AWS China and US partition secret ARN update

Co-authored-by: praveene12 <[email protected]>

Author: clintonk

storage_drivers/ontap/aws_common.go

@@ -5,7 +5,6 @@ package ontap
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	tridentconfig "github.com/netapp/trident/config"
 	. "github.com/netapp/trident/logging"
@@ -19,11 +18,12 @@ import (
 // SetSvmCredentials Pull SVM credentials out of AWS secret store and enter them into the config.
 func SetSvmCredentials(ctx context.Context, secretARN string, api awsapi.AWSAPI, config *drivers.OntapStorageDriverConfig) (err error) {
 	secret, secretErr := api.GetSecret(ctx, secretARN)
-	secretMap := secret.SecretMap
 	if secretErr != nil {
 		return fmt.Errorf("could not retrieve credentials from AWS Secrets Manager; %w", secretErr)
 	}
 
+	secretMap := secret.SecretMap
+
 	if username, ok := secretMap["username"]; !ok {
 		return fmt.Errorf("%s driver must include username in the secret referenced by Credentials",
 			config.StorageDriverName)
@@ -192,12 +192,13 @@ func getAWSSecretsManagerARNFromConfig(_ context.Context, config *drivers.OntapS
 		return config.Credentials[drivers.KeyName], nil
 	}
 
-	if strings.HasPrefix(config.Username, "arn:aws:secretsmanager:") {
+	_, _, _, err := awsapi.ParseSecretARN(config.Username)
+	if err != nil {
+		return config.Username, errors.NotFoundError("%s, %s driver with FSxN personality must include Credentials of type %s "+
+			"in the configuration", err, config.StorageDriverName, string(drivers.CredentialStoreAWSARN))
+	} else {
 		return config.Username, nil
 	}
-
-	return "", errors.NotFoundError("%s driver with FSxN personality must include Credentials of type %s "+
-		"in the configuration", config.StorageDriverName, string(drivers.CredentialStoreAWSARN))
 }
 
 // destroyFSxVolume discovers and deletes a volume using the FSx SDK.  This is needed to delete a volume in the case

storage_drivers/ontap/aws_common_test.go

@@ -14,7 +14,16 @@ import (
 )
 
 const (
-	SECRET_MANAGER_ARN = "arn:aws:secretsmanager:eu-west-3:111111111111:secret:secret-name-mlNvrF"
+	VOLUME_MANAGER_ARN                    = "arn:aws:fsx:eu-west-3:111111111111:volume/111111111/111111111"
+	VOLUME_MANAGER_ARN_CN                 = "arn:aws-cn:fsx:eu-west-3:111111111111:volume/111111111/111111111"
+	VOLUME_MANAGER_ARN_US                 = "arn:aws-us-gov:fsx:eu-west-3:111111111111:volume/111111111/111111111"
+	VOLUME_MANAGER_ARN_INVALID_PARTITION  = "arn:aws-us-gov1:fsx:eu-west-3:111111111111:volume/111111111/111111111"
+	VOLUME_MANAGER_ARN_INVALID_FILESYSTEM = "arn:aws-us-gov:fsx:eu-west-3:111111111111:volume//111111111"
+	SECRET_MANAGER_ARN                    = "arn:aws:secretsmanager:eu-west-3:111111111111:secret:secret-name-mlNvrF"
+	SECRET_MANAGER_ARN_CN                 = "arn:aws-cn:secretsmanager:cn-west-3:111111111111:secret:secret-name-mlNvrF"
+	SECRET_MANAGER_ARN_US                 = "arn:aws-us-gov:secretsmanager:us-west-3:111111111111:secret:secret-name-mlNvrF"
+	SECRET_MANAGER_ARN_INVALID_PARTITION  = "arn:awsaws-cn:secretsmanager:eu-west-3:111111111111:secret:secret-name-mlNvrF"
+	SECRET_MANAGER_ARN_INVALID_SECRET     = "arn:aws-cn:secmanagers:eu-west-3:111111111111:secret:secret-name-mlNvrF"
 )
 
 func TestFSxFilesystemValidation_Error(t *testing.T) {
@@ -301,3 +310,65 @@ func TestSvmCredentials(t *testing.T) {
 		})
 	}
 }
+
+func TestParseSecretARN(t *testing.T) {
+	secretArn := SECRET_MANAGER_ARN
+	secretArn_cn := SECRET_MANAGER_ARN_CN
+	secretArn_invalid_partition := SECRET_MANAGER_ARN_INVALID_PARTITION
+	secretArn_invalid_secret := SECRET_MANAGER_ARN_INVALID_SECRET
+	secretArn_us := SECRET_MANAGER_ARN_US
+	tests := []struct {
+		name     string
+		userName string
+		error    string
+	}{
+		{"Invalid secret ARN partition value", secretArn_invalid_partition, "secret ARN " + secretArn_invalid_partition + " is invalid"},
+		{"Invalid secret fomrat", secretArn_invalid_secret, "secret ARN " + secretArn_invalid_secret + " is invalid"},
+		{"valid aws us secret", secretArn_us, ""},
+		{"valid aws cn secret", secretArn_cn, ""},
+		{"valid aws cn secret", secretArn, ""},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			secretARN := test.userName
+
+			_, _, _, err := awsapi.ParseSecretARN(secretARN)
+			if test.error == "" {
+				assert.Nil(t, err)
+			} else {
+				assert.Equal(t, err.Error(), test.error)
+			}
+		})
+	}
+}
+
+func TestParseVolumeARN(t *testing.T) {
+	volumeArn := VOLUME_MANAGER_ARN
+	volumeArn_cn := VOLUME_MANAGER_ARN_CN
+	volumeArn_invalid_filesystem := VOLUME_MANAGER_ARN_INVALID_FILESYSTEM
+	volumeArn_invalid_partition := VOLUME_MANAGER_ARN_INVALID_PARTITION
+	volumeArn_us := VOLUME_MANAGER_ARN_US
+	tests := []struct {
+		name     string
+		userName string
+		error    string
+	}{
+		{"Invalid volume ARN parition value", volumeArn_invalid_partition, "volume ARN " + volumeArn_invalid_partition + " is invalid"},
+		{"Invalid volume ARN filesystem value", volumeArn_invalid_filesystem, "volume ARN " + volumeArn_invalid_filesystem + " is invalid"},
+		{"valid volume us secret", volumeArn_us, ""},
+		{"valid volume cn secret", volumeArn_cn, ""},
+		{"valid volume secret", volumeArn, ""},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			volumeARN := test.userName
+
+			_, _, _, _, err := awsapi.ParseVolumeARN(volumeARN)
+			if test.error == "" {
+				assert.Nil(t, err)
+			} else {
+				assert.Equal(t, err.Error(), test.error)
+			}
+		})
+	}
+}

storage_drivers/ontap/awsapi/aws.go

@@ -35,8 +35,8 @@ const (
 )
 
 var (
-	volumeARNRegex = regexp.MustCompile(`^arn:aws:fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
-	secretARNRegex = regexp.MustCompile(`^arn:aws:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
+	volumeARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov){1}:fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
+	secretARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov){1}:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
 )
 
 // ClientConfig holds configuration data for the API driver object.

storage_drivers/ontap/ontap_factory.go

@@ -42,6 +42,13 @@ func GetStorageDriver(
 		return nil, fmt.Errorf("error initializing %s driver: %v", commonConfig.StorageDriverName, err)
 	}
 
+	// Initialize AWS API if applicable.
+	// Unit tests mock the API layer, so we only use the real API interface if it doesn't already exist.
+	AWSAPI, err := initializeAWSDriver(ctx, ontapConfig)
+	if err != nil {
+		return nil, fmt.Errorf("error initializing %s AWS driver; %v", commonConfig.StorageDriverName, err)
+	}
+
 	// Initialize the ONTAP API.
 	API, err := InitializeOntapDriver(ctx, ontapConfig)
 	if err != nil {
@@ -59,13 +66,13 @@ func GetStorageDriver(
 	switch ontapConfig.StorageDriverName {
 
 	case config.OntapNASStorageDriverName:
-		storageDriver = &NASStorageDriver{API: API, Config: *ontapConfig}
+		storageDriver = &NASStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 	case config.OntapNASFlexGroupStorageDriverName:
-		storageDriver = &NASFlexGroupStorageDriver{API: API, Config: *ontapConfig}
+		storageDriver = &NASFlexGroupStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 	case config.OntapNASQtreeStorageDriverName:
-		storageDriver = &NASQtreeStorageDriver{API: API, Config: *ontapConfig}
+		storageDriver = &NASQtreeStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 	case config.OntapSANEconomyStorageDriverName:
-		storageDriver = &SANEconomyStorageDriver{API: API, Config: *ontapConfig}
+		storageDriver = &SANEconomyStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 
 	// ontap-san uses additional system details to choose the needed driver
 	case config.OntapSANStorageDriverName:
@@ -75,15 +82,15 @@ func GetStorageDriver(
 				ontapConfig.Flags[FlagPersonality] = PersonalityASAr2 // Used by ASUP to distinguish personalities
 				storageDriver = &ASAStorageDriver{API: API, Config: *ontapConfig}
 			} else if !API.IsSANOptimized() && !API.IsDisaggregated() {
-				storageDriver = &SANStorageDriver{API: API, Config: *ontapConfig}
+				storageDriver = &SANStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 			} else {
 				return nil, fmt.Errorf("unsupported ONTAP personality with disaggregated %t and SAN optimized %t",
 					API.IsDisaggregated(), API.IsSANOptimized())
 			}
 		case sa.FCP:
-			storageDriver = &SANStorageDriver{API: API, Config: *ontapConfig}
+			storageDriver = &SANStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 		case sa.NVMe:
-			storageDriver = &NVMeStorageDriver{API: API, Config: *ontapConfig}
+			storageDriver = &NVMeStorageDriver{API: API, AWSAPI: AWSAPI, Config: *ontapConfig}
 		default:
 			return nil, fmt.Errorf("unsupported SAN protocol %s", driverProtocol)
 		}