Skip to content

fix(audit): derive SigV4 aws_host from audit_api_url#224

Merged
brandonmontijo merged 5 commits into
mainfrom
bmontijo/derive-audit-aws-host
May 26, 2026
Merged

fix(audit): derive SigV4 aws_host from audit_api_url#224
brandonmontijo merged 5 commits into
mainfrom
bmontijo/derive-audit-aws-host

Conversation

@brandonmontijo

Copy link
Copy Markdown
Contributor

Summary

  • Derive the SigV4 aws_host in _post_audit_info from audit_api_url instead of the hardcoded prod hostname.
  • Add a test asserting the host passed to BotoAWSRequestsAuth matches the URL's hostname.

Without this, any audit_api_url override (e.g., for a per-environment audit API) signs requests for the prod host and fails auth at the destination API.

Part of a 4-PR sequence to stand up a separate audit API in amplify-devops-testing. This PR must be released and rolled out to the terraform-config runtime image before the matching .tf_wrapper override in terraform-config is merged.

Test plan

  • tox -e py39 passes.
  • After release, smoke-test by running terrawrap against a config dir that uses the default audit URL and confirm the prod audit API still works.
  • Verify in debug logs that aws_host resolves to the URL's hostname.

The SigV4 host was hardcoded to the prod audit API hostname, so any
audit_api_url override would fail auth against a different host. Derive
the host from the URL so wrapper configs can route different terraform
directories to different audit API endpoints.
@brandonmontijo brandonmontijo requested a review from a team as a code owner May 26, 2026 17:17
Without the scheme, urlparse('foo.bar').hostname returns None and the
test silently bypasses the real aws_host derivation.
@sonarqubecloud

Copy link
Copy Markdown

@brandonmontijo brandonmontijo merged commit 66cb2d6 into main May 26, 2026
12 of 13 checks passed
@brandonmontijo brandonmontijo deleted the bmontijo/derive-audit-aws-host branch May 26, 2026 21:14
kkozik-amplify pushed a commit that referenced this pull request May 27, 2026
…aws-host

fix(audit): derive SigV4 aws_host from audit_api_url
jconstance-amplify added a commit that referenced this pull request Jun 9, 2026
Add entries for version bumps that shipped without changelog notes: 0.10.24
(plan_check deletion fix, this PR) and 0.10.23 (504 Gateway Timeout retry,
PR #228). Relabel the existing multipath-SSM / tf_validate block to [0.10.22]
-- it was mislabeled [0.10.21]: the commit that added it (2bd33e2) landed
after the 0.10.21 bump, so it actually released as 0.10.22. Add the real
[0.10.21]: the `tf audit` SigV4 aws_host fix (PR #224), previously
undocumented.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants