Fix broken multi-account/multi-region functionality (#9541)

viren-nadkarni · web-flow · commit 177773bf0814 · 2023-11-20T17:51:43.000+05:30
diff --git a/localstack/services/kinesis/provider.py b/localstack/services/kinesis/provider.py
@@ -151,6 +151,7 @@ def put_record(
         sequence_number_for_ordering: SequenceNumber = None,
         stream_arn: StreamARN = None,
     ) -> PutRecordOutput:
+        # TODO: Ensure use of `stream_arn` works. Currently kinesis-mock only works with ctx request account ID and region
         if random() < config.KINESIS_ERROR_PROBABILITY:
             raise ProvisionedThroughputExceededException(
                 "Rate exceeded for shard X in stream Y under account Z."
@@ -166,6 +167,7 @@ def put_records(
         stream_name: StreamName = None,
         stream_arn: StreamARN = None,
     ) -> PutRecordsOutput:
+        # TODO: Ensure use of `stream_arn` works. Currently kinesis-mock only works with ctx request account ID and region
         if random() < config.KINESIS_ERROR_PROBABILITY:
             records_count = len(records) if records is not None else 0
             records = [
diff --git a/localstack/services/logs/provider.py b/localstack/services/logs/provider.py
@@ -11,7 +11,6 @@
 from moto.logs.models import LogGroup as MotoLogGroup
 from moto.logs.models import LogStream as MotoLogStream
 
-from localstack.aws.accounts import get_aws_account_id
 from localstack.aws.api import CommonServiceException, RequestContext, handler
 from localstack.aws.api.logs import (
     AmazonResourceName,
@@ -40,7 +39,7 @@
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
 from localstack.utils.aws import arns
-from localstack.utils.aws.arns import extract_region_from_arn
+from localstack.utils.aws.client_types import ServicePrincipal
 from localstack.utils.bootstrap import is_api_enabled
 from localstack.utils.common import is_number
 from localstack.utils.patch import patch
@@ -247,46 +246,61 @@ def moto_put_subscription_filter(fn, self, *args, **kwargs):
     role_arn = args[4]
 
     log_group = self.groups.get(log_group_name)
+    log_group_arn = arns.log_group_arn(log_group_name, self.account_id, self.region_name)
 
     if not log_group:
         raise ResourceNotFoundException("The specified log group does not exist.")
 
+    arn_data = arns.parse_arn(destination_arn)
+
+    if role_arn:
+        factory = connect_to.with_assumed_role(
+            role_arn=role_arn, service_principal=ServicePrincipal.logs
+        )
+    else:
+        factory = connect_to(aws_access_key_id=arn_data["account"], region_name=arn_data["region"])
+
     if ":lambda:" in destination_arn:
-        client = connect_to(region_name=extract_region_from_arn(destination_arn)).lambda_
-        lambda_name = arns.lambda_function_name(destination_arn)
+        client = factory.lambda_.request_metadata(
+            source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+        )
         try:
-            client.get_function(FunctionName=lambda_name)
+            client.get_function(FunctionName=destination_arn)
         except Exception:
             raise InvalidParameterException(
                 "destinationArn for vendor lambda cannot be used with roleArn"
             )
 
     elif ":kinesis:" in destination_arn:
-        client = connect_to().kinesis
+        client = factory.kinesis.request_metadata(
+            source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+        )
         stream_name = arns.kinesis_stream_name(destination_arn)
         try:
+            # Kinesis-Local DescribeStream does not support StreamArn param, so use StreamName instead
             client.describe_stream(StreamName=stream_name)
         except Exception:
             raise InvalidParameterException(
-                "Could not deliver test message to specified Kinesis stream. "
-                "Check if the given kinesis stream is in ACTIVE state. "
+                "Could not deliver message to specified Kinesis stream. "
+                "Ensure that the Kinesis stream exists and is ACTIVE."
             )
 
     elif ":firehose:" in destination_arn:
-        client = connect_to().firehose
+        client = factory.firehose.request_metadata(
+            source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+        )
         firehose_name = arns.firehose_name(destination_arn)
         try:
             client.describe_delivery_stream(DeliveryStreamName=firehose_name)
         except Exception:
             raise InvalidParameterException(
-                "Could not deliver test message to specified Firehose stream. "
-                "Check if the given Firehose stream is in ACTIVE state."
+                "Could not deliver message to specified Firehose stream. "
+                "Ensure that the Firehose stream exists and is ACTIVE."
             )
 
     else:
-        service = arns.extract_service_from_arn(destination_arn)
         raise InvalidParameterException(
-            f"PutSubscriptionFilter operation cannot work with destinationArn for vendor {service}"
+            f"PutSubscriptionFilter operation cannot work with destinationArn for vendor {arn_data['service']}"
         )
 
     if filter_pattern:
@@ -329,7 +343,7 @@ def moto_put_log_events(self: "MotoLogStream", log_events):
 
             data = {
                 "messageType": "DATA_MESSAGE",
-                "owner": get_aws_account_id(),
+                "owner": self.account_id,  # AWS Account ID of the originating log data
                 "logGroup": self.log_group.name,
                 "logStream": self.log_stream_name,
                 "subscriptionFilters": [subscription_filter.name],
@@ -342,20 +356,39 @@ def moto_put_log_events(self: "MotoLogStream", log_events):
             payload_gz_encoded = output.getvalue()
             event = {"awslogs": {"data": base64.b64encode(output.getvalue()).decode("utf-8")}}
 
+            log_group_arn = arns.log_group_arn(self.log_group.name, self.account_id, self.region)
+            arn_data = arns.parse_arn(destination_arn)
+
+            if subscription_filter.role_arn:
+                factory = connect_to.with_assumed_role(
+                    role_arn=subscription_filter.role_arn, service_principal=ServicePrincipal.logs
+                )
+            else:
+                factory = connect_to(
+                    aws_access_key_id=arn_data["account"], region_name=arn_data["region"]
+                )
+
             if ":lambda:" in destination_arn:
-                client = connect_to(region_name=extract_region_from_arn(destination_arn)).lambda_
-                lambda_name = arns.lambda_function_name(destination_arn)
-                client.invoke(FunctionName=lambda_name, Payload=json.dumps(event))
+                client = factory.lambda_.request_metadata(
+                    source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+                )
+                client.invoke(FunctionName=destination_arn, Payload=json.dumps(event))
+
             if ":kinesis:" in destination_arn:
-                client = connect_to().kinesis
+                client = factory.kinesis.request_metadata(
+                    source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+                )
                 stream_name = arns.kinesis_stream_name(destination_arn)
                 client.put_record(
                     StreamName=stream_name,
                     Data=payload_gz_encoded,
                     PartitionKey=self.log_group.name,
                 )
+
             if ":firehose:" in destination_arn:
-                client = connect_to().firehose
+                client = factory.firehose.request_metadata(
+                    source_arn=log_group_arn, service_principal=ServicePrincipal.logs
+                )
                 firehose_name = arns.firehose_name(destination_arn)
                 client.put_record(
                     DeliveryStreamName=firehose_name,
diff --git a/localstack/utils/aws/client_types.py b/localstack/utils/aws/client_types.py
@@ -240,6 +240,7 @@ class ServicePrincipal(str):
     events = "events"
     firehose = "firehose"
     lambda_ = "lambda"
+    logs = "logs"
     s3 = "s3"
     sns = "sns"
     sqs = "sqs"
diff --git a/tests/aws/services/dynamodb/test_dynamodb.py b/tests/aws/services/dynamodb/test_dynamodb.py
@@ -16,7 +16,7 @@
 from localstack.testing.pytest import markers
 from localstack.testing.snapshots.transformer import SortingTransformer
 from localstack.utils import testutil
-from localstack.utils.aws import arns, aws_stack, queries, resources
+from localstack.utils.aws import arns, queries, resources
 from localstack.utils.aws.resources import create_dynamodb_table
 from localstack.utils.common import json_safe, long_uid, retry, short_uid
 from localstack.utils.sync import poll_condition, wait_until
@@ -218,7 +218,7 @@ def test_stream_spec_and_region_replacement(self, aws_client):
         table = aws_client.dynamodb.describe_table(TableName=table_name)["Table"]
 
         # assert ARN formats
-        expected_arn_prefix = "arn:aws:dynamodb:" + aws_stack.get_local_region()
+        expected_arn_prefix = "arn:aws:dynamodb:" + TEST_AWS_REGION_NAME
         assert table["TableArn"].startswith(expected_arn_prefix)
         assert table["LatestStreamArn"].startswith(expected_arn_prefix)
 
diff --git a/tests/aws/services/logs/test_logs.py b/tests/aws/services/logs/test_logs.py
@@ -6,7 +6,7 @@
 import pytest
 
 from localstack.aws.api.lambda_ import Runtime
-from localstack.constants import APPLICATION_AMZ_JSON_1_1, AWS_REGION_US_EAST_1
+from localstack.constants import APPLICATION_AMZ_JSON_1_1, TEST_AWS_REGION_NAME
 from localstack.testing.pytest import markers
 from localstack.testing.snapshots.transformer import KeyValueBasedTransformer
 from localstack.utils import testutil
@@ -17,7 +17,7 @@
 logs_role = {
     "Statement": {
         "Effect": "Allow",
-        "Principal": {"Service": f"logs.{AWS_REGION_US_EAST_1}.amazonaws.com"},
+        "Principal": {"Service": f"logs.{TEST_AWS_REGION_NAME}.amazonaws.com"},
         "Action": "sts:AssumeRole",
     }
 }
@@ -206,7 +206,7 @@ def test_create_and_delete_log_stream(self, logs_log_group, aws_client, snapshot
             logGroupIdentifier=arns.log_group_arn(
                 logs_log_group,
                 account_id=aws_client.sts.get_caller_identity()["Account"],
-                region_name=AWS_REGION_US_EAST_1,
+                region_name=TEST_AWS_REGION_NAME,
             )
         ).get("logStreams")
         snapshot.match("log_group_identifier-arn", response)
@@ -287,9 +287,9 @@ def test_put_subscription_filter_lambda(
         result = aws_client.lambda_.add_permission(
             FunctionName=test_lambda_name,
             StatementId=test_lambda_name,
-            Principal=f"logs.{AWS_REGION_US_EAST_1}.amazonaws.com",
+            Principal=f"logs.{TEST_AWS_REGION_NAME}.amazonaws.com",
             Action="lambda:InvokeFunction",
-            SourceArn=f"arn:aws:logs:{AWS_REGION_US_EAST_1}:{account_id}:log-group:{logs_log_group}:*",
+            SourceArn=f"arn:aws:logs:{TEST_AWS_REGION_NAME}:{account_id}:log-group:{logs_log_group}:*",
             SourceAccount=account_id,
         )
 
diff --git a/tests/aws/services/s3/test_s3.py b/tests/aws/services/s3/test_s3.py
@@ -55,6 +55,7 @@
 from localstack.testing.snapshots.transformer_utility import TransformerUtility
 from localstack.utils import testutil
 from localstack.utils.aws import aws_stack
+from localstack.utils.aws.resources import create_s3_bucket
 from localstack.utils.files import load_file
 from localstack.utils.run import run
 from localstack.utils.server import http2_server
@@ -5446,31 +5447,33 @@ def secondary_client(self, secondary_aws_client):
         return secondary_aws_client.s3
 
     @markers.aws.unknown
-    def test_shared_bucket_namespace(self, primary_client, secondary_client):
+    def test_shared_bucket_namespace(self, primary_client, secondary_client, cleanups):
+        bucket_name = short_uid()
+
         # Ensure that the bucket name space is shared by all accounts and regions
-        primary_client.create_bucket(Bucket="foo")
+        create_s3_bucket(bucket_name=bucket_name, s3_client=primary_client)
+        cleanups.append(lambda: primary_client.delete_bucket(Bucket=bucket_name))
 
         with pytest.raises(ClientError) as exc:
-            secondary_client.create_bucket(
-                Bucket="foo",
-                CreateBucketConfiguration={"LocationConstraint": SECONDARY_TEST_AWS_REGION_NAME},
-            )
+            create_s3_bucket(bucket_name=bucket_name, s3_client=secondary_client)
         exc.match("BucketAlreadyExists")
 
     @markers.aws.unknown
-    def test_cross_account_access(self, primary_client, secondary_client):
+    def test_cross_account_access(self, primary_client, secondary_client, cleanups):
         # Ensure that following operations can be performed across accounts
         # - ListObjects
         # - PutObject
         # - GetObject
 
-        bucket_name = "foo"
+        bucket_name = short_uid()
         key_name = "lorem/ipsum"
         body1 = b"zaphod beeblebrox"
         body2 = b"42"
 
         # First user creates a bucket and puts an object
-        primary_client.create_bucket(Bucket=bucket_name)
+        create_s3_bucket(bucket_name=bucket_name, s3_client=primary_client)
+        cleanups.append(lambda: primary_client.delete_bucket(Bucket=bucket_name))
+
         response = primary_client.list_buckets()
         assert bucket_name in [bucket["Name"] for bucket in response["Buckets"]]
         primary_client.put_object(Bucket=bucket_name, Key=key_name, Body=body1)
diff --git a/tests/aws/services/sqs/test_sqs.py b/tests/aws/services/sqs/test_sqs.py
@@ -12,7 +12,6 @@
 from localstack import config
 from localstack.aws.api.lambda_ import Runtime
 from localstack.constants import (
-    DEFAULT_AWS_ACCOUNT_ID,
     SECONDARY_TEST_AWS_ACCESS_KEY_ID,
     SECONDARY_TEST_AWS_ACCOUNT_ID,
     SECONDARY_TEST_AWS_SECRET_ACCESS_KEY,
@@ -3771,7 +3770,12 @@ def test_get_queue_attributes_all(self, sqs_create_queue, sqs_http_client):
         assert queue_url.split("/")[-1] in response.text
 
     @markers.aws.only_localstack
-    def test_get_queue_attributes_works_without_authparams(self, sqs_create_queue):
+    @pytest.mark.parametrize("strategy", ["standard", "domain", "path"])
+    def test_get_queue_attributes_works_without_authparams(
+        self, monkeypatch, sqs_create_queue, strategy
+    ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue()
         response = requests.get(
             queue_url,
@@ -4021,6 +4025,7 @@ def test_get_queue_url_works_for_same_queue(
             params={
                 "Action": "GetQueueUrl",
                 "QueueName": queue_url.split("/")[-1],
+                "QueueOwnerAWSAccountId": TEST_AWS_ACCOUNT_ID,
             },
         )
         assert f"<QueueUrl>{queue_url}</QueueUrl>" in response.text
@@ -4042,6 +4047,7 @@ def test_get_queue_url_work_for_different_queue(
             params={
                 "Action": "GetQueueUrl",
                 "QueueName": queue2_url.split("/")[-1],
+                "QueueOwnerAWSAccountId": TEST_AWS_ACCOUNT_ID,
             },
         )
         assert f"<QueueUrl>{queue2_url}</QueueUrl>" in response.text
@@ -4254,7 +4260,7 @@ def test_cross_account_get_queue_url(
         queue_name = f"test-queue-cross-account-{short_uid()}"
         queue_url = sqs_create_queue(QueueName=queue_name)
         account_id, region_name, queue_name_from_url = parse_queue_url(queue_url)
-        assert account_id == DEFAULT_AWS_ACCOUNT_ID
+        assert account_id == TEST_AWS_ACCOUNT_ID
         assert region_name == TEST_AWS_REGION_NAME
         assert queue_name_from_url == queue_name
 
diff --git a/tests/aws/services/sqs/test_sqs_backdoor.py b/tests/aws/services/sqs/test_sqs_backdoor.py
@@ -94,6 +94,8 @@ def test_list_messages_as_botocore_endpoint_url(
     def test_fifo_list_messages_as_botocore_endpoint_url(
         self, sqs_create_queue, aws_client, aws_client_factory, monkeypatch, strategy
     ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue(
             QueueName=f"queue-{short_uid()}.fifo",
             Attributes={
@@ -130,6 +132,8 @@ def test_fifo_list_messages_as_botocore_endpoint_url(
     def test_list_messages_with_invalid_action_raises_error(
         self, sqs_create_queue, aws_client_factory, monkeypatch, strategy
     ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue()
 
         client = aws_client_factory(
@@ -183,6 +187,8 @@ def test_list_messages_as_json(self, sqs_create_queue, monkeypatch, aws_client,
     def test_list_messages_with_invisible_messages(
         self, sqs_create_queue, aws_client, monkeypatch, strategy
     ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue()
 
         aws_client.sqs.send_message(QueueUrl=queue_url, MessageBody="message-1")
@@ -224,6 +230,8 @@ def test_list_messages_with_invisible_messages(
     def test_list_messages_with_delayed_messages(
         self, sqs_create_queue, aws_client, monkeypatch, strategy
     ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue()
 
         aws_client.sqs.send_message(QueueUrl=queue_url, MessageBody="message-1")
@@ -259,6 +267,8 @@ def test_list_messages_with_delayed_messages(
     @markers.aws.only_localstack
     @pytest.mark.parametrize("strategy", ["standard", "domain", "path"])
     def test_list_messages_without_queue_url(self, aws_client, monkeypatch, strategy):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         # makes sure the service is loaded when running the test individually
         aws_client.sqs.list_queues()
 
@@ -275,6 +285,8 @@ def test_list_messages_without_queue_url(self, aws_client, monkeypatch, strategy
     @markers.aws.only_localstack
     @pytest.mark.parametrize("strategy", ["standard", "domain", "path"])
     def test_list_messages_with_invalid_queue_url(self, aws_client, monkeypatch, strategy):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         # makes sure the service is loaded when running the test individually
         aws_client.sqs.list_queues()
 
@@ -289,6 +301,8 @@ def test_list_messages_with_invalid_queue_url(self, aws_client, monkeypatch, str
     @markers.aws.only_localstack
     @pytest.mark.parametrize("strategy", ["standard", "domain", "path"])
     def test_list_messages_with_non_existent_queue(self, aws_client, monkeypatch, strategy):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         # makes sure the service is loaded when running the test individually
         aws_client.sqs.list_queues()
 
@@ -316,6 +330,8 @@ def test_list_messages_with_non_existent_queue(self, aws_client, monkeypatch, st
     def test_list_messages_with_queue_url_in_path(
         self, sqs_create_queue, aws_client, monkeypatch, strategy
     ):
+        monkeypatch.setattr(config, "SQS_ENDPOINT_STRATEGY", strategy)
+
         queue_url = sqs_create_queue()
 
         aws_client.sqs.send_message(QueueUrl=queue_url, MessageBody="message-1")
diff --git a/tests/aws/services/stepfunctions/legacy/test_stepfunctions_legacy.py b/tests/aws/services/stepfunctions/legacy/test_stepfunctions_legacy.py
diff --git a/tests/aws/test_integration.py b/tests/aws/test_integration.py
