
Add Support for fips regions. (#2805)

Signed-off-by: Tom Elliot <thomas.elliot@acquia.com>
Tom Elliot 2 years ago
parent
commit
0612404f64
2 changed files with 77 additions and 12 deletions
  1. 12 3
      pkg/provider/aws/provider.go
  2. 65 9
      pkg/provider/aws/provider_test.go

+ 12 - 3
pkg/provider/aws/provider.go

@@ -97,9 +97,18 @@ func validateRegion(prov *esv1beta1.AWSProvider) error {
 	partitions := resolver.(endpoints.EnumPartitions).Partitions()
 	found := false
 	for _, p := range partitions {
-		for id := range p.Regions() {
-			if id == prov.Region {
-				found = true
+		var serviceskey string
+		if prov.Service == esv1beta1.AWSServiceSecretsManager {
+			serviceskey = "secretsmanager"
+		} else if prov.Service == esv1beta1.AWSServiceParameterStore {
+			serviceskey = "ssm"
+		}
+		service, ok := p.Services()[serviceskey]
+		if ok {
+			for region := range service.Endpoints() {
+				if region == prov.Region {
+					found = true
+				}
 			}
 		}
 	}
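Review bot: The service-key selection on the added `var serviceskey string` / `if`/`else if` lines is loop-invariant but is recomputed for every partition, and when `prov.Service` matches neither constant the key stays `""`, so `p.Services()[""]` misses and the store is presumably reported as having an unknown region rather than an unsupported service (the not-found handling sits below this hunk, as does the rest of validateRegion). Hoist the selection above the loop as a `switch` with a `default:` that returns an explicit error, so an empty or mistyped Service is diagnosed directly; the error wording should follow whatever the function already returns for an unknown region. Every existing case in provider_test.go now sets Service explicitly, which suggests stores that previously validated with only Region set would now fail — if Service is optional in the API, the `default:` branch (or a defaulting step earlier in the function) should preserve the old behavior for it. A `switch` also reads better than the cascaded `if` and lets `serviceskey` become `serviceKey`.
```go
// … unchanged: resolver / partitions setup …
var serviceKey string
switch prov.Service {
case esv1beta1.AWSServiceSecretsManager:
	serviceKey = "secretsmanager"
case esv1beta1.AWSServiceParameterStore:
	serviceKey = "ssm"
default:
	// assumes fmt is already imported by this file
	return fmt.Errorf("unsupported AWS service %q", prov.Service)
}
found := false
for _, p := range partitions {
	if service, ok := p.Services()[serviceKey]; ok {
		for region := range service.Endpoints() {
			if region == prov.Region {
				found = true
			}
		}
	}
}
// … unchanged: not-found handling …
```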

+ 65 - 9
pkg/provider/aws/provider_test.go

@@ -151,7 +151,11 @@ func TestProvider(t *testing.T) {
 	}
 }
 
-const validRegion = "eu-central-1"
+const (
+	validRegion                  = "eu-central-1"
+	validFipsSecretManagerRegion = "us-east-1-fips"
+	validFipsSsmRegion           = "fips-us-east-1"
+)
 
 func TestValidateStore(t *testing.T) {
 	type args struct {
@@ -178,13 +182,59 @@ func TestValidateStore(t *testing.T) {
 			},
 		},
 		{
-			name: "valid region",
+			name: "valid region secrets manager",
+			args: args{
+				store: &esv1beta1.SecretStore{
+					Spec: esv1beta1.SecretStoreSpec{
+						Provider: &esv1beta1.SecretStoreProvider{
+							AWS: &esv1beta1.AWSProvider{
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "valid region secrets manager",
+			args: args{
+				store: &esv1beta1.SecretStore{
+					Spec: esv1beta1.SecretStoreSpec{
+						Provider: &esv1beta1.SecretStoreProvider{
+							AWS: &esv1beta1.AWSProvider{
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "valid fips region secrets manager",
+			args: args{
+				store: &esv1beta1.SecretStore{
+					Spec: esv1beta1.SecretStoreSpec{
+						Provider: &esv1beta1.SecretStoreProvider{
+							AWS: &esv1beta1.AWSProvider{
+								Region:  validFipsSecretManagerRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "valid fips region parameter store",
 			args: args{
 				store: &esv1beta1.SecretStore{
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validFipsSsmRegion,
+								Service: esv1beta1.AWSServiceParameterStore,
 							},
 						},
 					},
@@ -199,7 +249,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									SecretRef: &esv1beta1.AWSAuthSecretRef{
 										AccessKeyID: esmeta.SecretKeySelector{
@@ -222,7 +273,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									SecretRef: &esv1beta1.AWSAuthSecretRef{
 										SecretAccessKey: esmeta.SecretKeySelector{
@@ -248,7 +300,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									SecretRef: &esv1beta1.AWSAuthSecretRef{
 										SecretAccessKey: esmeta.SecretKeySelector{
@@ -273,7 +326,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									SecretRef: &esv1beta1.AWSAuthSecretRef{
 										AccessKeyID: esmeta.SecretKeySelector{
@@ -298,7 +352,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									JWTAuth: &esv1beta1.AWSJWTAuth{
 										ServiceAccountRef: &esmeta.ServiceAccountSelector{
@@ -320,7 +375,8 @@ func TestValidateStore(t *testing.T) {
 					Spec: esv1beta1.SecretStoreSpec{
 						Provider: &esv1beta1.SecretStoreProvider{
 							AWS: &esv1beta1.AWSProvider{
-								Region: validRegion,
+								Region:  validRegion,
+								Service: esv1beta1.AWSServiceSecretsManager,
 								Auth: esv1beta1.AWSAuth{
 									JWTAuth: &esv1beta1.AWSJWTAuth{
 										ServiceAccountRef: &esmeta.ServiceAccountSelector{
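Review bot: The second added case named `"valid region secrets manager"` is a byte-for-byte duplicate of the first (same Region `validRegion`, same `Service: esv1beta1.AWSServiceSecretsManager`), so it exercises nothing new; given the surrounding cases it looks like it was meant to cover the non-FIPS Parameter Store path, i.e. `name: "valid region parameter store",` with `Service: esv1beta1.AWSServiceParameterStore,`. The table also has no case for a store whose Service is empty or unrecognized, which is exactly the path the new lookup in validateRegion handles differently from before — a case pinning the expected outcome there (error or not) would document the intended compatibility behavior. TestValidateStore continues past this hunk.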