#8299 Consider opting in to new regions in Fedora AWS account
Closed: Fixed a month ago by kevin. Opened a month ago by bgilbert.

AWS regions launched after March 20, 2019 are not available to an AWS account unless an administrator explicitly enables them at the account level. As a result, we will not be able to publish Fedora CoreOS images to future regions without assistance from Fedora Infra. This currently affects ap-east-1 (Hong Kong) and me-south-1 (Bahrain).

Ideally Fedora CoreOS images would be available in every region where we're legally allowed to publish them. However, enabling a region also replicates IAM credentials into that region, and perhaps Infra would prefer those credentials not to be stored in some localities.

Should we enable new AWS regions, and under what conditions?


cc @davdunc @mattdm in case they have any input.

Ideally Fedora CoreOS images would be available in every region where we're legally allowed to publish them.

Agree

However, enabling a region also replicates IAM credentials into that region, and perhaps Infra would prefer those credentials not to be stored in some localities.

I'm not sure what you mean exactly. We couldn't use our existing credentials to upload to the new regions?

I'm not sure what you mean exactly. We couldn't use our existing credentials to upload to the new regions?

clarified - the IAM creds apply to all enabled regions, so we'd have to use the same ones everywhere if we want to use the same account. I'm +1 for this as we wouldn't have to change anything or request any new accounts.

So, I have enabled those two regions... but some questions:

  • Is there a way to be notified when new regions are available to be enabled (aside from logging in and checking the interface)?

  • I guess there's no way to just say 'enable any new regions that appear' ?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

a month ago

So, I have enabled those two regions... but some questions:

Is there a way to be notified when new regions are available to be enabled (aside from logging in and checking the interface)?

Not sure other than monitoring AWS marketing material or writing a script to ping the API.

I guess there's no way to just say 'enable any new regions that appear'

It doesn't appear so: https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/

Thanks @kevin!

Is there a way to be notified when new regions are available to be enabled (aside from logging in and checking the interface)?

https://github.com/coreos/mantle/pull/1102 teaches ore to list disabled regions, and https://github.com/coreos/fedora-coreos-pipeline/issues/152 requests a Fedora CoreOS pipeline job to complain if that list is non-empty.
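
A check of the kind described in the comment above, as an added example that is not part of the thread and is not the ore or pipeline code: it filters a response shaped like EC2 `DescribeRegions` (all regions included) and exits non-zero if any region still needs opt-in. The sample response, the `--live` flag and the `intentionally_disabled` allowlist are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws ec2 describe-regions --all-regions`
# output, trimmed to three regions; not captured from the Fedora account.
SAMPLE_RESPONSE = json.loads("""
{"Regions": [
  {"RegionName": "us-east-1",  "OptInStatus": "opt-in-not-required"},
  {"RegionName": "ap-east-1",  "OptInStatus": "opted-in"},
  {"RegionName": "me-south-1", "OptInStatus": "not-opted-in"}
]}
""")


def disabled_regions(response, intentionally_disabled=frozenset()):
    """Return sorted region names that are not enabled and are not on the
    (hypothetical) allowlist of regions deliberately left disabled."""
    pending = set()
    for region in response.get("Regions", []):
        name = region["RegionName"]
        # A missing or unrecognized status counts as disabled, so the check
        # fails loudly instead of silently passing.
        status = region.get("OptInStatus", "unknown")
        if status in ("opt-in-not-required", "opted-in"):
            continue
        if name not in intentionally_disabled:
            pending.add(name)
    return sorted(pending)


def fetch_regions():
    """Query the live account; needs boto3 and ec2:DescribeRegions."""
    import boto3  # imported lazily so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name="us-east-1")
    return ec2.describe_regions(AllRegions=True)


def main(argv):
    response = fetch_regions() if "--live" in argv else SAMPLE_RESPONSE
    pending = disabled_regions(response)
    if pending:
        print("regions awaiting opt-in: " + ", ".join(pending))
        return 1  # non-zero exit makes a pipeline job fail
    print("all visible regions are enabled")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Passing region names in `intentionally_disabled` keeps the check quiet for regions an administrator has decided not to enable.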

Is there a way to be notified when new regions are available to be enabled (aside from logging in and checking the interface)?

https://github.com/coreos/mantle/pull/1102 teaches ore to list disabled regions, and https://github.com/coreos/fedora-coreos-pipeline/issues/152 requests a Fedora CoreOS pipeline job to complain if that list is non-empty.

IOW - from the Fedora Infra side: wait until someone opens a ticket to request a new region?

IOW - from the Fedora Infra side: wait until someone opens a ticket to request a new region?

That's the proposal. Infra could handle the monitoring, if desired. It appears that there's no way to programmatically enable a region, so some manual intervention will be required anyway.

ok, fair enough then. Open tickets when you see any that should be enabled. :)

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

It appears that there's no way to programmatically enable a region, so some manual intervention will be required anyway.

I think the blog post I linked talked about being able to programmatically enable/disable: https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/. Not saying we want to go to that effort though.

@dustymabe Where are you seeing that? I'm only seeing information on enabling/disabling IAM access to enable regions through the web console.

@bgilbert - I didn't realize the IAM permissions only allowed for it to be done via the web console. I assumed there was an API that could be used. Sorry for the noise.
