignatureDoesNotMatch</Code><Message>Credential should be scoped to a valid region. </Message></Error><RequestId>8617f94b-5f9e-44c8-9d50-98ce16a38644</RequestId></ErrorResponse>
" http.response_content_length=300 tf_aws.sdk=aws-sdk-go timestamp=2023-10-19T12:54:43.808-0600
2023-10-19T12:54:43.809-0600 [ERROR] provider.terraform-provider-aws_v5.21.0_x5: Response contains error diagnostic: tf_rpc=ReadResource @module=sdk.proto diagnostic_severity=ERROR diagnostic_summary="reading Route 53 Record (<REDACTED>__TXT): SignatureDoesNotMatch: Credential should be scoped to a valid region.
	status code: 403, request id: 8617f94b-5f9e-44c8-9d50-98ce16a38644" tf_proto_version=5.4 tf_resource_type=aws_route53_record @caller=github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail= tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=dda458c2-5606-1bb9-dc6f-4fc926b1e7b3 timestamp=2023-10-19T12:54:43.809-0600
2023-10-19T12:54:43.809-0600 [ERROR] vertex "aws_route53_record.example" error: reading Route 53 Record (<REDACTED>__TXT): SignatureDoesNotMatch: Credential should be scoped to a valid region.
	status code: 403, request id: 8617f94b-5f9e-44c8-9d50-98ce16a38644
2023-10-19T12:54:43.809-0600 [ERROR] vertex "aws_route53_record.example (expand)" error: reading Route 53 Record (<REDACTED>__TXT): SignatureDoesNotMatch: Credential should be scoped to a valid region.

Notice that the request uses the "us-west-2" region, despite the fact that I have specified the "us-east-1" region.

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

None
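
Why a wrong signing region surfaces as `SignatureDoesNotMatch`, shown as an added example that is not code from this issue or from the provider: in SigV4 the region is part of both the credential scope and the signing-key derivation. It assumes the global Route 53 endpoint in the standard `aws` partition signs for us-east-1; `Sign`, `Verify`, the secret and the request hash are constructed for illustration, and `Verify` is a simplified model of the service-side check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Sign returns the SigV4 credential scope and signature. The region is an
// input to the signing-key derivation and is also embedded in the scope.
func Sign(secret, ts, date, region, service, reqHash string) (scope, sig string) {
	scope = date + "/" + region + "/" + service + "/aws4_request"
	k := mac([]byte("AWS4"+secret), date)
	for _, part := range []string{region, service, "aws4_request"} {
		k = mac(k, part)
	}
	sts := "AWS4-HMAC-SHA256\n" + ts + "\n" + scope + "\n" + reqHash
	return scope, hex.EncodeToString(mac(k, sts))
}

// Verify models the service side (simplified): the scope's region must be the
// one the endpoint signs for, and the recomputed signature must match.
func Verify(secret, ts, scope, wantRegion, reqHash, sig string) error {
	p := strings.Split(scope, "/")
	if len(p) != 4 || p[3] != "aws4_request" {
		return fmt.Errorf("malformed credential scope %q", scope)
	}
	if p[1] != wantRegion {
		return fmt.Errorf("credential scoped to %q, endpoint expects %q", p[1], wantRegion)
	}
	if _, want := Sign(secret, ts, p[0], p[1], p[2], reqHash); !hmac.Equal([]byte(want), []byte(sig)) {
		return fmt.Errorf("signature does not match")
	}
	return nil
}

func main() { // constructed inputs; reqHash stands in for the canonical-request hash
	secret, ts, date, reqHash := "EXAMPLE-SECRET", "20231019T185442Z", "20231019", strings.Repeat("0", 64)
	scope, sig := Sign(secret, ts, date, "us-west-2", "route53", reqHash)
	fmt.Println(Verify(secret, ts, scope, "us-east-1", reqHash, sig))
}
```

When debugging a live failure, the `aws.region` field in the provider's debug log shows the region that was actually used for signing.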

@tmccombs tmccombs added the bug Addresses a defect in current functionality. label Oct 19, 2023
@github-actions github-actions bot added the service/route53 Issues and PRs that pertain to the route53 service. label Oct 19, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 19, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Oct 23, 2023
@AlexSchultz-clumio

This also occurs with cloudfront-fips.amazonaws.com, which also doesn't have the regional endpoint and suffers from #33952.

@kopatsy

kopatsy commented Apr 25, 2024

From my experiments, it appears that the regression might have been introduced in v5.5.0 (v5.4.0 works on our workspace, v5.5.0 fails with the SignatureDoesNotMatch error on a route53_hosted_zone resource).

@cadepriest

Can confirm this is still an issue. This is the error if you set the route53 endpoint, even to the amazonaws.com endpoint.

Error: finding Route 53 Hosted Zone: SignatureDoesNotMatch: Credential should be scoped to a valid region.

In this configuration I am using the default endpoint.

provider "aws" {
  region = "us-east-1"
  endpoints {
    route53 = "https://route53.amazonaws.com"
  }
}

If you force the provider to 5.4, like the previous comment, this configuration works.

terraform {
  backend "http" {}
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.4.0, < 5.5.0"
    }
  }
}


Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.50.0 milestone May 16, 2024

This functionality has been released in v5.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@kopatsy

kopatsy commented May 29, 2024

It appears that this might have regressed. It works with 5.50.0 and breaks the same way in 5.51.0. I suspect that could be the commit that re-introduced the issue.

@justinretzolk justinretzolk reopened this May 30, 2024
@justinretzolk justinretzolk added the regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. label May 30, 2024
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label May 30, 2024
@gdavison gdavison self-assigned this May 31, 2024
@gdavison
Contributor

Hi @kopatsy. Are you still seeing this error in v5.52.0? I can't reproduce the error.

If you are seeing it, can you please share your configuration and the debug log?

@github-actions github-actions bot modified the milestones: v5.50.0, v5.53.0 Jun 7, 2024
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Jun 7, 2024

github-actions bot commented Jun 7, 2024

This functionality has been released in v5.53.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Jul 8, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 8, 2024