Closed lorengordon closed 2 years ago
Looking at the request in the debug, it appears that terraform is not passing the region at all, which is why it is defaulting to us-east-1:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts-fips.us-west-2.amazonaws.com
User-Agent: aws-sdk-go/1.40.35 (go1.16; linux; amd64)
Content-Length: 159
Authorization: ...
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20210907T182613Z
Accept-Encoding: gzip
Action=AssumeRole&DurationSeconds=900&RoleArn=arn%3Aaws%3Aiam%3A%3AACCOUNT_ID%3Arole%2FROLE_NAME&RoleSessionName=1631039173085100400&Version=2011-06-15
Proving the cli works when passing the region:
❯ aws sts assume-role --role-arn arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME --role-session-name SESSION_NAME --endpoint-url https://sts-fips.us-west-2.amazonaws.com --region us-west-2
{
"Credentials": {
"AccessKeyId": "...",
"SecretAccessKey": "...",
"SessionToken": "...",
"Expiration": "2021-09-07T19:34:46Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "...",
"Arn": "arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE_NAME/SESSION_NAME"
}
}
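The request dump above shows the symptom but not the mechanism: a SigV4 signature carries a credential scope (`<key>/<date>/<region>/<service>/aws4_request`), and a regional FIPS endpoint such as `sts-fips.us-west-2.amazonaws.com` only accepts signatures scoped to its own region. The following Go program is an added example, not code from this thread or from the provider; it parses an aws-sdk-go `REQUEST POST-SIGN` dump, pulls out the endpoint region from the `Host` header and the signing region from the `Authorization` credential scope, and reports a mismatch. The `Authorization` line in the sample dump is constructed (the original was redacted), with a placeholder access key id and an all-zero signature.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Regional STS hosts, FIPS or not: sts.us-west-2.amazonaws.com, sts-fips.us-west-2.amazonaws.com.
// The global host sts.amazonaws.com does not match and yields an empty region.
var stsHostRe = regexp.MustCompile(`^sts(?:-fips)?\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$`)

// SigV4 credential scope inside the Authorization header:
// Credential=<access key id>/<YYYYMMDD>/<region>/<service>/aws4_request
var credScopeRe = regexp.MustCompile(`Credential=[^/]+/\d{8}/([a-z0-9-]+)/([a-z0-9-]+)/aws4_request`)

// SignedRequest holds the parts of a "[ REQUEST POST-SIGN ]" dump needed to reason about region scoping.
type SignedRequest struct {
	Host        string // value of the Host header
	HostRegion  string // region parsed from the host, "" for a global endpoint
	ScopeRegion string // region the signature was computed for
	Service     string // service in the credential scope, e.g. "sts"
}

// ParseDebugRequest pulls the Host header and the SigV4 credential scope out of an
// aws-sdk-go request dump. A missing Host or Authorization header is reported as an error.
func ParseDebugRequest(dump string) (SignedRequest, error) {
	var r SignedRequest
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "Host:"):
			r.Host = strings.TrimSpace(strings.TrimPrefix(line, "Host:"))
			if m := stsHostRe.FindStringSubmatch(r.Host); m != nil {
				r.HostRegion = m[1]
			}
		case strings.HasPrefix(line, "Authorization:"):
			m := credScopeRe.FindStringSubmatch(line)
			if m == nil {
				return r, errors.New("authorization header carries no SigV4 credential scope")
			}
			r.ScopeRegion, r.Service = m[1], m[2]
		}
	}
	if r.Host == "" {
		return r, errors.New("no Host header in dump")
	}
	if r.ScopeRegion == "" {
		return r, errors.New("no Authorization header in dump")
	}
	return r, nil
}

// CheckRegionScope returns an error when the request targets a regional STS endpoint
// but was signed for a different region: the provider signing for us-east-1 while the
// FIPS endpoint lives in us-west-2 is exactly this case.
func CheckRegionScope(r SignedRequest) error {
	if r.HostRegion == "" {
		return nil // global endpoint: the scope region is whatever the signer chose
	}
	if r.HostRegion != r.ScopeRegion {
		return fmt.Errorf("endpoint %s is in %s but the signature is scoped to %s",
			r.Host, r.HostRegion, r.ScopeRegion)
	}
	return nil
}

// sampleDump is a constructed dump modelled on the one in the thread. The Authorization
// line is invented (the original was redacted) with a placeholder key id and signature.
const sampleDump = `---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts-fips.us-west-2.amazonaws.com
User-Agent: aws-sdk-go/1.40.35 (go1.16; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEYID/20210907/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=0000000000000000000000000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20210907T182613Z
`

func main() {
	r, err := ParseDebugRequest(sampleDump)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	if err := CheckRegionScope(r); err != nil {
		fmt.Println("MISMATCH:", err)
		return
	}
	fmt.Println("ok: signature region matches endpoint region")
}
```

Run against a real `TF_LOG=DEBUG` dump, the check separates "the endpoint was wrong" from "the endpoint was right but the signer used another region", which is the distinction the rest of the thread turns on.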
This is a bloody interesting problem. There are two distinct routes for getting creds and environment variables and creds based on environment variables. The testing harness uses its own whole process while the non-testing provider doesn't do a whole lot, letting AWS handle things like environment variables. I'm assuming you are not seeing this error in the testing harness so that eliminates one path.
I see this as two problems since it should work with either way. That neither seems to work is concerning.
1. `region` set, it absolutely should be passed along. That should override whatever else including the environment variable. There're a few places where "global" services have their regions coerced to their home regions. STS is not one of those. Route53 and Shield are global and have home regions of us-east-1.
2. `AWS_DEFAULT_REGION` is set since AWS will pick that up. (The testing cred path looks at envvars but normal does not.)
> I'm assuming you are not seeing this error in the testing harness so that eliminates one path.

Well, I'm not running the testing harness, so, no.... 😁
The good news, sort of, is that I can reproduce in the harness so.... hmmm...
Unfortunately, this cannot be resolved in the provider itself and requires fixes at https://github.com/hashicorp/aws-sdk-go-base. I'll leave this issue open to track the provider-side changes but the base and provider fixes will not be resolved until v4.0.
I saw the fips endpoint feature patches in aws-sdk-go-base... But v4!?! That stuff is held up on a major version change? What's the release date on that?
> What's the release date on that?

ASAP
This functionality has been released in v4.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform CLI and Terraform AWS Provider Version
Terraform Configuration Files
Debug Output
Expected Behavior
Expected Terraform to use the region from the provider config or the `AWS_DEFAULT_REGION` environment when performing the assume-role call.
Actual Behavior
Terraform used the `us-east-1` region, which failed because the FIPS endpoint is scoped to the region.
Steps to Reproduce
terraform plan