aws china

data/data/aws/bootstrap/main.tf

@@ -1,5 +1,8 @@
+data "aws_partition" "current" {}
+
 locals {
   public_endpoints = var.publish_strategy == "External" ? true : false
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
 }
 
 resource "aws_s3_bucket" "ignition" {
@@ -60,7 +63,7 @@ resource "aws_iam_role" "bootstrap" {
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "${local.ec2_service_domain}"
             },
             "Effect": "Allow",
             "Sid": ""
@@ -104,7 +107,7 @@ resource "aws_iam_role_policy" "bootstrap" {
       "Action" : [
         "s3:GetObject"
       ],
-      "Resource": "arn:aws:s3:::*",
+      "Resource": "arn:${data.aws_partition.current.partition}:s3:::*",
       "Effect": "Allow"
     }
   ]

data/data/aws/iam/main.tf

@@ -1,5 +1,6 @@
+data "aws_partition" "current" {}
 locals {
-  arn = "aws"
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
 }
 
 resource "aws_iam_instance_profile" "worker" {
@@ -19,7 +20,7 @@ resource "aws_iam_role" "worker_role" {
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "${local.ec2_service_domain}"
             },
             "Effect": "Allow",
             "Sid": ""

data/data/aws/main.tf

@@ -13,6 +13,9 @@ provider "aws" {
   # Validation of AWS Bahrain region was added in AWS TF provider v2.22
   # so we skip when installing in me-south-1.
   skip_region_validation = var.aws_region == "me-south-1"
+  endpoints {
+    route53 = var.aws_region == "cn-northwest-1" ? "api.route53.cn" : ""
+  }
 }
 
 module "bootstrap" {

data/data/aws/master/main.tf

@@ -1,5 +1,6 @@
+data "aws_partition" "current" {}
 locals {
-  arn = "aws"
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
 
   // Because of the issue https://github.com/hashicorp/terraform/issues/12570, the consumers cannot use a dynamic list for count
   // and therefore are force to implicitly assume that the list is of aws_lb_target_group_arns_length - 1, in case there is no api_external
@@ -23,7 +24,7 @@ resource "aws_iam_role" "master_role" {
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "${local.ec2_service_domain}"
             },
             "Effect": "Allow",
             "Sid": ""
@@ -62,7 +63,7 @@ resource "aws_iam_role_policy" "master_policy" {
       "Action" : [
         "s3:GetObject"
       ],
-      "Resource": "arn:${local.arn}:s3:::*",
+      "Resource": "arn:${data.aws_partition.current.partition}:s3:::*",
       "Effect": "Allow"
     },
     {

data/data/rhcos.json

@@ -18,6 +18,9 @@
         "ca-central-1": {
             "hvm": "ami-04c260ce1f154b3c6"
         },
+        "cn-northwest-1": {
+            "hvm": "ami-0ffcfd88e7e2a84ef"
+        },
         "eu-central-1": {
             "hvm": "ami-044dcfcf5ea21cb3c"
         },
@@ -132,4 +135,5 @@
     },
     "ostree-commit": "64f3825d0417c5411700b685c4736bd6be487234293e9128a2bd8c54b85b6337",
     "ostree-version": "44.81.202002071430-0"
-}
+}
+

pkg/asset/installconfig/aws/basedomain.go

@@ -27,9 +27,13 @@ func GetBaseDomain() (string, error) {
 	if err != nil {
 		return "", err
 	}
-
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1"{
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
 	logrus.Debugf("listing AWS hosted zones")
-	client := route53.New(session)
+	client := route53.New(session,awsConfig)
 	publicZoneMap := map[string]struct{}{}
 	exists := struct{}{}
 	if err := client.ListHostedZonesPages(
@@ -91,7 +95,12 @@ func GetPublicZone(name string) (*route53.HostedZone, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "getting AWS session")
 	}
-	client := route53.New(session)
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1"{
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
+	client := route53.New(session,awsConfig)
 	if err := client.ListHostedZonesPages(&route53.ListHostedZonesInput{}, f); err != nil {
 		return nil, errors.Wrap(err, "listing hosted zones")
 	}

pkg/destroy/aws/aws.go

@@ -125,7 +125,7 @@ func (o *ClusterUninstaller) Run() error {
 	tagClientNames := map[*resourcegroupstaggingapi.ResourceGroupsTaggingAPI]string{
 		tagClients[0]: o.Region,
 	}
-	if o.Region != "us-east-1" {
+	if o.Region != "us-east-1" && o.Region != "cn-north-1" && o.Region != "cn-northwest-1" {
 		tagClient := resourcegroupstaggingapi.New(
 			awsSession, aws.NewConfig().WithRegion("us-east-1"),
 		)
@@ -1708,8 +1708,12 @@ func deleteRoute53(session *session.Session, arn arn.ARN, logger logrus.FieldLog
 	if resourceType != "hostedzone" {
 		return errors.Errorf("unrecognized Route 53 resource type %s", resourceType)
 	}
-
-	client := route53.New(session)
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1" {
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
+	client := route53.New(session, awsConfig)
 
 	sharedZoneID, err := getSharedHostedZone(client, id, logger)
 	if err != nil {

pkg/types/aws/validation/platform.go

@@ -21,8 +21,8 @@ var (
 		"ap-southeast-1": "Singapore",
 		"ap-southeast-2": "Sydney",
 		"ca-central-1":   "Central",
-		//"cn-north-1":     "Beijing",
-		//"cn-northwest-1": "Ningxia",
+		"cn-north-1":     "Beijing",
+		"cn-northwest-1": "Ningxia",
 		"eu-central-1": "Frankfurt",
 		"eu-north-1":   "Stockholm",
 		"eu-west-1":    "Ireland",