Cloud-Architects / cloudiscovery

The tool to help you discover resources in the cloud environment
Apache License 2.0
779 stars 92 forks

Failures when trying against a us-gov based region #148

Open dbadrak opened 4 years ago

dbadrak commented 4 years ago

When using a profile that is in a GovCloud region (us-gov-east-1, us-gov-west-1), this fails in a number of different places.

When constructing an ssm client to pull the global configuration, it is true that it needs to use the us-east-1 region. However, if that's not the region selected or in the profile, it fails because the ssm global parameters under /aws/service/global-infrastructure aren't available IN the us-gov regions. The data are available at /aws/service/global-infrastructure/us-gov-west-1/ (and east).

One cannot jump between regions in the same profile because they are different accounts. It appears that to use a GovCloud region, two profiles need to be specified: one for non-gov (us-east-1, for example) and a second one for gov (in either gov region). Each GovCloud comes with two accounts, one EastWest (non-gov regions) and one Gov (us-gov regions).

meshuga commented 4 years ago

Hi, thanks for the info. We initially created the tool to work with the Public AWS partition and didn't think about other ones. The issue might also occur in AWS China.

leandrodamascena commented 4 years ago

Hi dudes. Yes, the same thing occurs in China regions (cn-north-1 and cn-northwest-1).

I'm trying to map all the points of failure and contact a friend with an account in one of those regions. I have no idea of a specific deadline to finish this, but I'll try to update the issue this week.

Thank you for the info.

meshuga commented 3 years ago

I think the best solution to that problem will be to be able to pass two profiles:

  1. --profile profile-name as the main profile, that can point to a region in any partition
  2. --aws-partition-profile profile-name as a profile that resides in the main AWS partition (partition aws), so that we are able to connect to SSM.

We should detect if a region in a profile is outside of the aws partition and, if it is, throw an error and ask the user to pass an additional profile in the --aws-partition-profile parameter.

Although it will solve the GovCloud partition, the China partition can be problematic, as users of AWS China usually have one account (for operations within that country).

I also need to research more what happens with global services like IAM, or whether, in the case of services outside the main partition, it's possible to skip the checks and the necessary calls to the us-east-1 region.
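The failure dbadrak describes (a profile whose region sits in the us-gov partition, where the global SSM parameters can't be read) and the two-profile scheme meshuga proposes above come down to one check: work out which partition the main region belongs to, and refuse to continue without a second profile in the public `aws` partition when it isn't that one. The following is an added illustration of that check in Python, not cloudiscovery's own code and not from either comment; the region-prefix table, the `--aws-partition-profile` handling and all function and class names are assumptions made for the example.

```python
"""Partition check for a cloud-inventory CLI (added illustration, not project code).

The main profile may point at a region in any partition, but the SSM
global-infrastructure lookup must be made from the public 'aws' partition,
so a second profile in that partition is required whenever the main region
lies outside it. Names and the prefix table below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Region-name prefixes that mark the non-public partitions. This table is an
# assumption for the example; a real tool should take the partition from the
# endpoint data shipped with its SDK rather than from a hand-written map.
_PARTITION_PREFIXES = {
    "us-gov-": "aws-us-gov",
    "cn-": "aws-cn",
}


def partition_for_region(region: str) -> str:
    """Return the partition name for a region; 'aws' when no special prefix matches."""
    for prefix, partition in _PARTITION_PREFIXES.items():
        if region.startswith(prefix):
            return partition
    return "aws"


class PartitionProfileError(ValueError):
    """Raised when the main region is outside 'aws' and no usable extra profile was given."""


@dataclass(frozen=True)
class ResolvedProfiles:
    main_profile: str            # profile used for the resource inventory itself
    main_region: str
    aws_partition_profile: str   # profile used for calls that must go to the 'aws' partition


def resolve_profiles(main_profile: str, main_region: str,
                     aws_partition_profile: Optional[str] = None,
                     aws_partition_region: Optional[str] = None) -> ResolvedProfiles:
    """Decide which profile serves the public-partition calls, or fail early.

    aws_partition_region is the region configured on the extra profile, when
    known, so that a second profile that is itself outside 'aws' is rejected
    instead of failing later at the SSM call.
    """
    partition = partition_for_region(main_region)

    if partition == "aws":
        # Everything, including the SSM lookup, can run under the main profile.
        return ResolvedProfiles(main_profile, main_region,
                                aws_partition_profile or main_profile)

    if aws_partition_profile is None:
        raise PartitionProfileError(
            f"region {main_region!r} is in partition {partition!r}; pass "
            "--aws-partition-profile with a profile in the 'aws' partition so "
            "the global SSM parameters can be read"
        )

    if aws_partition_region is not None and partition_for_region(aws_partition_region) != "aws":
        raise PartitionProfileError(
            f"--aws-partition-profile {aws_partition_profile!r} is configured for "
            f"{aws_partition_region!r}, which is not in the 'aws' partition"
        )

    return ResolvedProfiles(main_profile, main_region, aws_partition_profile)


def missing_partition_profile(main_region: str,
                              aws_partition_profile: Optional[str] = None,
                              aws_partition_region: Optional[str] = None) -> bool:
    """True when resolve_profiles would reject this combination (handy for a CLI pre-check)."""
    try:
        resolve_profiles("main", main_region, aws_partition_profile, aws_partition_region)
    except PartitionProfileError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample invocations, mirroring the GovCloud case from the thread.
    print(resolve_profiles("commercial", "us-east-1"))
    print(resolve_profiles("govcloud", "us-gov-west-1", "commercial", "us-east-1"))
    print("rejected:", missing_partition_profile("cn-north-1"))
```

The check is done before any API call so the user gets one clear error rather than a failed SSM lookup deep inside the inventory run; the China case the thread raises (one account, no public-partition profile available) still surfaces as that error and would need a separate code path that skips the global lookup.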

leandrodamascena commented 3 years ago

@dbadrak hey friend! @meshuga opened a PR to fix this and I merged it. Can you clone/update the repository and try again? Thank you so much.