[Integration][AWS] Handle region policy for global resources (#1188)

port-labs · Nov 29, 2024 · 782b822 · 782b822
1 parent 6aee581
commit 782b822
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 30 deletions.
diff --git a/integrations/aws/CHANGELOG.md b/integrations/aws/CHANGELOG.md
@@ -7,13 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- towncrier release notes start -->
 
+## 0.2.64 (2024-11-27)
+
+
+### Bug Fixes
+
+- Fixed an issue where the region policy was not properly handled for global resources. Now, when a region policy is specified, it strictly adheres to the allowed regions only.
+
+
 ## 0.2.63 (2024-11-25)
 
 
 ### Bug Fixes
 
 - Do not break delete entities when a region is not accessible
 
+
 ## 0.2.62 (2024-11-25)
 
 

diff --git a/integrations/aws/aws/aws_credentials.py b/integrations/aws/aws/aws_credentials.py
@@ -1,4 +1,4 @@
-from typing import AsyncIterator, Optional
+from typing import AsyncIterator, Optional, Iterable
 import aioboto3
 
 
@@ -49,7 +49,8 @@ async def create_session(self, region: Optional[str] = None) -> aioboto3.Session
             )
 
     async def create_session_for_each_region(
-        self,
+        self, allowed_regions: Optional[Iterable[str]] = None
     ) -> AsyncIterator[aioboto3.Session]:
-        for region in self.enabled_regions:
+        regions = allowed_regions or self.enabled_regions
+        for region in regions:
             yield await self.create_session(region)
diff --git a/integrations/aws/main.py b/integrations/aws/main.py
@@ -20,7 +20,6 @@
 from utils.aws import (
     describe_accessible_accounts,
     get_accounts,
-    get_default_region_from_credentials,
     get_sessions,
     update_available_access_credentials,
     validate_request,
@@ -52,32 +51,21 @@ async def _handle_global_resource_resync(
     credentials: AwsCredentials,
     aws_resource_config: AWSResourceConfig,
 ) -> ASYNC_GENERATOR_RESYNC_TYPE:
-    denied_access_to_default_region = False
-    default_region = get_default_region_from_credentials(credentials)
-    default_session = await credentials.create_session(default_region)
-    try:
-        async for batch in resync_cloudcontrol(
-            kind, default_session, aws_resource_config
-        ):
-            yield batch
-    except Exception as e:
-        if is_access_denied_exception(e):
-            denied_access_to_default_region = True
-        else:
-            raise e
+    aws_resource_config = typing.cast(AWSResourceConfig, event.resource_config)
 
-    if denied_access_to_default_region:
-        logger.info(f"Trying to resync {kind} in all regions until success")
-        async for session in credentials.create_session_for_each_region():
-            try:
-                async for batch in resync_cloudcontrol(
-                    kind, session, aws_resource_config
-                ):
-                    yield batch
-                break
-            except Exception as e:
-                if not is_access_denied_exception(e):
-                    raise e
+    allowed_regions = filter(
+        aws_resource_config.selector.is_region_allowed, credentials.enabled_regions
+    )
+    async for session in credentials.create_session_for_each_region(allowed_regions):
+        try:
+            async for batch in resync_cloudcontrol(kind, session, aws_resource_config):
+                yield batch
+            return
+        except Exception as e:
+            if is_access_denied_exception(e):
+                continue
+            else:
+                raise e
 
 
 async def resync_resources_for_account(

diff --git a/integrations/aws/pyproject.toml b/integrations/aws/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "aws"
-version = "0.2.63"
+version = "0.2.64"
 description = "This integration will map all your resources in all the available accounts to your Port entities"
 authors = ["Shalev Avhar <[email protected]>", "Erik Zaadi <[email protected]>"]