Pcp 1428 4.0 (#812)

Author: AmitSahastra

pkg/cloud/scope/session.go

@@ -19,6 +19,7 @@ package scope
 import (
 	"context"
 	"fmt"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/utils"
 	"sync"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -86,7 +87,7 @@ func sessionForRegion(region string, endpoint []ServiceEndpoint) (*session.Sessi
 				}, nil
 			}
 		}
-		return endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
+		return utils.CustomEndpointResolverForAWS().EndpointFor(service, region, optFns...)
 	}
 	ns, err := session.NewSession(&aws.Config{
 		Region:           aws.String(region),
@@ -108,6 +109,11 @@ func sessionForClusterWithRegion(k8sClient client.Client, clusterScoper cloud.Cl
 	log := logger.WithName("identity")
 	log.V(4).Info("Creating an AWS Session")
 
+	err := utils.ResetFipsEndpointEnv(region)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "Failed to reset fips endpoint env")
+	}
+
 	resolver := func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
 		for _, s := range endpoint {
 			if service == s.ServiceID {
@@ -117,7 +123,8 @@ func sessionForClusterWithRegion(k8sClient client.Client, clusterScoper cloud.Cl
 				}, nil
 			}
 		}
-		return endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
+
+		return utils.CustomEndpointResolverForAWS().EndpointFor(service, region, optFns...)
 	}
 
 	providers, err := getProvidersForCluster(context.Background(), k8sClient, clusterScoper, log)

pkg/utils/resolver_endpoint.go

@@ -3,8 +3,11 @@ package utils
 import (
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"k8s.io/klog/v2/klogr"
+	"os"
 )
 
+var isFIPSEndpointEnabled bool
+
 func CustomEndpointResolverForAWS() endpoints.ResolverFunc {
 
 	log := klogr.New()
@@ -15,8 +18,8 @@ func CustomEndpointResolverForAWS() endpoints.ResolverFunc {
 			return resolve, err
 		}
 
-		log.V(0).Info("CustomEndpointResolverForAWS", " region: ", region, " service: ", service, " optFns: ", optFns)
-
+		log.V(1).Info("CustomEndpointResolverForAWS", " region: ", region, " service: ", service, " optFns: ", optFns)
+		// Handle only for US-GOV regions exceptions
 		switch region {
 		case endpoints.UsGovEast1RegionID:
 			switch service {
@@ -79,7 +82,31 @@ func CustomEndpointResolverForAWS() endpoints.ResolverFunc {
 			case "autoscaling-plans":
 				resolve.URL = "https://autoscaling-plans.us-gov-west-1.amazonaws.com"
 			case "autoscaling":
-				resolve.URL = "https://ec2autoscaling.us-gov-west-1.amazonaws.com"
+				resolve.URL = "https://autoscaling.us-gov-west-1.amazonaws.com"
+			}
+
+		case endpoints.UsEast1RegionID:
+			switch service {
+			case "autoscaling":
+				resolve.URL = "https://autoscaling.us-east-1.amazonaws.com"
+			}
+
+		case endpoints.UsEast2RegionID:
+			switch service {
+			case "autoscaling":
+				resolve.URL = "https://autoscaling.us-east-2.amazonaws.com"
+			}
+
+		case endpoints.UsWest1RegionID:
+			switch service {
+			case "autoscaling":
+				resolve.URL = "https://autoscaling.us-west-1.amazonaws.com"
+			}
+
+		case endpoints.UsWest2RegionID:
+			switch service {
+			case "autoscaling":
+				resolve.URL = "https://autoscaling.us-west-2.amazonaws.com"
 			}
 		}
 
@@ -89,3 +116,34 @@ func CustomEndpointResolverForAWS() endpoints.ResolverFunc {
 
 	return resolver
 }
+
+func ResetFipsEndpointEnv(region string) error {
+	log := klogr.New()
+	if isFIPSEndpointEnabled && shouldResetFIPSEndpointEnv(region) {
+		log.V(1).Info("ResetFipsEndpointEnv required for non fips regions")
+		err := os.Unsetenv("AWS_USE_FIPS_ENDPOINT")
+		if err != nil {
+			log.Error(err, "Failed to unset env AWS_USE_FIPS_ENDPOINT")
+			return err
+		}
+		isFIPSEndpointEnabled = false
+	}
+
+	return nil
+}
+
+func shouldResetFIPSEndpointEnv(region string) bool {
+	switch region {
+	case endpoints.UsEast1RegionID, endpoints.UsEast2RegionID, endpoints.UsWest1RegionID, endpoints.UsWest2RegionID, endpoints.UsGovEast1RegionID, endpoints.UsGovWest1RegionID:
+	default:
+		return true
+	}
+	return false
+}
+
+func init() {
+	isEnabled := os.Getenv("AWS_USE_FIPS_ENDPOINT")
+	if isEnabled == "true" {
+		isFIPSEndpointEnabled = true
+	}
+}

pkg/utils/resolver_endpoint_test.go

@@ -1,32 +1,125 @@
 package utils
 
 import (
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/onsi/gomega"
+	"os"
 	"strings"
 	"testing"
 )
 
 func TestResolverEndpointAWSGov(t *testing.T) {
 	g := gomega.NewGomegaWithT(t)
 
-	resolver := CustomEndpointResolverForAWS()
-	result, err := resolver(endpoints.CloudformationServiceID, endpoints.UsGovEast1RegionID, endpoints.UseFIPSEndpointOption)
-	g.Expect(err).ToNot(gomega.HaveOccurred())
-	g.Expect(strings.Contains(result.URL, "cloudformation.us-gov-east-1.amazonaws.com")).To(gomega.BeTrue())
+	err := os.Setenv("AWS_USE_FIPS_ENDPOINT", "true")
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
 
-	result, err = resolver(endpoints.CloudformationServiceID, endpoints.UsGovWest1RegionID, endpoints.UseFIPSEndpointOption)
-	g.Expect(err).ToNot(gomega.HaveOccurred())
+	// Test us-gov and fips enabled regions
+	err = os.Setenv("AWS_REGION", "us-west-2")
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+	sess, err := session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
 
-	g.Expect(strings.Contains(result.URL, "cloudformation.us-gov-west-1.amazonaws.com")).To(gomega.BeTrue())
+	stsSvc := sts.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(stsSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(stsSvc.Endpoint, "sts-fips.us-west-2.amazonaws.com")).To(gomega.BeTrue())
 
-	result, err = resolver(endpoints.StsServiceID, endpoints.UsGovWest1RegionID, endpoints.UseFIPSEndpointOption)
-	g.Expect(err).ToNot(gomega.HaveOccurred())
+	cfnSvc := cloudformation.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(cfnSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(cfnSvc.Endpoint, "cloudformation-fips.us-west-2.amazonaws.com")).To(gomega.BeTrue())
 
-	g.Expect(strings.Contains(result.URL, "sts.us-gov-west-1.amazonaws.com")).To(gomega.BeTrue())
+	err = os.Setenv("AWS_REGION", "us-east-2")
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+	sess, err = session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
 
-	result, err = resolver(endpoints.IamServiceID, endpoints.UsGovWest1RegionID, endpoints.UseFIPSEndpointOption)
-	g.Expect(err).ToNot(gomega.HaveOccurred())
+	stsSvc = sts.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(stsSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(stsSvc.Endpoint, "sts-fips.us-east-2.amazonaws.com")).To(gomega.BeTrue())
 
-	g.Expect(strings.Contains(result.URL, "iam.us-gov.amazonaws.com")).To(gomega.BeTrue())
+	cfnSvc = cloudformation.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(cfnSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(cfnSvc.Endpoint, "cloudformation-fips.us-east-2.amazonaws.com")).To(gomega.BeTrue())
+
+	err = os.Setenv("AWS_REGION", endpoints.UsGovWest1RegionID)
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+
+	sess, err = session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+
+	cfnSvc = cloudformation.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(cfnSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(cfnSvc.Endpoint, "cloudformation.us-gov-west-1.amazonaws.com")).To(gomega.BeTrue())
+
+	stsSvc = sts.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(stsSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(stsSvc.Endpoint, "sts.us-gov-west-1.amazonaws.com")).To(gomega.BeTrue())
+
+	// Test non fips endpoint regions
+	err = os.Unsetenv("AWS_USE_FIPS_ENDPOINT")
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+	err = os.Setenv("AWS_REGION", endpoints.EuNorth1RegionID)
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+	sess, err = session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+
+	cfnSvc = cloudformation.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(cfnSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(cfnSvc.Endpoint, "cloudformation.eu-north-1.amazonaws.com")).To(gomega.BeTrue())
+
+	stsSvc = sts.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(stsSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(stsSvc.Endpoint, "sts.amazonaws.com")).To(gomega.BeTrue())
+
+	err = os.Setenv("AWS_REGION", endpoints.ApSoutheast1RegionID)
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+
+	sess, err = session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})
+	if err != nil {
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+	}
+
+	cfnSvc = cloudformation.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(cfnSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(cfnSvc.Endpoint, "cloudformation.ap-southeast-1.amazonaws.com")).To(gomega.BeTrue())
+
+	stsSvc = sts.New(sess, aws.NewConfig().WithEndpointResolver(CustomEndpointResolverForAWS()))
+	g.Expect(stsSvc.ServiceID).ToNot(gomega.BeEmpty())
+	g.Expect(strings.Contains(stsSvc.Endpoint, "sts.amazonaws.com")).To(gomega.BeTrue())
 }