feat: add support for region on client creation
bearaujus committed Dec 23, 2024
1 parent 0feebd6 commit ce1cbfb
Showing 5 changed files with 64 additions and 52 deletions.
25 changes: 15 additions & 10 deletions plugins/providers/alicloud_ram/client.go
Expand Up @@ -29,7 +29,8 @@ const (
type aliCloudRAMClient struct {
accessKeyId string
accessKeySecret string
ramRole string // example: `acs:ram::{MAIN_ACCOUNT_ID}:role/{ROLE_NAME}`
ramRole string // (optional) example: `acs:ram::{MAIN_ACCOUNT_ID}:role/{ROLE_NAME}`
regionId string // (optional) can be empty for using default region id. see: https://www.alibabacloud.com/help/en/cloud-migration-guide-for-beginners/latest/regions-and-zones
}

// NewAliCloudRAMClient initializes a new instance of AliCloudRAMClient.
Expand All @@ -38,11 +39,12 @@ type aliCloudRAMClient struct {
// and resource information. If a role ARN (`ramRole`) is specified, it will
// be included in the configuration for assuming a RAM role. The function also
// validates the configuration by attempting to create a new RAM client instance.
func NewAliCloudRAMClient(accessKeyID, accessKeySecret, ramRole string) (AliCloudRAMClient, error) {
func NewAliCloudRAMClient(accessKeyID, accessKeySecret, ramRole, regionId string) (AliCloudRAMClient, error) {
c := &aliCloudRAMClient{
accessKeyId: accessKeyID,
accessKeySecret: accessKeySecret,
ramRole: ramRole,
regionId: regionId,
}

// Validate the ram role ARN if present
Expand All @@ -62,7 +64,7 @@ func NewAliCloudRAMClient(accessKeyID, accessKeySecret, ramRole string) (AliClou
}
}

// Validate the configuration by attempting to create a new request client
// Validate the configuration by creating a new dummy request client
_, err := c.newRequestClient()
if err != nil {
return nil, err
Expand Down Expand Up @@ -208,24 +210,27 @@ func (c *aliCloudRAMClient) GetAllPoliciesByType(_ context.Context, policyType s
func (c *aliCloudRAMClient) newRequestClient() (*ram.Client, error) {
// Default to access key credentials (RAM User)
credentialConfig := &credentials.Config{
Type: bptr.FromString(aliAccountTypeAccessKey),
AccessKeyId: &c.accessKeyId,
AccessKeySecret: &c.accessKeySecret,
Type: bptr.FromStringNilAble(aliAccountTypeAccessKey),
AccessKeyId: bptr.FromStringNilAble(c.accessKeyId),
AccessKeySecret: bptr.FromStringNilAble(c.accessKeySecret),
}

// If a role to assume is specified, configure credentials to assume the role (RAM Role)
if c.ramRole != "" {
credentialConfig.Type = bptr.FromString(aliAccountTypeRamRoleARN)
credentialConfig.RoleArn = &c.ramRole
credentialConfig.RoleSessionExpiration = bptr.FromInt(aliRoleSessionExpiration)
credentialConfig.Type = bptr.FromStringNilAble(aliAccountTypeRamRoleARN)
credentialConfig.RoleArn = bptr.FromStringNilAble(c.ramRole)
credentialConfig.RoleSessionExpiration = bptr.FromIntNilAble(aliRoleSessionExpiration)
}

credential, err := credentials.NewCredential(credentialConfig)
if err != nil {
return nil, fmt.Errorf("failed to create a new credentials: %w", err)
}

reqClient, err := ram.NewClient(&openapi.Config{Credential: credential})
reqClient, err := ram.NewClient(&openapi.Config{
Credential: credential,
RegionId: bptr.FromStringNilAble(c.regionId),
})
if err != nil {
return nil, fmt.Errorf("failed to create RAM client: %w", err)
}
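Review bot: The new `regionId` argument at `func NewAliCloudRAMClient(accessKeyID, accessKeySecret, ramRole, regionId string)` is accepted unvalidated and passed straight into `openapi.Config.RegionId`, while the sibling `ramRole` is format-checked before the client is built (`// Validate the ram role ARN if present`). Because the region presumably feeds the SDK's endpoint resolution (confirm against the openapi client's endpoint rules), a malformed or operator-controlled value from provider config would either steer the client to an unexpected host or fail later with an opaque SDK error; an allowlist check next to the ARN validation closes that, e.g. `var regionIDRe = regexp.MustCompile("^[a-z0-9-]+$")` at package scope and `if regionId != "" && !regionIDRe.MatchString(regionId) { return nil, fmt.Errorf("invalid region id %q", regionId) }` (confirm the accepted character set against the linked regions doc). As a point of style, the exported signature now mixes `accessKeyID` and `regionId`; Go's initialism convention would spell the parameter `regionID`. NewAliCloudRAMClient's body continues past the hunk, and the tail of newRequestClient is also cut off.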
73 changes: 40 additions & 33 deletions plugins/providers/alicloud_ram/client_test.go
Expand Up @@ -11,9 +11,10 @@ import (

func TestNewAliCloudRAMClient(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
ramRole string
regionId string
}
tests := []struct {
name string
Expand All @@ -23,7 +24,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "error creating AliCloud RAM client with role - invalid role arn",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "invalid-role-arn",
},
Expand All @@ -32,7 +33,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "error creating AliCloud RAM client with role - unsupported service type",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "acs:unsupported-service-type::500xxxxxxxx:role/role-name",
},
Expand All @@ -41,7 +42,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "error creating AliCloud RAM client with role - invalid resource",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "acs:ram::500xxxxxxxx:invalid-resource",
},
Expand All @@ -50,7 +51,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "error creating AliCloud RAM client with role - unsupported resource type",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "acs:ram::500xxxxxxxx:unsupported-resource-type/role-name",
},
Expand All @@ -59,7 +60,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "error creating AliCloud RAM client with role - empty role name or resource name",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "acs:ram::500xxxxxxxx:role/",
},
Expand All @@ -68,7 +69,7 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "success creating AliCloud RAM client with role",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ramRole: "acs:ram::500xxxxxxxx:role/role-name",
},
Expand All @@ -77,15 +78,15 @@ func TestNewAliCloudRAMClient(t *testing.T) {
{
name: "success creating AliCloud RAM client",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.ramRole)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if tt.wantErr {
assert.Error(t, err)
} else {
Expand All @@ -98,9 +99,10 @@ func TestNewAliCloudRAMClient(t *testing.T) {

func Test_aliCloudRAMClient_GrantAccess(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
policyName string
policyType string
Expand All @@ -114,7 +116,7 @@ func Test_aliCloudRAMClient_GrantAccess(t *testing.T) {
{
name: "error when granting access to user",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
policyName: "test-policy-name",
Expand All @@ -126,7 +128,7 @@ func Test_aliCloudRAMClient_GrantAccess(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand All @@ -143,9 +145,10 @@ func Test_aliCloudRAMClient_GrantAccess(t *testing.T) {

func Test_aliCloudRAMClient_RevokeAccess(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
policyName string
policyType string
Expand All @@ -159,7 +162,7 @@ func Test_aliCloudRAMClient_RevokeAccess(t *testing.T) {
{
name: "error when revoking access to user",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
policyName: "test-policy-name",
Expand All @@ -171,7 +174,7 @@ func Test_aliCloudRAMClient_RevokeAccess(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand All @@ -188,9 +191,10 @@ func Test_aliCloudRAMClient_RevokeAccess(t *testing.T) {

func Test_aliCloudRAMClient_GrantAccessToRole(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
policyName string
policyType string
Expand All @@ -204,7 +208,7 @@ func Test_aliCloudRAMClient_GrantAccessToRole(t *testing.T) {
{
name: "error when granting access to role",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
policyName: "test-policy-name",
Expand All @@ -216,7 +220,7 @@ func Test_aliCloudRAMClient_GrantAccessToRole(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand All @@ -233,9 +237,10 @@ func Test_aliCloudRAMClient_GrantAccessToRole(t *testing.T) {

func Test_aliCloudRAMClient_RevokeAccessFromRole(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
policyName string
policyType string
Expand All @@ -249,7 +254,7 @@ func Test_aliCloudRAMClient_RevokeAccessFromRole(t *testing.T) {
{
name: "error when revoking access to role",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
policyName: "test-policy-name",
Expand All @@ -261,7 +266,7 @@ func Test_aliCloudRAMClient_RevokeAccessFromRole(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand All @@ -278,9 +283,10 @@ func Test_aliCloudRAMClient_RevokeAccessFromRole(t *testing.T) {

func Test_aliCloudRAMClient_ListAccess(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
pc domain.ProviderConfig
r []*domain.Resource
Expand All @@ -293,7 +299,7 @@ func Test_aliCloudRAMClient_ListAccess(t *testing.T) {
{
name: "error not implemented when listing access",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
pc: domain.ProviderConfig{
Expand Down Expand Up @@ -326,7 +332,7 @@ func Test_aliCloudRAMClient_ListAccess(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand All @@ -344,9 +350,10 @@ func Test_aliCloudRAMClient_ListAccess(t *testing.T) {

func Test_aliCloudRAMClient_GetAllPoliciesByType(t *testing.T) {
type args struct {
accessKeyID string
accessKeyId string
accessKeySecret string
roleToAssume string
ramRole string
regionId string
ctx context.Context
policyType string
maxItems int32
Expand All @@ -359,7 +366,7 @@ func Test_aliCloudRAMClient_GetAllPoliciesByType(t *testing.T) {
{
name: "error when get all policies by type",
args: args{
accessKeyID: testAccessKeyID,
accessKeyId: testAccessKeyID,
accessKeySecret: testAccessKeySecret,
ctx: context.TODO(),
policyType: alicloud_ram.PolicyTypeSystem,
Expand All @@ -370,7 +377,7 @@ func Test_aliCloudRAMClient_GetAllPoliciesByType(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyID, tt.args.accessKeySecret, tt.args.roleToAssume)
client, err := alicloud_ram.NewAliCloudRAMClient(tt.args.accessKeyId, tt.args.accessKeySecret, tt.args.ramRole, tt.args.regionId)
if err != nil {
assert.FailNow(t, err.Error())
}
Expand Down
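Review bot: Every args table gains a `regionId` field but no case ever sets it, so the new path `RegionId: bptr.FromStringNilAble(c.regionId)` is exercised only with the empty default and a regression in threading the value through to the client would go unnoticed. `TestNewAliCloudRAMClient` should get at least one case with an explicit region, added before the `success creating AliCloud RAM client` entry; the region value below is illustrative, and the case assumes, as the existing success cases do, that client construction makes no network call. Each test function's trailing assertions sit outside the visible hunks.

```go
{
	name: "success creating AliCloud RAM client with explicit region",
	args: args{
		accessKeyId:     testAccessKeyID,
		accessKeySecret: testAccessKeySecret,
		regionId:        "ap-southeast-1",
	},
	wantErr: false,
},
```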
3 changes: 2 additions & 1 deletion plugins/providers/alicloud_ram/config.go
Expand Up @@ -22,7 +22,8 @@ type Credentials struct {
MainAccountID string `mapstructure:"main_account_id" json:"main_account_id" validate:"required"` // example: 5123xxxxxxxxx
AccessKeyID string `mapstructure:"access_key_id" json:"access_key_id" validate:"required,base64"`
AccessKeySecret string `mapstructure:"access_key_secret" json:"access_key_secret" validate:"required,base64"`
RAMRole string `mapstructure:"ram_role" json:"ram_role,omitempty"` // example: `acs:ram::{MAIN_ACCOUNT_ID}:role/{ROLE_NAME}`
RAMRole string `mapstructure:"ram_role" json:"ram_role,omitempty"` // (optional) example: `acs:ram::{MAIN_ACCOUNT_ID}:role/{ROLE_NAME}`
RegionID string // (optional) can be empty for using default region id. see: https://www.alibabacloud.com/help/en/cloud-migration-guide-for-beginners/latest/regions-and-zones
}

func (c *Credentials) Encrypt(encryptor domain.Encryptor) error {
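Review bot: The new `RegionID string` field carries no `mapstructure`/`json` tags while every sibling field (`main_account_id`, `access_key_id`, `access_key_secret`, `ram_role`) declares a snake_case key. With mapstructure's default matching (case-insensitive on the Go field name, unless the decoder is configured otherwise) a `region_id` key in provider config will not populate this field, so the region silently stays empty and the SDK default is used, and JSON round-trips would emit and expect `RegionID` rather than `region_id`. Suggested declaration: `RegionID string` followed by the raw-string tag `mapstructure:"region_id" json:"region_id,omitempty"` and the existing `// (optional) ...` comment. Since the region is not a secret it presumably needs no handling in Encrypt/Decrypt, which matches the config_test change expecting it untouched after Decrypt; a short comment saying so would prevent someone "fixing" that later. The Credentials struct header and the Encrypt body are outside the hunk.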
6 changes: 6 additions & 0 deletions plugins/providers/alicloud_ram/config_test.go
Expand Up @@ -161,17 +161,23 @@ func TestCredentials_Decrypt(t *testing.T) {
{
name: "success decrypting credentials",
field: &alicloud_ram.Credentials{
MainAccountID: "5123xxxxxxxxx",
AccessKeyID: testEncryptedAccessKeyID,
AccessKeySecret: testEncryptedAccessKeySecret,
RAMRole: "acs:ram::500xxxxxxxx:role/role-name",
RegionID: "",
},
args: args{decryptor: decryptor},
mock: func(c *alicloud_ram.Credentials) {
decryptor.On("Decrypt", c.AccessKeyID).Return(testAccessKeyID, nil).Once()
decryptor.On("Decrypt", c.AccessKeySecret).Return(testAccessKeySecret, nil).Once()
},
assertFunc: func(field *alicloud_ram.Credentials) {
assert.Equal(t, "5123xxxxxxxxx", field.MainAccountID)
assert.Equal(t, testAccessKeyID, field.AccessKeyID)
assert.Equal(t, testAccessKeySecret, field.AccessKeySecret)
assert.Equal(t, "acs:ram::500xxxxxxxx:role/role-name", field.RAMRole)
assert.Equal(t, "", field.RegionID)
},
wantErr: false,
},
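Review bot: The decrypt fixture sets `RegionID: ""` and then asserts `assert.Equal(t, "", field.RegionID)`, which is the zero value and therefore proves nothing about whether Decrypt leaves a configured region intact. Use a non-empty value in both places, e.g. `RegionID: "cn-hangzhou"` in the fixture and `assert.Equal(t, "cn-hangzhou", field.RegionID)` in assertFunc, mirroring how the new `MainAccountID` lines use a real-looking value. The test table header and loop sit outside the hunk.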
9 changes: 1 addition & 8 deletions plugins/providers/alicloud_ram/provider.go
Expand Up @@ -224,7 +224,7 @@ func (p *Provider) getClient(pc *domain.ProviderConfig) (AliCloudRAMClient, erro
}

_ = credentials.Decrypt(p.crypto)
client, err := NewAliCloudRAMClient(credentials.AccessKeyID, credentials.AccessKeySecret, credentials.RAMRole)
client, err := NewAliCloudRAMClient(credentials.AccessKeyID, credentials.AccessKeySecret, credentials.RAMRole, credentials.RegionID)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -277,13 +277,6 @@ func getAccountTypes() []string {
}
}

func getPolicyTypes() []string {
return []string{
PolicyTypeSystem,
PolicyTypeCustom,
}
}

func getResourceTypes() []string {
return []string{
ResourceTypeAccount,
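Review bot: The new call `client, err := NewAliCloudRAMClient(credentials.AccessKeyID, credentials.AccessKeySecret, credentials.RAMRole, credentials.RegionID)` consumes key material that the line above decrypts best-effort with the error discarded (`_ = credentials.Decrypt(p.crypto)`); if decryption fails, the client is built from the still-encrypted values and the constructor's validation proceeds with them, so the operator sees an auth-style failure instead of the real cause. Since this call site is being touched, check the error: `if err := credentials.Decrypt(p.crypto); err != nil { return nil, fmt.Errorf("decrypting alicloud credentials: %w", err) }` (assuming `fmt` is imported in this file; otherwise return err as-is). The second hunk removes `getPolicyTypes`, which is fine only if nothing else in the package still references it — not verifiable from this page. getClient starts above the first hunk, and `getResourceTypes` runs past the last.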
