chore: Updates package aws-sdk-go to aws-sdk-go-v2#1467
This reverts commit 3311dc3.
| secretsManagerClient := secretsmanager.New(req.Session) | ||
| // Create AWS SDK v2 config using CloudFormation handler's SDK v1 session credentials | ||
| cfg := awsconfig.FromHandlerRequest(req) |
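Review bot: the inline comment `// Create AWS SDK v2 config using CloudFormation handler's SDK v1 session credentials` says what replaces `secretsmanager.New(req.Session)` but not why a plain `config.LoadDefaultConfig()` is unsafe here; state in the comment that the default loader would resolve the Lambda's base execution role, which lacks `secretsmanager:GetSecretValue` on the profile secret, and link the upstream issue aws-cloudformation/cloudformation-cli-go-plugin#237 so the bridge is removed once the plugin provides SDK v2 credentials.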
When migrating to AWS SDK v2, we can't use config.LoadDefaultConfig() directly in CloudFormation resource handlers to access the secret profile.
The cloudformation-cli-go-plugin provides credentials via handler.Request.Session, which is an AWS SDK v1 session. These credentials have the permissions defined in our resource execution roles (e.g., Secrets Manager access). Using LoadDefaultConfig() would use the Lambda's base execution role instead, which lacks these permissions, returning the error below:
CREATE_FAILED - Resource handler returned message: "operation error Secrets Manager: GetSecretValue, https response error StatusCode: 400, RequestID: ..., api error AccessDeniedException: User: arn:aws:sts::......:assumed-role/UluruResourceHandlerLambdaExecutionRole-XXXXXXXXdub/MongoDB-Atlas-ClusterXXXXXXXXXXXX-Handler-d1r20rzp5ivm is not authorized to perform: secretsmanager:GetSecretValue on resource: cfn/atlas/profile/XXXXXXXXXXX because no identity-based policy allows the secretsmanager:GetSecretValue action"
To fix this, we extract credentials from the SDK v1 session and create an SDK v2 config in awsconfig.FromHandlerRequest(req).
Alternative would be to keep AWS SDK v1 specifically for AWS service calls that require handler session (Secrets Manager, EC2, etc.) while using SDK v2 elsewhere. However, this would mean maintaining both SDK versions long-term. The current approach allows us to fully migrate to SDK v2 now and simply remove the awsconfig.FromHandlerRequest code once cloudformation-cli-go-plugin adds native SDK v2 support.
Next steps:
- ✅ Check with AWS on alternatives to cloudformation-cli-go-plugin, which still relies on aws-sdk-go (v1), or on plans to update it.
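Added example of the bridge described above (not the project's awsconfig code): a provider that re-fetches the handler session's v1 credentials on every call and maps them to the SDK v2 shape, with v1 errors surfaced at call time. To run offline it uses minimal local stand-ins for the SDK v1 credentials and SDK v2 aws.Credentials types; `v1Value`, `v1Credentials`, `v2Credentials`, `sessionProvider` and `fakeSessionCreds` are assumed names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Offline stand-ins (assumption) for the two credential shapes being bridged: SDK v1's
// credentials.Credentials on handler.Request.Session and SDK v2's aws.Credentials.
type v1Value struct{ AccessKeyID, SecretAccessKey, SessionToken, ProviderName string }
type v1Credentials interface {
	GetWithContext(ctx context.Context) (v1Value, error)
	ExpiresAt() (time.Time, error)
}
type v2Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken, Source string
	CanExpire                                          bool
	Expires                                            time.Time
}

// sessionProvider asks the v1 session for credentials on every Retrieve, so v2
// clients run as the resource execution role the plugin resolved rather than
// the Lambda's base role that config.LoadDefaultConfig() would pick up.
type sessionProvider struct{ creds v1Credentials }
func (p sessionProvider) Retrieve(ctx context.Context) (v2Credentials, error) {
	if p.creds == nil {
		return v2Credentials{}, errors.New("handler request carries no session credentials")
	}
	v, err := p.creds.GetWithContext(ctx)
	if err != nil { // v1 failures (e.g. an expired assumed role) surface at call time
		return v2Credentials{}, fmt.Errorf("handler session credentials: %w", err)
	}
	out := v2Credentials{AccessKeyID: v.AccessKeyID, SecretAccessKey: v.SecretAccessKey,
		SessionToken: v.SessionToken, Source: v.ProviderName}
	if exp, err := p.creds.ExpiresAt(); err == nil {
		out.CanExpire, out.Expires = true, exp // let v2 honour the v1 expiry
	}
	return out, nil
}
// fakeSessionCreds is a constructed v1 credential source that counts fetches.
type fakeSessionCreds struct{ key, secret, token string; err error; calls int }
func (f *fakeSessionCreds) GetWithContext(context.Context) (v1Value, error) {
	f.calls++
	return v1Value{f.key, f.secret, f.token, "AssumeRoleProvider"}, f.err
}
func (f *fakeSessionCreds) ExpiresAt() (time.Time, error) { return time.Now().Add(time.Hour), nil }
func main() { fmt.Println(sessionProvider{creds: &fakeSessionCreds{key: "AKIA-CONSTRUCTED"}}.Retrieve(context.Background())) }
```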
Maybe we can add more of this explanation in the comment? Also, does this mean we will anyway depend on aws-sdk-go indirectly via the cloudformation-cli-go-plugin plugin? Do we need a ticket to track when they upgrade?
> Also, does this mean we will anyway depend on aws-sdk-go indirectly via the cloudformation-cli-go-plugin plugin?
Yes. The last release was in 2023 and the last commit was also 2 years ago, so I doubt it's being maintained, and I haven't come across an alternative.
Added a next step to my previous comment but will wait to be aligned with the team.
Agree with Espen: we can capture this context in a comment, along with the associated GH issue that was created, aws-cloudformation/cloudformation-cli-go-plugin#237
| // The cloudformation-cli-go-plugin provides credentials via handler.Request.Session, | ||
| // which is an AWS SDK v1 session. This function bridges those credentials to SDK v2 | ||
| // using a provider that fetches credentials on each AWS API call. | ||
| func FromHandlerRequest(req *handler.Request) aws.Config { |
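Review bot: `FromHandlerRequest` returns a bare `aws.Config` with no error, and the doc comment says credentials are fetched on each AWS API call, so a nil `req`, a request without a session, or a failure to obtain credentials from the v1 session will only surface later inside a service call; guard against a nil request here and document that credential errors are reported at call time, and state whether the per-call fetch is meant to honour the v1 session's credential expiry or whether caching is intended.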
| return eMap, nil | ||
| } | ||
| func CreateSSManagerClient(curSession *session.Session) (*ssm.SSM, error) { |
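Review bot: removing `CreateSSManagerClient` suggests this package no longer calls SSM at all, yet the per-file summary says `cfn-resources/go.mod` adds SDK v2 dependencies for both secretsmanager and ssm; if no SSM call sites remain, drop the ssm module dependency rather than carrying an unused SDK v2 package in the module graph.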
the methods removed in this file are unused
Pull request overview
This PR migrates from AWS SDK Go v1 (aws-sdk-go) to AWS SDK Go v2 (aws-sdk-go-v2) for CloudFormation resources. The primary changes involve updating import paths, adapting to the new SDK's API patterns (including adding context.Context parameters to AWS service calls), and converting between SDK v1 and v2 types (particularly for error codes and AWS utility functions).
Key Changes:
- Updated import paths from `github.com/aws/aws-sdk-go` to `github.com/aws/aws-sdk-go-v2`
- Added context parameters to AWS SDK service calls (Secrets Manager, CloudFormation types)
- Created new `awsconfig` package to bridge CloudFormation handler's SDK v1 session credentials to SDK v2 configuration
- Converted CloudFormation error code constants to string type using `types.HandlerErrorCode*` enums
- Replaced AWS SDK v1 utility functions (`aws.IntValue`, `aws.BoolValue`) with SDK v2 equivalents (`aws.ToInt`, `aws.ToBool`) or custom utilities
- Removed unused SSM-related functions (`CreateSSManagerClient`, `Get`, `buildKey`)
Reviewed changes
Copilot reviewed 23 out of 24 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| cfn-resources/util/validator/validator.go | Updated CloudFormation types import and error code usage |
| cfn-resources/util/util.go | Updated AWS SDK imports, error codes, and removed unused SSM functions |
| cfn-resources/util/progressevent/failed_event.go | Converted error codes to string type using SDK v2 types |
| cfn-resources/util/deployment_secret.go | Added context parameters and migrated to SDK v2 Secrets Manager client |
| cfn-resources/util/cluster_common.go | Updated error code handling to SDK v2 types |
| cfn-resources/util/awsconfig/awsconfig.go | New package providing SDK v1 to v2 credentials bridge |
| cfn-resources/util/aws/utils.go | Updated error code type conversions |
| cfn-resources/search-deployment/cmd/resource/resource.go | Reordered imports and updated error code handling |
| cfn-resources/project/cmd/resource/resource.go | Added nil checks before accessing response status codes and updated error codes |
| cfn-resources/profile/profile.go | Migrated to SDK v2 Secrets Manager with context support |
| cfn-resources/go.mod | Added SDK v2 dependencies for secretsmanager and ssm |
| cfn-resources/custom-dns-configuration-cluster-aws/cmd/resource/resource.go | Updated error code handling and reordered imports |
| cfn-resources/custom-db-role/cmd/resource/resource.go | Updated error code type conversion |
| cfn-resources/cluster/cmd/resource/resource.go | Migrated AWS SDK imports and error codes |
| cfn-resources/cluster/cmd/resource/mappings.go | Updated error code handling |
| cfn-resources/cluster-outage-simulation/cmd/resource/resource.go | Updated AWS SDK imports and error codes |
| cfn-resources/cloud-backup-snapshot/cmd/resource/resource.go | Replaced deprecated aws.BackgroundContext() with context.Background() |
| cfn-resources/cloud-backup-schedule/cmd/resource/resource.go | Migrated AWS utility functions from SDK v1 to v2 equivalents |
| cfn-resources/cloud-backup-restore-jobs/cmd/resource/resource.go | Updated AWS utility function calls and error codes |
| cfn-resources/auditing/cmd/resource/resource.go | Migrated AWS SDK imports and boolean utility functions |
| cfn-resources/api-key/cmd/resource/resource.go | Updated error code handling |
| cfn-resources/alert-configuration/cmd/resource/resource.go | Updated AWS SDK imports and error codes |
| cfn-resources/access-list-api-key/cmd/resource/resource.go | Updated error code handling |
EspenAlbert
left a comment
A bit tricky to follow the changes and what alternatives were considered and next steps. But seems like you have tested and considered other alternatives 👍
cluster-outage-simulation tests failing due to current cloud-dev issues related to cluster creation. Merging this PR.
Proposed changes
Jira ticket: CLOUDP-339863
Updates package aws-sdk-go to aws-sdk-go-v2.
NOTE: Remaining resources are being addressed in a follow-up PR.