samanthajayasinghe
Contributor

[SREP-1313] feat : Update isolation workflow to enforce policy Arn from backplane-api assume-role-sequence endpoint

What type of PR is this?

  • fix (Bug Fix)
  • feat (New Feature)
  • docs (Documentation)
  • test (Test Coverage)
  • chore (Clean Up / Maintenance Tasks)
  • other (Anything that doesn't fit the above)

What this PR does / Why we need it?

Enforce the session policy Arn to the Customer AWS account on assume role chain

Which Jira/Github issue(s) does this PR fix?

https://issues.redhat.com/browse/SREP-1313

  • Related Issue #
  • Closes #

Special notes for your reviewer

Unit Test Coverage

Guidelines

  • If it's a new sub-command or new function to an existing sub-command, please cover at least 50% of the code
  • If it's a bug fix for an existing sub-command, please cover 70% of the code

Test coverage checks

  • Added unit tests
  • Created jira card to add unit test
  • This PR may not need unit tests

Pre-checks (if applicable)

  • Ran unit tests locally
  • Validated the changes in a cluster
  • Included documentation changes with PR
  • Backward compatible

/label tide/merge-method-squash

@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Aug 8, 2025
@openshift-ci openshift-ci bot requested review from Tessg22 and xiaoyu74 August 8, 2025 00:34
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2025
@samanthajayasinghe samanthajayasinghe force-pushed the enforced-session-policy-arn branch from 874fb10 to 3a2ecb3 Compare August 8, 2025 00:34
@codecov-commenter

codecov-commenter commented Aug 8, 2025

Codecov Report

❌ Patch coverage is 62.50000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.78%. Comparing base (acf0385) to head (a198971).

Files with missing lines             Patch %   Lines
cmd/ocm-backplane/cloud/common.go    54.54%    4 Missing and 1 partial ⚠️
pkg/awsutil/sts.go                   69.23%    4 Missing ⚠️
@@            Coverage Diff             @@
##             main     #748      +/-   ##
==========================================
+ Coverage   51.74%   51.78%   +0.04%     
==========================================
  Files          80       80              
  Lines        5945     5965      +20     
==========================================
+ Hits         3076     3089      +13     
- Misses       2451     2457       +6     
- Partials      418      419       +1     
Files with missing lines             Coverage  Δ
pkg/awsutil/sts.go                   61.53%    <69.23%> (+1.20%) ⬆️
cmd/ocm-backplane/cloud/common.go    47.01%    <54.54%> (+0.30%) ⬆️

@samanthajayasinghe samanthajayasinghe force-pushed the enforced-session-policy-arn branch 4 times, most recently from 9969f0e to 83030ec Compare August 10, 2025 23:38
@samanthajayasinghe samanthajayasinghe force-pushed the enforced-session-policy-arn branch 2 times, most recently from 13d6d9c to fc8c89a Compare August 11, 2025 02:21
@@ -211,6 +212,8 @@ func (cfg *QueryConfig) getCloudCredentialsFromBackplaneAPI(ocmToken string) (bp
type assumeChainResponse struct {
AssumptionSequence []namedRoleArn `json:"assumptionSequence"`
CustomerRoleSessionName string `json:"customerRoleSessionName"`
// SessionPolicyArn is the ARN of the session policy
SessionPolicyArn string `json:"sessionPolicyArn"`
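Review bot: the new SessionPolicyArn field decodes to the empty string whenever the endpoint omits `sessionPolicyArn`, and nothing in this hunk rejects that case; since the PR's purpose is to enforce the session policy on the customer role, getCloudCredentialsFromBackplaneAPI should return an error on an empty value rather than continue the chain with an unscoped AssumeRole. The field comment would also be more useful if it named which hop of the chain the policy is applied to.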
Contributor

please fix the indent here to make them align

Contributor Author

done

RoleSessionName string
RoleArn string
IsCustomerRole bool
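Review bot: IsCustomerRole is a bool whose zero value is false, so if the code that populates this struct from the assumption sequence misses the customer entry, the session policy is silently never attached and the chain still succeeds; the consumer should fail when no hop is flagged as the customer role. A unit test asserting the flag and the policy on the customer hop would also cover the missing lines Codecov reports for pkg/awsutil/sts.go and cmd/ocm-backplane/cloud/common.go.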
Contributor

What is the use case for this in the struct? Only for printing the debug log?

Contributor Author

Basically, to identify the customer role to apply the session policy ARN, otherwise we always have to check if name=CustomerRoleArn statement
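The chain handling discussed in the thread above, as an added example that is not the PR's or backplane-cli's own code: it decodes the assume-role-sequence response, flags the customer hop with IsCustomerRole so later code never re-checks the role name, attaches SessionPolicyArn to that hop only, and fails closed when the policy ARN is missing or the chain does not end in the customer role. The namedRoleArn JSON tags, the "CustomerRoleArn" marker name, the SampleResponse payload and the BuildChain function are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Field names mirror the diff; the namedRoleArn JSON tags and the "CustomerRoleArn" marker are assumed.
type namedRoleArn struct {
	Name string `json:"name"`
	Arn  string `json:"arn"`
}
type assumeChainResponse struct {
	AssumptionSequence      []namedRoleArn `json:"assumptionSequence"`
	CustomerRoleSessionName string         `json:"customerRoleSessionName"`
	SessionPolicyArn        string         `json:"sessionPolicyArn"`
}
type RoleArnSession struct {
	RoleSessionName string
	RoleArn         string
	IsCustomerRole  bool
	PolicyArns      []string // session policy STS intersects with the role's own permissions
}
// SampleResponse is a constructed payload in the shape of the assume-role-sequence response.
const SampleResponse = `{"assumptionSequence":[{"name":"JumpRole","arn":"arn:aws:iam::111111111111:role/Jump"},{"name":"CustomerRoleArn","arn":"arn:aws:iam::222222222222:role/Customer"}],
"customerRoleSessionName":"sre-session","sessionPolicyArn":"arn:aws:iam::111111111111:policy/Scope"}`
// BuildChain decodes the response into ordered AssumeRole hops. Only the customer hop carries the
// session policy; a missing policy ARN or a sequence not ending in the customer role is a hard error.
func BuildChain(raw []byte, sessionName string) ([]RoleArnSession, error) {
	var resp assumeChainResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode assume-role-sequence: %w", err)
	}
	if resp.SessionPolicyArn == "" {
		return nil, fmt.Errorf("response has no sessionPolicyArn; refusing unscoped customer access")
	}
	var chain []RoleArnSession
	for _, r := range resp.AssumptionSequence {
		hop := RoleArnSession{RoleSessionName: sessionName, RoleArn: r.Arn}
		if r.Name == "CustomerRoleArn" {
			hop.IsCustomerRole = true
			hop.RoleSessionName = resp.CustomerRoleSessionName
			hop.PolicyArns = []string{resp.SessionPolicyArn}
		}
		chain = append(chain, hop)
	}
	if n := len(chain); n == 0 || !chain[n-1].IsCustomerRole {
		return nil, fmt.Errorf("assumption sequence must end with the customer role")
	}
	return chain, nil
}
```

Each hop's RoleArn, RoleSessionName and PolicyArns map directly onto the corresponding STS AssumeRole request fields, so the customer hop is the only one that carries a session policy.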

…om backplane-api assume-role-sequence endpoint
@samanthajayasinghe samanthajayasinghe force-pushed the enforced-session-policy-arn branch from fc8c89a to 7e9b5da Compare August 11, 2025 05:54
Contributor

openshift-ci bot commented Aug 11, 2025

@samanthajayasinghe: all tests passed!

@smarthall
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 11, 2025
Contributor

openshift-ci bot commented Aug 11, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: samanthajayasinghe, smarthall

Needs approval from an approver in each of these files:
  • OWNERS [samanthajayasinghe,smarthall]


@openshift-merge-bot openshift-merge-bot bot merged commit bbcffa9 into openshift:main Aug 11, 2025
7 checks passed