✨ cache aws connection and upstream client (#5461)

This is an attempt to reduce the load of the AWS provider. We are going to cache
the upstream client which uses ranger under the hood and creates goroutines to
fulfill the requests. This is not a problem for a few runtimes, but when we do
thousands of them, we really don't need to create that many clients.

---------

Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>

Author: afiune

providers/aws/connection/awsec2ebsconn/provider.go

@@ -174,6 +174,11 @@ func NewAwsEbsConnection(id uint32, conf *inventory.Config, asset *inventory.Ass
 	return c, nil
 }
 
+// no-op since ebs connection doesn't do any verification
+func (c *AwsEbsConnection) Hash() uint64            { return 0 }
+func (c *AwsEbsConnection) Verify() (string, error) { return "no-op", nil }
+func (c *AwsEbsConnection) SetAccountId(_ string)   {}
+
 func (c *AwsEbsConnection) FileInfo(path string) (shared.FileInfoDetails, error) {
 	return shared.FileInfoDetails{}, errors.New("FileInfo not implemented")
 }

providers/aws/connection/connection.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
+	"maps"
 	"net/http"
 	"slices"
 	"strconv"
@@ -22,6 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/hashicorp/go-retryablehttp"
+	"github.com/mitchellh/hashstructure/v2"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/afero"
 	"go.mondoo.com/cnquery/v11/logger/zerologadapter"
@@ -33,17 +35,22 @@ import (
 
 type AwsConnection struct {
 	plugin.Connection
-	Conf              *inventory.Config
-	asset             *inventory.Asset
-	cfg               aws.Config
-	accountId         string
-	clientcache       ClientsCache
-	awsConfigOptions  []func(*config.LoadOptions) error
-	profile           string
-	PlatformOverride  string
-	connectionOptions map[string]string
-	Filters           DiscoveryFilters
-	scope             string
+	Conf             *inventory.Config
+	asset            *inventory.Asset
+	cfg              aws.Config
+	accountId        string
+	clientcache      ClientsCache
+	awsConfigOptions []func(*config.LoadOptions) error
+	PlatformOverride string
+	Filters          DiscoveryFilters
+
+	opts awsConnectionOptions
+}
+
+type awsConnectionOptions struct {
+	scope   string
+	profile string
+	options map[string]string
 }
 
 type DiscoveryFilters struct {
@@ -100,7 +107,11 @@ func NewAwsConnection(id uint32, asset *inventory.Asset, conf *inventory.Config)
 		awsConfigOptions: []func(*config.LoadOptions) error{},
 		Filters:          EmptyDiscoveryFilters(),
 	}
-	opts := parseFlagsForConnectionOptions(asset.Options, conf.Options, conf.GetCredentials())
+
+	// merge the options to make sure we don't miss anything
+	maps.Copy(asset.Options, conf.Options)
+
+	opts := parseFlagsForConnectionOptions(asset.Options, conf.GetCredentials())
 	for _, opt := range opts {
 		opt(c)
 	}
@@ -118,34 +129,60 @@ func NewAwsConnection(id uint32, asset *inventory.Asset, conf *inventory.Config)
 		log.Info().Msg("no AWS region found, using us-east-1")
 		cfg.Region = "us-east-1" // in case the user has no region set, default to us-east-1
 	}
-	// gather information about the aws account
-	cfgCopy := cfg.Copy()
-	identity, err := CheckIam(cfgCopy)
-	if err != nil {
-		log.Debug().Err(err).Msg("could not gather details of AWS account")
-		// try with govcloud region
-		cfgCopy.Region = "us-gov-west-1"
-		identity, err = CheckIam(cfgCopy)
-		if err != nil {
-			log.Debug().Err(err).Msg("could not gather details of AWS account")
-			return nil, err
-		}
-	}
 
 	c.Connection = plugin.NewConnection(id, asset)
 	c.Conf = conf
 	c.asset = asset
 	c.cfg = cfg
-	c.accountId = *identity.Account
-	c.profile = asset.Options["profile"]
-	c.scope = asset.Options["scope"]
-	c.connectionOptions = asset.Options
+	c.opts.profile = asset.Options["profile"]
+	c.opts.scope = asset.Options["scope"]
+	c.opts.options = asset.Options
 	if conf.Discover != nil {
 		c.Filters = parseOptsToFilters(conf.Discover.Filter)
 	}
 	return c, nil
 }
 
+func (c *AwsConnection) Hash() uint64 {
+	// generate hash of the config options used to to initialize this connection,
+	// we use this to avoid verifying a client with the same options more than once
+	hash, err := hashstructure.Hash(c.opts, hashstructure.FormatV2, nil)
+	if err != nil {
+		log.Error().Err(err).Msg("unable to hash connection")
+	}
+	return hash
+}
+
+func (c *AwsConnection) Verify() (string, error) {
+	identity, err := CheckIam(c.cfg.Copy())
+	if err != nil {
+		log.Debug().Err(err).Msg("could not gather details of AWS account")
+		// try with govcloud region, store error to return it if this last option does not work
+		err1 := err
+		cfgCopy := c.cfg.Copy()
+		cfgCopy.Region = "us-gov-west-1"
+		identity, err = CheckIam(cfgCopy)
+		if err != nil {
+			return "", err1
+		}
+	}
+	account := ""
+	if identity.Account != nil {
+		account = *identity.Account
+	}
+
+	return account, nil
+}
+
+func (c *AwsConnection) SetAccountId(id string) {
+	if id != "" {
+		c.accountId = id
+	}
+}
+func (p *AwsConnection) AccountId() string {
+	return p.accountId
+}
+
 func parseOptsToFilters(opts map[string]string) DiscoveryFilters {
 	d := EmptyDiscoveryFilters()
 	for k, v := range opts {
@@ -186,15 +223,7 @@ func parseOptsToFilters(opts map[string]string) DiscoveryFilters {
 	return d
 }
 
-func parseFlagsForConnectionOptions(m1 map[string]string, m2 map[string]string, creds []*vault.Credential) []ConnectionOption {
-	// merge the options to make sure we don't miss anything
-	m := m1
-	if m == nil {
-		m = make(map[string]string)
-	}
-	for k, v := range m2 {
-		m[k] = v
-	}
+func parseFlagsForConnectionOptions(m map[string]string, creds []*vault.Credential) []ConnectionOption {
 	o := make([]ConnectionOption, 0)
 	if apiEndpoint, ok := m["endpoint-url"]; ok {
 		o = append(o, WithEndpoint(apiEndpoint))
@@ -300,20 +329,16 @@ func (p *AwsConnection) UpdateAsset(asset *inventory.Asset) {
 	p.asset = asset
 }
 
-func (p *AwsConnection) AccountId() string {
-	return p.accountId
-}
-
 func (p *AwsConnection) Profile() string {
-	return p.profile
+	return p.opts.profile
 }
 
 func (p *AwsConnection) Scope() string {
-	return p.scope
+	return p.opts.scope
 }
 
 func (p *AwsConnection) ConnectionOptions() map[string]string {
-	return p.connectionOptions
+	return p.opts.options
 }
 
 func (p *AwsConnection) RunCommand(command string) (*shared.Command, error) {

providers/aws/connection/shared/shared.go

@@ -0,0 +1,17 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package shared
+
+import (
+	"go.mondoo.com/cnquery/v11/providers/os/connection/shared"
+)
+
+type Connection interface {
+	shared.Connection
+
+	// Used to avoid verifying a client with the same options more than once
+	Verify() (accountID string, err error)
+	Hash() uint64
+	SetAccountId(string)
+}

providers/aws/go.mod

@@ -60,6 +60,7 @@ require (
 	github.com/cockroachdb/errors v1.11.3
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-retryablehttp v0.7.7
+	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.10.0
@@ -188,7 +189,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/knqyf263/go-rpmdb v0.1.1 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
@@ -198,7 +199,6 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/buildkit v0.19.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
@@ -221,9 +221,9 @@ require (
 	github.com/pkg/sftp v1.13.9 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.20.5 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
@@ -278,13 +278,14 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.1 // indirect
 	k8s.io/api v0.32.3 // indirect
 	k8s.io/apimachinery v0.32.3 // indirect
-	k8s.io/component-base v0.28.9 // indirect
+	k8s.io/component-base v0.29.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kubelet v0.28.9 // indirect
+	k8s.io/kubelet v0.29.3 // indirect
 	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
 	modernc.org/libc v1.62.1 // indirect
 	modernc.org/mathutil v1.7.1 // indirect

providers/aws/go.sum

@@ -679,8 +679,8 @@ github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRt
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/knqyf263/go-rpmdb v0.1.1 h1:oh68mTCvp1XzxdU7EfafcWzzfstUZAEa3MW0IJye584=
 github.com/knqyf263/go-rpmdb v0.1.1/go.mod h1:9LQcoMCMQ9vrF7HcDtXfvqGO4+ddxFQ8+YF/0CVGDww=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -815,8 +815,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -825,8 +825,8 @@ github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
-github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
-github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
@@ -1511,6 +1511,7 @@ gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1533,12 +1534,12 @@ k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
 k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
 k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
 k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
-k8s.io/component-base v0.28.9 h1:ySM2PR8Z/xaUSG1Akd3yM6dqUezTltI7S5aV41MMuuc=
-k8s.io/component-base v0.28.9/go.mod h1:QtWzscEhCKRfHV24/S+11BwWjVxhC6fd3RYoEgZcWFU=
+k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo=
+k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kubelet v0.28.9 h1:76v00fFLeniz27kXhGGUIxONdwa9LKcD2Jd5cXYAZko=
-k8s.io/kubelet v0.28.9/go.mod h1:46P39DFjI+E59nU2OgpatyS3oWy58ClulKO6riZ/97o=
+k8s.io/kubelet v0.29.3 h1:X9h0ZHzc+eUeNTaksbN0ItHyvGhQ7Z0HPjnQD2oHdwU=
+k8s.io/kubelet v0.29.3/go.mod h1:jDiGuTkFOUynyBKzOoC1xRSWlgAZ9UPcTYeFyjr6vas=
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 modernc.org/cc/v4 v4.25.2 h1:T2oH7sZdGvTaie0BRNFbIYsabzCxUQg8nLqCdQ2i0ic=