Allow multiple regions to be selected in AWS clouds

Headline:
Add a way to select multiple regions for a cloud in AWS


Description:
The new Morpheus feature to select “All” as a region when creating a cloud is great, but it tries to iterate over all regions during the daily refresh, causing many errors to show up in the logs if unused regions have been blocked in AWS.

AWS recommendations include blocking regions not in use for security reasons (reduce attack surface) and cost (prevent accidental creation of resources in the wrong region)… Blocking regions is a main feature of AWS Control Tower which uses an SCP to block all API calls to those regions with an unauthorized HTTP response.

Some ideas for solutions might be:

  • Allow the region to use multiple values (or make “multiple” an option for region and add another config item to list the enabled regions)
  • When using the “all” region, use a canary API call to each region for an AWS service Morpheus would always have access to (maybe STS?) and not try to sync from that region if a “not authorized” is received.
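
A sketch of the canary idea from the second bullet, added here as an illustration and not Morpheus code. It assumes boto3 and uses EC2 DescribeAvailabilityZones as the probe instead of STS, because AWS documents that sts:GetCallerIdentity succeeds even under an explicit deny; the function names and the sample regions are hypothetical.

```python
# Error codes AWS returns when a policy (for example a region-deny SCP) blocks a call.
# EC2 uses UnauthorizedOperation; most other services use AccessDenied(Exception).
DENIED_CODES = {"UnauthorizedOperation", "AccessDenied", "AccessDeniedException"}


def ec2_canary(region):
    """Default probe: one cheap read-only EC2 call against the regional endpoint."""
    import boto3  # imported lazily so the selection logic can be exercised offline
    from botocore.config import Config
    cfg = Config(connect_timeout=5, read_timeout=5, retries={"max_attempts": 1})
    boto3.client("ec2", region_name=region, config=cfg).describe_availability_zones()


def error_code(exc):
    """Pull the AWS error code out of a botocore ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def select_sync_regions(regions, probe=ec2_canary):
    """Return (usable, skipped); skipped maps a blocked region to its error code."""
    usable, skipped = [], {}
    for region in regions:
        try:
            probe(region)
        except Exception as exc:
            code = error_code(exc)
            if code in DENIED_CODES:
                skipped[region] = code  # blocked: leave it out of this refresh
                continue
            # Throttling or timeouts are not evidence of a block. Keep the region
            # so a transient error does not silently drop it from inventory.
        usable.append(region)
    return usable, skipped


class FakeClientError(Exception):
    """Constructed stand-in with the same .response shape as botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def fake_probe(region):
    # Constructed sample: eu-west-3 is denied by an SCP, ap-south-1 is throttled.
    codes = {"eu-west-3": "UnauthorizedOperation", "ap-south-1": "RequestLimitExceeded"}
    if region in codes:
        raise FakeClientError(codes[region])


if __name__ == "__main__":
    print(select_sync_regions(["us-east-1", "eu-west-3", "ap-south-1"], fake_probe))
```

Logging the skipped map once per refresh keeps a record of which regions were left out and why, without one error per resource type per blocked region.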