Skip to content

feat: Use aws_service_principal data source for deriving IAM service prinicpals #3539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: Use aws_service_principal data source for deriving IAM service prinicpals #3539

wants to merge 4 commits into from
+8 −2

Conversation

myerscf
Copy link

@myerscf myerscf commented Oct 7, 2025

Using a Regions DNS Suffix is not an accurate way to determine the Service Principal Name for a service in different AWS Partitions.

This MR removes its use, in preference of the TF aws_service_principal resource, that will better determine the name and not cause deployment issues in Partitions.

@myerscf
fix: removed use of dns_suffix
bd3fe10 
use the service prinipal name in policies

Signed-off-by: Fred Myerscough <[email protected]>
@myerscf myerscf changed the title fix: removed use of dns_suffix fix: Removed use of dns_suffix Oct 7, 2025
@myerscf
fix: added missing data. accessor
10ae57a 
Signed-off-by: Fred Myerscough <[email protected]>
@bryantbiggs
Copy link
Member

Are you facing an issue

@myerscf
Copy link
Author

myerscf commented Oct 7, 2025
edited
Loading

Hi @bryantbiggs - yes, when trying to deploy into some AWS Partitions - using that Partitions domain to create the SPN, results in throwing an Invalid principal in policy validation error when deploying. Using the DNS suffix is an old, deprecated way of creating one.

aws_service_principal solves this, by creating the correct, backwards compatible SPN for a service, depending on which region you are deploying to :)

@bryantbiggs
Copy link
Member

I'd like to learn more about this error you encountered, the error message, and what partition. the aws_service_principal data source is a relatively new source

@myerscf
Copy link
Author

myerscf commented Oct 7, 2025

Sure!

So in some of the old AWS partitions, using the DNS suffix was accepted as part of the SPN, but this was quickly deprecated as more Partitions where created in favour of a standardised *.amazonaws.com. In the regions where it was first allowed, they will allow either - but all services where updated in favour of the standardised naming convention.

If you use the DNS suffix in the newer ones, where its not accepted you get an error like:

Error: creating IAM Role (<ROLE NAME>): operation error IAM: CreateRole, https response error StatusCode: 400,
RequestID: <REQUEST UUID>, MalformedPolicyDocument: Invalid principal in policy: "SERVICE":"ec2.c2s.ic.gov"

The aws_service_prinicipal resource was created, to match similar functionality in CDK - which allows users to create cross compatible SPNs in their policies, but enabling backwards compatibility for edge cases.
So for example if there is a region with an edge case say logs in the CN partition then it will return with the SPN with the DNS suffix - it not, the standardised one!

So, this change should keep things simple, and allow the modules to be easily deployed to different regions/partitions :D

@bryantbiggs
Copy link
Member

thanks for the information, we use this pattern quite a bit so I wanted to understand better, and we've also encountered issues with partitions (mostly because services don't do a great job at defining when the partition/suffix should change)

bryantbiggs
bryantbiggs reviewed Oct 7, 2025
View reviewed changes
bryantbiggs
bryantbiggs reviewed Oct 7, 2025
View reviewed changes
bryantbiggs
bryantbiggs reviewed Oct 7, 2025
View reviewed changes
bryantbiggs
bryantbiggs reviewed Oct 7, 2025
View reviewed changes
@bryantbiggs bryantbiggs changed the title fix: Removed use of dns_suffix feat: Use aws_service_principal data source for deriving IAM service prinicpals Oct 7, 2025
@myerscf
Copy link
Author

myerscf commented Oct 7, 2025

thanks for the information, we use this pattern quite a bit so I wanted to understand better, and we've also encountered issues with partitions (mostly because services don't do a great job at defining when the partition/suffix should change)

Updated to address the recommendations!

Will be happy to look through the other repos in terraform-aws-modules and PR similar changes to help with their use across AWS Partitions!

@myerscf
Copy link
Author

myerscf commented Oct 8, 2025

Leaving the dns_suffix prop leaves us with a linting issue :( do you still want it left in?

Warning: [Fixable] local.dns_suffix is declared but not used (terraform_unused_declarations)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bryantbiggs bryantbiggs bryantbiggs left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@myerscf @bryantbiggs