Update awskms to aws-sdk-go-v2 #293
Conversation
|
|
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
psekar
requested review from
ddebko,
johanbrandhorst,
kheina,
louisruch and
sgmiller
and removed request for
sgmiller
There was a problem hiding this comment.
Thank you so much for updating the tests - they were in dire need of some love! I'm not sure I see the utility in using gomock or a test suite in this specific case though. Do you think you could try refactoring the tests so that they use the basic Go test setup (e.g. TestFoo(t *testing.T) and t.Run for sub tests), so we can compare? I'd also appreciate if you could separate the changes into separate commits, so I can view:
- Just the dependency upgrade (with any changes to existing tests required). This can also include the module version bump
- Just the test changes
I love the new tests but I don't know if we need the suite or gomock integratoin. What do you think?
| Encrypt(ctx context.Context, input *kms.EncryptInput, opts ...func(*kms.Options)) (*kms.EncryptOutput, error) | ||
| Decrypt(ctx context.Context, input *kms.DecryptInput, opts ...func(*kms.Options)) (*kms.DecryptOutput, error) | ||
| DescribeKey(ctx context.Context, inpput *kms.DescribeKeyInput, opts ...func(*kms.Options)) (*kms.DescribeKeyOutput, error) | ||
| } |
There was a problem hiding this comment.
Was the old interface removed? Please add a doc comment since this is exported.
| const ( | ||
| EnvAwsKmsWrapperKeyId = "AWSKMS_WRAPPER_KEY_ID" | ||
| EnvVaultAwsKmsSealKeyId = "VAULT_AWSKMS_SEAL_KEY_ID" | ||
| EnvAwsKmsEndpoint = "AWS_KMS_ENDPOINT" |
There was a problem hiding this comment.
I see below that we need to keep this environment variable, but could we perhaps also look for AWSKMS_ENDPOINT and deprecate AWS_KMS_ENDPOINT? It's unfortunate that the formatting differs to AWSKMS_WRAPPER_KEY_ID IMO.
| return nil, errors.New("no key information returned") | ||
| } | ||
| k.currentKeyId.Store(aws.StringValue(keyInfo.KeyMetadata.KeyId)) | ||
| k.currentKeyId.Store(*keyInfo.KeyMetadata.KeyId) |
There was a problem hiding this comment.
what is the type of KeyId? Are we storing a pointer?
There was a problem hiding this comment.
k.currentKeyId stores a string but keyinfo.KeyMetadata stores a *string. The reason for this was that aws v1 used pointers for basically all fields & parameters and so provided aws.String() to work around the awkwardness of taking the address of a module level const string.
They changed philosophies in sdk v2 and use fewer pointers, so I figured I'd use the plain pointer syntax to make clearer that there's nothing special going on with the types here.
| credsConfig := &awsutil.CredentialsConfig{ | ||
| AccessKey: k.accessKey, | ||
| SecretKey: k.secretKey, | ||
| SessionToken: k.sessionToken, | ||
| Filename: k.sharedCredsFilename, | ||
| Profile: k.sharedCredsProfile, | ||
| RoleARN: k.roleArn, | ||
| RoleSessionName: k.roleSessionName, | ||
| WebIdentityTokenFile: k.webIdentityTokenFile, | ||
| Region: k.region, | ||
| Logger: k.logger, | ||
| HTTPClient: cleanhttp.DefaultClient(), | ||
| } |
| kmsOpts := []func(*kms.Options){} | ||
|
|
||
| client := kms.NewFromConfig(cfg, kmsOpts...) |
There was a problem hiding this comment.
Do we intend to add any options here? I think we can just omit this variable if not.
| @@ -1,33 +1,48 @@ | |||
| module github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 | |||
| module github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v3 | |||
There was a problem hiding this comment.
This seems reasonable to me since it's a major dependency change, thanks.
There was a problem hiding this comment.
Is this the correct way to do it so that we don't break client code on v2? i.e. if I merge this, will other modules still be able to pull v2? I was debating this vs have a separate v2 and v3 folder
| module github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v3 | ||
|
|
||
| go 1.20 | ||
| go 1.24.0 |
There was a problem hiding this comment.
Good call keeping this N-1
emilia-grant
force-pushed
the
egrant-aws-sdk-v2
branch
from
b7302d0 to
a75e09f
Compare
Yeah I'll split them out into a couple commits to see the difference. I don't think gomock is necessary here since we already have mocks created and we don't use thorough enough DI to get the benefits. I do think the suite pattern here is my hill to die on, though. Once I split out the commits, it'll be crystal clear how much clarity it's providing here, but I have another example in the meantime from another module I'm working on: https://github.com/hashicorp/go-secure-stdlib/blob/main/awsutil/generate_credentials_test.go#L232. Take a look at the suite I wrote out in this PR and then compare it against the
|
2 participants
This PR updates awsutil to use aws-sdk-go-v2 because v1 has gone EOL. This is also part of addressing ICU-17267.
It required an API breaking change, so I bumped the mod version to v3. Not sure if this is the correct way to do it here (does this remove v2?)
I also refactored the tests into a suite pattern as a demo. This is a particularly good spot to use the suite pattern because the code only gets touched once in a blue moon, so encoding as much understanding about how the code should function directly into tests will help the next person two years from now.
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.