Better handle non-us-east-1 project regions (#980)

sean-navapbc · Sean Thomas · web-flow · commit 47e0872b7487 · 2026-01-22T22:42:48.000-05:00
## Ticket Resolves #947 ## Summary Enables projects to use non-us-east-1 regions by ensuring region-sensitive resources are handled correctly. ## Changes - Added `aws.us-east-1` provider alias in network layer - DNS query logging resources use us-east-1 provider (AWS requirement - Route53 query logs can only be sent to CloudWatch in us-east-1) - ACM certificates remain in the default region (must match ALB region) - Route53 zone and records use default region (global service, API works from any region) - Updated CI tests to use us-east-2 to validate multi-region support - Updated `bin/set-up-current-account` to get region from project config for consistency ## Testing - Tested on platform-test (dev network) with `manage_dns=true` and multiple apps with `enable_https=true` - Terraform plan shows no unexpected changes to existing resources - CI tests run against us-east-2 to verify non-us-east-1 region support --------- Co-authored-by: Sean Thomas <sean.thomas@navapbc.com>
diff --git a/.github/workflows/template-only-ci-infra.yml b/.github/workflows/template-only-ci-infra.yml
@@ -71,7 +71,7 @@ jobs:
           --data base_project_name="${project_name}" \
           --data base_owner=platform-admins \
           --data base_code_repository_url=${{ github.repositoryUrl }} \
-          --data base_default_region=us-east-1 \
+          --data base_default_region=us-east-2 \
           --data app_name=app \
           --data app_local_port=3000 \
           --data app_has_dev_env_setup=true \
@@ -88,7 +88,7 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-region: us-east-1
+          aws-region: us-east-2
 
           # Use access key credentials for the template infra test workflow
           # instead of using GitHub OIDC because only one GitHub OIDC provider
diff --git a/bin/set-up-current-account b/bin/set-up-current-account
@@ -25,11 +25,12 @@ set -euo pipefail
 account_name="$1"
 
 account_id=$(./bin/current-account-id)
-region=$(./bin/current-region)
 
-# Get project name
+# Get project name and region from project config
+# This ensures consistency with how terraform computes the bucket name
 terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
 project_name=$(terraform -chdir="infra/project-config" output --raw project_name)
+region=$(terraform -chdir="infra/project-config" output --raw default_region)
 
 tf_state_bucket_name="${project_name}-${account_id}-${region}-tf"
 tf_state_key="infra/account.tfstate"
diff --git a/infra/modules/domain/resources/certificates.tf b/infra/modules/domain/resources/certificates.tf
@@ -27,6 +27,7 @@ locals {
 }
 
 # ACM certificate that will be used by the load balancer.
+# This must be in the same region as the ALB.
 resource "aws_acm_certificate" "issued" {
   for_each = local.issued_certificate_configs
 
diff --git a/infra/modules/domain/resources/main.tf b/infra/modules/domain/resources/main.tf
@@ -1,3 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      configuration_aliases = [aws, aws.us-east-1]
+    }
+  }
+}
+
 # Create a Route53 hosted zone for the domain.
 # Individual address records will be created in the service layer by the services that
 # need them (e.g. the load balancer or CDN).
diff --git a/infra/modules/domain/resources/query_logs.tf b/infra/modules/domain/resources/query_logs.tf
@@ -1,6 +1,8 @@
 # DNS query logging
 
 resource "aws_cloudwatch_log_group" "dns_query_logging" {
+  provider = aws.us-east-1
+
   count = var.manage_dns ? 1 : 0
 
   name              = "/dns/${var.name}"
@@ -36,6 +38,8 @@ data "aws_iam_policy_document" "dns_query_logging" {
 }
 
 resource "aws_cloudwatch_log_resource_policy" "dns_query_logging" {
+  provider = aws.us-east-1
+
   count = var.manage_dns ? 1 : 0
 
   policy_document = data.aws_iam_policy_document.dns_query_logging.json
diff --git a/infra/networks/main.tf.jinja b/infra/networks/main.tf.jinja
@@ -72,6 +72,15 @@ provider "aws" {
   }
 }
 
+provider "aws" {
+  alias  = "us-east-1"
+  region = "us-east-1"
+
+  default_tags {
+    tags = local.tags
+  }
+}
+
 module "project_config" {
   source = "../project-config"
 }
@@ -93,7 +102,12 @@ module "network" {
 }
 
 module "domain" {
-  source              = "../modules/domain/resources"
+  source = "../modules/domain/resources"
+  providers = {
+    aws           = aws
+    aws.us-east-1 = aws.us-east-1
+  }
+
   name                = local.domain_config.hosted_zone
   manage_dns          = local.domain_config.manage_dns
   certificate_configs = local.domain_config.certificate_configs
diff --git a/template-only-test/template_infra_test.go b/template-only-test/template_infra_test.go
@@ -16,6 +16,7 @@ import (
 
 var projectName = os.Getenv("PROJECT_NAME")
 var imageTag = os.Getenv("IMAGE_TAG")
+var region = "us-east-2"
 
 const maxRetries = 3
 const sleepBetweenRetries = 5 * time.Second
@@ -38,7 +39,6 @@ func TestEndToEnd(t *testing.T) {
 func ValidateAccount(t *testing.T) {
 	projectName := projectName
 	accountId := "533267424629"
-	region := "us-east-1"
 	ValidateAccountBackend(t, region, projectName)
 	ValidateGithubActionsAuth(t, accountId, projectName)
 }
@@ -182,7 +182,7 @@ func ValidateDevEnvironment(t *testing.T) {
 	serviceName := fmt.Sprintf("%s-%s", appName, environmentName)
 	shell.RunCommand(t, shell.Command{
 		Command:    "aws",
-		Args:       []string{"ecs", "wait", "services-stable", "--cluster", serviceName, "--services", serviceName},
+		Args:       []string{"ecs", "wait", "services-stable", "--cluster", serviceName, "--services", serviceName, "--region", region},
 		WorkingDir: "../../",
 	})
 

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ locals {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`# ACM certificate that will be used by the load balancer.`
	`30`	`+# This must be in the same region as the ALB.`
`30`	`31`	`resource "aws_acm_certificate" "issued" {`
`31`	`32`	`for_each = local.issued_certificate_configs`
`32`	`33`