From 52ca6cd236eab61c371a55dde7e019b70a6f7167 Mon Sep 17 00:00:00 2001
From: kangaechu
Date: Tue, 3 Sep 2024 16:47:50 +0900
Subject: [PATCH] Respect the AWS_STS_REGIONAL_ENDPOINTS parameter

This modification allows the use of STS regionalized endpoints by specifying the AWS_STS_REGIONAL_ENDPOINTS=regional environment variable. AWS STS has global and per-region endpoints. https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html AWS recommends STS regionalized endpoints (AWS_STS_REGIONAL_ENDPOINTS=regional), but defaults to STS global endpoints (AWS_STS_REGIONAL_ENDPOINTS=legacy ). On August 29, 2024, an AWS STS failure occurred and requests using the STS global endpoints failed. This failure did not affect requests using STS Regionalized endpoints. The current implementation uses AWS SecurityTokenServiceClient when creating sts clients. This method is deprecated and does not read the STS endpoint configuration. Instead, the AWSsecurityTokenServiceClientBuilder is used to allow the STS endpoint settings to be respected.
---
 .../resources/ec2/EC2ResourceModelSource.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSource.java b/src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSource.java
index 5875983e..dfaa08e2 100644
--- a/src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSource.java
+++ b/src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSource.java
@@ -25,7 +25,8 @@
 import com.amazonaws.auth.*;
 import com.amazonaws.ClientConfiguration;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
 import com.amazonaws.services.securitytoken.model.*;
 import com.dtolabs.rundeck.core.common.*;
 import com.dtolabs.rundeck.core.plugins.configuration.ConfigurationException;
@@ -248,14 +249,18 @@ private void initialize() {
 }
 private AWSCredentials createAwsCredentials(AWSCredentialsProvider provider, String assumeRoleArn, String externalId) {
- AWSSecurityTokenServiceClient sts_client;
+ AWSSecurityTokenService sts_client;
 if (provider != null) {
- sts_client = new AWSSecurityTokenServiceClient(provider, clientConfiguration);
+ sts_client = AWSSecurityTokenServiceClientBuilder.standard()
+ .withCredentials(provider)
+ .withClientConfiguration(clientConfiguration)
+ .build();
 } else {
- sts_client = new AWSSecurityTokenServiceClient(clientConfiguration);
+ sts_client = AWSSecurityTokenServiceClientBuilder.standard()
+ .withClientConfiguration(clientConfiguration)
+ .build();
 }
- // sts_client.setEndpoint("sts-endpoint.amazonaws.com");
 AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
 assumeRoleRequest.setRoleArn(assumeRoleArn);
 if(externalId!=null){
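Review bot: Neither new builder chain in createAwsCredentials sets a region, and AWSSecurityTokenServiceClientBuilder.build() throws SdkClientException when the default region provider chain (environment, profile, instance metadata) resolves nothing, whereas the replaced AWSSecurityTokenServiceClient constructors silently used the global endpoint; on a Rundeck host with no region configured the plugin will now fail at `.build()` rather than at the AssumeRole call. If the plugin already carries a region for its EC2 client (that configuration is outside this hunk, so I am inferring it), passing it explicitly with `.withRegion(region)` on both chains pins the STS endpoint to the same region the assumed-role credentials are used in and makes AWS_STS_REGIONAL_ENDPOINTS=regional behave deterministically instead of depending on host-level settings. The two branches differ only by `.withCredentials(provider)`; building one `AWSSecurityTokenServiceClientBuilder` with the client configuration, calling `withCredentials` conditionally, and invoking a single `.build()` would remove the duplicated chain. The `sts_client` name is carried over from the old code, but since the declaration is rewritten here it could become `stsClient` to match Java naming. createAwsCredentials continues beyond the end of the hunk.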