Taskcat communicates with the sts endpoint in the China partition even though it is not specified in an aws profile or taskcat config #837
Comments
@craigcraigcraig, if you want to deploy to one of the Canadian regions, specify either the
@tlindsay42, apologies - I thought cn was Canada. I edited the original post to reflect that it's the China partition I'm having issues with. My use case is to only deploy/test in GovCloud regions. The problem is that taskcat tries to communicate with the sts endpoint in China, even though I don't specify a region in the China partition in my aws profile or in taskcat. Network traffic to China is blocked in my environment, and taskcat times out. There doesn't seem to be a way to tell taskcat not to communicate with the China sts endpoint. In the additional context, it looks like taskcat tries to determine the partition using an array that it loops through.
Got it. Skimmed on the first read. As evident from my response, I thought there was a misunderstanding about aws partitions & regions. Makes sense now. Looking now.
That... shouldn't be doing that.
Would you be open to submitting a pull request for this?
yep
Describe the bug
When trying to determine partition, taskcat times out when trying the sts endpoint in the China partition: sts.cn-north-1.amazonaws.com.cn. I am running taskcat in a highly restricted environment, and calls to endpoints outside the US are blocked.
My aws profile and the .taskcat.yml specify only the us-gov-west-1 region. I would expect that Taskcat would not make calls to partitions whose regions are not specified in my aws profile or the .taskcat.yml file.
taskcat is executed using this command: taskcat --profile pipeline test run
My aws config looks like this:
[profile pipeline]
region = us-gov-west-1
See additional context below for more information.
To Reproduce
Steps to reproduce the behavior:
project:
  name: demo
  package_lambda: false
  template: ./some-template.yml
  regions:
    - us-gov-west-1
  auth:
    default: pipeline
tests:
  default:
    s3_regional_buckets: true
    parameters:
      pDesiredCount: 1
      pEcrName: "TEST-redacted"
      pEcsClusterName: "TEST-redacted"
      pSecurityGroupIds: $[taskcat_secretsmanager_redacted/redacted/securitygroupid]
      pVpcId: $[taskcat_secretsmanager_redacted/redacted/vpcid]
      pSubnetId: $[taskcat_secretsmanager_redacted/redacted/subnetid]
3. Provide the parameters that you passed. (remove any sensitive info)
4. How did you install taskcat? (docker or pip3). pip3
5. Are you using a profile, an instance role or access keys to run taskcat? profile
6. Is your AWS environment configured via aws configure? yes
Expected behavior
Taskcat determines the partition to be aws-us-gov without making calls to the Canada partition.
Screenshots
If applicable, add screenshots to help explain your problem.
Version (Please make sure you are running the latest version of taskcat)
0.9.54
Python: 3.12.3
Additional context
When inspecting the code that determines the partition (specifically _get_partition in _client_factory.py), it looks like the code tries the commercial partition (aws) first, then it tries China (aws-cn), finally it tries GovCloud (aws-us-gov). What is happening in my environment is when the code tries to make calls to the China partition, taskcat times out trying to communicate with the "cn-north-1" sts endpoint because any call outside the US is blocked in my environment (i.e., https://sts.cn-north-1.amazonaws.com.cn/ is blocked and taskcat times out waiting for a response).
I fully own that this is due to the environment I'm running taskcat in; however, I imagine this could be an issue for other folks running taskcat in the GovCloud partition who are subject to similar network restrictions.
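One way to avoid the cross-partition STS probe described in this issue, as an added example that is not taskcat's code: derive the partition from the configured region names and only plan STS checks for partitions actually in use. The function names and the prefix mapping (limited to the three partitions named in the issue) are assumptions of this sketch.

```python
# Added example, not taskcat's code: choose which partitions to probe from the
# configured regions, so no STS request leaves for a partition that is unused.

# (partition, default region for the STS check, DNS suffix) for the three
# partitions named in the issue, in the order the issue describes.
PARTITIONS = [
    ("aws", "us-east-1", "amazonaws.com"),
    ("aws-cn", "cn-north-1", "amazonaws.com.cn"),
    ("aws-us-gov", "us-gov-west-1", "amazonaws.com"),
]


def partition_for_region(region):
    """Map a region name to its partition by prefix, with no network call."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def probe_plan(configured_regions):
    """Return (partition, sts_region, sts_host) tuples worth probing.

    With no configured regions, every partition stays in the plan (the
    behaviour reported in the issue); otherwise only partitions that own
    at least one configured region are kept.
    """
    regions = [r for r in configured_regions if r]
    wanted = {partition_for_region(r) for r in regions}
    plan = []
    for partition, default_region, suffix in PARTITIONS:
        if wanted and partition not in wanted:
            continue  # skip partitions the user never asked for
        # Prefer a region the user configured in this partition.
        sts_region = next(
            (r for r in regions if partition_for_region(r) == partition),
            default_region,
        )
        plan.append((partition, sts_region, f"sts.{sts_region}.{suffix}"))
    return plan


def egress_hosts(configured_regions):
    """Hostnames the plan would contact; usable as an egress allowlist."""
    return [host for _, _, host in probe_plan(configured_regions)]


if __name__ == "__main__":
    for regions in (["us-gov-west-1"], ["us-east-1", "us-gov-west-1"], []):
        print(regions, "->", egress_hosts(regions))
```
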