From 1be7da11d3f4f764372f9de17936e13f04ba66fc Mon Sep 17 00:00:00 2001 
From: ljblakey <72445251+ljblakey@users.noreply.github.com> Date: Thu, 30 Jun 2022 13:03:13 +0100 Subject: [PATCH] ssm connection: pull bucket region info rather than taking from region var (#1176) SUMMARY Fix issue where syntax error is reported if using ssm connection and the target node is located in a different region to the s3 bucket. Fixes #1190, #637 ISSUE TYPE Bugfix Pull Request COMPONENT NAME aws_ssm connection plugin ADDITIONAL INFORMATION When using SSM for ansible connection and the target node is in a different region to the s3 bucket used, the playbook immediately errors with the following. (There are no issues when both target and s3 bucket are in the same region) fatal: [i-04444a7f03cc2bffd]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"ansible.legacy.setup": {"failed": true, "module_stderr": "", "module_stdout": " File \"/tmp/ansible/ansible-tmp-1653576081.8378458-29658-258097978113216/AnsiballZ_setup.py\", line 1\r\r\n \r\r\n ^\r\r\nSyntaxError: invalid syntax\r\r", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}}, "msg": "The following modules failed to execute: ansible.legacy.setup\n"} The tmp file has the following contents AuthorizationQueryParametersErrorError parsing the X-Amz-Credential parameter; the region 'us-east-1' is wrong; expecting 'eu-west-1'eu-west-14VTAGR4C1V9ATBJTOahjGsFQHlr3ihxobH/yyH7Mzxq98mwjcb6+J3Y2EifDU7FykCe8b6QJTNodIG5WSquVeJF+Zsk= Steps to reproduce: run an ansible playbook using the following: aws_ec2 inventory aws_ssm connection type specify an s3 bucket (ansible_aws_ssm_bucket_name var) that is in a different location to the target node The presigned url generated includes the region the s3 bucket is in, so this region must be used for the session obtained in the _get_url function. 
---
 .../fragments/1176-ssm-connection-plugin-region-fix.yml | 2 ++
 plugins/connection/aws_ssm.py | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/1176-ssm-connection-plugin-region-fix.yml
diff --git a/changelogs/fragments/1176-ssm-connection-plugin-region-fix.yml b/changelogs/fragments/1176-ssm-connection-plugin-region-fix.yml
new file mode 100644
index 00000000000..a88a5ba84e9
--- /dev/null
+++ b/changelogs/fragments/1176-ssm-connection-plugin-region-fix.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - aws_ssm - pull S3 bucket region for session generated for file transfer during playbooks (https://github.com/ansible-collections/community.aws/issues/1190).
diff --git a/plugins/connection/aws_ssm.py b/plugins/connection/aws_ssm.py
index 6e0d2a1ec60..e447e8cb8f0 100644
--- a/plugins/connection/aws_ssm.py
+++ b/plugins/connection/aws_ssm.py
@@ -534,7 +534,12 @@ def _flush_stderr(self, subprocess):
 def _get_url(self, client_method, bucket_name, out_path, http_method, profile_name, extra_args=None):
 ''' Generate URL for get_object / put_object '''
- region_name = self.get_option('region') or 'us-east-1'
+
+ bucket_location = boto3.client('s3').get_bucket_location(
+ Bucket=(self.get_option('bucket_name')),
+ )
+ region_name = bucket_location['LocationConstraint']
+
 client = self._get_boto_client('s3', region_name=region_name, profile_name=profile_name)
 params = {'Bucket': bucket_name, 'Key': out_path}
 if extra_args is not None:
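Review bot: The added `get_bucket_location` call in `_get_url` goes through a bare `boto3.client('s3')`, so the region lookup runs under the ambient default credential chain rather than the `profile_name` this function is given, and it reads `self.get_option('bucket_name')` instead of the `bucket_name` argument the presigned URL is built for. `LocationConstraint` is also returned as `None` for buckets in us-east-1, so the `or 'us-east-1'` fallback removed by this hunk is still needed. I would change the lookup to `bucket_location = self._get_boto_client('s3', profile_name=profile_name).get_bucket_location(Bucket=bucket_name)` followed by `region_name = bucket_location['LocationConstraint'] or 'us-east-1'`, assuming `_get_boto_client` accepts a call without `region_name` (its definition is outside the hunk). The calling identity now needs `s3:GetBucketLocation` on the bucket, which is worth stating in the plugin documentation and the changelog fragment. The body of `_get_url` continues past the end of the hunk.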