-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Health uses invalid endpoints when region is set #8745
Comments
Hi @bryanhiestand, thanks for reaching out. This behavior makes sense; AWS Health only has two endpoints as you mentioned, and you should make requests to those endpoints. What behavior were you anticipating in the event of a request being sent to an endpoint that isn't supported? |
Hi @RyanFitzSimmonsAK, thank you for taking a look! I agree that it's a bit silly to expect Since Health appears to be a global service, I would actually expect to not have to specify a region, similar to the way IAM works. So I would expect to be able to have the This isn't quite what I am trying to do, but perhaps this untested script will illustrate what I am getting at. If one wanted to see if any of their instances tagged environment=production had health events, they might try a script like this, running it with the AWS_REGION environment variable for each of their regions: # List EC2 instances tagged with "environment=production"
INSTANCE_IDS=$(aws ec2 describe-instances --filter "Name=tag:environment,Values=production" --query 'Reservations[*].Instances[*].[InstanceId]' --output json | jq -r '.[][]')
# Get all upcoming AWS health events
EVENTS=$(aws health describe-events --filter eventStatusCodes=upcoming,eventTypeCodes=AWS_EC2_INSTANCE_MAINTENANCE_SCHEDULED --query 'events[*].arn' --output json | jq -r '.[]')
for event in $EVENTS
do
# Get details for each event
EVENT_DETAILS=$(aws health describe-event-details --filter eventArns=$event --query 'successfulSet[*].eventDescription.latestDescription' --output text)
for id in $INSTANCE_IDS
do
# Check if the event details contain the instance ID
if echo "$EVENT_DETAILS" | grep -q "$id"; then
echo "Scheduled events for instance $id: $EVENT_DETAILS"
fi
done
done However, the above will only work in us-east-1 or us-east-2. For any other region, we must override the region only when calling health. This seems like either a burdensome design or a bug: export AWS_REGION=us-west-2
# List EC2 instances tagged with "environment=production"
INSTANCE_IDS=$(aws ec2 describe-instances --filter "Name=tag:environment,Values=production" --query 'Reservations[*].Instances[*].[InstanceId]' --output json | jq -r '.[][]')
# some more regional commands
# Health is only available in us-east-1
aws health describe-event-details --region us-east-1 ... With IAM, this would not be required: export AWS_REGION='us-west-2'
# Get all IAM instance profiles
ALL_ROLES=$(aws iam list-instance-profiles --query 'InstanceProfiles[*].Roles[*].RoleName' --output json | jq -r '.[][]')
# Get roles used by EC2 instances in the specified region
USED_ROLES=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].IamInstanceProfile.Arn' --output json | jq -r '.[][]' | awk -F '/' '{print $2}') I hope this helps clarify. Thanks again for looking. |
Describe the bug
When the region is set through either
AWS_REGION
orAWS_DEFAULT_REGION
environment variables or with the--region
argument passed toaws health
, the CLI attempts to use an endpoint in that region. This fails because AWS Health only offers endpoints in us-east-1 and us-east-2.Expected Behavior
health
should only use valid endpointsCurrent Behavior
Having the
AWS_REGION
environment variable set to anything other than us-east-1 or us-east-2 results in an error. Examples:invalid region
valid region lacking Health endpoints
Passing
--region
for anything other than us-east-1 or us-east-2 results in an errorHaving
AWS_DEFAULT_REGION
set to anything other than us-east-1 or us-east-2 results in an errorReproduction Steps
Install a current version of aws-cli, set
us-west-2
as either theAWS_REGION
orAWS_DEFAULT_REGION
environment variable or with--region
, andYou should see
We reproduced on
This behavior appears to have been introduced between 2.9.21 and 2.16.7, as the following version works as expected
Possible Solution
It looks like AWS only has multi-region support for active-passive failover. If so, would it make sense to only use
global.health.amazonaws.com
?Otherwise, this could be part of improved region validation, or aws-cli could only use the two valid regions
Additional Information/Context
This may be a regression of #4183 and may be related to #2266
I am wondering if this bug might have been introduced when boto added regional support for health
CLI version used
2.16.7
Environment details (OS name and version, etc.)
Darwin/23.4.0 source/arm64 and Linux/6.2.0-1018-aws
Edit: fixed some typos/bad grammar, meaning unchanged
The text was updated successfully, but these errors were encountered: