Merge branch 'main' into 3318-ravendb-state-store

dapr · Dec 20, 2024 · 4dca8a5 · 4dca8a5
2 parents 5451108 + 26808c9
commit 4dca8a5
Show file tree

Hide file tree

Showing 77 changed files with 4,568 additions and 1,375 deletions.
diff --git a/.build-tools/builtin-authentication-profiles.yaml b/.build-tools/builtin-authentication-profiles.yaml
@@ -3,33 +3,84 @@ aws:
     description: |
       Authenticate using an Access Key ID and Secret Access Key included in the metadata
     metadata:
+      - name: region
+        type: string
+        required: false
+        description: |
+          The AWS Region where the AWS resource is deployed to.
+          This will be marked required in Dapr 1.17.
+        example: '"us-east-1"'
       - name: awsRegion
         type: string
-        required: true
+        required: false
         description: |
+          This maintains backwards compatibility with existing fields. 
+          It will be deprecated as of Dapr 1.17. Use 'region' instead.
           The AWS Region where the AWS resource is deployed to.
         example: '"us-east-1"'
       - name: accessKey
         description: AWS access key associated with an IAM account
-        required: true
+        required: false
         sensitive: true
         example: '"AKIAIOSFODNN7EXAMPLE"'
       - name: secretKey
         description: The secret key associated with the access key
-        required: true
+        required: false
         sensitive: true
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
       - name: sessionToken
+        type: string
         required: false
         sensitive: true
         description: |
           AWS session token to use. A session token is only required if you are using
           temporary security credentials.
         example: '"TOKEN"'
+  - title: "AWS: Assume IAM Role"
+    description: |
+      Assume a specific IAM role. Note: This is only supported for Kafka and PostgreSQL.
+    metadata:
+      - name: region
         type: string
+        required: true
+        description: |
+          The AWS Region where the AWS resource is deployed to.
+        example: '"us-east-1"'
+      - name: assumeRoleArn
+        type: string
+        required: false
+        description: |
+          IAM role that has access to AWS resource.
+          This is another option to authenticate with MSK and RDS Aurora aside from the AWS Credentials.
+          This will be marked required in Dapr 1.17.
+        example: '"arn:aws:iam::123456789:role/mskRole"'
+      - name: sessionName
+        type: string
+        description: |
+          The session name for assuming a role.
+        example: '"MyAppSession"'
+        default: '"DaprDefaultSession"'
   - title: "AWS: Credentials from Environment Variables"
     description: Use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment
-
+  - title: "AWS: IAM Roles Anywhere"
+    description: Use X.509 certificates to establish trust between your AWS account and the Dapr cluster using AWS IAM Roles Anywhere.
+    metadata:
+      - name: trustAnchorArn
+        description: |
+          ARN of the AWS Trust Anchor in the AWS account granting trust to the Dapr Certificate Authority.
+        example: arn:aws:rolesanywhere:us-west-1:012345678910:trust-anchor/01234568-0123-0123-0123-012345678901
+        required: true
+      - name: trustProfileArn
+        description: |
+          ARN of the AWS IAM Profile in the trusting AWS account.
+        example: arn:aws:rolesanywhere:us-west-1:012345678910:profile/01234568-0123-0123-0123-012345678901
+        required: true
+      - name: assumeRoleArn
+        description: |
+          ARN of the AWS IAM role to assume in the trusting AWS account.
+        example: arn:aws:iam:012345678910:role/exampleIAMRoleName
+        required: true
+
 azuread:
   - title: "Azure AD: Managed identity"
     description: Authenticate using Azure AD and a managed identity.

diff --git a/.build-tools/pkg/metadataschema/builtin-authentication-profiles.go b/.build-tools/pkg/metadataschema/builtin-authentication-profiles.go
@@ -32,14 +32,38 @@ func ParseBuiltinAuthenticationProfile(bi BuiltinAuthenticationProfile, componen
 	for i, profile := range profiles {
 		res[i] = profile
 
-		res[i].Metadata = mergedMetadata(bi.Metadata, res[i].Metadata...)
+		// deep copy the metadata slice to avoid side effects when manually updating some req -> non-req fields to deprecate some fields for kafka/postgres
+		// TODO: rm all of this manipulation in Dapr 1.17!!
+		originalMetadata := profile.Metadata
+		metadataCopy := make([]Metadata, len(originalMetadata))
+		copy(metadataCopy, originalMetadata)
 
-		// If component is PostgreSQL, filter out duplicated aws profile fields
-		if strings.ToLower(componentTitle) == "postgresql" && bi.Name == "aws" {
-			res[i].Metadata = filterOutDuplicateFields(res[i].Metadata)
+		if componentTitle == "Apache Kafka" || strings.ToLower(componentTitle) == "postgresql" {
+			removeRequiredOnSomeAWSFields(&metadataCopy)
 		}
 
+		merged := mergedMetadata(bi.Metadata, metadataCopy...)
+
+		// Note: We must apply the removal of deprecated fields after the merge!!
+
+		// Here, we remove some deprecated fields as we support the transition to a new auth profile
+		if profile.Title == "AWS: Assume IAM Role" && componentTitle == "Apache Kafka" || profile.Title == "AWS: Assume IAM Role" && strings.ToLower(componentTitle) == "postgresql" {
+			merged = removeSomeDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
+		}
+
+		// Here, there are no metadata fields that need deprecating
+		if profile.Title == "AWS: Credentials from Environment Variables" && componentTitle == "Apache Kafka" || profile.Title == "AWS: Credentials from Environment Variables" && strings.ToLower(componentTitle) == "postgresql" {
+			merged = removeAllDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
+		}
+
+		// Here, this is a new auth profile, so rm all deprecating fields as unrelated.
+		if profile.Title == "AWS: IAM Roles Anywhere" && componentTitle == "Apache Kafka" || profile.Title == "AWS: IAM Roles Anywhere" && strings.ToLower(componentTitle) == "postgresql" {
+			merged = removeAllDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
+		}
+
+		res[i].Metadata = merged
 	}
+
 	return res, nil
 }
 
@@ -54,26 +78,55 @@ func mergedMetadata(base []Metadata, add ...Metadata) []Metadata {
 	return res
 }
 
-// filterOutDuplicateFields removes specific duplicated fields from the metadata
-func filterOutDuplicateFields(metadata []Metadata) []Metadata {
-	duplicateFields := map[string]int{
-		"awsRegion": 0,
-		"accessKey": 0,
-		"secretKey": 0,
+// removeRequiredOnSomeAWSFields needs to be removed in Dapr 1.17 as duplicated AWS IAM fields get removed,
+// and we standardize on these fields.
+// Currently, there are: awsAccessKey, accessKey and awsSecretKey, secretKey, and awsRegion and region fields.
+// We normally have accessKey, secretKey, and region fields marked required as it is part of the builtin AWS auth profile fields.
+// However, as we rm the aws prefixed ones, we need to then mark the normally required ones as not required only for postgres and kafka.
+// This way we do not break existing users, and transition them to the standardized fields.
+func removeRequiredOnSomeAWSFields(metadata *[]Metadata) {
+	if metadata == nil {
+		return
 	}
 
-	filteredMetadata := []Metadata{}
+	for i := range *metadata {
+		field := &(*metadata)[i]
+
+		if field == nil {
+			continue
+		}
 
+		if field.Name == "accessKey" || field.Name == "secretKey" || field.Name == "region" {
+			field.Required = false
+		}
+	}
+}
+
+func removeAllDeprecatedFieldsOnUnrelatedAuthProfiles(metadata []Metadata) []Metadata {
+	filteredMetadata := []Metadata{}
 	for _, field := range metadata {
-		if _, exists := duplicateFields[field.Name]; !exists {
+		if strings.HasPrefix(field.Name, "aws") {
+			continue
+		} else {
 			filteredMetadata = append(filteredMetadata, field)
+		}
+	}
+
+	return filteredMetadata
+}
+
+func removeSomeDeprecatedFieldsOnUnrelatedAuthProfiles(metadata []Metadata) []Metadata {
+	filteredMetadata := []Metadata{}
+
+	for _, field := range metadata {
+		// region is required in Assume Role auth profile, so this is needed for now.
+		if field.Name == "region" {
+			field.Required = true
+		}
+		if field.Name == "awsAccessKey" || field.Name == "awsSecretKey" || field.Name == "awsSessionToken" || field.Name == "awsRegion" {
+			continue
 		} else {
-			if field.Name == "awsRegion" && duplicateFields["awsRegion"] == 0 {
-				filteredMetadata = append(filteredMetadata, field)
-				duplicateFields["awsRegion"]++
-			} else if field.Name != "awsRegion" {
-				continue
-			}
+			filteredMetadata = append(filteredMetadata, field)
 		}
 	}
 

diff --git a/.github/scripts/dapr_bot.js b/.github/scripts/dapr_bot.js
@@ -21,6 +21,7 @@ const owners = [
     'RyanLettieri',
     'shivamkm07',
     'shubham1172',
+    'sicoyle',
     'skyao',
     'Taction',
     'tmacam',

diff --git a/.github/workflows/certification.yml → .github/workflows/certification.yml.disabled b/.github/workflows/certification.yml → .github/workflows/certification.yml.disabled
diff --git a/bindings/aws/dynamodb/dynamodb.go b/bindings/aws/dynamodb/dynamodb.go
@@ -31,9 +31,9 @@ import (
 
 // DynamoDB allows performing stateful operations on AWS DynamoDB.
 type DynamoDB struct {
-	client *dynamodb.DynamoDB
-	table  string
-	logger logger.Logger
+	authProvider awsAuth.Provider
+	table        string
+	logger       logger.Logger
 }
 
 type dynamoDBMetadata struct {
@@ -51,18 +51,27 @@ func NewDynamoDB(logger logger.Logger) bindings.OutputBinding {
 }
 
 // Init performs connection parsing for DynamoDB.
-func (d *DynamoDB) Init(_ context.Context, metadata bindings.Metadata) error {
+func (d *DynamoDB) Init(ctx context.Context, metadata bindings.Metadata) error {
 	meta, err := d.getDynamoDBMetadata(metadata)
 	if err != nil {
 		return err
 	}
 
-	client, err := d.getClient(meta)
+	opts := awsAuth.Options{
+		Logger:       d.logger,
+		Properties:   metadata.Properties,
+		Region:       meta.Region,
+		Endpoint:     meta.Endpoint,
+		AccessKey:    meta.AccessKey,
+		SecretKey:    meta.SecretKey,
+		SessionToken: meta.SessionToken,
+	}
+
+	provider, err := awsAuth.NewProvider(ctx, opts, awsAuth.GetConfig(opts))
 	if err != nil {
 		return err
 	}
-
-	d.client = client
+	d.authProvider = provider
 	d.table = meta.Table
 
 	return nil
@@ -84,7 +93,7 @@ func (d *DynamoDB) Invoke(ctx context.Context, req *bindings.InvokeRequest) (*bi
 		return nil, err
 	}
 
-	_, err = d.client.PutItemWithContext(ctx, &dynamodb.PutItemInput{
+	_, err = d.authProvider.DynamoDB().DynamoDB.PutItemWithContext(ctx, &dynamodb.PutItemInput{
 		Item:      item,
 		TableName: aws.String(d.table),
 	})
@@ -105,16 +114,6 @@ func (d *DynamoDB) getDynamoDBMetadata(spec bindings.Metadata) (*dynamoDBMetadat
 	return &meta, nil
 }
 
-func (d *DynamoDB) getClient(metadata *dynamoDBMetadata) (*dynamodb.DynamoDB, error) {
-	sess, err := awsAuth.GetClient(metadata.AccessKey, metadata.SecretKey, metadata.SessionToken, metadata.Region, metadata.Endpoint)
-	if err != nil {
-		return nil, err
-	}
-	c := dynamodb.New(sess)
-
-	return c, nil
-}
-
 // GetComponentMetadata returns the metadata of the component.
 func (d *DynamoDB) GetComponentMetadata() (metadataInfo metadata.MetadataMap) {
 	metadataStruct := dynamoDBMetadata{}
@@ -123,5 +122,8 @@ func (d *DynamoDB) GetComponentMetadata() (metadataInfo metadata.MetadataMap) {
 }
 
 func (d *DynamoDB) Close() error {
+	if d.authProvider != nil {
+		return d.authProvider.Close()
+	}
 	return nil
 }