Skip to content

Commit

Permalink
fix(region-info): SSM service principals are incorrect in opt-in regi…
Browse files Browse the repository at this point in the history
…ons (aws#22327)

The change in aws#17047 was based on an eager reading of the documentation. The documentation referenced only applies to "SSM Inventory", not to "SSM Automation".

And in fact there is no need for that change at all, since all accounts included in the regional service principal are also included in the global service principal.

We therefore revert all use of SSM service principals to the global one.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
rix0rrr authored Oct 4, 2022
1 parent 19c945e commit b7f0889
Show file tree
Hide file tree
Showing 5 changed files with 20 additions and 30 deletions.
12 changes: 6 additions & 6 deletions packages/@aws-cdk/aws-iam/test/principals.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -311,10 +311,10 @@ test('ServicePrincipalName returns just a string representing the principal', ()
// GIVEN
const usEastStack = new Stack(undefined, undefined, { env: { region: 'us-east-1' } });
const afSouthStack = new Stack(undefined, undefined, { env: { region: 'af-south-1' } });
const principalName = iam.ServicePrincipal.servicePrincipalName('ssm.amazonaws.com');
const principalName = iam.ServicePrincipal.servicePrincipalName('states.amazonaws.com');

expect(usEastStack.resolve(principalName)).toEqual('ssm.amazonaws.com');
expect(afSouthStack.resolve(principalName)).toEqual('ssm.af-south-1.amazonaws.com');
expect(usEastStack.resolve(principalName)).toEqual('states.us-east-1.amazonaws.com');
expect(afSouthStack.resolve(principalName)).toEqual('states.af-south-1.amazonaws.com');
});

test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => {
Expand All @@ -327,14 +327,14 @@ test('ServicePrincipal in agnostic stack generates lookup table', () => {

// WHEN
new iam.Role(stack, 'Role', {
assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
});

// THEN
const template = Template.fromStack(stack);
const mappings = template.findMappings('ServiceprincipalMap');
expect(mappings.ServiceprincipalMap['af-south-1']?.ssm).toEqual('ssm.af-south-1.amazonaws.com');
expect(mappings.ServiceprincipalMap['us-east-1']?.ssm).toEqual('ssm.amazonaws.com');
expect(mappings.ServiceprincipalMap['af-south-1']?.states).toEqual('states.af-south-1.amazonaws.com');
expect(mappings.ServiceprincipalMap['us-east-1']?.states).toEqual('states.us-east-1.amazonaws.com');
});

test('Can enable session tags', () => {
Expand Down
6 changes: 0 additions & 6 deletions packages/@aws-cdk/region-info/lib/aws-entities.ts
Original file line number Diff line number Diff line change
@@ -1,8 +1,3 @@
/**
* After this point, SSM only creates regional principals
*/
export const RULE_SSM_PRINCIPALS_ARE_REGIONAL = Symbol('SSM_PRINCIPALS_ARE_REGIONAL');

/**
* After this point, S3 website domains look like `s3-website.REGION.s3.amazonaws.com`
*
Expand Down Expand Up @@ -49,7 +44,6 @@ export const AWS_REGIONS_AND_RULES: readonly (string | symbol)[] = [
'ap-northeast-3', // Asia Pacific (Osaka)
'us-gov-east-1', // AWS GovCloud (US-East)
'eu-north-1', // Europe (Stockholm)
RULE_SSM_PRINCIPALS_ARE_REGIONAL,
'ap-east-1', // Asia Pacific (Hong Kong)
'me-south-1', // Middle East (Bahrain)
'eu-south-1', // Europe (Milan)
Expand Down
8 changes: 0 additions & 8 deletions packages/@aws-cdk/region-info/lib/default.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
import { before, RULE_SSM_PRINCIPALS_ARE_REGIONAL } from './aws-entities';

/**
* Provides default values for certain regional information points.
*/
Expand Down Expand Up @@ -81,12 +79,6 @@ export class Default {
}

switch (service) {
// SSM turned from global to regional at some point
case 'ssm':
return before(region, RULE_SSM_PRINCIPALS_ARE_REGIONAL)
? universal
: regional;

// CodeDeploy is regional+partitional in CN, only regional everywhere else
case 'codedeploy':
return region.startsWith('cn-')
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.af-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.af-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -63,7 +63,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.ap-east-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.ap-east-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -294,7 +294,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.ap-southeast-3.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.ap-southeast-3.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -492,7 +492,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.eu-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.eu-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -525,7 +525,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.eu-south-2.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.eu-south-2.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -657,7 +657,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.me-south-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.me-south-1.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "com.amazonaws.vpce",
Expand Down Expand Up @@ -888,7 +888,7 @@ Object {
"s3": "s3.amazonaws.com",
"sns": "sns.amazonaws.com",
"sqs": "sqs.amazonaws.com",
"ssm": "ssm.us-iso-west-1.amazonaws.com",
"ssm": "ssm.amazonaws.com",
"states": "states.amazonaws.com",
},
"vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce",
Expand Down
10 changes: 7 additions & 3 deletions packages/@aws-cdk/region-info/test/default.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ const urlSuffix = '.nowhere.null';

describe('servicePrincipal', () => {
for (const suffix of ['', '.amazonaws.com', '.amazonaws.com.cn']) {
for (const service of ['codedeploy', 'states', 'ssm']) {
for (const service of ['codedeploy', 'states']) {
test(`${service}${suffix}`, () => {
expect(Default.servicePrincipal(`${service}${suffix}`, region, urlSuffix)).toBe(`${service}.${region}.amazonaws.com`);
});
Expand Down Expand Up @@ -58,11 +58,15 @@ describe('servicePrincipal', () => {

describe('spot-check some service principals', () => {
test('ssm', () => {
// SSM has advertised in its documentation that it is regional after a certain point, but that
// documentation only applies to SSM Inventory, not SSM Automation. Plus, there is no need for
// a different service principal, as all accounts are (at least currently) included in the global
// one.
expectServicePrincipals('ssm.amazonaws.com', {
'us-east-1': 'ssm.amazonaws.com',
'eu-north-1': 'ssm.amazonaws.com',
'ap-east-1': 'ssm.ap-east-1.amazonaws.com',
'eu-south-1': 'ssm.eu-south-1.amazonaws.com',
'ap-east-1': 'ssm.amazonaws.com',
'eu-south-1': 'ssm.amazonaws.com',
});
});

Expand Down

0 comments on commit b7f0889

Please sign in to comment.