common: use regional STS on non-default regions #479

Draft: wants to merge 1 commit into base: main

Commits on Apr 24, 2024

  1. common: use regional STS on non-default regions

    STS is the service used by AWS for emitting authentication tokens for
    API clients.
    
    This comes in two variants: v1 (global) and v2 (regional).
    As of today (2024-04-24), the default for the Go SDK is "legacy", i.e.
    if the connection is used to communicate with a non-default region it
    will use a regional endpoint, otherwise it'll use the global endpoint.
    
    Builds are generally not affected by operations like these as the SDK
    will pick the right type of endpoint for that, but problems may arise
    later, when copying AMIs for example, as they will need tokens
    compatible with both the source and destination regions.
    
    This means that if the build was performed in a default region, then
    copied to a non-default region, we'll have gotten a v1 (global) token,
    which will be rejected by the target region, causing the build to fail.
    
    This is already fixable by user-action, through either a setting in
    their AWS config file, or through an environment variable, but this may
    come as a surprise if users aren't aware of that pitfall.
    
    Therefore, this commit attempts to heuristically determine if an action
    may fail in the process, and enable regional endpoints for the EC2
    session we create during a build.
    
    Note: the volume builder and the post-processor are not affected by
    this, as they only work within one region at a time, so the SDK will
    choose the right type of endpoint/token for the action, and no
    cross-region action will be done.
    lbajolet-hashicorp committed Apr 24, 2024
    8afb1fc
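
The failure mode the commit message describes, modelled as an added example (this is not the plugin's code, and the PR's actual heuristic is not shown on this page). `RegionalFromEnv`, `STSEndpoint` and `AtRiskCopies` are hypothetical names; the region list is the aws-sdk-go v1 legacy STS table as recalled here, and the model covers only the standard `aws` partition.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Regions where aws-sdk-go v1 "legacy" mode sends STS calls to the global
// endpoint (assumption: list recalled from the SDK's legacy-region table).
var legacyGlobalSTS = map[string]bool{
	"ap-northeast-1": true, "ap-south-1": true, "ap-southeast-1": true,
	"ap-southeast-2": true, "ca-central-1": true, "eu-central-1": true,
	"eu-north-1": true, "eu-west-1": true, "eu-west-2": true, "eu-west-3": true,
	"sa-east-1": true, "us-east-1": true, "us-east-2": true, "us-west-1": true,
	"us-west-2": true,
}

// RegionalFromEnv reports whether the user already opted in to regional STS.
func RegionalFromEnv() bool {
	return strings.EqualFold(os.Getenv("AWS_STS_REGIONAL_ENDPOINTS"), "regional")
}

// STSEndpoint models which STS host a session for region would talk to.
func STSEndpoint(region string, regional bool) string {
	if !regional && legacyGlobalSTS[region] {
		return "sts.amazonaws.com" // global endpoint, v1 token
	}
	return "sts." + region + ".amazonaws.com" // regional endpoint, v2 token
}

// AtRiskCopies (hypothetical check) lists copy destinations that would be
// handed a global token obtained by a build session in a default region.
func AtRiskCopies(build string, copies []string, regional bool) []string {
	if regional || !legacyGlobalSTS[build] {
		return nil // the session already obtains regional tokens
	}
	var risky []string
	for _, r := range copies {
		if !legacyGlobalSTS[r] {
			risky = append(risky, r)
		}
	}
	return risky
}

func main() {
	fmt.Println(STSEndpoint("us-east-1", RegionalFromEnv()))
	fmt.Println(AtRiskCopies("us-east-1", []string{"eu-west-1", "af-south-1"}, RegionalFromEnv()))
}
```

A non-empty result from `AtRiskCopies` marks the builds where setting `AWS_STS_REGIONAL_ENDPOINTS=regional`, or `sts_regional_endpoints = regional` in the AWS config file, avoids the rejected token.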