Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #34876

reedloden · 2023-11-22T08:19:43Z

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.

changelog: Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling

github-actions · 2023-11-22T08:20:19Z

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

rosstimothy

Could you please add some tests that validate the behavior change?

GavinFrazar · 2023-11-22T17:23:27Z

LGTM but I didn't test it.

I think the same issue can happen with AWS Application Auto Scaling though, since it also does not have fips endpoints in non-gov cloud.

We use that here:

teleport/lib/backend/dynamo/dynamodbbk.go

Lines 348 to 360 in 8aee840

    
           // Enable auto scaling if requested. 
        
           if b.Config.EnableAutoScaling { 
        
           	if err := SetAutoScaling(ctx, applicationautoscaling.New(b.session), GetTableID(b.TableName), AutoScalingParams{ 
        
           		ReadMinCapacity:  b.Config.ReadMinCapacity, 
        
           		ReadMaxCapacity:  b.Config.ReadMaxCapacity, 
        
           		ReadTargetValue:  b.Config.ReadTargetValue, 
        
           		WriteMinCapacity: b.Config.WriteMinCapacity, 
        
           		WriteMaxCapacity: b.Config.WriteMaxCapacity, 
        
           		WriteTargetValue: b.Config.WriteTargetValue, 
        
           	}); err != nil { 
        
           		return nil, trace.Wrap(err) 
        
           	} 
        
           }

If you've already tested this could you try setting auto_scaling: true in your teleport.storage dynamodb config?

reedloden · 2023-11-25T07:27:21Z

Could you please add some tests that validate the behavior change?

I flipped the logic so that we only force FIPS endpoints for the services we know support it (mainly DynamoDB in this case). This obliviated the need for extra complexity, so I don't think a separate test is needed.

reedloden · 2023-11-25T07:29:14Z

I think the same issue can happen with AWS Application Auto Scaling though, since it also does not have fips endpoints in non-gov cloud.

Good catch. As mentioned above, I flipped the logic so that we're only forcing FIPS endpoints for DynamoDB in this case (and not DynamoDB Streams or Application Auto Scaling). So, that should address this issue.

rosstimothy

Tests would still be useful to verify that we are using the correct endpoints to prevent regressions.

lib/backend/dynamo/dynamodbbk.go

…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.

public-teleport-github-review-bot · 2023-11-29T21:45:37Z

@reedloden See the table below for backport results.

Branch	Result
branch/v14	Create PR

…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.

reedloden added aws Used for AWS Related Issues. backport-required backport/branch/v14 labels Nov 22, 2023

reedloden requested a review from rosstimothy November 22, 2023 08:19

reedloden self-assigned this Nov 22, 2023

reedloden requested review from nklaassen and GavinFrazar November 22, 2023 08:20

github-actions bot requested review from klizhentas and zmb3 November 22, 2023 08:20

github-actions bot added the size/sm label Nov 22, 2023

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch 2 times, most recently from 65fd404 to 8aee840 Compare November 22, 2023 08:49

rosstimothy reviewed Nov 22, 2023

View reviewed changes

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch from 8aee840 to 4a50d18 Compare November 25, 2023 07:24

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch 5 times, most recently from 94050d1 to e453ffa Compare November 25, 2023 07:50

reedloden requested a review from rosstimothy November 25, 2023 07:56

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch 2 times, most recently from 738777a to 642665f Compare November 25, 2023 08:38

reedloden changed the title ~~Don't force the use of FIPS endpoints for DynamoDB Streams in AWS Standard regions~~ Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling Nov 25, 2023

rosstimothy reviewed Nov 27, 2023

View reviewed changes

lib/backend/dynamo/dynamodbbk.go Outdated Show resolved Hide resolved

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch from 642665f to 970bca8 Compare November 27, 2023 22:14

rosstimothy approved these changes Nov 29, 2023

View reviewed changes

AntonAM approved these changes Nov 29, 2023

View reviewed changes

public-teleport-github-review-bot bot removed request for klizhentas, zmb3, nklaassen and GavinFrazar November 29, 2023 20:58

reedloden force-pushed the reed/dynamodbstreams-fips-endpoint branch from 970bca8 to 4a1017b Compare November 29, 2023 21:00

reedloden enabled auto-merge November 29, 2023 21:01

reedloden added this pull request to the merge queue Nov 29, 2023

Merged via the queue into master with commit 6cd68f0 Nov 29, 2023
35 checks passed

reedloden deleted the reed/dynamodbstreams-fips-endpoint branch November 29, 2023 21:44

reedloden mentioned this pull request Nov 29, 2023

[v14] Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #35163

Closed

reedloden mentioned this pull request Nov 29, 2023

[v13] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints #35164

Closed

reedloden mentioned this pull request Nov 29, 2023

[v12] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints #35165

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #34876

Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #34876

reedloden commented Nov 22, 2023 •

edited

github-actions bot commented Nov 22, 2023

rosstimothy left a comment

GavinFrazar commented Nov 22, 2023

reedloden commented Nov 25, 2023

reedloden commented Nov 25, 2023

rosstimothy left a comment

public-teleport-github-review-bot bot commented Nov 29, 2023

Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #34876

Don't force the use of FIPS endpoints for DynamoDB Streams and Application Auto Scaling #34876

Conversation

reedloden commented Nov 22, 2023 • edited

github-actions bot commented Nov 22, 2023

rosstimothy left a comment

Choose a reason for hiding this comment

GavinFrazar commented Nov 22, 2023

reedloden commented Nov 25, 2023

reedloden commented Nov 25, 2023

rosstimothy left a comment

Choose a reason for hiding this comment

public-teleport-github-review-bot bot commented Nov 29, 2023

reedloden commented Nov 22, 2023 •

edited