From f7e6500ef2d42b3b66d6df1dc88e3d56489e5860 Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 29 Oct 2024 15:00:51 -0400
Subject: [PATCH 1/4] adding new env
---
.targets | 2 --
app_setup.tf | 7 +++++++
backend-configs/csvd-common-ew.tf | 4 ++++
backend-configs/csvd-dev-ew.tf | 4 ++++
default.auto.tfvars | 4 +++-
ecs_cluster.tf | 23 +++++++++++++++++++++++
main.tf | 16 +++++-----------
varfiles/csvd-common-ew.tfvars | 21 +++++++++++++++++++++
varfiles/csvd.tfvars | 2 +-
variables.tf | 4 ++++
10 files changed, 72 insertions(+), 15 deletions(-)
delete mode 100644 .targets
create mode 100644 app_setup.tf
create mode 100644 backend-configs/csvd-common-ew.tf
create mode 100644 backend-configs/csvd-dev-ew.tf
create mode 100644 ecs_cluster.tf
create mode 100644 varfiles/csvd-common-ew.tfvars
diff --git a/.targets b/.targets
deleted file mode 100644
index b866136..0000000
--- a/.targets
+++ /dev/null
@@ -1,2 +0,0 @@
-aws_iam_policy.policy
-aws_iam_policy.admin_policy
diff --git a/app_setup.tf b/app_setup.tf
new file mode 100644
index 0000000..f8a81f0
--- /dev/null
+++ b/app_setup.tf
@@ -0,0 +1,7 @@
+#data "aws_secretsmanager_secret" "app_install" {
+# name = "github-runners/github/secrets-key"
+#}
+
+#output app_install {
+# value = data.aws_secretsmanager_secret.app_install
+#}
diff --git a/backend-configs/csvd-common-ew.tf b/backend-configs/csvd-common-ew.tf
new file mode 100644
index 0000000..98a3486
--- /dev/null
+++ b/backend-configs/csvd-common-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-220615867784"
+key = "csvd-common-ew/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"
diff --git a/backend-configs/csvd-dev-ew.tf b/backend-configs/csvd-dev-ew.tf
new file mode 100644
index 0000000..b7dc755
--- /dev/null
+++ b/backend-configs/csvd-dev-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-229685449397"
+key = "csvd-dev-gov/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"
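Review bot: In backend-configs/csvd-dev-ew.tf the state `key` is `"csvd-dev-gov/common/apps/ghe-runner"`, which matches neither the file name nor the `csvd-dev-ew` alias used elsewhere in this series, whereas the sibling csvd-common-ew.tf uses its own name as the prefix. If this deliberately points at an existing state object, a one-line comment such as `# existing state lives under the csvd-dev-gov prefix` would stop someone from "correcting" it and initialising against an empty state. If it is a slip, the key should read `csvd-dev-ew/common/apps/ghe-runner`.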
diff --git a/default.auto.tfvars b/default.auto.tfvars index 0e42c1b..52c4e39 100644 --- a/default.auto.tfvars +++ b/default.auto.tfvars @@ -3,7 +3,7 @@ image_name = "github-runner" image_version = "1.65.0" server_url = "https://github.e.it.census.gov" create_vpc_endpoint = true -create_ecs_cluster = true +create_ecs_cluster = false ecs_cluster_name = "ecs-ghe-runners" vpc_id = "vpc-00576a396ec570b94" @@ -21,3 +21,5 @@ certs = { bucket = "image-pipeline-assets" key = "katello-server-ca.pem" } + +aws_account = "csvd-dev-ew" diff --git a/ecs_cluster.tf b/ecs_cluster.tf new file mode 100644 index 0000000..7f93a4c --- /dev/null +++ b/ecs_cluster.tf @@ -0,0 +1,23 @@ +# __generated__ by Terraform +# Please review these resources and move them into your main configuration files. + +# __generated__ by Terraform from "ecs-ghe-runners-us-gov-west-1" +resource "aws_ecs_cluster" "github-runner" { + count = var.create_ecs_cluster ? 1 : 0 + name = "${var.ecs_cluster_name}-${data.aws_region.current.name}" + tags = {} + tags_all = {} + setting { + name = "containerInsights" + value = "disabled" + } +} + +data "aws_ecs_cluster" "github-runner" { + count = var.create_ecs_cluster ? 0 : 1 + cluster_name = "${var.ecs_cluster_name}-${data.aws_region.current.name}" +} + +locals { + ecs_cluster = var.create_ecs_cluster ? one(aws_ecs_cluster.github-runner) : merge(one(data.aws_ecs_cluster.github-runner), { name = one(data.aws_ecs_cluster.github-runner).cluster_name }) +} diff --git a/main.tf b/main.tf index c91e37b..b76b850 100644 --- a/main.tf +++ b/main.tf @@ -1,11 +1,3 @@ -data "aws_ecs_cluster" "github-runner" { - cluster_name = "${var.ecs_cluster_name}-${data.aws_region.current.name}" -} - -locals { - ecs_cluster = data.aws_ecs_cluster.github-runner.cluster_name -} - data "aws_ip_ranges" "ip_ranges" { regions = ["us-gov-west-1", "us-gov-east-1"] services = ["s3", "dynamodb"] 
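Review bot: The `aws_ecs_cluster.github-runner` block in ecs_cluster.tf is committed as Terraform generated it, with the "Please review these resources" header still in place, and two of its values deserve that review. `containerInsights` is set to `"disabled"`, so the cluster that hosts the CI runners emits no Container Insights metrics; if that is intended say so in a comment, otherwise use `value = "enabled"`. `tags_all = {}` is normally computed by the provider from `tags` and any default tags, so it is best dropped from the configuration together with the empty `tags = {}`. In `local.ecs_cluster`, a short comment that the `merge(...)` only adds a `name` key so both branches expose `.name` would help the next reader.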
@@ -72,7 +64,7 @@ resource "aws_vpc_endpoint" "ecr" { } resource "aws_ecs_cluster_capacity_providers" "fargate" { - cluster_name = local.ecs_cluster + cluster_name = local.ecs_cluster.name capacity_providers = ["FARGATE"] @@ -94,7 +86,7 @@ locals { module "github-runner" { # for_each = toset([for repo in local.all_repos : repo]) source = "HappyPathway/github-runner/ecs" - ecs_cluster = local.ecs_cluster + ecs_cluster = local.ecs_cluster.name hostname = var.repo_org image = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}" repo_org = var.repo_org @@ -115,6 +107,7 @@ module "github-runner" { server_url = var.server_url runner_labels = [ lower(var.repo_org), + var.aws_account, "${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}", data.aws_caller_identity.current.account_id, data.aws_region.current.name, @@ -128,7 +121,8 @@ module "github-runner" { } tag = "github-runner" depends_on = [ - aws_iam_policy.policy + aws_iam_policy.policy, + aws_vpc_endpoint.ecr ] } diff --git a/varfiles/csvd-common-ew.tfvars b/varfiles/csvd-common-ew.tfvars new file mode 100644 index 0000000..9939e6c --- /dev/null +++ b/varfiles/csvd-common-ew.tfvars @@ -0,0 +1,21 @@ +namespace = "csvd-common-ew" +repo_org = "CSVD" +desired_count = 1 +create_ecs_cluster = true + +ecs_cluster_name = "ecs-ghe-runners" +vpc_id = "vpc-0dac762f63574b185" + +subnets = [ + "subnet-0d22f390a0a024831" +] + +security_groups = [ + # "sg-0d828d223df9834a6" + "sg-03da51877fddcd8f8" +] + +certs = { + bucket = "image-pipeline-assets-220615867784" + key = "katello-server-ca.pem" +} diff --git a/varfiles/csvd.tfvars b/varfiles/csvd.tfvars index 05493b9..d53ce2e 100644 --- a/varfiles/csvd.tfvars +++ b/varfiles/csvd.tfvars @@ -1,3 +1,3 @@ namespace = "csvd-ghe-runner" repo_org = "CSVD" -desired_count = 1 +desired_count = 3 diff --git a/variables.tf b/variables.tf index 65f65cc..1baaf47 100644 --- a/variables.tf +++ b/variables.tf 
@@ -91,3 +91,7 @@ variable "desired_count" { variable "base_url" { default = "https://github.e.it.census.gov/" } + +variable "aws_account" { + type = string +} From 36ea9ac80242c21d9a9bb91a399aa420e05fed8f Mon Sep 17 00:00:00 2001 From: arnol377 Date: Wed, 30 Oct 2024 14:28:27 -0400 Subject: [PATCH 2/4] adding csvd-common-ew runners --- main.tf | 2 +- varfiles/csvd-common-ew.tfvars | 12 +++++++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index b76b850..c6a2c2b 100644 --- a/main.tf +++ b/main.tf @@ -88,7 +88,7 @@ module "github-runner" { source = "HappyPathway/github-runner/ecs" ecs_cluster = local.ecs_cluster.name hostname = var.repo_org - image = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}" + image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/github-runners/${var.image_name}:${var.image_version}" repo_org = var.repo_org # repo_name = each.value namespace = "${lower(var.repo_org)}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" diff --git a/varfiles/csvd-common-ew.tfvars b/varfiles/csvd-common-ew.tfvars index 9939e6c..5fc9686 100644 --- a/varfiles/csvd-common-ew.tfvars +++ b/varfiles/csvd-common-ew.tfvars @@ -2,20 +2,22 @@ namespace = "csvd-common-ew" repo_org = "CSVD" desired_count = 1 create_ecs_cluster = true +# create_vpc_endpoint = false +aws_account = "csvd-common-ew" ecs_cluster_name = "ecs-ghe-runners" -vpc_id = "vpc-0dac762f63574b185" +vpc_id = "vpc-0da08a2244f23b246" subnets = [ - "subnet-0d22f390a0a024831" + "subnet-00b7920342b4c41f3" ] security_groups = [ - # "sg-0d828d223df9834a6" - "sg-03da51877fddcd8f8" + "sg-00329ba6018f916b2" ] certs = { - bucket = "image-pipeline-assets-220615867784" + bucket = "image-pipeline-assets-220615867784-us-gov-west-1" key = "katello-server-ca.pem" } + From 2362acfdb7d743ab9d8c47c77cd7d45819606124 Mon Sep 17 00:00:00 2001 
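Review bot: `variable "aws_account"` in variables.tf is declared without a `description`, and its name suggests an account ID while the values assigned in this series are environment aliases (`"csvd-dev-ew"`, `"csvd-common-ew"`) that end up as a runner label in main.tf. Adding `description = "Account alias added to the runner labels, e.g. csvd-dev-ew"` would keep it from being filled with an ID later. The hunk starts inside the file, so the earlier variables are not visible here.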
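Review bot: The `image` argument of `module "github-runner"` (PATCH 2/4, main.tf) now takes the registry from `data.aws_caller_identity.current.account_id` and `data.aws_region.current.name`, so every account and region pulls the runner image from its own `github-runners/${var.image_name}` repository, still by tag (`${var.image_version}`). A tag can be re-pointed unless the repository enforces tag immutability, and that setting is not visible in this patch. Because the runners execute workflow jobs with cloud credentials, consider pinning by digest (`...@sha256:<digest>`) or adding a comment that each per-account repository must be created with immutable tags. The module block starts and ends outside the hunk.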
From: David John Arnold Jr Date: Wed, 30 Oct 2024 13:39:55 -0700 Subject: [PATCH 3/4] Update terraform_plan.yaml --- .github/workflows/terraform_plan.yaml | 158 ++++++++++---------------- 1 file changed, 62 insertions(+), 96 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 5d5681b..335080b 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
@@ -4,117 +4,83 @@ name: Terraform Plan # Controls when the workflow will run on: pull_request: - # Allows you to run this workflow manually from the Actions tab + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: + +concurrency: + group: ${{ github.repo }}-${{ vars.terraform_workspace }} +permissions: write-all # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" - build: + Plan: # The type of runner that the job will run on - runs-on: [ "229685449397" ] + runs-on: ["229685449397"] + env: - AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" - AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}" - GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" + TF_WORKSPACE: ${{ vars.terraform_workspace }} + TF_CLI_ARGS_plan: -lock-timeout=30m + TF_CLI_ARGS_apply: -lock-timeout=30m + NO_PROXY: ${{ vars.NO_PROXY }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: CSVD/gh-actions-checkout@v3 + - uses: CSVD/gh-actions-checkout@v4 + id: checkout with: - github-server-url: https://github.e.it.census.gov - ref: ${{ github.head_ref }} - token: ${{ secrets.GH_TOKEN }} + persist-credentials: false - - - uses: CSVD/gh-actions-setup-node@v3 + - name: git show + run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV + + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main with: - node-version: 16 - - - uses: CSVD/gh-actions-setup-terraform@v2 + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main with: - terraform_version: ${{ vars.terraform_version }} + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: 
"${{ github.server_url }}/" - - name: Set output - id: vars - run: echo ::set-output name=short_ref::${GITHUB_REF#refs/*/} - - - name: Terraform Format - id: fmt - run: | - terraform fmt - if ! git diff-index --quiet HEAD; then - git config --global user.name '${{ vars.REPO_OWNER }}' - git config --global user.email '${{ vars.REPO_OWNER_EMAIL }}' - git commit -am "Autoformatting TF Code" - git push - echo "auto_format=true" >> $GITHUB_ENV - fi - - - name: Autoformat Halt - if: env.auto_format == 'true' - run: exit 0 - - name: Terraform Init - id: init - run: terraform init -upgrade - - - name: Terraform Validate - id: validate - run: terraform validate -no-color - - - name: Terraform Plan - id: plan - if: github.event_name == 'pull_request' - run: terraform plan -no-color -out=${{ vars.plan_cache }}/${{ github.sha }} - continue-on-error: true - - - name: Terraform Plan - if: github.event_name != 'pull_request' - run: terraform plan -no-color - continue-on-error: true - - - name: Terraform Show plan - if: github.event_name == 'pull_request' - run: echo ::set-output name=terraform_plan::$(terraform show ${{ vars.plan_cache }}/${{ github.sha }}) - - - name: Post Terraform Plan to PR - uses: CSVD/gh-actions-github-script@v6 - if: github.event_name == 'pull_request' + uses: CSVD/terraform-init@main + id: terraform_init + with: + commit_sha: ${{ env.commit_sha }} + checkout: false + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + setup_terraform: true + terraform_init: true env: - PLAN: "terraform\n${{ env.terraform_plan }}" + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + + - name: Terraform Plan + uses: CSVD/terraform-plan@main with: - github-token: ${{ secrets.GH_TOKEN }} - script: | - const output = `#### 
Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` - #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` -
Validation Output - - \`\`\`\n - ${{ steps.validate.outputs.stdout }} - \`\`\` - -
- - #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` - -
Show Plan - - \`\`\`\n - ${process.env.PLAN} - \`\`\` - -
- - *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} + varfile: varfiles/${{ vars.terraform_workspace }}.tfvars + download_cache: true + setup_terraform: false + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" From 019346bbadad3f4fe847a4d3b837d5b9978ea45a Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Wed, 30 Oct 2024 13:40:28 -0700 Subject: [PATCH 4/4] Update terraform_apply.yaml --- .github/workflows/terraform_apply.yaml | 155 +++++++++++++++++++------ 1 file changed, 119 insertions(+), 36 deletions(-) diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml index 3055a9c..12c67b3 100644 --- a/.github/workflows/terraform_apply.yaml +++ b/.github/workflows/terraform_apply.yaml 
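Review bot: `permissions: write-all` in terraform_plan.yaml grants the workflow token every scope on a workflow that runs for each `pull_request`, and the `CSVD/aws-auth@main`, `CSVD/gh-auth@main`, `CSVD/terraform-init@main` and `CSVD/terraform-plan@main` steps are resolved from a moving branch while they handle the AWS session credentials and `secrets.GH_APP_PEM_FILE`. Declare only the scopes the job needs, for example `permissions: { contents: read, pull-requests: write }` (the second only if the plan action comments on the PR, which is not visible here), and reference the internal actions by tag or commit SHA as the checkout step already does with `@v4`. Separately, `github.repo` is not a property of the `github` context, so the concurrency group probably reduces to `-<workspace>`; `github.repository` looks like what was meant. The same three points apply to terraform_apply.yaml in PATCH 4/4.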
@@ -4,56 +4,139 @@ name: Terraform Apply # Controls when the workflow will run on: push: - branches: [ "main" ] + branches: + - main # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - + +concurrency: + group: ${{ github.repo }}-${{ vars.terraform_workspace }} + +permissions: write-all # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" - build: + Plan: # The type of runner that the job will run on - runs-on: [ ghe-runners ] + runs-on: ["229685449397"] + env: - AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" - AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}" - GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" + TF_WORKSPACE: ${{ vars.terraform_workspace }} + TF_CLI_ARGS_plan: -lock-timeout=30m + TF_CLI_ARGS_apply: -lock-timeout=30m + NO_PROXY: ${{ vars.NO_PROXY }} + + outputs: + commit_sha: "${{ steps.git_show.outputs.commit_sha }}" + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + github_token: ${{ steps.github_credentials.outputs.github_token }} + aws_access_key_id: ${{ steps.aws_auth.outputs.aws_access_key_id }} + aws_secret_access_key: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + aws_session_token: ${{ steps.aws_auth.outputs.aws_session_token }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - + - uses: CSVD/gh-actions-checkout@v4 + id: checkout + with: + persist-credentials: false - - uses: CSVD/gh-actions-setup-node@v3 + - name: git show + id: git_show + run: | + echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV + echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_OUTPUT + + - name: AWS Auth + id: aws_auth + uses: 
CSVD/aws-auth@main with: - node-version: 16 - - - uses: CSVD/gh-actions-setup-terraform@v2 + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main with: - terraform_wrapper: false - terraform_version: ${{ vars.terraform_version }} + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: "${{ github.server_url }}/" - - name: Terraform Format - id: fmt - run: | - terraform fmt -check - - - name: Autoformat Halt - if: env.auto_format == 'true' - run: exit 1 - - name: Terraform Init - id: init - run: terraform init -upgrade - - - name: Terraform Validate - id: validate - run: terraform validate + uses: CSVD/terraform-init@main + id: terraform_init + with: + commit_sha: ${{ env.commit_sha }} + checkout: false + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + setup_terraform: true + terraform_init: true + env: + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + + - name: Terraform Plan + uses: CSVD/terraform-plan@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} + varfile: varfiles/${{ vars.terraform_workspace }}.tfvars + download_cache: true + setup_terraform: false + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ 
github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + + Apply: + # The type of runner that the job will run on + runs-on: ["229685449397"] + needs: Plan + environment: requires_approval + steps: + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main + with: + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main + with: + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: "${{ github.server_url }}/" - name: Terraform Apply - id: plan - run: terraform apply -auto-approve - continue-on-error: true + uses: CSVD/terraform-apply@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ needs.Plan.outputs.commit_sha }} + download_cache: true + setup_terraform: true + terraform_wrapper: false + cache_key: ${{ needs.Plan.outputs.cache_key }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + +
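Review bot: The `outputs:` block of the Plan job in terraform_apply.yaml publishes `github_token`, `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token` as job outputs, yet the Apply job never reads them: it runs its own `aws_auth` and `github_credentials` steps and uses only `needs.Plan.outputs.commit_sha` and `needs.Plan.outputs.cache_key`. Job outputs are handed to every dependent job, so credentials do not belong there; if the auth actions mask these values the runner will typically drop the outputs, and if they do not, the values travel unmasked. Reduce the block to `commit_sha` and `cache_key`. It is also worth confirming that `CSVD/terraform-apply` applies exactly the plan stored under `cache_key`, since the Apply job has no checkout step and the `requires_approval` gate only means something if the approved plan is the one applied.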