provider: Adjust globalaccelerator, route53, and shield service client regions to only configure in appropriate partition #9010

Merged: 1 commit merged into master from b-route53-govcloud on Jun 19, 2019

Conversation

@bflad bflad commented Jun 17, 2019

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #8999
Reference: https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-route-53-launches-private-dns-and-health-checks-in-the-aws-govcloud-us-west-region/

Previously, the provider service client customizations would hardcode the following region configurations:

  • globalaccelerator: us-west-2
  • route53: us-east-1
  • shield: us-east-1

With the launch of private Route 53 Hosted Zones in AWS GovCloud (US), hardcoding the Route 53 service region to us-east-1 is no longer appropriate in all cases. Instead of fixing just Route 53, the provider initialization logic now uses the inferred AWS partition information to set each of these service clients to known regions in known partitions.

To also support the launch of Route 53 in AWS GovCloud (US), the provider initialization will configure the endpoint in that partition to the appropriate hostname (route53.us-gov.amazonaws.com), until the AWS Go SDK is updated to include that endpoint information.

Release note for CHANGELOG:

```
* provider: Properly configure Route 53 service client in AWS GovCloud (US)
```

Previous output from acceptance testing in AWS GovCloud (US):

```
--- FAIL: TestAccAwsGlobalAcceleratorAccelerator_basic (4.14s)
    testing.go:568: Step 0 error: errors during apply:

        Error: Error creating Global Accelerator accelerator: UnrecognizedClientException: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Single (17.10s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Multiple (17.12s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Updates (17.35s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSShieldProtection_ElasticIPAddress (1.53s)
    resource_aws_shield_protection_test.go:225: unexpected PreCheck error: UnrecognizedClientException: The security token included in the request is invalid.
```

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (2.45s)
--- PASS: TestAccAWSProvider_Endpoints (2.48s)

--- PASS: TestAccAwsGlobalAcceleratorAccelerator_basic (67.03s)

--- PASS: TestAccAWSRoute53Zone_VPC_Single (65.90s)
--- PASS: TestAccAWSRoute53Zone_VPC_Multiple (110.68s)
--- PASS: TestAccAWSRoute53Zone_VPC_Updates (195.53s)

--- PASS: TestAccAWSShieldProtection_ElasticIPAddress (13.39s)
```

Output from acceptance testing in AWS GovCloud (US) (handling now correct for partition):

```
--- FAIL: TestAccAwsGlobalAcceleratorAccelerator_basic (5.42s)
    testing.go:568: Step 0 error: errors during apply:

        Error: Error creating Global Accelerator accelerator: RequestError: send request failed
        caused by: Post https://globalaccelerator.us-gov-west-1.amazonaws.com/: dial tcp: lookup globalaccelerator.us-gov-west-1.amazonaws.com: no such host

--- PASS: TestAccAWSRoute53Zone_VPC_Single (62.37s)
--- PASS: TestAccAWSRoute53Zone_VPC_Multiple (93.66s)
--- PASS: TestAccAWSRoute53Zone_VPC_Updates (164.85s)

--- SKIP: TestAccAWSShieldProtection_ElasticIPAddress (1.48s)
    resource_aws_shield_protection_test.go:221: skipping acceptance testing: RequestError: send request failed
        caused by: Post https://shield.us-gov-west-1.amazonaws.com/: dial tcp: lookup shield.us-gov-west-1.amazonaws.com: no such host
```
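A worked illustration of the partition-aware selection the description above calls for, written in Go for this page. It is an added example, not the provider's own initialization code. It infers the partition from the configured region by prefix (the provider gets this from the AWS Go SDK's endpoint metadata instead; the prefix matching is an assumption), pins the three global service clients only for the partitions named above, and adds a boundary check that rejects the pre-fix configuration: a client pinned to us-east-1 while the credentials belong to aws-us-gov sends GovCloud-signed requests to a commercial-partition host, which rejects the unknown key with the "security token included in the request is invalid" error in the first test output. The default host pattern in EndpointHost and leaving globalaccelerator and shield on the configured region in GovCloud are assumptions read off the hostnames in the post-fix output, not taken from the provider source.

```go
package main

import (
	"fmt"
	"strings"
)

// Partition identifiers as the AWS Go SDK names them.
const (
	PartitionAWS      = "aws"
	PartitionAWSCN    = "aws-cn"
	PartitionAWSUSGov = "aws-us-gov"
)

// ServiceClientConfig is what a service client gets at provider initialisation:
// the region to sign for and an optional endpoint override (empty = SDK resolver).
type ServiceClientConfig struct {
	Region   string
	Endpoint string
}

// PartitionForRegion infers the partition from the configured region by prefix.
// Simplified stand-in (assumption): the provider takes this from SDK endpoint metadata.
func PartitionForRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return PartitionAWSUSGov
	case strings.HasPrefix(region, "cn-"):
		return PartitionAWSCN
	default:
		return PartitionAWS
	}
}

// LegacyHardcodedConfigs reproduces the pre-fix behaviour the PR describes: the
// three "global" services pinned to commercial regions regardless of partition.
func LegacyHardcodedConfigs() map[string]ServiceClientConfig {
	return map[string]ServiceClientConfig{
		"globalaccelerator": {Region: "us-west-2"},
		"route53":           {Region: "us-east-1"},
		"shield":            {Region: "us-east-1"},
	}
}

// GlobalServiceClientConfigs is the partition-aware replacement: clients start on
// the configured region and only known (partition, service) pairs are pinned. The
// route53.us-gov.amazonaws.com override is the PR's stop-gap until the SDK knows
// that endpoint. Unpinned GovCloud clients are an assumption from the test output.
func GlobalServiceClientConfigs(configuredRegion string) map[string]ServiceClientConfig {
	cfgs := map[string]ServiceClientConfig{
		"globalaccelerator": {Region: configuredRegion},
		"route53":           {Region: configuredRegion},
		"shield":            {Region: configuredRegion},
	}
	switch PartitionForRegion(configuredRegion) {
	case PartitionAWS:
		cfgs["globalaccelerator"] = ServiceClientConfig{Region: "us-west-2"}
		cfgs["route53"] = ServiceClientConfig{Region: "us-east-1"}
		cfgs["shield"] = ServiceClientConfig{Region: "us-east-1"}
	case PartitionAWSUSGov:
		cfgs["route53"] = ServiceClientConfig{
			Region:   "us-gov-west-1",
			Endpoint: "https://route53.us-gov.amazonaws.com",
		}
	}
	return cfgs
}

// EndpointHost is the host the client would sign for and dial: the override if
// set, else <service>.<region>.amazonaws.com (assumption approximating the SDK
// resolver for the aws and aws-us-gov partitions; aws-cn uses a .com.cn suffix).
func EndpointHost(service string, cfg ServiceClientConfig) string {
	if cfg.Endpoint != "" {
		return strings.TrimPrefix(cfg.Endpoint, "https://")
	}
	return fmt.Sprintf("%s.%s.amazonaws.com", service, cfg.Region)
}

// CheckPartitionBoundary fails if any client would sign for a region outside the
// credentials' partition: keys from one partition are unknown in another.
func CheckPartitionBoundary(configuredRegion string, cfgs map[string]ServiceClientConfig) error {
	want := PartitionForRegion(configuredRegion)
	for svc, cfg := range cfgs {
		if got := PartitionForRegion(cfg.Region); got != want {
			return fmt.Errorf("%s client signs for %s (partition %s) with %s credentials", svc, cfg.Region, got, want)
		}
	}
	return nil
}

func main() {
	for _, region := range []string{"us-east-1", "us-gov-west-1"} {
		fmt.Printf("region %s: legacy=%v\n", region, CheckPartitionBoundary(region, LegacyHardcodedConfigs()))
		cfgs := GlobalServiceClientConfigs(region)
		fmt.Printf("region %s: fixed=%v\n", region, CheckPartitionBoundary(region, cfgs))
		for _, svc := range []string{"globalaccelerator", "route53", "shield"} {
			fmt.Printf("  %-18s %s\n", svc, EndpointHost(svc, cfgs[svc]))
		}
	}
}
```

Run it with `go run` and compare the printed hosts against the post-fix GovCloud output above: route53 goes to route53.us-gov.amazonaws.com, shield and globalaccelerator to us-gov-west-1 hosts. The boundary check is the kind of invariant worth asserting at provider start-up rather than discovering from an InvalidClientTokenId at apply time: a region pin is harmless only while it stays inside the partition the credentials came from.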

…t regions to only configure in appropriate partition

Reference: #8999
Reference: https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-route-53-launches-private-dns-and-health-checks-in-the-aws-govcloud-us-west-region/

Previously, the provider service client customizations would hardcode the following region configurations:

* globalaccelerator: us-west-2
* route53: us-east-1
* shield: us-east-1

With the launch of private Route 53 Hosted Zones in AWS GovCloud (US), hardcoding the Route 53 service region to us-east-1 is no longer appropriate in all cases. The provider initialization logic now uses the inferred AWS partition information to set these clients to known regions in known partitions.

To also support the launch of Route 53 in AWS GovCloud (US), the provider initialization will configure the endpoint in that partition to the appropriate hostname, until the AWS Go SDK is updated to include that endpoint information.

Previous output from acceptance testing in AWS GovCloud (US):

```
--- FAIL: TestAccAwsGlobalAcceleratorAccelerator_basic (4.14s)
    testing.go:568: Step 0 error: errors during apply:

        Error: Error creating Global Accelerator accelerator: UnrecognizedClientException: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Single (17.10s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Multiple (17.12s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSRoute53Zone_VPC_Updates (17.35s)
    testing.go:568: Step 0 error: errors during apply:

        Error: error creating Route53 Hosted Zone: InvalidClientTokenId: The security token included in the request is invalid.

--- FAIL: TestAccAWSShieldProtection_ElasticIPAddress (1.53s)
    resource_aws_shield_protection_test.go:225: unexpected PreCheck error: UnrecognizedClientException: The security token included in the request is invalid.
```

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAwsGlobalAcceleratorAccelerator_basic (67.03s)

--- PASS: TestAccAWSRoute53Zone_VPC_Single (65.90s)
--- PASS: TestAccAWSRoute53Zone_VPC_Multiple (110.68s)
--- PASS: TestAccAWSRoute53Zone_VPC_Updates (195.53s)

--- PASS: TestAccAWSShieldProtection_ElasticIPAddress (13.39s)
```

Output from acceptance testing in AWS GovCloud (US) (handling now correct for partition):

```
--- FAIL: TestAccAwsGlobalAcceleratorAccelerator_basic (5.42s)
    testing.go:568: Step 0 error: errors during apply:

        Error: Error creating Global Accelerator accelerator: RequestError: send request failed
        caused by: Post https://globalaccelerator.us-gov-west-1.amazonaws.com/: dial tcp: lookup globalaccelerator.us-gov-west-1.amazonaws.com: no such host

--- PASS: TestAccAWSRoute53Zone_VPC_Single (62.37s)
--- PASS: TestAccAWSRoute53Zone_VPC_Multiple (93.66s)
--- PASS: TestAccAWSRoute53Zone_VPC_Updates (164.85s)

--- SKIP: TestAccAWSShieldProtection_ElasticIPAddress (1.48s)
    resource_aws_shield_protection_test.go:221: skipping acceptance testing: RequestError: send request failed
        caused by: Post https://shield.us-gov-west-1.amazonaws.com/: dial tcp: lookup shield.us-gov-west-1.amazonaws.com: no such host
```
@bflad bflad added labels bug, service/route53, service/shield, partition/aws-us-gov, service/globalaccelerator Jun 17, 2019
@bflad bflad requested a review from a team June 17, 2019 02:44
@ghost ghost added labels size/S, provider Jun 17, 2019
@ericfrederich

Perfect timing! 🥂

I ran into this problem last week. I was unable to create a hosted zone in us-gov-east-1.
After setting log level to trace and grepping for "Host: " I noticed it was going after route53.amazonaws.com instead of route53.us-gov.amazonaws.com

I compiled the provider at this commit and it worked for me. Thanks!
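The trace-and-grep step described in the comment above, as an added Go example that is not part of the original thread or of the provider: it pulls the Host header of every outgoing request out of a TF_LOG=TRACE log and flags the hosts that lie outside the partition the credentials belong to. The log excerpt is constructed in the shape of the provider's request dump, and the host-to-partition classification relies only on the DNS conventions visible on this page (route53.us-gov.amazonaws.com, <service>.us-gov-west-1.amazonaws.com, and the .amazonaws.com.cn suffix for aws-cn).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed excerpt in the shape of a TF_LOG=TRACE run (not a real log): the
// provider echoes each outgoing request, and the Host header is the line that
// tells you which partition the request is really going to.
const sampleTraceLog = `2019-06-10T10:00:00.000Z [DEBUG] plugin.terraform-provider-aws: ---[ REQUEST POST-SIGN ]-----------------------------
2019-06-10T10:00:00.000Z [DEBUG] plugin.terraform-provider-aws: POST /2013-04-01/hostedzone HTTP/1.1
2019-06-10T10:00:00.000Z [DEBUG] plugin.terraform-provider-aws: Host: route53.amazonaws.com
2019-06-10T10:00:00.000Z [DEBUG] plugin.terraform-provider-aws: X-Amz-Date: 20190610T100000Z
2019-06-10T10:00:01.000Z [DEBUG] plugin.terraform-provider-aws: Host: ec2.us-gov-east-1.amazonaws.com
2019-06-10T10:00:02.000Z [DEBUG] plugin.terraform-provider-aws: Host: route53.us-gov.amazonaws.com
`

// hostHeader matches the "Host: <name>" line of each dumped request.
var hostHeader = regexp.MustCompile(`\bHost: ([A-Za-z0-9.-]+)`)

// HostsFromTraceLog extracts every Host header value in order of appearance,
// which is what grepping the trace log for "Host: " gives you.
func HostsFromTraceLog(log string) []string {
	var hosts []string
	for _, m := range hostHeader.FindAllStringSubmatch(log, -1) {
		hosts = append(hosts, m[1])
	}
	return hosts
}

// PartitionForHost classifies an AWS endpoint host by partition from its DNS
// name. Anything that is not an amazonaws.com host (a custom endpoint, a proxy)
// is reported as unknown so it gets looked at by hand rather than trusted.
func PartitionForHost(host string) string {
	host = strings.ToLower(host)
	switch {
	case strings.HasSuffix(host, ".amazonaws.com.cn"):
		return "aws-cn"
	case strings.HasSuffix(host, ".amazonaws.com") && strings.Contains(host, ".us-gov"):
		return "aws-us-gov"
	case strings.HasSuffix(host, ".amazonaws.com"):
		return "aws"
	default:
		return "unknown"
	}
}

// CrossPartitionHosts returns the hosts in the log that live outside the
// partition the credentials belong to. Each hit is a request signed with your
// keys and sent where they are not valid: at best an invalid-token error, and
// in any case a request that should never have left the partition.
func CrossPartitionHosts(log, credentialPartition string) []string {
	var bad []string
	for _, h := range HostsFromTraceLog(log) {
		if PartitionForHost(h) != credentialPartition {
			bad = append(bad, h)
		}
	}
	return bad
}

func main() {
	fmt.Println("hosts contacted:   ", HostsFromTraceLog(sampleTraceLog))
	fmt.Println("outside aws-us-gov:", CrossPartitionHosts(sampleTraceLog, "aws-us-gov"))
}
```

On a real run, feed it the output of `TF_LOG=TRACE terraform plan` instead of the constructed excerpt; with the pre-fix provider and GovCloud credentials the route53.amazonaws.com host shows up exactly as the comment above describes.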

@nywilken nywilken left a comment

LGTM 👍 👍

@bflad bflad added this to the v2.16.0 milestone Jun 19, 2019
@bflad bflad merged commit 331db9a into master Jun 19, 2019
@bflad bflad deleted the b-route53-govcloud branch June 19, 2019 13:55
bflad added a commit that referenced this pull request Jun 19, 2019
@bflad bflad commented Jun 20, 2019

This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 3, 2019
Successfully merging this pull request may close these issues.

Creating Route53 Hosted zone fails with InvalidClientTokenId