fix(validator): accept new AWS regions like eu-central-2

paulbalaji · paulbalaji · commit fe9b2199a856 · 2026-04-23T18:25:57.000+01:00
rusoto_core 0.48.0 (abandoned) hardcodes the set of known AWS regions
and rejects anything launched after its last release, surfacing as
"Not a valid AWS region: eu-central-2" when parsing the validator's
checkpointSyncer config or the relayer's S3 storage location URL.

Replace the rusoto-based region validation with a format check (regex)
that accepts any well-formed AWS region string, so newer regions
(eu-central-2, ap-south-2, il-central-1, mx-central-1, ca-west-1, ...)
work without waiting on rusoto updates that will never come.
diff --git a/rust/main/Cargo.lock b/rust/main/Cargo.lock
diff --git a/rust/main/agents/validator/src/settings.rs b/rust/main/agents/validator/src/settings.rs
@@ -13,7 +13,7 @@ use hyperlane_base::{
     impl_loadable_from_settings,
     settings::{
         parser::{RawAgentConf, RawAgentSignerConf, ValueParser},
-        CheckpointSyncerConf, Settings, SignerConf,
+        validate_aws_region, CheckpointSyncerConf, Settings, SignerConf,
     },
 };
 use hyperlane_core::{
@@ -293,12 +293,12 @@ fn parse_checkpoint_syncer(syncer: ValueParser) -> ConfigResult<CheckpointSyncer
                 .parse_string()
                 .end()
                 .map(str::to_owned);
-            // Using rusoto_core::Region just to get some input validation
-            let region: Option<rusoto_core::Region> = syncer
+            let region: Option<String> = syncer
                 .chain(&mut err)
                 .get_key("region")
-                .parse_from_str("Expected aws region")
-                .end();
+                .parse_string()
+                .end()
+                .map(str::to_owned);
             let folder = syncer
                 .chain(&mut err)
                 .get_opt_key("folder")
@@ -307,9 +307,13 @@ fn parse_checkpoint_syncer(syncer: ValueParser) -> ConfigResult<CheckpointSyncer
                 .map(str::to_owned);
 
             cfg_unwrap_all!(&syncer.cwp, err: [bucket, region]);
+            if let Err(e) = validate_aws_region(&region) {
+                err.push(syncer.cwp.join("region"), e);
+                return Err(err);
+            }
             err.into_result(CheckpointSyncerConf::S3 {
                 bucket,
-                region: Region::new(region.name().to_owned()),
+                region: Region::new(region),
                 folder,
             })
         }
diff --git a/rust/main/hyperlane-base/Cargo.toml b/rust/main/hyperlane-base/Cargo.toml
@@ -31,6 +31,7 @@ maplit.workspace = true
 mockall.workspace = true
 paste.workspace = true
 prometheus.workspace = true
+regex.workspace = true
 rocksdb.workspace = true
 serde.workspace = true
 serde_json.workspace = true
diff --git a/rust/main/hyperlane-base/src/settings/checkpoint_syncer.rs b/rust/main/hyperlane-base/src/settings/checkpoint_syncer.rs
@@ -1,9 +1,10 @@
-use std::{env, path::PathBuf};
+use std::{env, path::PathBuf, sync::OnceLock};
 
 use aws_config::Region;
 use core::str::FromStr;
 use eyre::{eyre, Context, Report, Result};
 use prometheus::IntGauge;
+use regex::Regex;
 use tracing::error;
 use ya_gcp::{AuthFlow, ServiceAccountAuth};
 
@@ -14,6 +15,23 @@ use crate::{
     GCS_USER_SECRET,
 };
 
+/// Validates an AWS region string by format.
+///
+/// The canonical list is maintained by AWS
+/// (https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html)
+/// and grows over time, so we validate by shape rather than against a hardcoded
+/// allowlist — this is why `rusoto_core::Region::from_str` (abandoned crate) was
+/// rejecting valid regions like `eu-central-2`.
+pub fn validate_aws_region(region: &str) -> Result<()> {
+    static REGION_RE: OnceLock<Regex> = OnceLock::new();
+    let re = REGION_RE
+        .get_or_init(|| Regex::new(r"^[a-z]{2,3}(-[a-z]+)+-\d+$").expect("valid region regex"));
+    if !re.is_match(region) {
+        return Err(eyre!("Not a valid AWS region: {region}"));
+    }
+    Ok(())
+}
+
 /// Checkpoint Syncer types
 #[derive(Debug, Clone)]
 pub enum CheckpointSyncerConf {
@@ -76,18 +94,12 @@ impl FromStr for CheckpointSyncerConf {
                     3 .. => Ok((url_components[0], url_components[1], Some(url_components[2..].join("/")))),
                     _ => Err(eyre!("Error parsing storage location; could not split bucket, region and folder ({suffix})"))
                 }?;
+                validate_aws_region(region)
+                    .context("Invalid region when parsing storage location")?;
                 Ok(CheckpointSyncerConf::S3 {
                     bucket: bucket.into(),
                     folder,
-                    // Wildly, aws_config doesn't provide any client-side way to validate a region string, so while
-                    // we still have Rusoto around we just use that to validate the region string :)
-                    region: aws_config::Region::new(
-                        region
-                            .parse::<rusoto_core::Region>()
-                            .context("Invalid region when parsing storage location")?
-                            .name()
-                            .to_owned(),
-                    ),
+                    region: aws_config::Region::new(region.to_owned()),
                 })
             }
             "file" => Ok(CheckpointSyncerConf::LocalStorage {
@@ -290,4 +302,66 @@ mod test {
             _ => panic!("Expected a reorg event error"),
         }
     }
+
+    #[test]
+    fn test_validate_aws_region() {
+        use super::validate_aws_region;
+
+        for region in [
+            "us-east-1",
+            "us-east-2",
+            "us-west-2",
+            "eu-central-1",
+            "eu-central-2",
+            "eu-west-1",
+            "eu-north-1",
+            "ap-southeast-1",
+            "ap-southeast-7",
+            "ap-south-2",
+            "ca-west-1",
+            "il-central-1",
+            "me-central-1",
+            "mx-central-1",
+            "us-gov-east-1",
+            "us-iso-east-1",
+        ] {
+            assert!(
+                validate_aws_region(region).is_ok(),
+                "expected {region} to be accepted"
+            );
+        }
+
+        for region in [
+            "",
+            "US-EAST-1",
+            "us_east_1",
+            "us-east",
+            "useast1",
+            "us-east-1a",
+            "foo",
+        ] {
+            assert!(
+                validate_aws_region(region).is_err(),
+                "expected {region} to be rejected"
+            );
+        }
+    }
+
+    #[test]
+    fn test_parse_s3_storage_location_with_new_region() {
+        use super::*;
+        let conf = CheckpointSyncerConf::from_str("s3://my-bucket/eu-central-2/folder").unwrap();
+        match conf {
+            CheckpointSyncerConf::S3 {
+                bucket,
+                folder,
+                region,
+            } => {
+                assert_eq!(bucket, "my-bucket");
+                assert_eq!(folder.as_deref(), Some("folder"));
+                assert_eq!(region.as_ref(), "eu-central-2");
+            }
+            _ => panic!("Expected S3 checkpoint syncer"),
+        }
+    }
 }
