Multi-account and Multi-region Testing

LocalStack has multi-account and multi-region support. This document contains some tips to make sure that your contributions are compatible with this functionality.

Overview

For cross-account inter-service access, specify a role whose permissions the source service uses when it makes a request to the target service to access another service's resource. This role should be in the source account. When writing an AWS validated test case, you need to properly configure IAM roles.

For example, the test case test_apigateway_with_step_function_integration specifies a role that has permissions to access the target step function account.

role_arn = create_iam_role_with_policy(
    RoleName=f"sfn_role-{short_uid()}",
    PolicyName=f"sfn-role-policy-{short_uid()}",
    RoleDefinition=STEPFUNCTIONS_ASSUME_ROLE_POLICY,
    PolicyDefinition=APIGATEWAY_LAMBDA_POLICY,
)

For cross-account inter-service access, you can create the client using connect_to.with_assumed_role(...). For example:

# service_name stands for the principal of the service making the call
connect_to.with_assumed_role(
    role_arn="role-arn",
    service_principal=ServicePrincipal.service_name,
    region_name=region_name,
).lambda_

When no role is specified, use the source ARN conceptually, provided cross-account access is allowed. This can be seen in cases where account_id was added to send events to a target service such as SQS, SNS, or Lambda.

Always refer to the official AWS documentation and investigate how the services communicate with each other. For example, here are the AWS Firehose docs explaining Firehose and S3 integration.

Test changes in CI with random credentials

We regularly run the test suite on GitHub Actions to verify compatibility with multi-account and multi-region features.

A scheduled GitHub Actions workflow runs on working days at 01:00 UTC, executing the tests with randomized account IDs and regions. If you have the necessary permissions, you can also manually trigger the workflow directly from GitHub.

Test changes locally with random credentials

To test changes locally for multi-account and multi-region compatibility, set the environment config values as follows:

  • TEST_AWS_ACCOUNT_ID (Any value except 000000000000)
  • TEST_AWS_ACCESS_KEY_ID (Any value except 000000000000)
  • TEST_AWS_REGION (Any value except us-east-1)

Note that within all tests you must use the account_id, secondary_account_id, region_name, and secondary_region_name fixtures. Importing and using localstack.constants.TEST_ values is not advised.
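
One way to produce non-default values for the three variables listed above and to check an environment against those rules before a local run. This is an added example, not part of the LocalStack code base; the function names, the region list, and the reuse of the account ID as the access key ID are assumptions of the example.

```python
"""Added example: randomized TEST_AWS_* values for a local test run."""
import secrets

DEFAULT_ACCOUNT_ID = "000000000000"  # default value named in this document
DEFAULT_REGION = "us-east-1"         # default value named in this document
# Constructed sample list of AWS regions; extend as needed.
CANDIDATE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "eu-central-1", "ap-southeast-2"]


def random_account_id() -> str:
    """Return a random 12-digit account ID that is not the default."""
    while True:
        candidate = f"{secrets.randbelow(10**12):012d}"
        if candidate != DEFAULT_ACCOUNT_ID:
            return candidate


def random_test_env() -> dict:
    """Build the three settings with values that differ from the defaults."""
    account_id = random_account_id()
    region = secrets.choice([r for r in CANDIDATE_REGIONS if r != DEFAULT_REGION])
    return {
        "TEST_AWS_ACCOUNT_ID": account_id,
        # Assumption of this example: reuse the account ID as the access key ID.
        "TEST_AWS_ACCESS_KEY_ID": account_id,
        "TEST_AWS_REGION": region,
    }


def violations(env: dict) -> list:
    """List the settings that are unset, empty, or still at the default."""
    rules = {
        "TEST_AWS_ACCOUNT_ID": DEFAULT_ACCOUNT_ID,
        "TEST_AWS_ACCESS_KEY_ID": DEFAULT_ACCOUNT_ID,
        "TEST_AWS_REGION": DEFAULT_REGION,
    }
    return [name for name, default in rules.items() if env.get(name) in (None, "", default)]


if __name__ == "__main__":
    env = random_test_env()
    if violations(env):
        raise SystemExit(f"still at defaults: {violations(env)}")
    # Print shell export lines so the values can be loaded into the current shell.
    for name, value in env.items():
        print(f"export {name}={value}")
```

The printed lines can be loaded into the shell with `eval` before starting the test run. A test that hardcodes the default account or region then fails locally instead of only in the scheduled CI run.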