issuer/route53: respect 'ambient' flag for region

This notably results in the region being a required field if the 'ambient' option is not set for a given issuer.
2018-03-24 14:05:08 -07:00 · 2018-03-24 14:05:08 -07:00 · faac0701ab
commit faac0701ab
parent 8857ea55b3
2 changed files with 22 additions and 2 deletions
--- a/pkg/issuer/acme/dns/route53/route53.go
+++ b/pkg/issuer/acme/dns/route53/route53.go
@ -70,6 +70,7 @@ func NewDNSProvider(accessKeyID, secretAccessKey, hostedZoneID, region string, a
 	r := customRetryer{}
 	r.NumMaxRetries = maxRetries
 	config := request.WithRetryer(aws.NewConfig(), r)
+	sessionOpts := session.Options{}

 	if useAmbientCredentials {
 		glog.V(5).Infof("using ambient credentials")
@ -79,12 +80,20 @@ func NewDNSProvider(accessKeyID, secretAccessKey, hostedZoneID, region string, a
 	} else {
 		glog.V(5).Infof("not using ambient credentials")
 		config.WithCredentials(credentials.NewStaticCredentials(accessKeyID, secretAccessKey, ""))
+		// also disable 'ambient' region sources
+		sessionOpts.SharedConfigState = session.SharedConfigDisable
 	}

-	if region != "" {
+	// If ambient credentials aren't permitted, always set the region, even if to
+	// empty string, to avoid it falling back on the environment.
+	if region != "" || !useAmbientCredentials {
 		config.WithRegion(region)
 	}
-	client := route53.New(session.New(config))
+	sess, err := session.NewSessionWithOptions(sessionOpts)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create aws session: %s", err)
+	}
+	client := route53.New(sess, config)

 	return &DNSProvider{
 		client:       client,
--- a/pkg/issuer/acme/dns/route53/route53_test.go
+++ b/pkg/issuer/acme/dns/route53/route53_test.go
@ -54,6 +54,7 @@ func TestAmbientCredentialsFromEnv(t *testing.T) {

 	_, err = provider.client.Config.Credentials.Get()
 	assert.NoError(t, err, "Expected credentials to be set from environment")
+	assert.Equal(t, provider.client.Config.Region, aws.String("us-east-1"))
 }

 func TestNoCredentialsFromEnv(t *testing.T) {
@ -76,6 +77,16 @@ func TestAmbientRegionFromEnv(t *testing.T) {
 	assert.Equal(t, "us-east-1", *provider.client.Config.Region, "Expected Region to be set from environment")
 }

+func TestNoRegionFromEnv(t *testing.T) {
+	os.Setenv("AWS_REGION", "us-east-1")
+	defer restoreRoute53Env()
+
+	provider, err := NewDNSProvider("marx", "swordfish", "", "", false)
+	assert.NoError(t, err, "Expected no error constructing DNSProvider")
+
+	assert.Equal(t, "", *provider.client.Config.Region, "Expected Region to not be set from environment")
+}
+
 func TestRoute53Present(t *testing.T) {
 	mockResponses := MockResponseMap{
 		"/2013-04-01/hostedzonesbyname":         MockResponse{StatusCode: 200, Body: ListHostedZonesByNameResponse},