CORS-4336: Support for AWS European Sovereign Cloud

[tthvo]

This PR adds support for the newly opened AWS European Sovereign Cloud (EUSC). The EUSC is a completely independent partition from global AWS Cloud, and the first available region is eusc-de-east-1 (Brandenburg, German).

As of now, eusc-de-east-1 is the only available region and will be the only supported one for openshift.

Notes

The eusc-de-east-1 endpoint resolution works out of the box in AWS SDK v2. For AWS SDK v1, this requires specifying custom service endpoints since the SDK v1 doesn't recognize the new partition and returns invalid URLs, especially for global services Route53 and IAM.

The installer will automatically populates the service endpoints in the install-config if unset and region is eusc-de-east-1 Note that we must also build a custom RHCOS AMI since the none has been published in this region (see guide).

platform:
  aws:
    region: eusc-de-east-1
    defaultMachinePlatform:
      # Build and use a custom AMI as public RHCOS AMI is not available in this region
      amiID: ami-1234567890

Once all openshift components migrate to AWS SDK v2, we will no longer need custom service endpoints. As of now,

References

• https://docs.aws.eu/esc/latest/userguide/introduction.html
• https://docs.aws.eu/general/latest/gr/endpoints.html
• https://access.redhat.com/solutions/7058799
• https://github.com/openshift/enhancements/blob/master/enhancements/installer/aws-eusc-partition.md

[openshift-ci-robot]

@tthvo: This pull request references CORS-4239 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds support for the newly opened AWS European Sovereign Cloud (EUSC). The EUSC is a completely independent partition from global AWS Cloud, and the first available region is eusc-de-east-1 (Brandenburg, German).

As of now, eusc-de-east-1 is the only available region and will be the only supported one for openshift.

Notes

The eusc-de-east-1 endpoint resolution works out of the box in AWS SDK v2. For AWS SDK v1, this requires specifying custom service endpoints since the SDK v1 doesn't recognize the new partition and returns invalid URLs, especially for global services Route53 and IAM.

We define the eusc-de-east-1 and specify the necessary custom service endpoints in the install-config.yaml as below. Note that we must also build a custom RHCOS AMI since the none has been published in this region (See guide).

platform:
 aws:
   region: eusc-de-east-1
   defaultMachinePlatform:
     # Build and use a custom AMI as public RHCOS AMI is not available in this region
     amiID: ami-1234567890
   serviceEndpoints:
   - name: ec2
     url: https://ec2.eusc-de-east-1.amazonaws.eu
   - name: elasticloadbalancing
     url: https://elasticloadbalancing.eusc-de-east-1.amazonaws.eu
   - name: s3
     url: https://s3.eusc-de-east-1.amazonaws.eu
   - name: route53
     url: https://route53.amazonaws.eu
   - name: iam
     url: https://iam.eusc-de-east-1.amazonaws.eu
   - name: sts
     url: https://sts.eusc-de-east-1.amazonaws.eu
   - name: tagging
     url: https://tagging.eusc-de-east-1.amazonaws.eu

Once all openshift components migrate to AWS SDK v2, we will no longer need custom service endpoints.

References

• https://docs.aws.eu/esc/latest/userguide/introduction.html
• https://docs.aws.eu/general/latest/gr/endpoints.html
• https://access.redhat.com/solutions/7058799

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/label platform/aws

[tthvo]

/cc @rna-afk
/jira cc-qa

[openshift-ci-robot]

@tthvo: This pull request references CORS-4239 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Requesting review from QA contact:
/cc @liweinan

Details

In response to this:

/cc @rna-afk
/jira cc-qa

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references CORS-4239 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

This PR covers the installer responsibility. For ingress, see openshift/cluster-ingress-operator#1360.

[liweinan]

I'll verify it today.

[liweinan]

Relative issue: https://issues.redhat.com/browse/PCO-1474

[liweinan]

@tthvo I don't have a valid account for this region right now. I'll keep an eye on it.

[tthvo]

/hold

Waiting on #10265 to not duplicate certain region and partition definitions.

[tthvo]

/test verify-vendor golint

[tthvo]

/retitle CORS-4336: Support for AWS European Sovereign Cloud

[openshift-ci-robot]

@tthvo: This pull request references CORS-4336 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds support for the newly opened AWS European Sovereign Cloud (EUSC). The EUSC is a completely independent partition from global AWS Cloud, and the first available region is eusc-de-east-1 (Brandenburg, German).

As of now, eusc-de-east-1 is the only available region and will be the only supported one for openshift.

Notes

The eusc-de-east-1 endpoint resolution works out of the box in AWS SDK v2. For AWS SDK v1, this requires specifying custom service endpoints since the SDK v1 doesn't recognize the new partition and returns invalid URLs, especially for global services Route53 and IAM.

We define the eusc-de-east-1 and specify the necessary custom service endpoints in the install-config.yaml as below. Note that we must also build a custom RHCOS AMI since the none has been published in this region (See guide).

platform:
 aws:
   region: eusc-de-east-1
   defaultMachinePlatform:
     # Build and use a custom AMI as public RHCOS AMI is not available in this region
     amiID: ami-1234567890
   serviceEndpoints:
   - name: ec2
     url: https://ec2.eusc-de-east-1.amazonaws.eu
   - name: elasticloadbalancing
     url: https://elasticloadbalancing.eusc-de-east-1.amazonaws.eu
   - name: s3
     url: https://s3.eusc-de-east-1.amazonaws.eu
   - name: route53
     url: https://route53.amazonaws.eu
   - name: iam
     url: https://iam.eusc-de-east-1.amazonaws.eu
   - name: sts
     url: https://sts.eusc-de-east-1.amazonaws.eu
   - name: tagging
     url: https://tagging.eusc-de-east-1.amazonaws.eu

Once all openshift components migrate to AWS SDK v2, we will no longer need custom service endpoints.

References

• https://docs.aws.eu/esc/latest/userguide/introduction.html
• https://docs.aws.eu/general/latest/gr/endpoints.html
• https://access.redhat.com/solutions/7058799

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references CORS-4336 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

[openshift-ci]

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0975dc00-0962-11f1-8d3a-01090aad877e-0

[tthvo]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-usgov-ipi-private-ep-fips-f7

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: efdc85e6-8a33-43ac-add7-4371ed2924f4

📥 Commits

Reviewing files that changed from the base of the PR and between b3e61d0 and ee1dd30.

📒 Files selected for processing (7)

• pkg/asset/installconfig/aws/endpoints.go
• pkg/destroy/aws/aws.go
• pkg/destroy/aws/shared.go
• pkg/infrastructure/aws/clusterapi/iam.go
• pkg/types/aws/defaults/platform.go
• pkg/types/aws/defaults/platform_test.go
• pkg/types/aws/regions.go

---

Walkthrough

This pull request introduces partition-aware AWS region handling, particularly for the EU Sovereign Cloud (EUSC) partition. It adds partition and region constants, a partition ID lookup function, filtering logic for unsupported untagging operations, and region-specific service endpoint defaults.

Changes

Cohort / File(s)	Summary
Region and Partition Constants pkg/types/aws/regions.go	Added AwsEuscPartitionID constant and EuscDeEast1RegionID constant to represent AWS Europe Sovereign Cloud partition and Germany region.
Partition Resolution pkg/asset/installconfig/aws/endpoints.go	Added GetPartitionIDForRegion function that resolves AWS endpoints and returns the PartitionID for a given region.
Cluster Uninstaller Enhancements pkg/destroy/aws/aws.go	Added PartitionID field and GetPartitionID method to ClusterUninstaller. Modified RunWithContext to perform partition-aware tagging region lookup and create assumed-role tagging clients dynamically. Expanded region-specific routing logic including new case for EuscDeEast1RegionID.
Untagging Filter Logic pkg/destroy/aws/shared.go	Added filterUnsupportedUntagResources helper method to exclude ARNs that cannot be untagged in specific regions (e.g., EUSC regions for Route53).
Service Principal Retrieval pkg/infrastructure/aws/clusterapi/iam.go	Replaced getPartitionDNSSuffix with getEC2ServicePrincipal function to dynamically obtain EC2 service principal from endpoint resolution, with partition-specific handling for EUSC partition.
Platform Defaults for EUSC pkg/types/aws/defaults/platform.go, platform_test.go	Added logic to populate default service endpoints for EUSC region as fallback for regions not yet supported by AWS SDK v2. Included test cases validating endpoint population for EUSC and non-EUSC regions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can enforce grammar and style rules using `languagetool`.

Configure the reviews.tools.languagetool setting to enable/disable rules and categories. Refer to the LanguageTool Community to learn more.

[tthvo]

/hold cancel

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/aws/OWNERS [patrickdillon]
• pkg/destroy/aws/OWNERS [patrickdillon]
• pkg/infrastructure/aws/OWNERS [patrickdillon]
• pkg/types/aws/OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

[openshift-ci]

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b9dba900-21d4-11f1-8a6a-1037f7630c8c-0

[tthvo]

Heads up, needs a rebase.

Thanks! The PR should be rebased now 🙏. I also just wanted to point out a few things:

1. The installer now populates the service endpoints for region eusc-de-east-1 automatically (see db0d82d). This means users can just use a minimal platform config:

   platform:
     aws:
       region: eusc-de-east-1
       defaultMachinePlatform:
         amiID: ami-123456789012 # Please use the pre-built AMI in our shared installer account

2. We still need to specify the amiID of an existing AMI in EU Sovereign Cloud while waiting on a public AMI to be published by RHCOS team.

3. For EUSC, the region for route 53 resources is eusc-de-east-1 (unless AWS changes that later 🙄)

4. For EUSC, we cannot untag shared hosted zone via resourcetagging API. Thus, for now (until AWS adds support), we will skip it and instruct the users to manually remove it (see ee1dd30).

5. Another follow-up PR will be opened to feature gate the install into EU Sovereign Cloud behind AWSEuropeanSovereignCloudInstall after o/api PR is merged.

[tthvo]

So far, I have successfully installed in EUSC with the following configurations:

Scenarios	Additional configuration	Status
Default minimal config	N/A	✔️
Ingress NLB type	platform.aws.lbType: NLB	✔️
BYO Private Hosted zone	platform.aws.hostedZone: <zoneID> and platform.aws.hostedZoneRole: <role-arn>	✔️
BYO KMS key (machine and persistent volume)	platform.aws.defaultMachinePlatform.rootVolume.kmsKeyARN: <arn>	✔️
BYO VPC and subnets	platform.aws.vpc.subnets: <object>	✔️

Set up

• Custom release payload, which includes ingress PR + o/api PR. The o/api commit is older than the actual PR, which allows aws-eusc regardless feature gate (for quick testing).
• Manual installer build from this PR

# Build the binary
$ ./hack/build.sh

# Copy the binary into an install dir with an existing install-config (region eusc-de-east-1)
$ export AWS_PROFILE=eusc
$ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=registry.build11.ci.openshift.org/ci-ln-sjdtf82/release:latest
$ ./openshift-install create cluster --dir=.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4336 which is a valid jira issue.

Details

In response to this:

This PR adds support for the newly opened AWS European Sovereign Cloud (EUSC). The EUSC is a completely independent partition from global AWS Cloud, and the first available region is eusc-de-east-1 (Brandenburg, German).

As of now, eusc-de-east-1 is the only available region and will be the only supported one for openshift.

Notes

The eusc-de-east-1 endpoint resolution works out of the box in AWS SDK v2. For AWS SDK v1, this requires specifying custom service endpoints since the SDK v1 doesn't recognize the new partition and returns invalid URLs, especially for global services Route53 and IAM.

The installer will automatically populates the service endpoints in the install-config if unset and region is eusc-de-east-1 Note that we must also build a custom RHCOS AMI since the none has been published in this region (see guide).

platform:
 aws:
   region: eusc-de-east-1
   defaultMachinePlatform:
     # Build and use a custom AMI as public RHCOS AMI is not available in this region
     amiID: ami-1234567890

Once all openshift components migrate to AWS SDK v2, we will no longer need custom service endpoints. As of now,

References

• https://docs.aws.eu/esc/latest/userguide/introduction.html
• https://docs.aws.eu/general/latest/gr/endpoints.html
• https://access.redhat.com/solutions/7058799
• https://github.com/openshift/enhancements/blob/master/enhancements/installer/aws-eusc-partition.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-usgov-ipi-private-ep-fips-f7

[openshift-ci]

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-usgov-ipi-private-ep-fips-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/40d27ec0-21da-11f1-8350-85b0f27a71ee-0

[tthvo]

/test okd-scos-images

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-dualstack-ipv4-primary-techpreview	f093d45	link	false	/test e2e-aws-ovn-dualstack-ipv4-primary-techpreview
ci/prow/e2e-aws-ovn-dualstack-ipv6-primary-techpreview	f093d45	link	false	/test e2e-aws-ovn-dualstack-ipv6-primary-techpreview
ci/prow/e2e-aws-ovn-heterogeneous	ee1dd30	link	false	/test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-ovn-edge-zones	ee1dd30	link	false	/test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[patrickdillon]

/lgtm

/verified by @patrickdillon

Tested with

apiVersion: v1
baseDomain: installer-eusc.devcluster.openshift.com
metadata:
  name: padillon-03191533
platform:
  aws:
    region: eusc-de-east-1
    amiID: ami-00a514af7b252a0f0
    propagateUserTags: true
    userTags:
      key: value

yq .status.platformStatus.aws.serviceEndpoints c/manifests/cluster-infrastructure-02-config.yml

- name: ec2
  url: https://ec2.eusc-de-east-1.amazonaws.eu
- name: elasticloadbalancing
  url: https://elasticloadbalancing.eusc-de-east-1.amazonaws.eu
- name: iam
  url: https://iam.eusc-de-east-1.amazonaws.eu
- name: route53
  url: https://route53.amazonaws.eu
- name: s3
  url: https://s3.eusc-de-east-1.amazonaws.eu
- name: sts
  url: https://sts.eusc-de-east-1.amazonaws.eu
- name: tagging
  url: https://tagging.eusc-de-east-1.amazonaws.eu

DNS record propagation is slow...

[openshift-ci-robot]

@patrickdillon: This PR has been marked as verified by @patrickdillon.

Details

In response to this:

/lgtm

/verified by @patrickdillon

Tested with

apiVersion: v1
baseDomain: installer-eusc.devcluster.openshift.com
metadata:
 name: padillon-03191533
platform:
 aws:
   region: eusc-de-east-1
   amiID: ami-00a514af7b252a0f0
   propagateUserTags: true
   userTags:
     key: value

yq .status.platformStatus.aws.serviceEndpoints c/manifests/cluster-infrastructure-02-config.yml

- name: ec2
 url: https://ec2.eusc-de-east-1.amazonaws.eu
- name: elasticloadbalancing
 url: https://elasticloadbalancing.eusc-de-east-1.amazonaws.eu
- name: iam
 url: https://iam.eusc-de-east-1.amazonaws.eu
- name: route53
 url: https://route53.amazonaws.eu
- name: s3
 url: https://s3.eusc-de-east-1.amazonaws.eu
- name: sts
 url: https://sts.eusc-de-east-1.amazonaws.eu
- name: tagging
 url: https://tagging.eusc-de-east-1.amazonaws.eu

DNS record propagation is slow...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/test shellcheck

[tthvo]

/test shellcheck

hmm?