hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

common: use regional STS on non-default regions #479

Open lbajolet-hashicorp opened 2 months ago

lbajolet-hashicorp commented 2 months ago

STS is the service used by AWS for emitting authentication tokens for API clients.

This comes in two variants: v1 (global) and v2 (regional). As of today (2024-04-24), the default for the Go SDK is "legacy", i.e. if the connection is used to communicate with a non-default region it will use a regional endpoint, otherwise it'll use the global endpoint.

Builds are generally not affected by operations like these as the SDK will pick the right type of endpoint for that, but problems may arise later, when copying AMIs for example, as they will need tokens compatible with both the source and destination regions.

This means that if the build was performed in a default region, then copied to a non-default region, we'll have gotten a v1 (global) token, which will be rejected by the target region, causing the build to fail.

This is already fixable by user-action, through either a setting in their AWS config file, or through an environment variable, but this may come as a surprise if users aren't aware of that pitfall.

Therefore, this commit attempts to heuristically determine if an action may fail in the process, and enable regional endpoints for the EC2 session we create during a build.

Note: the volume builder and the post-processor are not affected by this, as they only work within one region at a time, so the SDK will choose the right type of endpoint/token for the action, and no cross-region action will be done.

Closes #469
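The trade-off described in the PR body (respect an explicit user setting, otherwise force regional STS only when a cross-region copy could hit an opt-in region) written out as an added example. This is illustrative code, not the plugin's own implementation: the set of opt-in regions, the function names and the decision rule are assumptions made here; the env variable and the "legacy"/"regional" values are the ones the AWS SDKs accept for sts_regional_endpoints.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// optInRegions is the set of AWS regions that are disabled by default and
// must be explicitly enabled per account. This list is an ASSUMPTION made for
// the example (as of the PR date, 2024-04); check it against AWS documentation
// before relying on it.
var optInRegions = map[string]bool{
	"af-south-1": true, "ap-east-1": true, "ap-south-2": true,
	"ap-southeast-3": true, "ap-southeast-4": true, "ca-west-1": true,
	"eu-central-2": true, "eu-south-1": true, "eu-south-2": true,
	"il-central-1": true, "me-central-1": true, "me-south-1": true,
}

// STSEndpointMode takes the values the AWS SDKs accept for the
// sts_regional_endpoints config key / AWS_STS_REGIONAL_ENDPOINTS variable.
type STSEndpointMode string

const (
	STSLegacy   STSEndpointMode = "legacy"   // global endpoint for default regions, v1 tokens
	STSRegional STSEndpointMode = "regional" // per-region endpoint, v2 tokens
)

// IsOptInRegion reports whether region is a non-default (opt-in) region.
func IsOptInRegion(region string) bool { return optInRegions[region] }

// TouchesOptInRegion reports whether a build in buildRegion whose AMI is then
// copied to copyRegions involves any opt-in region. The failing case the PR
// describes is a build in a default region (global token) followed by a copy
// into an opt-in region, which rejects that token; forcing the regional
// endpoint when the source itself is opt-in is redundant but harmless, so the
// check is deliberately conservative.
func TouchesOptInRegion(buildRegion string, copyRegions []string) bool {
	if IsOptInRegion(buildRegion) {
		return true
	}
	for _, r := range copyRegions {
		if IsOptInRegion(r) {
			return true
		}
	}
	return false
}

// ChooseSTSEndpointMode decides the mode to set on the EC2 session. An
// explicit user setting (the same AWS_STS_REGIONAL_ENDPOINTS variable the SDK
// honours) wins; otherwise the heuristic forces "regional" only when the
// build could hit an opt-in region. env is passed in rather than read from
// os so the decision is testable.
func ChooseSTSEndpointMode(env map[string]string, buildRegion string, copyRegions []string) STSEndpointMode {
	switch strings.ToLower(strings.TrimSpace(env["AWS_STS_REGIONAL_ENDPOINTS"])) {
	case "regional":
		return STSRegional
	case "legacy":
		return STSLegacy
	}
	if TouchesOptInRegion(buildRegion, copyRegions) {
		return STSRegional
	}
	return STSLegacy
}

func main() {
	env := map[string]string{"AWS_STS_REGIONAL_ENDPOINTS": os.Getenv("AWS_STS_REGIONAL_ENDPOINTS")}
	// Constructed sample build: default source region, one opt-in copy target.
	build, copies := "us-east-1", []string{"eu-west-1", "af-south-1"}
	mode := ChooseSTSEndpointMode(env, build, copies)
	// With aws-sdk-go v1 the chosen mode maps onto
	// aws.Config{STSRegionalEndpoint: endpoints.RegionalSTSEndpoint}
	// (or endpoints.LegacySTSEndpoint) when building the session.
	fmt.Printf("build=%s copies=%v -> sts endpoint mode %q\n", build, copies, mode)
}
```

Passing the environment in as a map keeps the user's explicit choice authoritative (the plugin should never silently override a deliberate "legacy"), while leaving the heuristic to cover the surprising default-to-opt-in copy the PR is about.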

lbajolet-hashicorp commented 2 months ago

Note: before merging this one, I'd like to make sure that it solves the issue at hand, and that we don't accidentally break something (unlikely tbh, but I cannot be sure).

@williamb1024 may I ask you to test this version of the plugin before we can merge/release it? I believe this should fix the issue, but I couldn't test it for now since I don't have access to non-default regions (I'll have to see with whoever manages the AWS account for access, then will add an acceptance test later on).

williamb1024 commented 2 months ago

I believe you meant @william00179

lbajolet-hashicorp commented 2 months ago

Oh. My bad @williamb1024, wrong William indeed, sorry about the unwarranted ping.