Health uses invalid endpoints when region is set #8745
Comments
bryanhiestand
added
bug
RyanFitzSimmonsAK
added
investigating
|
Hi @bryanhiestand, thanks for reaching out. This behavior makes sense; AWS Health only has two endpoints as you mentioned, and you should make requests to those endpoints. What behavior were you anticipating in the event of a request being sent to an endpoint that isn't supported? |
RyanFitzSimmonsAK
added
response-requested
Hi @RyanFitzSimmonsAK, thank you for taking a look! I agree that it's a bit silly to expect Since Health appears to be a global service, I would actually expect to not have to specify a region, similar to the way IAM works. So I would expect to be able to have the This isn't quite what I am trying to do, but perhaps this untested script will illustrate what I am getting at. If one wanted to see if any of their instances tagged environment=production had health events, they might try a script like this, running it with the AWS_REGION environment variable for each of their regions: # List EC2 instances tagged with "environment=production"
INSTANCE_IDS=$(aws ec2 describe-instances --filter "Name=tag:environment,Values=production" --query 'Reservations[*].Instances[*].[InstanceId]' --output json | jq -r '.[][]')
# Get all upcoming AWS health events
EVENTS=$(aws health describe-events --filter eventStatusCodes=upcoming,eventTypeCodes=AWS_EC2_INSTANCE_MAINTENANCE_SCHEDULED --query 'events[*].arn' --output json | jq -r '.[]')
for event in $EVENTS
do
# Get details for each event
EVENT_DETAILS=$(aws health describe-event-details --filter eventArns=$event --query 'successfulSet[*].eventDescription.latestDescription' --output text)
for id in $INSTANCE_IDS
do
# Check if the event details contain the instance ID
if echo "$EVENT_DETAILS" | grep -q "$id"; then
echo "Scheduled events for instance $id: $EVENT_DETAILS"
fi
done
doneHowever, the above will only work in us-east-1 or us-east-2. For any other region, we must override the region only when calling health. This seems like either a burdensome design or a bug: export AWS_REGION=us-west-2
# List EC2 instances tagged with "environment=production"
INSTANCE_IDS=$(aws ec2 describe-instances --filter "Name=tag:environment,Values=production" --query 'Reservations[*].Instances[*].[InstanceId]' --output json | jq -r '.[][]')
# some more regional commands
# Health is only available in us-east-1
aws health describe-event-details --region us-east-1 ...With IAM, this would not be required: export AWS_REGION='us-west-2'
# Get all IAM instance profiles
ALL_ROLES=$(aws iam list-instance-profiles --query 'InstanceProfiles[*].Roles[*].RoleName' --output json | jq -r '.[][]')
# Get roles used by EC2 instances in the specified region
USED_ROLES=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].IamInstanceProfile.Arn' --output json | jq -r '.[][]' | awk -F '/' '{print $2}')I hope this helps clarify. Thanks again for looking. |
github-actions
bot
removed
the
response-requested
Describe the bug
When the region is set through either
AWS_REGIONorAWS_DEFAULT_REGIONenvironment variables or with the--regionargument passed toaws health, the CLI attempts to use an endpoint in that region. This fails because AWS Health only offers endpoints in us-east-1 and us-east-2.Expected Behavior
healthshould only use valid endpointsCurrent Behavior
Having the
AWS_REGIONenvironment variable set to anything other than us-east-1 or us-east-2 results in an error. Examples:invalid region
valid region lacking Health endpoints
Passing
--regionfor anything other than us-east-1 or us-east-2 results in an errorHaving
AWS_DEFAULT_REGIONset to anything other than us-east-1 or us-east-2 results in an errorReproduction Steps
Install a current version of aws-cli, set
us-west-2as either theAWS_REGIONorAWS_DEFAULT_REGIONenvironment variable or with--region, andYou should see
We reproduced on
This behavior appears to have been introduced between 2.9.21 and 2.16.7, as the following version works as expected
Possible Solution
It looks like AWS only has multi-region support for active-passive failover. If so, would it make sense to only use
global.health.amazonaws.com?Otherwise, this could be part of improved region validation, or aws-cli could only use the two valid regions
Additional Information/Context
This may be a regression of #4183 and may be related to #2266
I am wondering if this bug might have been introduced when boto added regional support for health
CLI version used
2.16.7
Environment details (OS name and version, etc.)
Darwin/23.4.0 source/arm64 and Linux/6.2.0-1018-aws
Edit: fixed some typos/bad grammar, meaning unchanged
The text was updated successfully, but these errors were encountered: