Closed tmccombs closed 3 weeks ago
If I add

```hcl
endpoints {
  ram = "https://ram.us-gov-west-1.amazonaws.com"
}
```

to the provider definition, then it works.
The route53resolver endpoint is also incorrect. Terraform is trying to use "https://route53resolver-fips.us-gov-west-1.amazonaws.com/" instead of https://route53resolver.us-gov-west-1.amazonaws.com. (That endpoint may not actually support FIPS though...)
Also, kinesis should be "https://kinesis.us-gov-west-1.amazonaws.com" instead of kinesis-fips.us-gov-west-1.amazonaws.com.
Same with cloudfront:

```
│ caused by: Get "https://cloudfront-fips.us-east-1.amazonaws.com/2020-05-31/response-headers-policy/fb6bbcb5-d38d-4a16-a859-62644c6d0839": dial tcp: lookup cloudfront-fips.us-east-1.amazonaws.com on 10.124.124.1:53: no such host
```
Also for the following services, with what it should be in us-gov-west-1 in parentheses:
The tagging endpoint is also broken when `use_fips_endpoint = true`; additionally, the tagging endpoint is not customizable in `provider "aws" { endpoints {} }`. It is used by aws_resourcegroupstaggingapi_resources, e.g.:

```hcl
data "aws_resourcegroupstaggingapi_resources" "this" {
  resource_type_filters = ["route53:hostedzone"]
}
```
WAF endpoint is also broken in us-gov-west-1; should be https://waf-regional-fips.us-gov-west-1.amazonaws.com.
Add servicequotas to the list. The only correct ones are servicequotas.us-gov-east-1.amazonaws.com and servicequotas.us-gov-west-1.amazonaws.com, but it tries to connect to servicequotas-fips.us-east-1.amazonaws.com.
Is there an update on when this may get worked on? I have a scenario where there are multiple environments; some need FIPS and some don't, so I am trying to set AWS_USE_FIPS_ENDPOINT=true for the environments that do require FIPS, and the plans blow up with the environment variable and not without it.
It would be nice to possibly make a list of all the services that are messed up, so that maybe it could be turned on for some of those Terraform environment runs.
I'm curious if this is an issue with Terraform, or actually an underlying issue with the AWS SDK. The option use_fips_endpoint is really a feature of the AWS SDK... See: https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html. Has anyone tested the problem outside of Terraform, maybe just using the aws-cli?
The cli uses the python sdk, but it is not an issue there.
It's possible that upgrading to v2 of the Go AWS SDK would fix this problem.
Hello all, Go SDK maintainer here.
We are still waiting on the SSO and Redshift service teams to fix their FIPS endpoint configurations. AFAIK the rest of the services are all fixed. If you are still seeing this as an issue, you need to update your SDK version.
If anyone here is blocked from onboarding to FIPS, please consider using the AWS console to file an additional support ticket and reference the existing internal tickets (SSO: P80341048, Redshift: P80336641). The more people escalate this, the faster it would get resolved.
Apologies for the inconvenience. P.S. I don't monitor correspondence that isn't on AWS repos, so I will likely not see future comments on this thread.
All the best, Ran~
On a related note, it would be helpful if you could specify use_fips_endpoint per service, instead of having it only at the global level.
Is this now broken in 5.x with custom endpoints? After an upgrade I now get an error `Invalid Configuration: FIPS and custom endpoint are not supported`. I see PR https://github.com/hashicorp/terraform-provider-aws/pull/34233 but not sure when this broke. Does anyone know the last version to work?
Indeed it is broken.
> On a related note, it would be helpful if you could specify use_fips_endpoint per service, instead of having it only at the global level.

With the behaviour of AWS SDK for Go v2, it does seem that this would be a better design, for both the provider and the AWS SDKs.
@tmccombs, @andyshinn custom endpoints can be used along with use_fips_endpoint as of v5.53.0 thanks to #34233.
It doesn't resolve the similar issue with use_dualstack_endpoint and several deeper issues around FIPS endpoints, such as #33952.
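The workaround this thread converges on (a global `use_fips_endpoint` plus per-service `endpoints` overrides for the services whose FIPS hostnames resolve to nothing) collected into one provider block. This is an added example, not configuration from the issue or from the provider's documentation; it assumes provider v5.53.0 or later, where FIPS and custom endpoints may be combined, and that `ram`, `route53resolver`, `kinesis`, `servicequotas` and `wafregional` are the provider's endpoint keys for those services. The hostnames are the us-gov-west-1 ones quoted by commenters above; the tagging API used by aws_resourcegroupstaggingapi_resources has no override key, so it cannot be fixed this way.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Assumption: first release where use_fips_endpoint and a custom
      # endpoints block are accepted together (see #34233 above).
      version = ">= 5.53.0"
    }
  }
}

provider "aws" {
  region            = "us-gov-west-1"
  use_fips_endpoint = true # same effect as AWS_USE_FIPS_ENDPOINT=true

  # Per-service overrides for the hostnames the commenters report the
  # provider getting wrong under use_fips_endpoint. Each value is the
  # hostname they say actually exists in us-gov-west-1; services not
  # listed here keep the SDK's default FIPS resolution.
  endpoints {
    ram             = "https://ram.us-gov-west-1.amazonaws.com"
    route53resolver = "https://route53resolver.us-gov-west-1.amazonaws.com"
    kinesis         = "https://kinesis.us-gov-west-1.amazonaws.com"
    servicequotas   = "https://servicequotas.us-gov-west-1.amazonaws.com"
    wafregional     = "https://waf-regional-fips.us-gov-west-1.amazonaws.com"
  }
}
```

Remove an override once the corresponding SDK fix lands so the service goes back to the SDK-resolved FIPS endpoint; an override that silently points at a non-FIPS host defeats the purpose of the global flag.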
[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.
Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.
This functionality has been released in v5.55.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Relevant portion:
Expected Behavior
The resource share is created.
Actual Behavior
The following error:
Notice that the URL used is ram-fips.us-gov-west-1.amazonaws.com, but it should be ram.us-gov-west-1.amazonaws.com. See https://aws.amazon.com/compliance/fips/.
Steps to Reproduce

```shell
terraform apply
```