CDRIVER-4512 remove legacy shell from AWS test scripts (#1514)

* run `setup_secrets.sh` for AWS auth

* use `aws_setup.sh` instead of legacy shell setup for AWS test cases

* remove unused `url_encode`

* make `*.sh` scripts readable and executable in drivers-evergreen-tools

* add `secrets-export.sh` to .gitignore

* remove outdated comment

* remove unnecessary PATH modification

* remove unused `mongodb_bin_dir`

* add shellcheck directives

Ignore `aws_setup.sh` since it is in drivers-evergreen-tools

* add missing `LAMBDA` test case to test without a session token

* migrate Ubuntu 18.04 AWS tasks to Ubuntu 20.04

* migrate 6.0+ tasks to Ubuntu 22.04

* enable tracing and print "aws_auth" trace logs

This is intended to help diagnose spurious observed auth failures

* replace legacy shell with `mongosh` in tutorial

Author: kevinAlbs

.evergreen/config_generator/components/funcs/fetch_det.py

@@ -17,6 +17,13 @@ class FetchDET(Function):
             ''',
         ),
 
+        # Make shell scripts executable.
+        bash_exec(
+            command_type=EvgCommandType.SETUP,
+            working_dir="drivers-evergreen-tools",
+            script='find .evergreen -type f -name "*.sh" -execdir chmod +rx "{}" \;',
+        ),
+
         # python is used frequently enough by many tasks that it is worth
         # running find_python3 once here and reusing the result.
         bash_exec(

.evergreen/generated_configs/functions.yml

@@ -173,6 +173,14 @@ functions:
             if [[ ! -d drivers-evergreen-tools ]]; then
                 git clone --depth=1 [email protected]:mongodb-labs/drivers-evergreen-tools.git
             fi
+    - command: subprocess.exec
+      type: setup
+      params:
+        binary: bash
+        working_dir: drivers-evergreen-tools
+        args:
+          - -c
+          - find .evergreen -type f -name "*.sh" -execdir chmod +rx "{}" \;
     - command: subprocess.exec
       type: setup
       params:

.evergreen/generated_configs/legacy-config.yml

@@ -263,43 +263,29 @@ functions:
         ./src/libmongoc/test-libmongoc --no-fork -l /mongohouse/* -d --skip-tests .evergreen/etc/skip-tests.txt
         unset RUN_MONGOHOUSE_TESTS
   run aws tests:
+  - command: ec2.assume_role
+    params:
+      role_arn: ${aws_test_secrets_role}
   - command: shell.exec
     type: test
     params:
-      silent: true
       working_dir: mongoc
+      include_expansions_in_env:
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY
+      - AWS_SESSION_TOKEN
       shell: bash
       script: |-
         set -o errexit
-        # Add AWS variables to a file.
-        cat <<EOF > ../drivers-evergreen-tools/.evergreen/auth_aws/aws_e2e_setup.json
-        {
-            "iam_auth_ecs_account" : "${iam_auth_ecs_account}",
-            "iam_auth_ecs_secret_access_key" : "${iam_auth_ecs_secret_access_key}",
-            "iam_auth_ecs_account_arn": "arn:aws:iam::557821124784:user/authtest_fargate_user",
-            "iam_auth_ecs_cluster": "${iam_auth_ecs_cluster}",
-            "iam_auth_ecs_task_definition": "${iam_auth_ecs_task_definition}",
-            "iam_auth_ecs_subnet_a": "${iam_auth_ecs_subnet_a}",
-            "iam_auth_ecs_subnet_b": "${iam_auth_ecs_subnet_b}",
-            "iam_auth_ecs_security_group": "${iam_auth_ecs_security_group}",
-            "iam_auth_assume_aws_account" : "${iam_auth_assume_aws_account}",
-            "iam_auth_assume_aws_secret_access_key" : "${iam_auth_assume_aws_secret_access_key}",
-            "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
-            "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
-            "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
-            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
-            "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
-            "iam_web_identity_issuer": "${iam_web_identity_issuer}",
-            "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
-            "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
-            "iam_web_identity_token_file": "${iam_web_identity_token_file}"
-        }
-        EOF
+        pushd ../drivers-evergreen-tools/.evergreen/auth_aws
+        ./setup_secrets.sh drivers/aws_auth
+        popd # ../drivers-evergreen-tools/.evergreen/auth_aws
   - command: shell.exec
     type: test
     params:
       working_dir: mongoc
-      add_expansions_to_env: true
+      include_expansions_in_env:
+      - TESTCASE
       shell: bash
       script: |-
         set -o errexit
@@ -1800,9 +1786,9 @@ tasks:
         export distro_id='${distro_id}' # Required by find_cmake_latest.
         . .evergreen/scripts/find-cmake-latest.sh
         cmake_binary="$(find_cmake_latest)"
-        # Compile test-awsauth. Disable unnecessary dependencies since test-awsauth is copied to a remote Ubuntu 18.04 ECS cluster for testing, which may not have all dependent libraries.
+        # Compile test-awsauth. Disable unnecessary dependencies since test-awsauth is copied to a remote Ubuntu 20.04 ECS cluster for testing, which may not have all dependent libraries.
         export CC='${CC}'
-        "$cmake_binary" -DENABLE_SASL=OFF -DENABLE_SNAPPY=OFF -DENABLE_ZSTD=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF .
+        "$cmake_binary" -DENABLE_TRACING=ON -DENABLE_SASL=OFF -DENABLE_SNAPPY=OFF -DENABLE_ZSTD=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF .
         "$cmake_binary" --build . --target test-awsauth
   - func: upload-build
 - name: test-aws-openssl-regular-latest
@@ -14412,23 +14398,23 @@ buildvariants:
   tasks:
   - debug-compile-sasl-openssl-static
   - .authentication-tests .asan
-- name: aws-ubuntu1804
-  display_name: AWS Tests (Ubuntu 18.04)
+- name: aws-ubuntu2004
+  display_name: AWS Tests (Ubuntu 20.04)
   expansions:
     CC: clang
-  run_on: ubuntu1804-small
+  run_on: ubuntu2004-small
   tasks:
   - debug-compile-aws
   - .test-aws .4.4
   - .test-aws .5.0
-  - .test-aws .6.0
-- name: aws-ubuntu2004
-  display_name: AWS Tests (Ubuntu 20.04)
+- name: aws-ubuntu2204
+  display_name: AWS Tests (Ubuntu 22.04)
   expansions:
     CC: clang
   run_on: ubuntu2004-small
   tasks:
   - debug-compile-aws
+  - .test-aws .6.0
   - .test-aws .7.0
   - .test-aws .latest
 - name: mongohouse

.evergreen/legacy_config_generator/evergreen_config_lib/functions.py

@@ -196,37 +196,25 @@
         '''),
     )),
     ('run aws tests', Function(
-        shell_mongoc(r'''
-        # Add AWS variables to a file.
-        cat <<EOF > ../drivers-evergreen-tools/.evergreen/auth_aws/aws_e2e_setup.json
+        # Assume role to get AWS secrets.
         {
-            "iam_auth_ecs_account" : "${iam_auth_ecs_account}",
-            "iam_auth_ecs_secret_access_key" : "${iam_auth_ecs_secret_access_key}",
-            "iam_auth_ecs_account_arn": "arn:aws:iam::557821124784:user/authtest_fargate_user",
-            "iam_auth_ecs_cluster": "${iam_auth_ecs_cluster}",
-            "iam_auth_ecs_task_definition": "${iam_auth_ecs_task_definition}",
-            "iam_auth_ecs_subnet_a": "${iam_auth_ecs_subnet_a}",
-            "iam_auth_ecs_subnet_b": "${iam_auth_ecs_subnet_b}",
-            "iam_auth_ecs_security_group": "${iam_auth_ecs_security_group}",
-            "iam_auth_assume_aws_account" : "${iam_auth_assume_aws_account}",
-            "iam_auth_assume_aws_secret_access_key" : "${iam_auth_assume_aws_secret_access_key}",
-            "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
-            "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
-            "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
-            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
-            "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
-            "iam_web_identity_issuer": "${iam_web_identity_issuer}",
-            "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
-            "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
-            "iam_web_identity_token_file": "${iam_web_identity_token_file}"
-        }
-        EOF
-        ''', silent=True),
+            "command": "ec2.assume_role",
+            "params": {
+                "role_arn": "${aws_test_secrets_role}"
+            }
+        },
+
+        shell_mongoc(r'''
+        pushd ../drivers-evergreen-tools/.evergreen/auth_aws
+        ./setup_secrets.sh drivers/aws_auth
+        popd # ../drivers-evergreen-tools/.evergreen/auth_aws
+        ''', include_expansions_in_env=["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]),
+
         shell_mongoc(r'''
         pushd ../drivers-evergreen-tools/.evergreen/auth_aws
         . ./activate-authawsvenv.sh
         popd # ../drivers-evergreen-tools/.evergreen/auth_aws
         bash .evergreen/scripts/run-aws-tests.sh
-        ''', add_expansions_to_env=True)
+        ''', include_expansions_in_env=["TESTCASE"])
     )),
 ])

.evergreen/legacy_config_generator/evergreen_config_lib/tasks.py

@@ -926,9 +926,9 @@ def do_is_valid_combination(self) -> bool:
             export distro_id='${distro_id}' # Required by find_cmake_latest.
             . .evergreen/scripts/find-cmake-latest.sh
             cmake_binary="$(find_cmake_latest)"
-            # Compile test-awsauth. Disable unnecessary dependencies since test-awsauth is copied to a remote Ubuntu 18.04 ECS cluster for testing, which may not have all dependent libraries.
+            # Compile test-awsauth. Disable unnecessary dependencies since test-awsauth is copied to a remote Ubuntu 20.04 ECS cluster for testing, which may not have all dependent libraries.
             export CC='${CC}'
-            "$cmake_binary" -DENABLE_SASL=OFF -DENABLE_SNAPPY=OFF -DENABLE_ZSTD=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF .
+            "$cmake_binary" -DENABLE_TRACING=ON -DENABLE_SASL=OFF -DENABLE_SNAPPY=OFF -DENABLE_ZSTD=OFF -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF .
             "$cmake_binary" --build . --target test-awsauth
             """
         ),

.evergreen/legacy_config_generator/evergreen_config_lib/variants.py

@@ -422,25 +422,25 @@ def days(n: int) -> int:
         ],
         {"CC": "clang"},
     ),
+    # Run AWS tests for MongoDB 4.4 and 5.0 on Ubuntu 20.04. AWS setup scripts expect Ubuntu 20.04+. MongoDB 4.4 and 5.0 are not available on 22.04.
     Variant(
-        "aws-ubuntu1804",
-        "AWS Tests (Ubuntu 18.04)",
-        "ubuntu1804-small",
+        "aws-ubuntu2004",
+        "AWS Tests (Ubuntu 20.04)",
+        "ubuntu2004-small",
         [
             "debug-compile-aws",
             ".test-aws .4.4",
             ".test-aws .5.0",
-            ".test-aws .6.0",
         ],
         {"CC": "clang"},
     ),
-    # Test 7.0+ with Ubuntu 20.04+ since MongoDB 7.0 no longer ships binaries for Ubuntu 18.04.
     Variant(
-        "aws-ubuntu2004",
-        "AWS Tests (Ubuntu 20.04)",
+        "aws-ubuntu2204",
+        "AWS Tests (Ubuntu 22.04)",
         "ubuntu2004-small",
         [
             "debug-compile-aws",
+            ".test-aws .6.0",
             ".test-aws .7.0",
             ".test-aws .latest",
         ],