diff --git a/lib/cloud/clients.go b/lib/cloud/clients.go index 3c7528e56da34..991a60d200d51 100644 --- a/lib/cloud/clients.go +++ b/lib/cloud/clients.go @@ -594,15 +594,6 @@ func (c *cloudClients) GetAWSSTSClient(ctx context.Context, region string, opts return sts.New(session), nil } -// // GetAWSEKSClient returns AWS EKS client for the specified region. -// func (c *cloudClients) GetAWSEKSClient(ctx context.Context, region string, opts ...AWSOptionsFn) (eksiface.EKSAPI, error) { -// session, err := c.GetAWSSession(ctx, region, opts...) -// if err != nil { -// return nil, trace.Wrap(err) -// } -// return eks.New(session), nil -// } - // GetAWSKMSClient returns AWS KMS client for the specified region. func (c *cloudClients) GetAWSKMSClient(ctx context.Context, region string, opts ...AWSOptionsFn) (kmsiface.KMSAPI, error) { session, err := c.GetAWSSession(ctx, region, opts...) 
@@ -1027,22 +1018,21 @@ var _ Clients = (*TestCloudClients)(nil) // TestCloudClients are used in tests. type TestCloudClients struct { - RDS rdsiface.RDSAPI - RDSPerRegion map[string]rdsiface.RDSAPI - Redshift redshiftiface.RedshiftAPI - RedshiftServerless redshiftserverlessiface.RedshiftServerlessAPI - ElastiCache elasticacheiface.ElastiCacheAPI - OpenSearch opensearchserviceiface.OpenSearchServiceAPI - MemoryDB memorydbiface.MemoryDBAPI - SecretsManager secretsmanageriface.SecretsManagerAPI - IAM iamiface.IAMAPI - STS stsiface.STSAPI - GCPSQL gcp.SQLAdminClient - GCPGKE gcp.GKEClient - GCPProjects gcp.ProjectsClient - GCPInstances gcp.InstancesClient - InstanceMetadata imds.Client - // EKS eksiface.EKSAPI + RDS rdsiface.RDSAPI + RDSPerRegion map[string]rdsiface.RDSAPI + Redshift redshiftiface.RedshiftAPI + RedshiftServerless redshiftserverlessiface.RedshiftServerlessAPI + ElastiCache elasticacheiface.ElastiCacheAPI + OpenSearch opensearchserviceiface.OpenSearchServiceAPI + MemoryDB memorydbiface.MemoryDBAPI + SecretsManager secretsmanageriface.SecretsManagerAPI + IAM iamiface.IAMAPI + STS stsiface.STSAPI + GCPSQL gcp.SQLAdminClient + GCPGKE gcp.GKEClient + GCPProjects gcp.ProjectsClient + GCPInstances gcp.InstancesClient + InstanceMetadata imds.Client KMS kmsiface.KMSAPI S3 s3iface.S3API AzureMySQL azure.DBServersClient diff --git a/lib/cloud/mocks/aws.go b/lib/cloud/mocks/aws.go index 81246f1799fac..9935543843dff 100644 --- a/lib/cloud/mocks/aws.go +++ b/lib/cloud/mocks/aws.go @@ -35,8 +35,8 @@ import ( "github.com/gravitational/trace" ) -// STSClientV1 mocks AWS STS API. -type STSClientV1 struct { +// STSMock mocks AWS STS API. +type STSMock struct { stsiface.STSAPI ARN string URL *url.URL 
@@ -45,36 +45,36 @@ type STSClientV1 struct { mu sync.Mutex } -func (m *STSClientV1) GetAssumedRoleARNs() []string { +func (m *STSMock) GetAssumedRoleARNs() []string { m.mu.Lock() defer m.mu.Unlock() return m.assumedRoleARNs } -func (m *STSClientV1) GetAssumedRoleExternalIDs() []string { +func (m *STSMock) GetAssumedRoleExternalIDs() []string { m.mu.Lock() defer m.mu.Unlock() return m.assumedRoleExternalIDs } -func (m *STSClientV1) ResetAssumeRoleHistory() { +func (m *STSMock) ResetAssumeRoleHistory() { m.mu.Lock() defer m.mu.Unlock() m.assumedRoleARNs = nil m.assumedRoleExternalIDs = nil } -func (m *STSClientV1) GetCallerIdentityWithContext(aws.Context, *sts.GetCallerIdentityInput, ...request.Option) (*sts.GetCallerIdentityOutput, error) { +func (m *STSMock) GetCallerIdentityWithContext(aws.Context, *sts.GetCallerIdentityInput, ...request.Option) (*sts.GetCallerIdentityOutput, error) { return &sts.GetCallerIdentityOutput{ Arn: aws.String(m.ARN), }, nil } -func (m *STSClientV1) AssumeRole(in *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) { +func (m *STSMock) AssumeRole(in *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) { return m.AssumeRoleWithContext(context.Background(), in) } -func (m *STSClientV1) AssumeRoleWithContext(ctx aws.Context, in *sts.AssumeRoleInput, _ ...request.Option) (*sts.AssumeRoleOutput, error) { +func (m *STSMock) AssumeRoleWithContext(ctx aws.Context, in *sts.AssumeRoleInput, _ ...request.Option) (*sts.AssumeRoleOutput, error) { m.mu.Lock() defer m.mu.Unlock() if !slices.Contains(m.assumedRoleARNs, aws.StringValue(in.RoleArn)) { 
@@ -92,7 +92,7 @@ func (m *STSClientV1) AssumeRoleWithContext(ctx aws.Context, in *sts.AssumeRoleI }, nil } -func (m *STSClientV1) GetCallerIdentityRequest(req *sts.GetCallerIdentityInput) (*request.Request, *sts.GetCallerIdentityOutput) { +func (m *STSMock) GetCallerIdentityRequest(req *sts.GetCallerIdentityInput) (*request.Request, *sts.GetCallerIdentityOutput) { return &request.Request{ HTTPRequest: &http.Request{ Header: http.Header{}, 
@@ -286,85 +286,3 @@ func (m *IAMErrorMock) PutUserPolicyWithContext(ctx aws.Context, input *iam.PutU } return nil, trace.AccessDenied("unauthorized") } - -// // EKSMock is a mock EKS client. -// type EKSMock struct { -// eksiface.EKSAPI -// Clusters []*eks.Cluster -// AccessEntries []*eks.AccessEntry -// AssociatedPolicies []*eks.AssociatedAccessPolicy -// Notify chan struct{} -// } - -// func (e *EKSMock) DescribeClusterWithContext(_ aws.Context, req *eks.DescribeClusterInput, _ ...request.Option) (*eks.DescribeClusterOutput, error) { -// defer func() { -// if e.Notify != nil { -// e.Notify <- struct{}{} -// } -// }() -// for _, cluster := range e.Clusters { -// if aws.StringValue(req.Name) == aws.StringValue(cluster.Name) { -// return &eks.DescribeClusterOutput{Cluster: cluster}, nil -// } -// } -// return nil, trace.NotFound("cluster %v not found", aws.StringValue(req.Name)) -// } - -// func (e *EKSMock) ListClustersPagesWithContext(_ aws.Context, _ *eks.ListClustersInput, f func(*eks.ListClustersOutput, bool) bool, _ ...request.Option) error { -// defer func() { -// if e.Notify != nil { -// e.Notify <- struct{}{} -// } -// }() -// clusters := make([]*string, 0, len(e.Clusters)) -// for _, cluster := range e.Clusters { -// clusters = append(clusters, cluster.Name) -// } -// f(&eks.ListClustersOutput{ -// Clusters: clusters, -// }, true) -// return nil -// } - -// func (e *EKSMock) ListAccessEntriesPagesWithContext(_ aws.Context, _ *eks.ListAccessEntriesInput, f func(*eks.ListAccessEntriesOutput, bool) bool, _ ...request.Option) error { -// defer func() { -// if e.Notify != nil { -// e.Notify <- struct{}{} -// } -// }() -// accessEntries := make([]*string, 0, len(e.Clusters)) -// for _, a := range e.AccessEntries { -// accessEntries = append(accessEntries, a.PrincipalArn) -// } -// f(&eks.ListAccessEntriesOutput{ -// AccessEntries: accessEntries, -// }, true) -// return nil -// } - -// func (e *EKSMock) DescribeAccessEntryWithContext(_ aws.Context, req 
*eks.DescribeAccessEntryInput, _ ...request.Option) (*eks.DescribeAccessEntryOutput, error) { -// defer func() { -// if e.Notify != nil { -// e.Notify <- struct{}{} -// } -// }() -// for _, a := range e.AccessEntries { -// if aws.StringValue(req.PrincipalArn) == aws.StringValue(a.PrincipalArn) && aws.StringValue(a.ClusterName) == aws.StringValue(req.ClusterName) { -// return &eks.DescribeAccessEntryOutput{AccessEntry: a}, nil -// } -// } -// return nil, trace.NotFound("access entry %v not found", aws.StringValue(req.PrincipalArn)) -// } - -// func (e *EKSMock) ListAssociatedAccessPoliciesPagesWithContext(_ aws.Context, _ *eks.ListAssociatedAccessPoliciesInput, f func(*eks.ListAssociatedAccessPoliciesOutput, bool) bool, _ ...request.Option) error { -// defer func() { -// if e.Notify != nil { -// e.Notify <- struct{}{} -// } -// }() - -// f(&eks.ListAssociatedAccessPoliciesOutput{ -// AssociatedAccessPolicies: e.AssociatedPolicies, -// }, true) -// return nil -// } diff --git a/lib/kube/proxy/cluster_details.go b/lib/kube/proxy/cluster_details.go index 0c7218b1559af..8e502ea775acd 100644 --- a/lib/kube/proxy/cluster_details.go +++ b/lib/kube/proxy/cluster_details.go @@ -52,6 +52,7 @@ import ( // kubeDetails contain the cluster-related details including authentication. type kubeDetails struct { kubeCreds + // dynamicLabels is the dynamic labels executor for this cluster. dynamicLabels *labels.Dynamic // kubeCluster is the dynamic kube_cluster or a static generated from kubeconfig and that only has the name populated. 
@@ -268,8 +269,14 @@ func (k *kubeDetails) getObjectGVK(resource apiResource) *schema.GroupVersionKin // getKubeClusterCredentials generates kube credentials for dynamic clusters. func getKubeClusterCredentials(ctx context.Context, cfg clusterDetailsConfig) (kubeCreds, error) { - dynCredsCfg := dynamicCredsConfig{kubeCluster: cfg.cluster, log: cfg.log, checker: cfg.checker, resourceMatchers: cfg.resourceMatchers, clock: cfg.clock, component: cfg.component} - switch { + switch dynCredsCfg := (dynamicCredsConfig{ + kubeCluster: cfg.cluster, + log: cfg.log, + checker: cfg.checker, + resourceMatchers: cfg.resourceMatchers, + clock: cfg.clock, + component: cfg.component, + }); { case cfg.cluster.IsKubeconfig(): return getStaticCredentialsFromKubeconfig(ctx, cfg.component, cfg.cluster, cfg.log, cfg.checker) case cfg.cluster.IsAzure(): @@ -333,8 +340,7 @@ func getAWSResourceMatcherToCluster(kubeCluster types.KubeCluster, resourceMatch if match, _, _ := services.MatchLabels(matcher.Labels, kubeCluster.GetAllLabels()); !match { continue } - - return &(matcher.AWS) + return &matcher.AWS } return nil } @@ -342,10 +348,12 @@ func getAWSResourceMatcherToCluster(kubeCluster types.KubeCluster, resourceMatch // STSPresignClient is the subset of the STS presign interface we use in fetchers. type STSPresignClient = kubeutils.STSPresignClient +// EKSClient is the subset of the EKS Client interface we use. type EKSClient interface { eks.DescribeClusterAPIClient } +// STSClient is the subset of the STS Client interface we use. type STSClient interface { stscreds.AssumeRoleAPIClient } 
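Review bot: The new `switch dynCredsCfg := (dynamicCredsConfig{...}); {` header in getKubeClusterCredentials is easy to misread, because the tagless switch now hinges on a `;` that trails a six-field parenthesised composite literal. The first visible case (`cfg.cluster.IsKubeconfig()`) does not use `dynCredsCfg` at all, so scoping it to the switch buys little. Since this function decides which credential source a cluster gets, I would keep the multi-line literal but as its own statement, `dynCredsCfg := dynamicCredsConfig{ ... }`, followed by a plain `switch {`. The remaining cases and any default branch lie outside the hunk, so whether an unmatched cluster type is rejected cannot be confirmed from here.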
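Review bot: The `services.MatchLabels` call directly above the changed return discards its second and third results (`match, _, _ :=`), so a matcher whose evaluation fails is skipped exactly like one that does not match, and getAWSResourceMatcherToCluster falls through to `return nil`. If the last discarded value is an error (the signature is not visible in this hunk), bind it with `match, _, err := services.MatchLabels(...)` and at least record it before `continue`. What callers do with a nil result is not shown here; if nil means "no matcher-specific AWS settings", a silently skipped matcher could change which AWS identity is used for the cluster. A short comment on `return &matcher.AWS` would also help, for example `// points at the loop variable's copy, not the element in resourceMatchers`. The function starts before this hunk.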
@@ -366,7 +374,7 @@ func getAWSClientRestConfig(cloudClients ClientGetter, clock clockwork.Clock, re region := cluster.GetAWSConfig().Region opts := []awsconfig.OptionsFn{ awsconfig.WithAmbientCredentials(), - // TODO(@creack): Re-enable this when session cache v2 gets merged (#50561). + // TODO(@GavinFrazar): Re-enable this when session cache v2 gets merged (#50561). // awsconfig.WithoutSessionCache(), } stsClient, err := cloudClients.GetAWSSTSClient(ctx, region, opts...) diff --git a/lib/srv/db/access_test.go b/lib/srv/db/access_test.go index a456f972e72ff..8d415fc8953c0 100644 --- a/lib/srv/db/access_test.go +++ b/lib/srv/db/access_test.go @@ -2481,7 +2481,7 @@ func (p *agentParams) setDefaults(c *testContext) { if p.CloudClients == nil { p.CloudClients = &clients.TestCloudClients{ - STS: &mocks.STSClientV1{}, + STS: &mocks.STSMock{}, RDS: &mocks.RDSMock{}, Redshift: &mocks.RedshiftMock{}, RedshiftServerless: &mocks.RedshiftServerlessMock{}, diff --git a/lib/srv/db/cloud/iam_test.go b/lib/srv/db/cloud/iam_test.go index 68d826761cb65..1c4646637388d 100644 --- a/lib/srv/db/cloud/iam_test.go +++ b/lib/srv/db/cloud/iam_test.go @@ -65,7 +65,7 @@ func TestAWSIAM(t *testing.T) { } // Configure mocks. - stsClient := &mocks.STSClientV1{ + stsClient := &mocks.STSMock{ ARN: "arn:aws:iam::123456789012:role/test-role", } @@ -294,7 +294,7 @@ func TestAWSIAMNoPermissions(t *testing.T) { t.Cleanup(cancel) // Create unauthorized mocks for AWS services. - stsClient := &mocks.STSClientV1{ + stsClient := &mocks.STSMock{ ARN: "arn:aws:iam::123456789012:role/test-role", } // Make configurator. diff --git a/lib/srv/db/cloud/meta_test.go b/lib/srv/db/cloud/meta_test.go index ba99ed22e7cdf..c4eb033360f13 100644 --- a/lib/srv/db/cloud/meta_test.go +++ b/lib/srv/db/cloud/meta_test.go 
@@ -116,7 +116,7 @@ func TestAWSMetadata(t *testing.T) { }, } - stsMock := &mocks.STSClientV1{} + stsMock := &mocks.STSMock{} // Configure Redshift Serverless API mock. redshiftServerlessWorkgroup := mocks.RedshiftServerlessWorkgroup("my-workgroup", "us-west-1") @@ -406,7 +406,7 @@ func TestAWSMetadataNoPermissions(t *testing.T) { rds := &mocks.RDSMockUnauth{} redshift := &mocks.RedshiftMockUnauth{} - stsMock := &mocks.STSClientV1{} + stsMock := &mocks.STSMock{} // Create metadata fetcher. metadata, err := NewMetadata(MetadataConfig{ diff --git a/lib/srv/db/cloud/resource_checker_url_aws_test.go b/lib/srv/db/cloud/resource_checker_url_aws_test.go index a8f431e282cc6..81928cbd7902c 100644 --- a/lib/srv/db/cloud/resource_checker_url_aws_test.go +++ b/lib/srv/db/cloud/resource_checker_url_aws_test.go @@ -142,7 +142,7 @@ func TestURLChecker_AWS(t *testing.T) { OpenSearch: &mocks.OpenSearchMock{ Domains: []*opensearchservice.DomainStatus{openSearchDomain, openSearchVPCDomain}, }, - STS: &mocks.STSClientV1{}, + STS: &mocks.STSMock{}, } mockClientsUnauth := &cloud.TestCloudClients{ RDS: &mocks.RDSMockUnauth{}, @@ -151,7 +151,7 @@ func TestURLChecker_AWS(t *testing.T) { ElastiCache: &mocks.ElastiCacheMock{Unauth: true}, MemoryDB: &mocks.MemoryDBMock{Unauth: true}, OpenSearch: &mocks.OpenSearchMock{Unauth: true}, - STS: &mocks.STSClientV1{}, + STS: &mocks.STSMock{}, } // Test both check methods. diff --git a/lib/srv/db/common/auth_test.go b/lib/srv/db/common/auth_test.go index e8bd08f5e72bd..32d72d0dd41eb 100644 --- a/lib/srv/db/common/auth_test.go +++ b/lib/srv/db/common/auth_test.go @@ -106,7 +106,7 @@ func TestAuthGetRedshiftServerlessAuthToken(t *testing.T) { t.Parallel() // setup mock aws sessions. - stsMock := &mocks.STSClientV1{} + stsMock := &mocks.STSMock{} clock := clockwork.NewFakeClock() auth, err := NewAuth(AuthConfig{ Clock: clock, 
@@ -466,7 +466,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { t.Cleanup(cancel) tests := map[string]struct { checkGetAuthFn func(t *testing.T, auth Auth) - checkSTS func(t *testing.T, stsMock *mocks.STSClientV1) + checkSTS func(t *testing.T, stsMock *mocks.STSMock) }{ "Redshift": { checkGetAuthFn: func(t *testing.T, auth Auth) { @@ -485,7 +485,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { require.Equal(t, "IAM:some-user", dbUser) require.Equal(t, "some-password", dbPassword) }, - checkSTS: func(t *testing.T, stsMock *mocks.STSClientV1) { + checkSTS: func(t *testing.T, stsMock *mocks.STSMock) { t.Helper() require.Contains(t, stsMock.GetAssumedRoleARNs(), "arn:aws:iam::123456789012:role/RedshiftRole") require.Contains(t, stsMock.GetAssumedRoleExternalIDs(), "externalRedshift") @@ -508,7 +508,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { require.Equal(t, "IAM:some-role", dbUser) require.Equal(t, "some-password-for-some-role", dbPassword) }, - checkSTS: func(t *testing.T, stsMock *mocks.STSClientV1) { + checkSTS: func(t *testing.T, stsMock *mocks.STSMock) { t.Helper() require.Contains(t, stsMock.GetAssumedRoleARNs(), "arn:aws:iam::123456789012:role/RedshiftRole") require.Contains(t, stsMock.GetAssumedRoleExternalIDs(), "externalRedshift") @@ -530,7 +530,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { require.Equal(t, "IAM:some-user", dbUser) require.Equal(t, "some-password", dbPassword) }, - checkSTS: func(t *testing.T, stsMock *mocks.STSClientV1) { + checkSTS: func(t *testing.T, stsMock *mocks.STSMock) { t.Helper() require.Contains(t, stsMock.GetAssumedRoleARNs(), "arn:aws:iam::123456789012:role/RedshiftServerlessRole") require.Contains(t, stsMock.GetAssumedRoleExternalIDs(), "externalRedshiftServerless") 
@@ -550,7 +550,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { require.NoError(t, err) require.Contains(t, token, "DBUser=some-user") }, - checkSTS: func(t *testing.T, stsMock *mocks.STSClientV1) { + checkSTS: func(t *testing.T, stsMock *mocks.STSMock) { t.Helper() require.Contains(t, stsMock.GetAssumedRoleARNs(), "arn:aws:iam::123456789012:role/RDSProxyRole") require.Contains(t, stsMock.GetAssumedRoleExternalIDs(), "externalRDSProxy") @@ -578,7 +578,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { require.Equal(t, "arn:aws:iam::123456789012:role/RedisRole/20010203/ca-central-1/elasticache/aws4_request", query.Get("X-Amz-Credential")) }, - checkSTS: func(t *testing.T, stsMock *mocks.STSClientV1) { + checkSTS: func(t *testing.T, stsMock *mocks.STSMock) { t.Helper() require.Contains(t, stsMock.GetAssumedRoleARNs(), "arn:aws:iam::123456789012:role/RedisRole") require.Contains(t, stsMock.GetAssumedRoleExternalIDs(), "externalElastiCacheRedis") @@ -586,7 +586,7 @@ func TestAuthGetAWSTokenWithAssumedRole(t *testing.T) { }, } - stsMock := &mocks.STSClientV1{} + stsMock := &mocks.STSMock{} clock := clockwork.NewFakeClockAt(time.Date(2001, time.February, 3, 0, 0, 0, 0, time.UTC)) auth, err := NewAuth(AuthConfig{ Clock: clock, @@ -623,7 +623,7 @@ func TestGetAWSIAMCreds(t *testing.T) { for name, tt := range map[string]struct { db types.Database - stsMock *mocks.STSClientV1 + stsMock *mocks.STSMock username string expectedKeyId string expectedAssumedRoles []string @@ -632,7 +632,7 @@ func TestGetAWSIAMCreds(t *testing.T) { }{ "username is full role ARN": { db: newMongoAtlasDatabase(t, types.AWS{}), - stsMock: &mocks.STSClientV1{}, + stsMock: &mocks.STSMock{}, username: "arn:aws:iam::123456789012:role/role-name", expectedKeyId: "arn:aws:iam::123456789012:role/role-name", expectedAssumedRoles: []string{"arn:aws:iam::123456789012:role/role-name"}, 
@@ -641,7 +641,7 @@ func TestGetAWSIAMCreds(t *testing.T) { }, "username is partial role ARN": { db: newMongoAtlasDatabase(t, types.AWS{}), - stsMock: &mocks.STSClientV1{ + stsMock: &mocks.STSMock{ // This is the role returned by the STS GetCallerIdentity. ARN: "arn:aws:iam::222222222222:role/teleport-service-role", }, @@ -653,7 +653,7 @@ func TestGetAWSIAMCreds(t *testing.T) { }, "unable to fetch account ID": { db: newMongoAtlasDatabase(t, types.AWS{}), - stsMock: &mocks.STSClientV1{ + stsMock: &mocks.STSMock{ ARN: "", }, username: "role/role-name", @@ -664,7 +664,7 @@ func TestGetAWSIAMCreds(t *testing.T) { ExternalID: "123123", AssumeRoleARN: "arn:aws:iam::222222222222:role/teleport-service-role-external", }), - stsMock: &mocks.STSClientV1{ + stsMock: &mocks.STSMock{ ARN: "arn:aws:iam::111111111111:role/teleport-service-role", }, username: "role/role-name", diff --git a/lib/srv/discovery/discovery_test.go b/lib/srv/discovery/discovery_test.go index 37ea720c6e559..392126c096c11 100644 --- a/lib/srv/discovery/discovery_test.go +++ b/lib/srv/discovery/discovery_test.go @@ -2046,7 +2046,7 @@ func TestDiscoveryDatabase(t *testing.T) { } testCloudClients := &cloud.TestCloudClients{ - STS: &mocks.STSClientV1{}, + STS: &mocks.STSMock{}, RDS: &mocks.RDSMock{ DBInstances: []*rds.DBInstance{awsRDSInstance}, DBEngineVersions: []*rds.DBEngineVersion{ @@ -2457,7 +2457,7 @@ func TestDiscoveryDatabaseRemovingDiscoveryConfigs(t *testing.T) { awsRDSInstance, awsRDSDB := makeRDSInstance(t, "aws-rds", "us-west-1", rewriteDiscoveryLabelsParams{discoveryConfigName: dc2Name, discoveryGroup: mainDiscoveryGroup}) testCloudClients := &cloud.TestCloudClients{ - STS: &mocks.STSClientV1{}, + STS: &mocks.STSMock{}, RDS: &mocks.RDSMock{ DBInstances: []*rds.DBInstance{awsRDSInstance}, DBEngineVersions: []*rds.DBEngineVersion{ diff --git a/lib/srv/discovery/fetchers/aws-sync/eks_test.go b/lib/srv/discovery/fetchers/aws-sync/eks_test.go index a265bebf782b7..b38f1ff851a92 100644 
--- a/lib/srv/discovery/fetchers/aws-sync/eks_test.go +++ b/lib/srv/discovery/fetchers/aws-sync/eks_test.go @@ -26,7 +26,7 @@ import ( "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/eks" - "github.com/aws/aws-sdk-go-v2/service/eks/types" + ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types" "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/require" "google.golang.org/protobuf/testing/protocmp" @@ -45,9 +45,9 @@ const ( ) type mockedEKSClient struct { - clusters []*types.Cluster - accessEntries []*types.AccessEntry - associatedAccessPolicies []types.AssociatedAccessPolicy + clusters []*ekstypes.Cluster + accessEntries []*ekstypes.AccessEntry + associatedAccessPolicies []ekstypes.AssociatedAccessPolicy } func (m *mockedEKSClient) DescribeCluster(ctx context.Context, input *eks.DescribeClusterInput, optFns ...func(*eks.Options)) (*eks.DescribeClusterOutput, error) { @@ -89,7 +89,7 @@ func (m *mockedEKSClient) ListAssociatedAccessPolicies(ctx context.Context, inpu func (m *mockedEKSClient) DescribeAccessEntry(ctx context.Context, input *eks.DescribeAccessEntryInput, optFns ...func(*eks.Options)) (*eks.DescribeAccessEntryOutput, error) { return &eks.DescribeAccessEntryOutput{ - AccessEntry: &types.AccessEntry{ + AccessEntry: &ekstypes.AccessEntry{ PrincipalArn: aws.String(principalARN), AccessEntryArn: aws.String(accessEntryARN), CreatedAt: aws.Time(date), @@ -98,7 +98,7 @@ func (m *mockedEKSClient) DescribeAccessEntry(ctx context.Context, input *eks.De Tags: map[string]string{ "t1": "t2", }, - Type: aws.String(string(types.AccessScopeTypeCluster)), + Type: aws.String(string(ekstypes.AccessScopeTypeCluster)), Username: aws.String("teleport"), KubernetesGroups: []string{"teleport"}, }, 
@@ -162,7 +162,7 @@ func TestPollAWSEKSClusters(t *testing.T) { Cluster: cluster, PrincipalArn: principalARN, Scope: &accessgraphv1alpha.AWSEKSAccessScopeV1{ - Type: string(types.AccessScopeTypeCluster), + Type: string(ekstypes.AccessScopeTypeCluster), Namespaces: []string{"ns1"}, }, AssociatedAt: timestamppb.New(date), @@ -227,13 +227,13 @@ func TestPollAWSEKSClusters(t *testing.T) { } } -func eksClusters() []*types.Cluster { - return []*types.Cluster{ +func eksClusters() []*ekstypes.Cluster { + return []*ekstypes.Cluster{ { Name: aws.String("cluster1"), Arn: aws.String("arn:us-west1:eks:cluster1"), CreatedAt: aws.Time(date), - Status: types.ClusterStatusActive, + Status: ekstypes.ClusterStatusActive, Tags: map[string]string{ "tag1": "", "tag2": "val2", @@ -242,8 +242,8 @@ func eksClusters() []*types.Cluster { } } -func accessEntries() []*types.AccessEntry { - return []*types.AccessEntry{ +func accessEntries() []*ekstypes.AccessEntry { + return []*ekstypes.AccessEntry{ { PrincipalArn: aws.String(principalARN), AccessEntryArn: aws.String(accessEntryARN), @@ -253,19 +253,19 @@ func accessEntries() []*types.AccessEntry { Tags: map[string]string{ "t1": "t2", }, - Type: aws.String(string(types.AccessScopeTypeCluster)), + Type: aws.String(string(ekstypes.AccessScopeTypeCluster)), Username: aws.String("teleport"), KubernetesGroups: []string{"teleport"}, }, } } -func associatedPolicies() []types.AssociatedAccessPolicy { - return []types.AssociatedAccessPolicy{ +func associatedPolicies() []ekstypes.AssociatedAccessPolicy { + return []ekstypes.AssociatedAccessPolicy{ { - AccessScope: &types.AccessScope{ + AccessScope: &ekstypes.AccessScope{ Namespaces: []string{"ns1"}, - Type: types.AccessScopeTypeCluster, + Type: ekstypes.AccessScopeTypeCluster, }, ModifiedAt: aws.Time(date), AssociatedAt: aws.Time(date), diff --git a/lib/srv/discovery/fetchers/db/helpers_test.go b/lib/srv/discovery/fetchers/db/helpers_test.go index aa09cf831fe2e..6063198b71e6d 100644 
--- a/lib/srv/discovery/fetchers/db/helpers_test.go +++ b/lib/srv/discovery/fetchers/db/helpers_test.go @@ -122,7 +122,7 @@ func testAWSFetchers(t *testing.T, tests ...awsFetcherTest) { for _, test := range tests { test := test require.Nil(t, test.inputClients.STS, "testAWSFetchers injects an STS mock itself, but test input had already configured it. This is a test configuration error.") - stsMock := &mocks.STSClientV1{} + stsMock := &mocks.STSMock{} test.inputClients.STS = stsMock t.Run(test.name, func(t *testing.T) { t.Helper()