diff --git a/go.mod b/go.mod
index 70f687fa06..3bad6f9b73 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,11 @@ go 1.25.7
 require (
 github.com/Masterminds/semver/v3 v3.4.0
- github.com/aws/aws-sdk-go v1.55.8
+ github.com/aws/aws-sdk-go-v2 v1.41.1
+ github.com/aws/aws-sdk-go-v2/config v1.32.9
+ github.com/aws/aws-sdk-go-v2/credentials v1.19.9
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.290.0
 github.com/blang/semver/v4 v4.0.0
 github.com/cloudflare/cfssl v1.6.5
 github.com/containernetworking/cni v1.2.3
@@ -65,6 +69,16 @@ require (
 github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 github.com/armon/go-radix v1.0.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
+ github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
+ github.com/aws/smithy-go v1.24.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
@@ -112,7 +126,6 @@ require (
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jinzhu/copier v0.4.0 // indirect
- github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/jmoiron/sqlx v1.4.0 // indirect
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
 github.com/josharian/intern v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 6157cb7cc1..fed2a11435 100644
--- a/go.sum
+++ b/go.sum
@@ -32,8 +32,36 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
-github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
+github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
+github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
+github.com/aws/aws-sdk-go-v2/config v1.32.9 h1:ktda/mtAydeObvJXlHzyGpK1xcsLaP16zfUPDGoW90A=
+github.com/aws/aws-sdk-go-v2/config v1.32.9/go.mod h1:U+fCQ+9QKsLW786BCfEjYRj34VVTbPdsLP3CHSYXMOI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.9 h1:sWvTKsyrMlJGEuj/WgrwilpoJ6Xa1+KhIpGdzw7mMU8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.9/go.mod h1:+J44MBhmfVY/lETFiKI+klz0Vym2aCmIjqgClMmW82w=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.290.0 h1:Ub4CvLWf8wEQ7/pEiqXM9tTsHXf2BokPLwbqEvrmAq0=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.290.0/go.mod h1:Uy+C+Sc58jozdoL1McQr8bDsEvNFx+/nBY+vpO1HVUY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 h1:+VTRawC4iVY58pS/lzpo0lnoa/SYNGF4/B/3/U5ro8Y=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.10/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 h1:0jbJeuEHlwKJ9PfXtpSFc4MF+WIWORdhN1n30ITZGFM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
+github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
+github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -232,10 +260,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
diff --git a/pkg/awssgsetup/aws_security_group_setup.go b/pkg/awssgsetup/aws_security_group_setup.go
index 82c54c1193..d016eb2b38 100644
--- a/pkg/awssgsetup/aws_security_group_setup.go
+++ b/pkg/awssgsetup/aws_security_group_setup.go
@@ -18,21 +18,18 @@ import (
 "context"
 "errors"
 "fmt"
+ "io"
- //nolint:staticcheck // Ignore SA1019 deprecated
- "github.com/aws/aws-sdk-go/aws"
- //nolint:staticcheck // Ignore SA1019 deprecated
- "github.com/aws/aws-sdk-go/aws/credentials"
- //nolint:staticcheck // Ignore SA1019 deprecated
- "github.com/aws/aws-sdk-go/aws/ec2metadata"
- //nolint:staticcheck // Ignore SA1019 deprecated
- "github.com/aws/aws-sdk-go/aws/session"
- //nolint:staticcheck // Ignore SA1019 deprecated
- "github.com/aws/aws-sdk-go/service/ec2"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ awsconfig "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/credentials"
+ "github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+ "github.com/aws/aws-sdk-go-v2/service/ec2"
+ "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"
+ k8stypes "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -64,72 +61,69 @@ func SetupAWSSecurityGroups(ctx context.Context, client client.Client, hosted bo
 return fmt.Errorf("failed to get AWS credentials: %v", err)
 }
- metaSess, err := session.NewSession()
+ cfg, err := awsconfig.LoadDefaultConfig(ctx)
 if err != nil {
- return fmt.Errorf("failed to get metadata session: %v", err)
+ return fmt.Errorf("failed to load AWS config: %v", err)
 }
- meta := ec2metadata.New(metaSess)
- if !meta.Available() {
- return fmt.Errorf("instance metadata is not available, unable to configure Security Groups")
- }
+ imdsClient := imds.NewFromConfig(cfg)
- doc, err := meta.GetInstanceIdentityDocument()
+ doc, err := imdsClient.GetInstanceIdentityDocument(ctx, &imds.GetInstanceIdentityDocumentInput{})
 if err != nil {
 return fmt.Errorf("failed to get metadata document: %v", err)
 }
 region := doc.Region
- vpcId, err := getVPCid(meta)
+ vpcId, err := getVPCid(ctx, imdsClient)
 if err != nil {
 return fmt.Errorf("failed to update AWS SecurityGroups: %v", err)
 }
- sess, err := session.NewSession(&aws.Config{
- Region: aws.String(region),
- Credentials: credentials.NewStaticCredentials(awsKeyId, awsSecret, ""),
- })
+ cfg, err = awsconfig.LoadDefaultConfig(ctx,
+ awsconfig.WithRegion(region),
+ awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(awsKeyId, awsSecret, "")),
+ )
 if err != nil {
 return fmt.Errorf("failed to update AWS SecurityGroups: %v", err)
 }
- ec2Cli := ec2.New(sess)
+ ec2Cli := ec2.NewFromConfig(cfg)
 if hosted {
- return setupHostedClusterSGs(ec2Cli, vpcId)
+ return setupHostedClusterSGs(ctx, ec2Cli, vpcId)
 }
- return setupClusterSGs(ec2Cli, vpcId)
+ return setupClusterSGs(ctx, ec2Cli, vpcId)
 }
-func setupClusterSGs(ec2Cli *ec2.EC2, vpcId string) error {
+func setupClusterSGs(ctx context.Context, ec2Cli *ec2.Client, vpcId string) error {
 // Get SG ids in VPC
 // Get controlplane SG with role filter
- controlPlaneSg, err := getSecurityGroup(ec2Cli, vpcId, "tag:sigs.k8s.io/cluster-api-provider-aws/role", "controlplane")
+ controlPlaneSg, err := getSecurityGroup(ctx, ec2Cli, vpcId, "tag:sigs.k8s.io/cluster-api-provider-aws/role", "controlplane")
 // Fall back to using filter tag:Name with *-master-sg if not found
 var notFound errorSecurityGroupNotFound
 if err != nil && errors.As(err, ¬Found) {
- controlPlaneSg, err = getSecurityGroup(ec2Cli, vpcId, "tag:Name", "*-master-sg")
+ controlPlaneSg, err = getSecurityGroup(ctx, ec2Cli, vpcId, "tag:Name", "*-master-sg")
 }
 if err != nil {
 return fmt.Errorf("failed to get controlplane AWS SecurityGroup: %v", err)
 }
 // Get node SG with role filter
- nodeSg, err := getSecurityGroup(ec2Cli, vpcId, "tag:sigs.k8s.io/cluster-api-provider-aws/role", "node")
+ nodeSg, err := getSecurityGroup(ctx, ec2Cli, vpcId, "tag:sigs.k8s.io/cluster-api-provider-aws/role", "node")
 // Fall back to using filter tag:Name with *-worker-sg if not found
 if err != nil && errors.As(err, ¬Found) {
- nodeSg, err = getSecurityGroup(ec2Cli, vpcId, "tag:Name", "*-worker-sg")
+ nodeSg, err = getSecurityGroup(ctx, ec2Cli, vpcId, "tag:Name", "*-worker-sg")
 }
 if err != nil {
 return fmt.Errorf("failed to get node AWS SecurityGroup: %v", err)
 }
- err = setupSG(ec2Cli, controlPlaneSg, []*string{controlPlaneSg.GroupId, nodeSg.GroupId})
+ err = setupSG(ctx, ec2Cli, controlPlaneSg, []string{aws.ToString(controlPlaneSg.GroupId), aws.ToString(nodeSg.GroupId)})
 if err != nil {
 return fmt.Errorf("failed to update controlplane AWS SecurityGroup: %v", err)
 }
- err = setupSG(ec2Cli, nodeSg, []*string{controlPlaneSg.GroupId, nodeSg.GroupId})
+ err = setupSG(ctx, ec2Cli, nodeSg, []string{aws.ToString(controlPlaneSg.GroupId), aws.ToString(nodeSg.GroupId)})
 if err != nil {
 return fmt.Errorf("failed to update node AWS SecurityGroup: %v", err)
 }
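Review bot: The IMDS client is built from a full `awsconfig.LoadDefaultConfig(ctx)` (first added line of the hunk) although it needs neither credentials nor a region; `imdsClient := imds.New(imds.Options{})` would avoid resolving the shared-config/env chain before the metadata call, removes the "failed to load AWS config" failure path for a step that only talks to the link-local endpoint, and lets `cfg` be declared once for the EC2 client instead of being reassigned further down. Whichever constructor stays, the v2 client falls back to IMDSv1 when the token fetch fails; if I recall the field correctly, `imds.Options{EnableFallback: aws.FalseTernary}` pins it to IMDSv2, which is the safer choice for a component that derives the VPC it will open security-group rules in from metadata. Every `fmt.Errorf` in the hunk wraps with `%v`, so callers of SetupAWSSecurityGroups cannot `errors.As` into the underlying API error; `%w` would keep the chain without changing the message. SetupAWSSecurityGroups starts outside the hunk and setupClusterSGs ends outside it.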
@@ -137,14 +131,14 @@ func setupClusterSGs(ec2Cli *ec2.EC2, vpcId string) error {
 return nil
 }
-func setupHostedClusterSGs(ec2Cli *ec2.EC2, vpcId string) error {
+func setupHostedClusterSGs(ctx context.Context, ec2Cli *ec2.Client, vpcId string) error {
 // On an OpenShift HCP hosted (guest) cluster, there are no master and worker
 // security groups, there is only one sg named '*-default-sg'
- defaultSg, err := getSecurityGroup(ec2Cli, vpcId, "tag:Name", "*-default-sg")
+ defaultSg, err := getSecurityGroup(ctx, ec2Cli, vpcId, "tag:Name", "*-default-sg")
 if err != nil {
 return fmt.Errorf("failed to get AWS SecurityGroups: %v", err)
 }
- err = setupSG(ec2Cli, defaultSg, []*string{defaultSg.GroupId})
+ err = setupSG(ctx, ec2Cli, defaultSg, []string{aws.ToString(defaultSg.GroupId)})
 if err != nil {
 return fmt.Errorf("failed to update default AWS SecurityGroup: %v", err)
 }
@@ -157,7 +151,7 @@ func getAWSCreds(ctx context.Context, client client.Client) (id, secret string,
 // Grab Secret kube-system aws-creds
 // get aws_access_key_id and aws_secret_access_key
 creds := &v1.Secret{}
- key := types.NamespacedName{Name: "aws-creds", Namespace: metav1.NamespaceSystem}
+ key := k8stypes.NamespacedName{Name: "aws-creds", Namespace: metav1.NamespaceSystem}
 if err := client.Get(ctx, key, creds); err != nil {
 return "", "", err
@@ -176,19 +170,31 @@ func getAWSCreds(ctx context.Context, client client.Client) (id, secret string,
 }
 // getVPCid gets the VPC id by querying the instance metadata.
-func getVPCid(meta *ec2metadata.EC2Metadata) (string, error) {
- mac, err := meta.GetMetadata("mac")
+func getVPCid(ctx context.Context, meta *imds.Client) (string, error) {
+ macOut, err := meta.GetMetadata(ctx, &imds.GetMetadataInput{Path: "mac"})
 if err != nil {
 return "", fmt.Errorf("failed to read MAC for VPC Id: %v", err)
 }
+ defer func() { _ = macOut.Content.Close() }()
+ macBytes, err := io.ReadAll(macOut.Content)
+ if err != nil {
+ return "", fmt.Errorf("failed to read MAC response body: %v", err)
+ }
+ mac := string(macBytes)
 log.V(TRACE).Info("MAC read from metadata", "MAC", mac)
 if len(mac) < 1 {
 return "", fmt.Errorf("no MAC read for VPC Id: %v", err)
 }
- vpcId, err := meta.GetMetadata(fmt.Sprintf("network/interfaces/macs/%s/vpc-id", mac))
+ vpcOut, err := meta.GetMetadata(ctx, &imds.GetMetadataInput{Path: fmt.Sprintf("network/interfaces/macs/%s/vpc-id", mac)})
 if err != nil {
 return "", fmt.Errorf("failed to read VPC Id: %v", err)
 }
+ defer func() { _ = vpcOut.Content.Close() }()
+ vpcBytes, err := io.ReadAll(vpcOut.Content)
+ if err != nil {
+ return "", fmt.Errorf("failed to read VPC Id response body: %v", err)
+ }
+ vpcId := string(vpcBytes)
 log.V(TRACE).Info("VPC id read from metadata", "VPCid", vpcId)
 return vpcId, nil
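Review bot: `mac := string(macBytes)` is the raw response body and is interpolated unchecked into the second metadata path (`network/interfaces/macs/%s/vpc-id`), so any trailing newline or whitespace in the reply becomes part of the request path; `mac := strings.TrimSpace(string(macBytes))` (adding `"strings"` to the import block) and the same for `vpcId` would be defensive, and `vpcId` currently gets no emptiness check at all while `mac` does. The `len(mac) < 1` branch formats `err`, which is necessarily nil at that point since the previous check returned on non-nil, so the message always ends in `<nil>`; `return "", fmt.Errorf("no MAC read for VPC Id")` says the same thing without the noise. Both `io.ReadAll` calls read the body unbounded; wrapping `Content` in `io.LimitReader` would cap what a misbehaving endpoint can make this function buffer, though the values here are tiny and the endpoint is link-local, so this is a hardening nit rather than a defect.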
@@ -196,19 +202,20 @@ func getVPCid(meta *ec2metadata.EC2Metadata) (string, error) {
 // getSecurityGroup returns the first SG that is in the specified VPC and matches the nameFilter.
 // nameFilter matches tag:Name.
-func getSecurityGroup(cli *ec2.EC2, vpcId string, filterKey string, filterValue string) (*ec2.SecurityGroup, error) {
- in := &ec2.DescribeSecurityGroupsInput{}
- in.SetFilters([]*ec2.Filter{
- {
- Name: aws.String("vpc-id"),
- Values: []*string{aws.String(vpcId)},
- },
- {
- Name: aws.String(filterKey),
- Values: []*string{aws.String(filterValue)},
+func getSecurityGroup(ctx context.Context, cli *ec2.Client, vpcId string, filterKey string, filterValue string) (*types.SecurityGroup, error) {
+ in := &ec2.DescribeSecurityGroupsInput{
+ Filters: []types.Filter{
+ {
+ Name: aws.String("vpc-id"),
+ Values: []string{vpcId},
+ },
+ {
+ Name: aws.String(filterKey),
+ Values: []string{filterValue},
+ },
 },
- })
- out, err := cli.DescribeSecurityGroups(in)
+ }
+ out, err := cli.DescribeSecurityGroups(ctx, in)
 if err != nil {
 return nil, err
 }
@@ -223,11 +230,11 @@ func getSecurityGroup(cli *ec2.EC2, vpcId string, filterKey string, filterValue
 }
 log.V(TRACE).Info("DescribeSecurityGroups", "SecurityGroupOutput", out)
- return out.SecurityGroups[0], nil
+ return &out.SecurityGroups[0], nil
 }
 type ingressSrc struct {
- port *int64
+ port *int32
 protocol string
 srcSGId string
 }
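Review bot: The doc comment above getSecurityGroup still describes a `nameFilter` that "matches tag:Name", but the signature (only `ctx` and the v2 types change in this hunk) takes `filterKey`/`filterValue`, and the callers in setupClusterSGs pass the cluster-api role tag rather than `tag:Name`; suggested wording: `// getSecurityGroup returns the first SG in vpcId whose filterKey (e.g. "tag:Name" or a role tag) matches filterValue.` In the second hunk, `return &out.SecurityGroups[0], nil` hands the caller a pointer into the response slice, which keeps the whole `SecurityGroups` backing array alive for as long as the pointer is held; `sg := out.SecurityGroups[0]` followed by `return &sg, nil` copies one element and releases the rest. The not-found handling between the two hunks is outside this view.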
@@ -241,18 +248,18 @@ func (is *ingressSrc) String() string {
 // ingressSrcMatchesIpPermission checks if the s (source) is already in the
 // IpPermission and returns true if so, otherwise file is returned.
-func ingressSrcMatchesIpPermission(s ingressSrc, ipp *ec2.IpPermission) bool {
- if aws.StringValue(ipp.IpProtocol) != s.protocol {
+func ingressSrcMatchesIpPermission(s ingressSrc, ipp types.IpPermission) bool {
+ if aws.ToString(ipp.IpProtocol) != s.protocol {
 return false
 }
 // Some protocols do not use port so skip checking that if we don't have one
 // specified in s
- p := aws.Int64Value(s.port)
- if s.port != nil && (aws.Int64Value(ipp.FromPort) != p || aws.Int64Value(ipp.ToPort) != p) {
+ p := aws.ToInt32(s.port)
+ if s.port != nil && (aws.ToInt32(ipp.FromPort) != p || aws.ToInt32(ipp.ToPort) != p) {
 return false
 }
 for _, y := range ipp.UserIdGroupPairs {
- if *y.GroupId == s.srcSGId {
+ if aws.ToString(y.GroupId) == s.srcSGId {
 return true
 }
 }
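Review bot: The doc comment on ingressSrcMatchesIpPermission ends with "otherwise file is returned" where `false` is meant, and since the comparison is now spelled out it could state the rule: `// Returns true only if IpProtocol, the exact FromPort/ToPort (when s.port is set) and one UserIdGroupPair.GroupId all equal s.` Worth recording there is that an existing permission whose port range merely contains `s.port` is not treated as a match, so the caller will still attempt to authorize the narrower rule. The switch to `aws.ToString(y.GroupId)` also removes a nil dereference the old `*y.GroupId` had for pairs without a GroupId, which is worth a word in the commit message. The function's final `return false` is outside the hunk.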
@@ -260,31 +267,31 @@ func ingressSrcMatchesIpPermission(s ingressSrc, ipp *ec2.IpPermission) bool {
 }
 // setupSG adds rules to SG that allow incoming from srcSGIDs for BGP, IPIP, Typha comms
-func setupSG(ec2Cli *ec2.EC2, sg *ec2.SecurityGroup, srcSGIDs []*string) error {
+func setupSG(ctx context.Context, ec2Cli *ec2.Client, sg *types.SecurityGroup, srcSGIDs []string) error {
 src := []ingressSrc{}
 for _, srcSGID := range srcSGIDs {
 src = append(src, []ingressSrc{
 {
 // BGP
- srcSGId: aws.StringValue(srcSGID),
+ srcSGId: srcSGID,
 protocol: "tcp",
- port: aws.Int64(179),
+ port: aws.Int32(179),
 },
 {
 // IP-in-IP
- srcSGId: aws.StringValue(srcSGID),
+ srcSGId: srcSGID,
 protocol: "4",
 },
 {
 // Typha
- srcSGId: aws.StringValue(srcSGID),
+ srcSGId: srcSGID,
 protocol: "tcp",
- port: aws.Int64(5473),
+ port: aws.Int32(5473),
 },
 }...)
 }
- err := allowIngressToSG(ec2Cli, sg, src)
+ err := allowIngressToSG(ctx, ec2Cli, sg, src)
 if err != nil {
 return fmt.Errorf("failed to update AWS SecurityGroup Name: %v, ID: %v, error: %v", sg.GroupName, sg.GroupId, err)
 }
@@ -294,10 +301,11 @@ func setupSG(ec2Cli *ec2.EC2, sg *ec2.SecurityGroup, srcSGIDs []*string) error {
 // allowIngressToSG adds rules to the toSG Security Group for each element of sources.
 // Before attempting to add a rule the function checks the toSG to see if the rule already exists.
 // If there is an error adding the rules then an error is returned.
-func allowIngressToSG(cli *ec2.EC2, toSG *ec2.SecurityGroup, sources []ingressSrc) error {
- in := &ec2.AuthorizeSecurityGroupIngressInput{}
- sgId := aws.StringValue(toSG.GroupId)
- in.SetGroupId(sgId)
+func allowIngressToSG(ctx context.Context, cli *ec2.Client, toSG *types.SecurityGroup, sources []ingressSrc) error {
+ sgId := aws.ToString(toSG.GroupId)
+ in := &ec2.AuthorizeSecurityGroupIngressInput{
+ GroupId: aws.String(sgId),
+ }
 for _, s := range sources {
 log.V(DEBUG).Info("Ingress src being added", "toSG.GroupId", sgId, "ingressSrc", s.String())
 skip := false
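Review bot: The error on the last line of the setupSG hunk formats `sg.GroupName` and `sg.GroupId` with `%v`, and both are `*string` on `types.SecurityGroup`, so the message prints pointer addresses instead of the group's name and id; `aws.ToString(sg.GroupName), aws.ToString(sg.GroupId)` fixes it with a helper already imported, and the same shape applies to the `toSG` argument in the Errorf of the allowIngressToSG hunk that follows. With `srcSGIDs` now plain strings, `src := []ingressSrc{}` can be presized as `make([]ingressSrc, 0, 3*len(srcSGIDs))`, and the literal-then-spread `append` of three elements per source could be three direct appends, which is easier to read. setupSG's trailing `return nil` is outside the hunk.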
@@ -314,15 +322,15 @@ func allowIngressToSG(cli *ec2.EC2, toSG *ec2.SecurityGroup, sources []ingressSr
 if skip {
 continue
 }
- in.SetIpPermissions([]*ec2.IpPermission{{
- UserIdGroupPairs: []*ec2.UserIdGroupPair{{
+ in.IpPermissions = []types.IpPermission{{
+ UserIdGroupPairs: []types.UserIdGroupPair{{
 GroupId: aws.String(s.srcSGId),
 }},
 IpProtocol: aws.String(s.protocol),
 FromPort: s.port,
 ToPort: s.port,
- }})
- _, err := cli.AuthorizeSecurityGroupIngress(in)
+ }}
+ _, err := cli.AuthorizeSecurityGroupIngress(ctx, in)
 if err != nil {
 return fmt.Errorf("failed to add to SG '%s' the ingress rule '%s': %v: %v", sgId, s.String(), toSG, err)
 }
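Review bot: A rule that appears between the `ingressSrcMatchesIpPermission` pre-check (outside the hunk) and the `AuthorizeSecurityGroupIngress` call here — another reconciler, or an operator adding it by hand — makes the call fail and aborts the loop, so the remaining rules for this group are never attempted; the pre-check is a best-effort race rather than a guarantee. Treating the EC2 `InvalidPermission.Duplicate` code as success makes the loop idempotent, and smithy-go is already in go.mod, so the check needs only `"github.com/aws/smithy-go"` in the import block plus the lines below. The same Errorf formats `toSG` with `%v`, which dumps the entire `types.SecurityGroup` including every existing permission into the error string; `aws.ToString(toSG.GroupName)` is what a reader needs. allowIngressToSG starts outside the hunk.
```go
_, err := cli.AuthorizeSecurityGroupIngress(ctx, in)
if err != nil {
	// A rule added concurrently is not a failure for this reconciler.
	var apiErr smithy.APIError
	if errors.As(err, &apiErr) && apiErr.ErrorCode() == "InvalidPermission.Duplicate" {
		log.V(DEBUG).Info("Ingress rule already present", "toSG.GroupId", sgId, "ingressSrc", s.String())
		continue
	}
	return fmt.Errorf("failed to add to SG '%s' the ingress rule '%s': %v: %v", sgId, s.String(), aws.ToString(toSG.GroupName), err)
}
```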