
feat: Replace dynamic DNS suffix resolution for trusted service endpoints with static *.amazonaws.com #125

Merged (6 commits), Oct 31, 2023

Conversation

Contributor

@hsalluri259 hsalluri259 commented Oct 27, 2023

Hard-coding it to amazonaws.com for identifiers. It is the same in AWS China as well. I have created the resource manually in AWS China to test it. I was not able to create it when I was using the value coming from the data source (data.aws_partition.current.dns_suffix), which is amazonaws.com.cn. It accepts only amazonaws.com: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html#procedure_check_execution_role

This change has been tested locally. It works for both AWS Commercial and AWS China.
Without this change, I get the error below in AWS China.
[Screenshot attached: Screen Shot 2023-10-24 at 3 48 29 PM]

@hsalluri259 hsalluri259 changed the title from "Update main.tf" to "Hard Coding identifier to support AWS China for aws_iam_policy_document" Oct 27, 2023
@hsalluri259 hsalluri259 changed the title from "Hard Coding identifier to support AWS China for aws_iam_policy_document" to "Fix identifier to support AWS China for aws_iam_policy_document" Oct 27, 2023
@hsalluri259 hsalluri259 changed the title from "Fix identifier to support AWS China for aws_iam_policy_document" to "fix: Hard coding identifier to support AWS China for aws_iam_policy_document" Oct 27, 2023
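For reference, the pattern this PR describes, written out as an added example rather than the module's own code: the trust policy that fails in AWS China because it builds the service principal from `data.aws_partition.current.dns_suffix`, beside the working one that keeps the principal static on `amazonaws.com`. The role name and the CloudWatch Logs ARN are illustrative; the `aws_partition` data source is still the right tool for ARNs, where the partition really does differ between `aws` and `aws-cn`.

```hcl
# Added example, not code from the terraform-aws-modules project.
# Shows why IAM service principals stay on *.amazonaws.com in every partition.
data "aws_partition" "current" {}

# FAILS in AWS China: dns_suffix resolves to "amazonaws.com.cn" there, so the
# principal becomes "ecs-tasks.amazonaws.com.cn" and IAM rejects the trust
# policy ("Invalid principal in policy").
data "aws_iam_policy_document" "task_exec_assume_broken" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.${data.aws_partition.current.dns_suffix}"]
    }
  }
}

# WORKS in both AWS Commercial and AWS China: the ECS task execution role
# trust policy documented by AWS uses the static "ecs-tasks.amazonaws.com".
data "aws_iam_policy_document" "task_exec_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_exec" {
  name               = "example-ecs-task-exec" # illustrative name
  assume_role_policy = data.aws_iam_policy_document.task_exec_assume.json
}

# ARNs, unlike service principals, do carry the partition ("aws" vs "aws-cn"),
# so data.aws_partition.current.partition belongs here.
data "aws_iam_policy_document" "task_exec_permissions" {
  statement {
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # illustrative log group name
    resources = ["arn:${data.aws_partition.current.partition}:logs:*:*:log-group:/ecs/example:*"]
  }
}

resource "aws_iam_role_policy" "task_exec" {
  name   = "example-ecs-task-exec" # illustrative name
  role   = aws_iam_role.task_exec.id
  policy = data.aws_iam_policy_document.task_exec_permissions.json
}
```

The rule of thumb this encodes: use `dns_suffix` for hostnames (service endpoints), `partition` for ARNs, and a literal `*.amazonaws.com` for the `Service` principal of a trust policy.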
Member

@antonbabenko antonbabenko left a comment


Looks good. Could you please fix the broken CI and we can merge it?

@bryantbiggs bryantbiggs changed the title from "fix: Hard coding identifier to support AWS China for aws_iam_policy_document" to "feat: Replace dynamic DNS suffix resolution for trusted service endpoints with static *.amazonaws.com" Oct 30, 2023
@bryantbiggs
Member

I've asked internally whether all trusted endpoint identifiers should simply be *.amazonaws.com as well, but this appears to align with the docs and with other areas https://github.com/terraform-aws-modules/terraform-aws-eks/blob/51cc6bec880ac8dc361b60a4b05d5f2bcd98eb6a/main.tf#L256-L257 (which I will clean up in the upcoming v20.0 release - new service features coming 😬)

this should be all set @antonbabenko

@bryantbiggs
Member

@antonbabenko if you get a moment, thank you 🙏🏽 !

@antonbabenko antonbabenko merged commit f84dc7d into terraform-aws-modules:master Oct 31, 2023
12 checks passed
antonbabenko pushed a commit that referenced this pull request Oct 31, 2023
5.5.0 (v5.4.0...v5.5.0) (2023-10-31)

Features

* Replace dynamic DNS suffix resolution for trusted service endpoints with static `*.amazonaws.com` (#125) (f84dc7d)
@antonbabenko
Member

This PR is included in version 5.5.0 🎉

github-actions bot commented Dec 1, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 1, 2023
Successfully merging this pull request may close these issues.

Failed to update trust policy. Invalid principal in policy for aws china
3 participants