
fix(codedeploy): the Service Principal is wrong in isolated regions (#…
…19729)

Turns out, the Service Principal for CodeDeploy in the isolated regions is not regional like in all other regions,
but rather universal (`codedeploy.amazonaws.com`).

Fixes #19399

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
skinny85 authored Apr 2, 2022
1 parent 7c752e0 commit 7e9a43d
Showing 6 changed files with 38 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,6 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
});
});


test('can be created with explicit name', () => {
const stack = new cdk.Stack();
const application = new codedeploy.LambdaApplication(stack, 'MyApp');
Expand Down Expand Up @@ -589,6 +588,32 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
},
});
});

test('uses the correct Service Principal in the us-isob-east-1 region', () => {
const app = new cdk.App();
const stack = new cdk.Stack(app, 'CodeDeployLambdaStack', {
env: { region: 'us-isob-east-1' },
});
const alias = mockAlias(stack);
new codedeploy.LambdaDeploymentGroup(stack, 'MyDG', {
alias,
});

Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
AssumeRolePolicyDocument: {
Statement: [
{
Action: 'sts:AssumeRole',
Effect: 'Allow',
Principal: {
Service: 'codedeploy.amazonaws.com',
},
},
],
Version: '2012-10-17',
},
});
});
});

describe('imported with fromLambdaDeploymentGroupAttributes', () => {
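Review bot: The new test pins the universal principal only for `us-isob-east-1`, while the fix in `default.ts` keys on the `us-iso` prefix and the snapshot also changes for `us-iso-east-1` and `us-iso-west-1`, so the other isolated partition is covered only by the generated snapshot and not by a behavioral test. Parameterizing the case keeps both partitions under the same assertion: `test.each(['us-iso-east-1', 'us-isob-east-1'])('uses the correct Service Principal in the %s region', (region) => {` with `env: { region },` in the Stack props. The enclosing `describe('CodeDeploy Lambda DeploymentGroup')` block starts outside the hunk.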
10 changes: 2 additions & 8 deletions packages/@aws-cdk/aws-iam/lib/principals.ts
Original file line number Diff line number Diff line change
Expand Up @@ -767,14 +767,8 @@ class ServicePrincipalToken implements cdk.IResolvable {
public resolve(ctx: cdk.IResolveContext) {
if (this.opts.region) {
// Special case, handle it separately to not break legacy behavior.
return (
RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
Default.servicePrincipal(
this.service,
this.opts.region,
cdk.Aws.URL_SUFFIX,
)
);
return RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
Default.servicePrincipal(this.service, this.opts.region, cdk.Aws.URL_SUFFIX);
}

const stack = cdk.Stack.of(ctx.scope);
11 changes: 0 additions & 11 deletions packages/@aws-cdk/region-info/lib/aws-entities.ts
Original file line number Diff line number Diff line change
Expand Up @@ -133,14 +133,3 @@ export function partitionInformation(region: string): Region {
}
return PARTITION_MAP.default;
}

/**
* Build a lookup map for all regions
*/
export function generateRegionMap(cb: (region: string) => string): Record<string, string> {
const ret: Record<string, string> = {};
for (const region of AWS_REGIONS) {
ret[region] = cb(region);
}
return ret;
}
11 changes: 6 additions & 5 deletions packages/@aws-cdk/region-info/lib/default.ts
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,10 @@ export class Default {
}

function determineConfiguration(service: string): (service: string, region: string, urlSuffix: string) => string {
function universal(s: string) { return `${s}.amazonaws.com`; };
function partitional(s: string, _: string, u: string) { return `${s}.${u}`; };
function regional(s: string, r: string) { return `${s}.${r}.amazonaws.com`; };
function regionalPartitional(s: string, r: string, u: string) { return `${s}.${r}.${u}`; };
function universal(s: string) { return `${s}.amazonaws.com`; }
function partitional(s: string, _: string, u: string) { return `${s}.${u}`; }
function regional(s: string, r: string) { return `${s}.${r}.amazonaws.com`; }
function regionalPartitional(s: string, r: string, u: string) { return `${s}.${r}.${u}`; }

// Exceptions for Service Principals in us-iso-*
const US_ISO_EXCEPTIONS = new Set([
Expand Down Expand Up @@ -91,7 +91,8 @@ export class Default {
case 'codedeploy':
return region.startsWith('cn-')
? regionalPartitional
: regional;
// ...except in the isolated regions, where it's universal
: (region.startsWith('us-iso') ? universal : regional);

// Services with a regional AND partitional principal
case 'logs':
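Review bot: The isolated-region branch in the `codedeploy` case is a nested ternary around a bare `region.startsWith('us-iso')` prefix test, which reads worse than the `cn-` check beside it and matches any region name beginning with `us-iso`, not only the three regions the snapshot lists. Guard clauses make the three outcomes explicit and keep the comment next to the line it explains: `if (region.startsWith('cn-')) { return regionalPartitional; }`, `if (region.startsWith('us-iso')) { return universal; } // isolated regions use the universal principal`, `return regional;`. If the `US_ISO_EXCEPTIONS` set declared in this file's earlier hunk is how other isolated-region special cases are expressed, adding `codedeploy` there may be the more consistent fix, but its use is outside the visible hunks, so this is only a suggestion to check. The enclosing `switch` inside `determineConfiguration` continues outside the hunk.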
2 changes: 1 addition & 1 deletion packages/@aws-cdk/region-info/lib/fact.ts
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ export class FactName {
* The `.amazonaws.com` and `.amazonaws.com.cn` domains are stripped from service names, so they are
* canonicalized in that respect.
*/
public static servicePrincipal(service: string) {
public static servicePrincipal(service: string): string {
return `service-principal:${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}`;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -795,7 +795,7 @@ Object {
"servicePrincipals": Object {
"application-autoscaling": "application-autoscaling.amazonaws.com",
"autoscaling": "autoscaling.amazonaws.com",
"codedeploy": "codedeploy.us-iso-east-1.amazonaws.com",
"codedeploy": "codedeploy.amazonaws.com",
"ec2": "ec2.c2s.ic.gov",
"events": "events.amazonaws.com",
"lambda": "lambda.amazonaws.com",
Expand Down Expand Up @@ -826,7 +826,7 @@ Object {
"servicePrincipals": Object {
"application-autoscaling": "application-autoscaling.amazonaws.com",
"autoscaling": "autoscaling.amazonaws.com",
"codedeploy": "codedeploy.us-iso-west-1.amazonaws.com",
"codedeploy": "codedeploy.amazonaws.com",
"ec2": "ec2.c2s.ic.gov",
"events": "events.amazonaws.com",
"lambda": "lambda.amazonaws.com",
Expand Down Expand Up @@ -857,7 +857,7 @@ Object {
"servicePrincipals": Object {
"application-autoscaling": "application-autoscaling.amazonaws.com",
"autoscaling": "autoscaling.amazonaws.com",
"codedeploy": "codedeploy.us-isob-east-1.amazonaws.com",
"codedeploy": "codedeploy.amazonaws.com",
"ec2": "ec2.sc2s.sgov.gov",
"events": "events.amazonaws.com",
"lambda": "lambda.amazonaws.com",
