https://aws.amazon.com/blogs/aws/now-open-aws-africa-cape-town-region/
The AWS Region in Africa that Jeff promised you in 2018 is now open. The official name is Africa (Cape Town) and the API name is af-south-1. You can start using this new Region today to deploy workloads and store your data in South Africa.
The region shorthand name is af-south-1.
provider "aws" {
  region = "af-south-1"
}
@cobusbernard @Petrie65 You can try setting skip_region_validation = true in the Terraform AWS provider block:
provider "aws" {
  region                 = "af-south-1"
  skip_region_validation = true
}
This fixes the Error: Invalid AWS Region: af-south-1 message but I subsequently get HTTP 403s:
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
Error: Error refreshing state: 1 error occurred:
* provider.aws: error using credentials to get account ID: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: c2cb2d98-ff4a-417d-9263-e0085cf98039
2020-04-22T08:58:03.669-0400 [DEBUG] plugin.terraform-provider-aws: 2020/04/22 08:58:03 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020-04-22T08:58:03.670-0400 [DEBUG] plugin.terraform-provider-aws: 2020/04/22 08:58:03 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: ---[ REQUEST POST-SIGN ]-----------------------------
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: POST / HTTP/1.1
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Host: sts.af-south-1.amazonaws.com
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: User-Agent: aws-sdk-go/1.30.5 (go1.13.3; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11+compatible (+https://www.terraform.io)
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Content-Length: 43
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Authorization: AWS4-HMAC-SHA256 Credential=****************/20200422/af-south-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=****************************************************************
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: X-Amz-Date: 20200422T125803Z
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Accept-Encoding: gzip
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws:
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: Action=GetCallerIdentity&Version=2011-06-15
2020-04-22T08:58:03.671-0400 [DEBUG] plugin.terraform-provider-aws: -----------------------------------------------------
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: 2020/04/22 08:58:04 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: ---[ RESPONSE ]--------------------------------------
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: HTTP/1.1 403 Forbidden
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: Connection: close
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: Content-Length: 306
2020-04-22T08:58:04.799-0400 [DEBUG] plugin.terraform-provider-aws: Content-Type: text/xml
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: Date: Wed, 22 Apr 2020 12:58:07 GMT
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: X-Amzn-Requestid: a9d4e90b-f7ab-4738-b583-a40092ea6161
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws:
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws:
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: -----------------------------------------------------
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: 2020/04/22 08:58:04 [DEBUG] [aws-sdk-go] <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: <Error>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: <Type>Sender</Type>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: <Code>InvalidClientTokenId</Code>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: <Message>The security token included in the request is invalid.</Message>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: </Error>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: <RequestId>a9d4e90b-f7ab-4738-b583-a40092ea6161</RequestId>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: </ErrorResponse>
2020-04-22T08:58:04.800-0400 [DEBUG] plugin.terraform-provider-aws: 2020/04/22 08:58:04 [DEBUG] [aws-sdk-go] DEBUG: Validate Response sts/GetCallerIdentity failed, attempt 0/25, error InvalidClientTokenId: The security token included in the request is invalid.
@ewbankkit Have you enabled the region as explained in https://youtu.be/jSxVDiWPoak or https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/l ?
@tinuva I did enable the region via the console but it's taking a while to prepare. I'll retest once the console allows me to look at the region.
Update: Yes, I have success now.
$ terraform apply
data.aws_availability_zones.available: Refreshing state...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
$ cat terraform.tfstate
{
    "version": 3,
    "terraform_version": "0.11.14",
    "serial": 46,
    "lineage": "3d15b767-33de-1721-acce-21510949a9de",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "data.aws_availability_zones.available": {
                    "type": "aws_availability_zones",
                    "depends_on": [],
                    "primary": {
                        "id": "2020-04-22 13:28:54.483831182 +0000 UTC",
                        "attributes": {
                            "group_names.#": "1",
                            "group_names.3830938908": "af-south-1",
                            "id": "2020-04-22 13:28:54.483831182 +0000 UTC",
                            "names.#": "3",
                            "names.0": "af-south-1a",
                            "names.1": "af-south-1b",
                            "names.2": "af-south-1c",
                            "state": "available",
                            "zone_ids.#": "3",
                            "zone_ids.0": "afs1-az1",
                            "zone_ids.1": "afs1-az2",
                            "zone_ids.2": "afs1-az3"
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                }
            },
            "depends_on": []
        }
    ]
}
Today's AWS Go SDK update, v1.30.12, contains the new region information that will allow the provider to automatically validate it. The automatic dependency update for AWS Go SDK, https://github.com/terraform-providers/terraform-provider-aws/pull/12715, should automatically update shortly and we'll merge it in after verifying it works as expected.
Support for automatic validation of this new region has been merged and will release with version 2.59.0 of the Terraform AWS Provider, tomorrow.
Please note that this new region requires a manual process to enable. Once enabled in the console, it takes a few minutes for everything to work properly.
If the region is not enabled properly, or the enablement process is still in progress, you can receive errors like these:
$ terraform apply
Error: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 142f947b-b2c3-11e9-9959-c11ab17bcc63
on main.tf line 1, in provider "aws":
1: provider "aws" {
To use this new region before support has been added to the Terraform AWS Provider version in use, you must disable the provider's automatic region validation via:
provider "aws" {
  # ... potentially other configuration ...
  region                 = "af-south-1"
  skip_region_validation = true
}
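The failure mode described in this thread (a 403 `InvalidClientTokenId` from the regional STS endpoint while the region is not yet enabled) can be told apart from an ordinary credential problem by reading the provider's debug output. The following is an added example, not code from the thread or from the provider: `triage_sts_failure`, `OPT_IN_REGIONS` and the verdict strings are hypothetical names, the sample log is constructed in the shape of the debug log posted above, and the opt-in set contains only the region this page names.

```python
import re

# Assumption: regions needing manual enablement; only af-south-1 is named on this page.
OPT_IN_REGIONS = {"af-south-1"}

# Constructed sample, shaped like the TF_LOG=DEBUG output earlier in the thread.
SAMPLE_LOG = """\
[DEBUG] plugin.terraform-provider-aws: POST / HTTP/1.1
[DEBUG] plugin.terraform-provider-aws: Host: sts.af-south-1.amazonaws.com
[DEBUG] plugin.terraform-provider-aws: Authorization: AWS4-HMAC-SHA256 Credential=****/20200422/af-south-1/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=****
[DEBUG] plugin.terraform-provider-aws: HTTP/1.1 403 Forbidden
[DEBUG] plugin.terraform-provider-aws: <Code>InvalidClientTokenId</Code>
"""

HOST_RE = re.compile(r"Host: sts\.([a-z0-9-]+)\.amazonaws\.com")
SCOPE_RE = re.compile(r"Credential=[^/\s]+/\d{8}/([a-z0-9-]+)/sts/aws4_request")
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})")  # response status line only
CODE_RE = re.compile(r"<Code>(\w+)</Code>")


def _first(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None


def triage_sts_failure(log_text, opt_in_regions=OPT_IN_REGIONS):
    """Classify a failed sts:GetCallerIdentity exchange from provider debug output."""
    finding = {
        "host_region": _first(HOST_RE, log_text),    # region in the STS hostname
        "scope_region": _first(SCOPE_RE, log_text),  # region in the SigV4 credential scope
        "status": _first(STATUS_RE, log_text),
        "code": _first(CODE_RE, log_text),
    }
    region = finding["host_region"] or finding["scope_region"]
    if finding["status"] is None or finding["code"] is None:
        finding["verdict"] = "no-sts-error-found"
    elif finding["status"] == "403" and finding["code"] == "InvalidClientTokenId":
        # Same error text either way; the target region decides what to check first.
        finding["verdict"] = ("check-region-enablement" if region in opt_in_regions
                              else "check-credentials")
    else:
        finding["verdict"] = "other-sts-error"
    return finding


if __name__ == "__main__":
    print(triage_sts_failure(SAMPLE_LOG))
```
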
This has been released in version 2.59.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!