Validate unknown AWS regions from discovery matchers

[greedy52]

Changelog: Support discovery for new AWS region il-central-1

As discussed in #31217, older branches may not get AWS SDK update to refresh the region list.

This change uses a regex to validate AWS regions from AWS discovery matchers. If a region is "valid" but "unknown", print a warning.

This avoids updating older branches for new regions.

Tested by cherry-picking the commit onto branch/v13 and enabling RDS discovery for il-central-1 in our dev account.

[marcoandredinis]

@kimlisa We should also update this list

teleport/web/packages/teleport/src/services/integrations/types.ts

Line 125 in 9759e76

export const awsRegionMap = {

cc @rudream

[greedy52]

@tigrato @smallinsky any thoughts on this approach? Or do we prefer a hard-coded list like the UI and IAM join? Then we can have a make script to upgrade them together.

[smallinsky]

I like this approach. But I have one concern:
Are we sure that DB agent/kube agent/discovery service will properly handle unknown region on their side without updating GO AWS SDK ?
For instance if we will allow to use "unknown region by SDK in teleport v11 the request most likely will fail in Teleport Discovery Service due to updated v11 GO AWS SDK.

[tigrato]

I like this approach. But I have one concern: Are we sure that DB agent/kube agent/discovery service will properly handle unknown region on their side without updating GO AWS SDK ? For instance if we will allow to use "unknown region by SDK in teleport v11 the request most likely will fail in Teleport Discovery Service due to updated v11 GO AWS SDK.

I am a bit reticent about this.
It solves the issue but it creates inconsistencies when we don't define the region - new regions won't be added - vs when we manually define it

[greedy52]

I like this approach. But I have one concern: Are we sure that DB agent/kube agent/discovery service will properly handle unknown region on their side without updating GO AWS SDK ? For instance if we will allow to use "unknown region by SDK in teleport v11 the request most likely will fail in Teleport Discovery Service due to updated v11 GO AWS SDK.

I've tested this fix on v13 where the SDK does not support il-central-1, and everything works fine for an RDS discovery in this new region (I've opened the new region in dev account).

Regular SDK calls can make endpoints with "unknown" regions, as long endpoints.StrictMatchingOption is not specified:

func TestEndpoint(t *testing.T) {                                
    resolver := endpoints.DefaultResolver()

    t.Run("default SDK behavior", func(t *testing.T) {
        endpoint, err := resolver.EndpointFor(rds.ServiceName, "xx-west-5")
        require.NoError(t, err)
        require.Equal(t, "https://rds.xx-west-5.amazonaws.com", endpoint.URL)
    })

    t.Run("strict", func(t *testing.T) {
        _, err := resolver.EndpointFor(rds.ServiceName, "xx-west-5", endpoints.StrictMatchingOption)
        // UnknownEndpointError: could not resolve endpoint
        // partition: "all partitions", service: "rds", region: "xx-west-5"
        require.Error(t, err)
    })
}

It solves the issue but it creates inconsistencies when we don't define the region - new regions won't be added - vs when we manually define it

It does create inconsistency. Consistency vs ease-of-use vs security. I don't mind doing the hard-coded list too. Or even an RFD?

[public-teleport-github-review-bot]

@greedy52 See the table below for backport results.

Branch	Result
branch/v12	Failed
branch/v13	Create PR
branch/v14	Create PR