fix(codedeploy): the Service Principal is wrong in isolated regions (#19729)

skinny85 · web-flow · commit 7e9a43dcad55 · 2022-04-02T17:14:42.000Z
Turns out, the Service Principal for CodeDeploy in the isolated regions is not regional like in all other regions, but rather universal (`codedeploy.amazonaws.com`). Fixes #19399 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts b/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts
@@ -115,7 +115,6 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
     });
   });
 
-
   test('can be created with explicit name', () => {
     const stack = new cdk.Stack();
     const application = new codedeploy.LambdaApplication(stack, 'MyApp');
@@ -589,6 +588,32 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
       },
     });
   });
+
+  test('uses the correct Service Principal in the us-isob-east-1 region', () => {
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'CodeDeployLambdaStack', {
+      env: { region: 'us-isob-east-1' },
+    });
+    const alias = mockAlias(stack);
+    new codedeploy.LambdaDeploymentGroup(stack, 'MyDG', {
+      alias,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+      AssumeRolePolicyDocument: {
+        Statement: [
+          {
+            Action: 'sts:AssumeRole',
+            Effect: 'Allow',
+            Principal: {
+              Service: 'codedeploy.amazonaws.com',
+            },
+          },
+        ],
+        Version: '2012-10-17',
+      },
+    });
+  });
 });
 
 describe('imported with fromLambdaDeploymentGroupAttributes', () => {
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -767,14 +767,8 @@ class ServicePrincipalToken implements cdk.IResolvable {
   public resolve(ctx: cdk.IResolveContext) {
     if (this.opts.region) {
       // Special case, handle it separately to not break legacy behavior.
-      return (
-        RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
-        Default.servicePrincipal(
-          this.service,
-          this.opts.region,
-          cdk.Aws.URL_SUFFIX,
-        )
-      );
+      return RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
+        Default.servicePrincipal(this.service, this.opts.region, cdk.Aws.URL_SUFFIX);
     }
 
     const stack = cdk.Stack.of(ctx.scope);
diff --git a/packages/@aws-cdk/region-info/lib/aws-entities.ts b/packages/@aws-cdk/region-info/lib/aws-entities.ts
@@ -133,14 +133,3 @@ export function partitionInformation(region: string): Region {
   }
   return PARTITION_MAP.default;
 }
-
-/**
- * Build a lookup map for all regions
- */
-export function generateRegionMap(cb: (region: string) => string): Record<string, string> {
-  const ret: Record<string, string> = {};
-  for (const region of AWS_REGIONS) {
-    ret[region] = cb(region);
-  }
-  return ret;
-}
diff --git a/packages/@aws-cdk/region-info/lib/default.ts b/packages/@aws-cdk/region-info/lib/default.ts
@@ -35,10 +35,10 @@ export class Default {
     }
 
     function determineConfiguration(service: string): (service: string, region: string, urlSuffix: string) => string {
-      function universal(s: string) { return `${s}.amazonaws.com`; };
-      function partitional(s: string, _: string, u: string) { return `${s}.${u}`; };
-      function regional(s: string, r: string) { return `${s}.${r}.amazonaws.com`; };
-      function regionalPartitional(s: string, r: string, u: string) { return `${s}.${r}.${u}`; };
+      function universal(s: string) { return `${s}.amazonaws.com`; }
+      function partitional(s: string, _: string, u: string) { return `${s}.${u}`; }
+      function regional(s: string, r: string) { return `${s}.${r}.amazonaws.com`; }
+      function regionalPartitional(s: string, r: string, u: string) { return `${s}.${r}.${u}`; }
 
       // Exceptions for Service Principals in us-iso-*
       const US_ISO_EXCEPTIONS = new Set([
@@ -91,7 +91,8 @@ export class Default {
         case 'codedeploy':
           return region.startsWith('cn-')
             ? regionalPartitional
-            : regional;
+            // ...except in the isolated regions, where it's universal
+            : (region.startsWith('us-iso') ? universal : regional);
 
         // Services with a regional AND partitional principal
         case 'logs':
diff --git a/packages/@aws-cdk/region-info/lib/fact.ts b/packages/@aws-cdk/region-info/lib/fact.ts
@@ -182,7 +182,7 @@ export class FactName {
    *                The `.amazonaws.com` and `.amazonaws.com.cn` domains are stripped from service names, so they are
    *                canonicalized in that respect.
    */
-  public static servicePrincipal(service: string) {
+  public static servicePrincipal(service: string): string {
     return `service-principal:${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}`;
   }
 }
diff --git a/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap b/packages/@aws-cdk/region-info/test/__snapshots__/region-info.test.js.snap
@@ -795,7 +795,7 @@ Object {
     "servicePrincipals": Object {
       "application-autoscaling": "application-autoscaling.amazonaws.com",
       "autoscaling": "autoscaling.amazonaws.com",
-      "codedeploy": "codedeploy.us-iso-east-1.amazonaws.com",
+      "codedeploy": "codedeploy.amazonaws.com",
       "ec2": "ec2.c2s.ic.gov",
       "events": "events.amazonaws.com",
       "lambda": "lambda.amazonaws.com",
@@ -826,7 +826,7 @@ Object {
     "servicePrincipals": Object {
       "application-autoscaling": "application-autoscaling.amazonaws.com",
       "autoscaling": "autoscaling.amazonaws.com",
-      "codedeploy": "codedeploy.us-iso-west-1.amazonaws.com",
+      "codedeploy": "codedeploy.amazonaws.com",
       "ec2": "ec2.c2s.ic.gov",
       "events": "events.amazonaws.com",
       "lambda": "lambda.amazonaws.com",
@@ -857,7 +857,7 @@ Object {
     "servicePrincipals": Object {
       "application-autoscaling": "application-autoscaling.amazonaws.com",
       "autoscaling": "autoscaling.amazonaws.com",
-      "codedeploy": "codedeploy.us-isob-east-1.amazonaws.com",
+      "codedeploy": "codedeploy.amazonaws.com",
       "ec2": "ec2.sc2s.sgov.gov",
       "events": "events.amazonaws.com",
       "lambda": "lambda.amazonaws.com",

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ export class FactName {`
`182`	`182`	* The `.amazonaws.com` and `.amazonaws.com.cn` domains are stripped from service names, so they are
`183`	`183`	`* canonicalized in that respect.`
`184`	`184`	`*/`
`185`		`- public static servicePrincipal(service: string) {`
	`185`	`+ public static servicePrincipal(service: string): string {`
`186`	`186`	return `service-principal:${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}`;
`187`	`187`	`}`
`188`	`188`	`}`