From 26609c5a7d522b85b4c2545107728d70445d8ce3 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Tue, 4 Oct 2022 14:03:15 +0200 Subject: [PATCH] fix(region-info): SSM service principals are incorrect in opt-in regions (#22327) The change in https://github.com/aws/aws-cdk/pull/17047 was based on an eager reading of the documentation. The documentation referenced only applies to "SSM Inventory", not to "SSM Automation". And in fact there is no need for that change at all, since all accounts included in the regional service principal are also included in the global service principal. We therefore revert all use of SSM service principals to the global one. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-iam/test/principals.test.ts | 12 ++++++------ packages/@aws-cdk/region-info/lib/aws-entities.ts | 6 ------ packages/@aws-cdk/region-info/lib/default.ts | 8 -------- .../test/__snapshots__/region-info.test.js.snap | 14 +++++++------- packages/@aws-cdk/region-info/test/default.test.ts | 10 +++++++--- 5 files changed, 20 insertions(+), 30 deletions(-) diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts index e3b1078d2a933..37dc662121854 100644 --- a/packages/@aws-cdk/aws-iam/test/principals.test.ts +++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts @@ -311,10 +311,10 @@ test('ServicePrincipalName returns just a string representing the principal', () // GIVEN const usEastStack = new Stack(undefined, undefined, { env: { region: 'us-east-1' } }); const afSouthStack = new Stack(undefined, undefined, { env: { region: 'af-south-1' } }); - const principalName = iam.ServicePrincipal.servicePrincipalName('ssm.amazonaws.com'); + const principalName = iam.ServicePrincipal.servicePrincipalName('states.amazonaws.com'); - expect(usEastStack.resolve(principalName)).toEqual('ssm.amazonaws.com'); - expect(afSouthStack.resolve(principalName)).toEqual('ssm.af-south-1.amazonaws.com'); + expect(usEastStack.resolve(principalName)).toEqual('states.us-east-1.amazonaws.com'); + expect(afSouthStack.resolve(principalName)).toEqual('states.af-south-1.amazonaws.com'); }); test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => { @@ -327,14 +327,14 @@ test('ServicePrincipal in agnostic stack generates lookup table', () => { // WHEN new iam.Role(stack, 'Role', { - assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'), + assumedBy: new iam.ServicePrincipal('states.amazonaws.com'), }); // THEN const template = Template.fromStack(stack); const mappings = template.findMappings('ServiceprincipalMap'); - expect(mappings.ServiceprincipalMap['af-south-1']?.ssm).toEqual('ssm.af-south-1.amazonaws.com'); - expect(mappings.ServiceprincipalMap['us-east-1']?.ssm).toEqual('ssm.amazonaws.com'); + expect(mappings.ServiceprincipalMap['af-south-1']?.states).toEqual('states.af-south-1.amazonaws.com'); + expect(mappings.ServiceprincipalMap['us-east-1']?.states).toEqual('states.us-east-1.amazonaws.com'); }); test('Can enable session tags', () => { diff --git a/packages/@aws-cdk/region-info/lib/aws-entities.ts b/packages/@aws-cdk/region-info/lib/aws-entities.ts index 0c28399449434..d91e34848c73f 100644 --- a/packages/@aws-cdk/region-info/lib/aws-entities.ts +++ b/packages/@aws-cdk/region-info/lib/aws-entities.ts @@ -1,8 +1,3 @@ -/** - * After this point, SSM only creates regional principals - */ -export const RULE_SSM_PRINCIPALS_ARE_REGIONAL = Symbol('SSM_PRINCIPALS_ARE_REGIONAL'); - /** * After this point, S3 website domains look like `s3-website.REGION.s3.amazonaws.com` * @@ -49,7 +44,6 @@ export const AWS_REGIONS_AND_RULES: readonly (string | symbol)[] = [ 'ap-northeast-3', // Asia Pacific (Osaka) 'us-gov-east-1', // AWS GovCloud (US-East) 'eu-north-1', // Europe (Stockholm) - RULE_SSM_PRINCIPALS_ARE_REGIONAL, 'ap-east-1', // Asia Pacific (Hong Kong) 'me-south-1', // Middle East (Bahrain) 'eu-south-1', // Europe (Milan) diff --git a/packages/@aws-cdk/region-info/lib/default.ts b/packages/@aws-cdk/region-info/lib/default.ts index 39a8db5ddedc9..c240c55ec1068 100644 --- a/packages/@aws-cdk/region-info/lib/default.ts +++ b/packages/@aws-cdk/region-info/lib/default.ts @@ -1,5 +1,3 @@ -import { before, RULE_SSM_PRINCIPALS_ARE_REGIONAL } from './aws-entities'; - /** * Provides default values for certain regional information points. */ @@ -81,12 +79,6 @@ export class Default { } switch (service) { - // SSM turned from global to regional at some point - case 'ssm': - return before(region, RULE_SSM_PRINCIPALS_ARE_REGIONAL) - ? universal - : regional; - // CodeDeploy is regional+partitional in CN, only regional everywhere else case 'codedeploy': return region.startsWith('cn-') diff --git a/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap b/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap index dae9b4dda9d16..2ce71cae5df83 100644 --- a/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap +++ b/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap @@ -30,7 +30,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.af-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.af-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -63,7 +63,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.ap-east-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.ap-east-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -294,7 +294,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.ap-southeast-3.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.ap-southeast-3.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -492,7 +492,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.eu-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.eu-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -525,7 +525,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.eu-south-2.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.eu-south-2.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -657,7 +657,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.me-south-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.me-south-1.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", @@ -888,7 +888,7 @@ Object { "s3": "s3.amazonaws.com", "sns": "sns.amazonaws.com", "sqs": "sqs.amazonaws.com", - "ssm": "ssm.us-iso-west-1.amazonaws.com", + "ssm": "ssm.amazonaws.com", "states": "states.amazonaws.com", }, "vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce", diff --git a/packages/@aws-cdk/region-info/test/default.test.ts b/packages/@aws-cdk/region-info/test/default.test.ts index b9c7a4375f8fd..10651a4788070 100644 --- a/packages/@aws-cdk/region-info/test/default.test.ts +++ b/packages/@aws-cdk/region-info/test/default.test.ts @@ -5,7 +5,7 @@ const urlSuffix = '.nowhere.null'; describe('servicePrincipal', () => { for (const suffix of ['', '.amazonaws.com', '.amazonaws.com.cn']) { - for (const service of ['codedeploy', 'states', 'ssm']) { + for (const service of ['codedeploy', 'states']) { test(`${service}${suffix}`, () => { expect(Default.servicePrincipal(`${service}${suffix}`, region, urlSuffix)).toBe(`${service}.${region}.amazonaws.com`); }); @@ -58,11 +58,15 @@ describe('servicePrincipal', () => { describe('spot-check some service principals', () => { test('ssm', () => { + // SSM has advertised in its documentation that it is regional after a certain point, but that + // documentation only applies to SSM Inventory, not SSM Automation. Plus, there is no need for + // a different service principal, as all accounts are (at least currently) included in the global + // one. expectServicePrincipals('ssm.amazonaws.com', { 'us-east-1': 'ssm.amazonaws.com', 'eu-north-1': 'ssm.amazonaws.com', - 'ap-east-1': 'ssm.ap-east-1.amazonaws.com', - 'eu-south-1': 'ssm.eu-south-1.amazonaws.com', + 'ap-east-1': 'ssm.amazonaws.com', + 'eu-south-1': 'ssm.amazonaws.com', }); });