Skip unauthorized AWS regions in multi-region fetches #2198
ravikiranvm wants to merge 2 commits into main from
Pull request overview
This PR addresses OPS-4065 by making multi-region AWS fetch workflows resilient to region-scoped authorization failures, skipping unauthorized/disabled regions instead of failing the entire operation.
Changes:
- Added shared utilities to detect AWS permission errors and aggregate array results across regions while skipping permission-denied regions.
- Updated OpenOps AWS EC2/EBS/RDS multi-region fetchers to use the new cross-region aggregation helper.
- Updated AWS Compute Optimizer clients to skip permission-denied regions/ARN-regions and added unit tests covering the new behavior.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/openops/src/lib/aws/fetch-arrays-across-regions.ts | New helper to aggregate per-region array fetches while skipping permission errors. |
| packages/openops/src/lib/aws/is-aws-permission-error.ts | New utility to classify AWS permission/authorization failures. |
| packages/openops/src/lib/aws/rds/rds-describe.ts | Uses shared cross-region fetch helper for snapshots/instances. |
| packages/openops/src/lib/aws/ec2/ec2-get-instances.ts | Uses shared cross-region fetch helper for instance retrieval. |
| packages/openops/src/lib/aws/ebs/get-ebs-volumes.ts | Uses shared cross-region fetch helper for volume retrieval. |
| packages/openops/src/lib/aws/ebs/get-ebs-snapshots.ts | Uses shared cross-region fetch helper for snapshot retrieval. |
| packages/openops/src/index.ts | Exports new AWS utilities for downstream consumers. |
| packages/openops/test/aws/fetch-arrays-across-regions.test.ts | Adds unit tests for cross-region aggregation + permission skipping. |
| packages/openops/test/aws/rds/rds-describe.test.ts | Adds RDS tests to ensure denied regions are skipped. |
| packages/openops/test/aws/ec2/ec2-get-instances.test.ts | Adds EC2 tests to ensure denied regions are skipped. |
| packages/openops/test/aws/ebs/ebs-get-volumes.test.ts | Adds EBS volume tests to ensure denied regions are skipped. |
| packages/openops/test/aws/ebs/ebs-get-snapshots.test.ts | Adds EBS snapshot tests to ensure denied regions are skipped. |
| packages/blocks/aws-compute-optimizer/src/lib/common/compute-optimizer-client.ts | Skips permission-denied regions when fetching recommendation summaries. |
| packages/blocks/aws-compute-optimizer/src/lib/common/compute-optimizer-ec2-client.ts | Skips permission-denied regions for EC2 recommendations (regions + ARNs). |
| packages/blocks/aws-compute-optimizer/src/lib/common/compute-optimizer-ebs-client.ts | Skips permission-denied regions for EBS recommendations (regions + ARNs). |
| packages/blocks/aws-compute-optimizer/test/compute-optimizer-client.test.ts | Adds tests for skipping denied regions in summary fetch. |
| packages/blocks/aws-compute-optimizer/test/compute-optimizer-ec2-client.test.ts | Adds tests for skipping denied regions in EC2 recommendation fetches. |
| packages/blocks/aws-compute-optimizer/test/compute-optimizer-ebs-client.test.ts | Adds tests for skipping denied regions in EBS recommendation fetches. |
| regions.map(fetchInstancesInRegion), | ||
| ); | ||
| return instancesFromAllRegions.flat(); | ||
| return fetchArraysAcrossRegions(regions, fetchInstancesInRegion); |
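Review bot: the new `return fetchArraysAcrossRegions(regions, fetchInstancesInRegion);` line gives callers only the merged array, so an instance inventory with denied regions left out looks identical to a complete one. Consider returning or logging the list of skipped regions alongside the instances, so a cost or security report built on this result can state which regions it did not cover.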
getEc2Instances still calls getAccountId/getAccountName using regions[0] before any per-region skipping happens. If the first region is unauthorized/disabled, the function will throw early and won't return results from other accessible regions. Consider deriving account metadata from the first region that succeeds (or using a fixed STS region) so permission-denied regions can truly be skipped.
| regions.map(fetchVolumesInRegion), | ||
| ); | ||
| return volumesFromAllRegions.flat(); | ||
| return fetchArraysAcrossRegions(regions, fetchVolumesInRegion); |
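Review bot: on the `return fetchArraysAcrossRegions(regions, fetchVolumesInRegion);` line, check what happens when every region in `regions` is denied. If the helper then returns an empty array, a misconfigured role is reported as "no volumes found"; failing with an error in that case (and adding a test for it) would keep a credentials problem from passing as a clean result.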
getEbsVolumes still fetches accountId/accountName using regions[0] before running the cross-region fetch. If the first region is unauthorized/disabled, the function will throw and won’t return volumes from other regions, undermining the new “skip unauthorized regions” behavior. Consider sourcing account metadata from a region that succeeds (or using a dedicated STS region) before/while aggregating results.
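A sketch of the cross-region aggregation pattern discussed in this PR, added here as an illustration and not taken from the PR or the OpenOps code base. All names (`fetchAcrossRegions`, `isPermissionError`, `sampleFetch`) are hypothetical, the error-code list is an assumed subset, and the per-region fetcher is a constructed stand-in for an SDK call.

```typescript
// Added illustration: hypothetical names, not the OpenOps helpers from this PR.
type RegionFetch<T> = (region: string) => Promise<T[]>;
interface CrossRegionResult<T> { items: T[]; skippedRegions: string[] }

// Assumed subset of the error codes AWS returns for denied or not-enabled regions.
const PERMISSION_ERROR_CODES = new Set<string>([
  'AccessDenied', 'AccessDeniedException', 'UnauthorizedOperation',
  'AuthFailure', 'OptInRequired',
]);

function isPermissionError(error: unknown): boolean {
  if (typeof error !== 'object' || error === null) return false;
  const { name, Code } = error as { name?: unknown; Code?: unknown };
  return [name, Code].some((c) => typeof c === 'string' && PERMISSION_ERROR_CODES.has(c));
}

async function fetchAcrossRegions<T>(
  regions: string[],
  fetchRegion: RegionFetch<T>,
): Promise<CrossRegionResult<T>> {
  const outcomes = await Promise.all(
    regions.map(async (region) => {
      try {
        return { region, items: await fetchRegion(region), denied: false };
      } catch (error) {
        // Throttling, network faults and bugs must still fail the run.
        if (!isPermissionError(error)) throw error;
        return { region, items: [] as T[], denied: true };
      }
    }),
  );
  const skippedRegions = outcomes.filter((o) => o.denied).map((o) => o.region);
  // An empty list must never mean "every region refused us".
  if (regions.length > 0 && skippedRegions.length === regions.length) {
    throw new Error(`All regions denied: ${skippedRegions.join(', ')}`);
  }
  const items = outcomes.reduce<T[]>((all, o) => all.concat(o.items), []);
  return { items, skippedRegions };
}

// Constructed sample: a fake per-region fetcher standing in for an SDK call.
async function sampleFetch(region: string): Promise<string[]> {
  if (region === 'me-south-1') {
    throw Object.assign(new Error('constructed denial'), { name: 'UnauthorizedOperation' });
  }
  if (region === 'eu-west-1') throw new Error('socket hang up');
  return [`i-${region}`];
}
```

Returning `skippedRegions` lets the caller record which regions a report does not cover, and only errors matching the permission list are skipped, so any other failure still fails the run.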



Fixes OPS-4065.
Additional Notes