FIPSEndpointStateEnabled option results in incorrect endpoint for us-gov-west-1 region

[bjs-code]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• I've gone though Developer Guide and API reference
• I've checked AWS Forums and StackOverflow for answers
• I've searched for previous similar issues and didn't find any solution

Describe the bug
Incorrect FIPS endpoint chosen for us-gov-west-1 region.
This appears to have been introduced with aws/aws-sdk-go#3938
We are attempting to use the UseFIPSEndpoint option introduced in the PR above, and targeting an ec2 endpoint in us-gov-west-1. According to both the documentation, and endpoints.json, the correct endpoint should be.
ec2.us-gov-west-1.amazonaws.com
However, with the flag in place the endpoint chosen is:
ec2-fips.us-gov-west-1.amazonaws.com which doesn't resolve

Version of AWS SDK for Go?
v1.42.1

Version of Go (go version)?
go1.16.3 darwin/amd64

To Reproduce (observed behavior)

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/endpoints"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
)

func main() {
	config := &aws.Config{
		Region:                        aws.String("us-west-gov-1"),
		CredentialsChainVerboseErrors: aws.Bool(true),
		UseFIPSEndpoint:               endpoints.FIPSEndpointStateEnabled,
	}

	sess := session.Must(session.NewSession(config))
	svc := ec2.New(sess)

	output, err := svc.DescribeImages(&ec2.DescribeImagesInput{
		ImageIds: []*string{aws.String("ami-12345678")},
	})

	fmt.Println(output, err)
}

Expected behavior
SDK uses correct endpoint, however
go run main.go
results in

{

} RequestError: send request failed
caused by: Post "https://ec2-fips.us-west-gov-1.amazonaws.com/": dial tcp: lookup ec2-fips.us-west-gov-1.amazonaws.com: no such host

Additional context

[jasonmfehr]

👍 we are also impacted by this bug.

[KaibaLopez]

Hi @bjs-code ,
Corrrect me if I'm wrong but...I think there is a bit of a confusion here, fips and gov regions are different things, and the way you are trying to define it is sort of combining them...
I guess it depends on what you mean by "SDK uses correct endpoint "

The endpoints should be either ec2.us-gov-west-1.amazonaws.com or ec2-fips.us-west-1.amazonaws.com, so if you change your code to :

Region:                        aws.String("us-west-1"),
CredentialsChainVerboseErrors: aws.Bool(true),
UseFIPSEndpoint:               endpoints.FIPSEndpointStateEnabled,

That should work for the fips region... give it a try and let me know if that works for you, or tell me if I misunderstood the issue here...

[bjs-code]

Hi @KaibaLopez , thanks for the response.

I understand the difference between fips and gov, and I believe that all gov endpoints are FIPS enabled anyway (hence the discrepancy between endpoint naming in different regions).

However, I still believe this is a bug. I guess it seems to me that the UseFIPSEndpoint option isn't very smart. Our application can deal with sensitive financial information, so we're always obliged to use FIPS endpoints in any region. The particular application where this issue was discovered takes the region (and account id) as an argument. I want to initialize the config with whichever region is passed to me, and to insist that FIPS is enabled, hence I would pass

Region: aws.String("us-gov-west-1"),
UseFIPSEndpoint: endpoints.FIPSEndpointStateEnabled,

and expect it to resolve to the correct FIPS endpoint (in fact the only endpoint) for us-gov-west-1, instead it generates an incorrect host name.

I could work around this by checking if the passed in region is a gov region and deliberately not setting UseFIPSEndpoint, or worse, setting it to disabled, but that does not sit well with me - it's illogical and would likely (and rightly) cause comment from people reviewing the code.

[KaibaLopez]

Ah, I see your point, sadly this is a known issue....Your workaround works or define a custom endpoint resolver, to meet your expected behavior.
But we can't really make the changes on the service endpoint models from the SDK...

[bjs-code]

Hi @KaibaLopez ,
Thanks for your reply. We are currently using a custom endpoint resolver, which is basically a fairly ugly series of switches that deal with various services and regions and generate the correct AWS endpoint, dealing with inconsistencies like IAM.

However, I feel that this should really be supported in the base SDK - I don't see why we should maintain logic that generates the correct endpoint for AWS services (which may change under us) when AWS should be in a better position to fully understand that!

I don't understand your last comment above though. I'm not expecting that we change anything regarding the endpoints, just that the SDK generate correct hostnames for those endpoints.

Would the change linked above (3 days ago) fix the issue?
jiegec/aws-sdk-go@45d6ce6#diff-783c87adfc4cf462f2451c6b5dd3078c96de3e6d29526e86cb6f086b0dcea90d