Merge pull request #5526 from alexander-demicev/iamv2

🌱 Migrate iam to aws sdk v2

Author: k8s-ci-robot

controlplane/eks/controllers/awsmanagedcontrolplane_controller_test.go

@@ -28,11 +28,12 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
 	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
-	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	stsrequest "github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/ec2"
-	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/sts"
+	"github.com/aws/smithy-go"
 	"github.com/golang/mock/gomock"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
@@ -797,37 +798,37 @@ func mockedDescribeInstanceCall(ec2Rec *mocks.MockEC2APIMockRecorder) {
 }
 
 func mockedEKSControlPlaneIAMRole(g *WithT, iamRec *mock_iamauth.MockIAMAPIMockRecorder) {
-	getRoleCall := iamRec.GetRole(&iam.GetRoleInput{
+	getRoleCall := iamRec.GetRole(gomock.Any(), &iam.GetRoleInput{
 		RoleName: aws.String("test-cluster-iam-service-role"),
-	}).Return(nil, awserr.New(iam.ErrCodeNoSuchEntityException, "", nil))
+	}).Return(nil, &smithy.GenericAPIError{Code: "NoSuchEntity", Message: ""})
 
-	createRoleCall := iamRec.CreateRole(gomock.Any()).After(getRoleCall).DoAndReturn(func(input *iam.CreateRoleInput) (*iam.CreateRoleOutput, error) {
+	createRoleCall := iamRec.CreateRole(gomock.Any(), gomock.Any()).After(getRoleCall).DoAndReturn(func(ctx context.Context, input *iam.CreateRoleInput, optFns ...func(*iam.Options)) (*iam.CreateRoleOutput, error) {
 		g.Expect(input.RoleName).To(BeComparableTo(aws.String("test-cluster-iam-service-role")))
 		return &iam.CreateRoleOutput{
-			Role: &iam.Role{
+			Role: &iamtypes.Role{
 				RoleName: aws.String("test-cluster-iam-service-role"),
 				Arn:      aws.String("arn:aws:iam::123456789012:role/test-cluster-iam-service-role"),
 				Tags:     input.Tags,
 			},
 		}, nil
 	})
 
-	iamRec.ListAttachedRolePolicies(&iam.ListAttachedRolePoliciesInput{
+	iamRec.ListAttachedRolePolicies(gomock.Any(), &iam.ListAttachedRolePoliciesInput{
 		RoleName: aws.String("test-cluster-iam-service-role"),
 	}).After(createRoleCall).Return(&iam.ListAttachedRolePoliciesOutput{
-		AttachedPolicies: []*iam.AttachedPolicy{},
+		AttachedPolicies: []iamtypes.AttachedPolicy{},
 	}, nil)
 
-	getPolicyCall := iamRec.GetPolicy(&iam.GetPolicyInput{
+	getPolicyCall := iamRec.GetPolicy(gomock.Any(), &iam.GetPolicyInput{
 		PolicyArn: aws.String("arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"),
 	}).Return(&iam.GetPolicyOutput{
 		// This policy is predefined by AWS
-		Policy: &iam.Policy{
+		Policy: &iamtypes.Policy{
 			// Fields are not used. Our code only checks for existence of the policy.
 		},
 	}, nil)
 
-	iamRec.AttachRolePolicy(&iam.AttachRolePolicyInput{
+	iamRec.AttachRolePolicy(gomock.Any(), &iam.AttachRolePolicyInput{
 		PolicyArn: aws.String("arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"),
 		RoleName:  aws.String("test-cluster-iam-service-role"),
 	}).After(getPolicyCall).Return(&iam.AttachRolePolicyOutput{}, nil)
@@ -840,10 +841,10 @@ func mockedEKSCluster(ctx context.Context, g *WithT, eksRec *mock_eksiface.MockE
 		Message: aws.String("cluster not found"),
 	})
 
-	getRoleCall := iamRec.GetRole(&iam.GetRoleInput{
+	getRoleCall := iamRec.GetRole(gomock.Any(), &iam.GetRoleInput{
 		RoleName: aws.String("test-cluster-iam-service-role"),
 	}).After(describeClusterCall).Return(&iam.GetRoleOutput{
-		Role: &iam.Role{
+		Role: &iamtypes.Role{
 			RoleName: aws.String("test-cluster-iam-service-role"),
 			Arn:      aws.String("arn:aws:iam::123456789012:role/test-cluster-iam-service-role"),
 		},

go.mod

@@ -40,6 +40,7 @@ require (
 	github.com/spf13/pflag v1.0.6
 	github.com/zgalor/weberr v0.8.2
 	golang.org/x/crypto v0.36.0
+	golang.org/x/net v0.38.0
 	golang.org/x/text v0.23.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.32.3
@@ -210,7 +211,6 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect

pkg/cloud/converters/tags.go

@@ -21,11 +21,11 @@ import (
 	"strings"
 
 	autoscalingtypes "github.com/aws/aws-sdk-go-v2/service/autoscaling/types"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/elb"
 	"github.com/aws/aws-sdk-go/service/elbv2"
-	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/aws/aws-sdk-go/service/ssm"
 
@@ -174,11 +174,11 @@ func MapToSSMTags(src infrav1.Tags) []*ssm.Tag {
 }
 
 // MapToIAMTags converts a infrav1.Tags to a []*iam.Tag.
-func MapToIAMTags(src infrav1.Tags) []*iam.Tag {
-	tags := make([]*iam.Tag, 0, len(src))
+func MapToIAMTags(src infrav1.Tags) []iamtypes.Tag {
+	tags := make([]iamtypes.Tag, 0, len(src))
 
 	for k, v := range src {
-		tag := &iam.Tag{
+		tag := iamtypes.Tag{
 			Key:   aws.String(k),
 			Value: aws.String(v),
 		}

pkg/cloud/scope/clients.go

@@ -19,6 +19,7 @@ package scope
 import (
 	"github.com/aws/aws-sdk-go-v2/service/autoscaling"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -31,8 +32,6 @@ import (
 	"github.com/aws/aws-sdk-go/service/elbv2/elbv2iface"
 	"github.com/aws/aws-sdk-go/service/eventbridge"
 	"github.com/aws/aws-sdk-go/service/eventbridge/eventbridgeiface"
-	"github.com/aws/aws-sdk-go/service/iam"
-	"github.com/aws/aws-sdk-go/service/iam/iamiface"
 	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
 	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi/resourcegroupstaggingapiiface"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
@@ -185,13 +184,21 @@ func NewEKSClient(scopeUser cloud.ScopeUsage, session cloud.Session, logger logg
 }
 
 // NewIAMClient creates a new IAM API client for a given session.
-func NewIAMClient(scopeUser cloud.ScopeUsage, session cloud.Session, logger logger.Wrapper, target runtime.Object) iamiface.IAMAPI {
-	iamClient := iam.New(session.Session(), aws.NewConfig().WithLogLevel(awslogs.GetAWSLogLevel(logger.GetLogger())).WithLogger(awslogs.NewWrapLogr(logger.GetLogger())))
-	iamClient.Handlers.Build.PushFrontNamed(getUserAgentHandler())
-	iamClient.Handlers.CompleteAttempt.PushFront(awsmetrics.CaptureRequestMetrics(scopeUser.ControllerName()))
-	iamClient.Handlers.Complete.PushBack(recordAWSPermissionsIssue(target))
+func NewIAMClient(scopeUser cloud.ScopeUsage, session cloud.Session, logger logger.Wrapper, target runtime.Object) *iam.Client {
+	cfg := session.SessionV2()
+
+	iamOpts := []func(*iam.Options){
+		func(o *iam.Options) {
+			o.Logger = logger.GetAWSLogger()
+			o.ClientLogMode = awslogs.GetAWSLogLevelV2(logger.GetLogger())
+		},
+		iam.WithAPIOptions(
+			awsmetricsv2.WithMiddlewares(scopeUser.ControllerName(), target),
+			awsmetricsv2.WithCAPAUserAgentMiddleware(),
+		),
+	}
 
-	return iamClient
+	return iam.NewFromConfig(cfg, iamOpts...)
 }
 
 // NewSTSClient creates a new STS API client for a given session.

pkg/cloud/services/eks/cluster.go

@@ -445,7 +445,7 @@ func (s *Service) createCluster(ctx context.Context, eksClusterName string) (*ek
 		tags[k] = tagValue
 	}
 
-	role, err := s.GetIAMRole(*s.scope.ControlPlane.Spec.RoleName)
+	role, err := s.GetIAMRole(ctx, *s.scope.ControlPlane.Spec.RoleName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error getting control plane iam role: %s", *s.scope.ControlPlane.Spec.RoleName)
 	}

pkg/cloud/services/eks/cluster_test.go

@@ -23,7 +23,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
 	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
-	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/golang/mock/gomock"
 	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"
@@ -544,8 +545,8 @@ func TestCreateCluster(t *testing.T) {
 			}
 
 			if !tc.expectError {
-				roleOutput := iam.GetRoleOutput{Role: &iam.Role{Arn: tc.role}}
-				iamMock.EXPECT().GetRole(gomock.Any()).Return(&roleOutput, nil)
+				roleOutput := iam.GetRoleOutput{Role: &iamtypes.Role{Arn: tc.role}}
+				iamMock.EXPECT().GetRole(gomock.Any(), gomock.Any()).Return(&roleOutput, nil)
 				eksMock.EXPECT().CreateCluster(context.TODO(), &eks.CreateClusterInput{
 					Name:             aws.String(clusterName),
 					EncryptionConfig: []ekstypes.EncryptionConfig{},
@@ -771,11 +772,11 @@ func TestCreateIPv6Cluster(t *testing.T) {
 		},
 		BootstrapSelfManagedAddons: aws.Bool(false),
 	}).Return(&eks.CreateClusterOutput{}, nil)
-	iamMock.EXPECT().GetRole(&iam.GetRoleInput{
+	iamMock.EXPECT().GetRole(gomock.Any(), &iam.GetRoleInput{
 		RoleName: aws.String("arn-role"),
 	}).Return(&iam.GetRoleOutput{
-		Role: &iam.Role{
-			RoleName: ptr.To[string]("arn-role"),
+		Role: &iamtypes.Role{
+			RoleName: aws.String("arn-role"),
 		},
 	}, nil)
 

pkg/cloud/services/eks/eks.go

@@ -36,7 +36,7 @@ func (s *Service) ReconcileControlPlane(ctx context.Context) error {
 	s.scope.Debug("Reconciling EKS control plane", "cluster", klog.KRef(s.scope.Cluster.Namespace, s.scope.Cluster.Name))
 
 	// Control Plane IAM Role
-	if err := s.reconcileControlPlaneIAMRole(); err != nil {
+	if err := s.reconcileControlPlaneIAMRole(ctx); err != nil {
 		conditions.MarkFalse(s.scope.ControlPlane, ekscontrolplanev1.IAMControlPlaneRolesReadyCondition, ekscontrolplanev1.IAMControlPlaneRolesReconciliationFailedReason, clusterv1.ConditionSeverityError, "%s", err.Error())
 		return err
 	}
@@ -77,12 +77,12 @@ func (s *Service) DeleteControlPlane(ctx context.Context) (err error) {
 	}
 
 	// Control Plane IAM role
-	if err := s.deleteControlPlaneIAMRole(); err != nil {
+	if err := s.deleteControlPlaneIAMRole(ctx); err != nil {
 		return err
 	}
 
 	// OIDC Provider
-	if err := s.deleteOIDCProvider(); err != nil {
+	if err := s.deleteOIDCProvider(ctx); err != nil {
 		return err
 	}
 
@@ -94,7 +94,7 @@ func (s *Service) DeleteControlPlane(ctx context.Context) (err error) {
 func (s *NodegroupService) ReconcilePool(ctx context.Context) error {
 	s.scope.Debug("Reconciling EKS nodegroup")
 
-	if err := s.reconcileNodegroupIAMRole(); err != nil {
+	if err := s.reconcileNodegroupIAMRole(ctx); err != nil {
 		conditions.MarkFalse(
 			s.scope.ManagedMachinePool,
 			expinfrav1.IAMNodegroupRolesReadyCondition,
@@ -146,7 +146,7 @@ func (s *NodegroupService) ReconcilePoolDelete(ctx context.Context) error {
 		return errors.Wrap(err, "failed to delete nodegroup")
 	}
 
-	if err := s.deleteNodegroupIAMRole(); err != nil {
+	if err := s.deleteNodegroupIAMRole(ctx); err != nil {
 		return errors.Wrap(err, "failed to delete nodegroup IAM role")
 	}
 

pkg/cloud/services/eks/fargate.go

@@ -24,7 +24,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
 	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
-	"github.com/aws/aws-sdk-go/service/iam"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/pkg/errors"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -48,7 +48,7 @@ func requeueRoleUpdating() reconcile.Result {
 func (s *FargateService) Reconcile(ctx context.Context) (reconcile.Result, error) {
 	s.scope.Debug("Reconciling EKS fargate profile")
 
-	requeue, err := s.reconcileFargateIAMRole()
+	requeue, err := s.reconcileFargateIAMRole(ctx)
 	if err != nil {
 		conditions.MarkFalse(
 			s.scope.FargateProfile,
@@ -182,7 +182,7 @@ func (s *FargateService) ReconcileDelete(ctx context.Context) (reconcile.Result,
 		return requeueProfileUpdating(), nil
 	}
 
-	err = s.deleteFargateIAMRole()
+	err = s.deleteFargateIAMRole(ctx)
 	if err != nil {
 		conditions.MarkFalse(
 			s.scope.FargateProfile,
@@ -223,7 +223,7 @@ func (s *FargateService) createFargateProfile(ctx context.Context) (*ekstypes.Fa
 
 	additionalTags := s.scope.AdditionalTags()
 
-	roleArn, err := s.roleArn()
+	roleArn, err := s.roleArn(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -302,11 +302,11 @@ func (s *FargateService) deleteFargateProfile(ctx context.Context) (requeue bool
 	return s.handleStatus(profile), nil
 }
 
-func (s *FargateService) roleArn() (*string, error) {
-	var role *iam.Role
+func (s *FargateService) roleArn(ctx context.Context) (*string, error) {
+	var role *iamtypes.Role
 	if s.scope.RoleName() != "" {
 		var err error
-		role, err = s.GetIAMRole(s.scope.RoleName())
+		role, err = s.GetIAMRole(ctx, s.scope.RoleName())
 		if err != nil {
 			return nil, errors.Wrapf(err, "error getting fargate profile IAM role: %s", s.scope.RoleName())
 		}