aws-amplify / amplify-backend

Home to all tools related to Amplify's code-first DX (Gen 2) for building fullstack apps on AWS
Apache License 2.0

Set Sandbox Secrets ignores AWS_DEFAULT_REGION environment variable #973

Closed bsmitches closed 9 months ago

bsmitches commented 9 months ago

Environment information

System:
    OS: macOS 13.5
    CPU: (8) arm64 Apple M1
    Memory: 82.25 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.11.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.2.4 - /opt/homebrew/bin/npm
    pnpm: Not Found
    bun: Not Found
    Watchman: Not Found
  npmPackages:
    @aws-amplify/backend: ^0.10.2 => 0.10.2 
    @aws-amplify/backend-cli: ^0.9.7 => 0.9.7 
    aws-amplify: ^6.0.13 => 6.0.13 
    aws-cdk: ^2.122.0 => 2.122.0 
    aws-cdk-lib: ^2.122.0 => 2.122.0 
    typescript: ^5.3.3 => 5.3.3

Description

I use us-east-1 for my workloads (defined in my environment variable). When using npx amplify sandbox secret set <name>, these secrets are always put in us-west-2 (set in CLI Profile Config), resulting in an error when running npx amplify sandbox, which uses us-east-1 (set in AWS_DEFAULT_REGION).

This results in a deployment error when CloudFormation can't resolve the secret in the other region using:

import { secret } from '@aws-amplify/backend';
...
secret('foo')

Replication steps

  1. Set profile to use us-west-2
    [default]
    region = us-west-2
    output = json
  2. Update environment variable export AWS_DEFAULT_REGION=us-east-1
  3. npx amplify sandbox secret set foo (puts secret in us-west-2)
    ? Enter secret value
  4. npx amplify sandbox secret get foo (retrieves secret from us-west-2)
    name: foo
    version: 1
    value: bar
    lastUpdated: Thu Feb 01 2024 14:56:42 GMT-0600 (Central Standard Time)
  5. aws ssm describe-parameters --query "Parameters[].Name" (retrieves parameters from us-east-1)
    [
    "/cdk-bootstrap/hnb659fds/version"
    ]
  6. aws ssm describe-parameters --query "Parameters[].Name" --region us-west-2
    [
    "/amplify/mmgen2/smitheit-sandbox-4d6faf4bcc/foo",
    "/cdk-bootstrap/hnb659fds/version"
    ]
  7. npx amplify sandbox tries to deploy in us-east-1 but fails with below error
    Received response status [FAILED] from custom resource. Message returned: Failed to retrieve backend secret 'foo' for 'mm-gen2'. Reason: {"cause":{"name":"ParameterNotFound","$fault":"client","$metadata":{"httpStatusCode":400,"requestId":"fa745e1e-b19a-4e4c-8f06-c43829be7b73","attempts":1,"totalRetryDelay":0},"__type":"ParameterNotFound","message":"UnknownError"},"httpStatusCode":400,"name":"SecretError"} Logs: /aws/lambda/amplify-mmgen2-smitheit-s-SecretFetcherResourcePro-XbjeyifsPDff at handleCreateUpdateEvent (/var/task/index.js:5810:13) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async Runtime.handler (/var/task/index.js:5770:17) (RequestId: 8a41af80-8754-48e2-b021-935cf846a207)
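
A pre-flight check for the condition in the replication steps above, as an added example that is not part of the original report or of amplify-backend: it flags when `AWS_DEFAULT_REGION` and the profile's configured `region` disagree, which is the setup in which the secret and the sandbox deployment landed in different regions. The function names and the sample config are constructed for illustration; the commented real-world call assumes the default config path `~/.aws/config` and the `default` profile.

```shell
#!/bin/sh
# Added example, not amplify-backend code. Names and sample data are constructed.

# Print the "region" of one profile from an AWS config file.
# Accepts both "[default]" and "[profile name]" section headers.
profile_region() {  # $1 = config file, $2 = profile name
  [ -r "$1" ] || return 0
  awk -v want="$2" '
    /^[ \t]*\[/ {
      sec = $0
      sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
      sub(/^profile[ \t]+/, "", sec)
      next
    }
    sec == want && /^[ \t]*region[ \t]*=/ {
      val = $0
      sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]*$/, "", val)
      print val; exit
    }' "$1"
}

# Return 1 when both sources are set and disagree, 0 otherwise.
check_region_consistency() {  # $1 = config file, $2 = profile, $3 = env region
  cfg_region=$(profile_region "$1" "$2")
  if [ -z "$3" ] || [ -z "$cfg_region" ]; then
    echo "ok: at most one region source set (env='$3' profile='$cfg_region')"
    return 0
  fi
  if [ "$3" != "$cfg_region" ]; then
    echo "MISMATCH: AWS_DEFAULT_REGION=$3, profile '$2' region=$cfg_region"
    return 1
  fi
  echo "ok: both sources give $cfg_region"
}

# Constructed sample mirroring the replication steps (plus a second profile).
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
printf '%s\n' '[default]' 'region = us-west-2' 'output = json' '' \
  '[profile east]' 'region = us-east-1' > "$sample_cfg"
check_region_consistency "$sample_cfg" default us-east-1 || true

# Against a real environment (assumed default paths):
# check_region_consistency "${AWS_CONFIG_FILE:-$HOME/.aws/config}" \
#   "${AWS_PROFILE:-default}" "${AWS_DEFAULT_REGION:-}"
```

After a mismatch is reported, the `aws ssm describe-parameters` comparison from steps 5 and 6 shows which region actually holds the secret.
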

edwardfoyle commented 9 months ago

Thanks for reporting this. I believe this is the same as (or very similar to) https://github.com/aws-amplify/amplify-backend/issues/965

edwardfoyle commented 9 months ago

I left a comment on that other issue to also note that we need to use the same env var resolution for amplify sandbox secret commands. Closing this issue in favor of that one.