From e3a560fa79a831a7c648bb63c5258ac5759e1b65 Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Tue, 20 Feb 2024 16:49:09 +0100 Subject: [PATCH 1/5] feat: use HTTP HEAD method to retrieve S3 bucket region instead of GetBucketLocation Signed-off-by: Patrick Decat --- .../aws_s3_bucket/test-hydrate-expected.json | 1 + .../aws_s3_bucket/test-hydrate-query.sql | 2 +- aws/table_aws_s3_bucket.go | 321 +++++++----------- ...ucket_intelligent_tiering_configuration.go | 95 +----- aws/table_aws_s3_object.go | 157 ++------- aws/table_aws_s3_object_version.go | 21 +- 6 files changed, 171 insertions(+), 426 deletions(-) diff --git a/aws-test/tests/aws_s3_bucket/test-hydrate-expected.json b/aws-test/tests/aws_s3_bucket/test-hydrate-expected.json index 68f90d0e4..bd8010013 100644 --- a/aws-test/tests/aws_s3_bucket/test-hydrate-expected.json +++ b/aws-test/tests/aws_s3_bucket/test-hydrate-expected.json @@ -25,6 +25,7 @@ "ObjectLockEnabled": "Enabled", "Rule": null }, + "region": "us-east-2", "replication": null, "versioning_enabled": true, "versioning_mfa_delete": false diff --git a/aws-test/tests/aws_s3_bucket/test-hydrate-query.sql b/aws-test/tests/aws_s3_bucket/test-hydrate-query.sql index ec5a48188..e8dc8d995 100644 --- a/aws-test/tests/aws_s3_bucket/test-hydrate-query.sql +++ b/aws-test/tests/aws_s3_bucket/test-hydrate-query.sql @@ -1,3 +1,3 @@ -select name, logging, acl, replication, versioning_enabled, versioning_mfa_delete, bucket_policy_is_public, object_lock_configuration +select name, logging, acl, replication, versioning_enabled, versioning_mfa_delete, bucket_policy_is_public, object_lock_configuration, region from aws.aws_s3_bucket where name = '{{ resourceName }}'; diff --git a/aws/table_aws_s3_bucket.go b/aws/table_aws_s3_bucket.go index f9c8f79e1..5c97e486d 100644 --- a/aws/table_aws_s3_bucket.go +++ b/aws/table_aws_s3_bucket.go @@ -3,6 +3,8 @@ package aws import ( "context" "errors" + "fmt" + "net/http" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/s3" @@ -27,77 +29,77 @@ func tableAwsS3Bucket(_ context.Context) *plugin.Table { // list call. HydrateConfig: []plugin.HydrateConfig{ { - Func: getBucketLocation, - Tags: map[string]string{"service": "s3", "action": "GetBucketLocation"}, + Func: getBucketRegion, + Tags: map[string]string{"service": "s3", "action": "HTTPHeadBucket"}, }, { Func: getBucketIsPublic, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketPolicyStatus"}, }, { Func: getBucketVersioning, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketVersioning"}, }, { Func: getBucketEncryption, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketEncryption"}, }, { Func: getBucketPublicAccessBlock, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetPublicAccessBlock"}, }, { Func: getBucketACL, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketAcl"}, }, { Func: getBucketLifecycle, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetLifecycleConfiguration"}, }, { Func: getBucketLogging, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketLogging"}, }, { Func: getBucketPolicy, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketPolicy"}, }, { Func: getBucketReplication, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketReplication"}, }, { Func: getBucketTagging, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketTagging"}, }, { Func: getObjectLockConfiguration, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetObjectLockConfiguration"}, }, { Func: getS3BucketEventNotificationConfigurations, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketNotificationConfiguration"}, }, { Func: getS3BucketObjectOwnershipControl, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketOwnershipControls"}, }, { Func: getBucketWebsite, - Depends: []plugin.HydrateFunc{getBucketLocation}, + Depends: []plugin.HydrateFunc{getBucketRegion}, Tags: map[string]string{"service": "s3", "action": "GetBucketWebsite"}, }, }, @@ -276,8 +278,8 @@ func tableAwsS3Bucket(_ context.Context) *plugin.Table { Name: "region", Description: "The AWS Region in which the resource is located.", Type: proto.ColumnType_STRING, - Hydrate: getBucketLocation, - Transform: transform.FromField("LocationConstraint"), + Hydrate: getBucketRegion, + Transform: transform.FromValue(), }, }), } @@ -319,25 +321,61 @@ func listS3Buckets(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDa return nil, nil } -func getS3BucketEventNotificationConfigurations(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil +func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, bucket string) (string, error) { + // Have we already resolved and cached the bucket name? + // FIXME: include the partition name as: + // > Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition + // See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#general-purpose-bucket-names + cacheKey := "getBucketRegion" + bucket + if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok { + return cachedData.(string), nil + } + + // The most reliable way to discover the region of an S3 bucket is to make an unauthenticated HTTP HEAD request. + // See https://github.com/aws/aws-sdk-go/issues/356#issuecomment-132707340 + // Using the S3 path style allows to query buckets with dots in their name. + // Not doing so with such buckets causes `tls: failed to verify certificate: x509: certificate is valid for *.s3.amazonaws.com, s3.amazonaws.com, not www.somedomain.com.s3.amazonaws.com (SQLSTATE HV000)` errors. + // FIXME: do we also want to implement non S3 path style? It may help avoiding rate limiting, but given the above limitation, + // it may be better to define a default Steampipe limiter once actual AWS limits are discovered. + resp, err := http.Head(fmt.Sprintf("https://s3.amazonaws.com/%s", bucket)) + if err != nil { + plugin.Logger(ctx).Error("aws_s3_bucket.getBucketRegion", "http_head_error", err) + return "", err + } + + // We only care about the 400 and 404 HTTP status codes which respectively mean the request is invalid or the bucket does not exist at all. + // FIXME: do 429 responses happen and also include the header? + if resp.StatusCode == 400 || resp.StatusCode == 404 { + plugin.Logger(ctx).Error("aws_s3_bucket.getBucketRegion", "http_head_status_code", resp.StatusCode) } - name := h.Item.(types.Bucket).Name - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + // In the other situations (i.e. 200, 301 and 403, the x-amz-bucket-region header is always present + bucketRegion := resp.Header.Get("x-amz-bucket-region") + plugin.Logger(ctx).Debug("aws_s3_bucket.getBucketRegion", "bucket", bucket, "region", bucketRegion, "status_code", resp.StatusCode) + + d.ConnectionManager.Cache.Set(cacheKey, bucketRegion) + return bucketRegion, nil +} + +func getBucketRegion(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { + bucketName := h.Item.(types.Bucket).Name + + return doGetBucketRegion(ctx, d, *bucketName) +} + +func getS3BucketEventNotificationConfigurations(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getS3BucketEventNotificationConfigurations", "client_error", err) return nil, err } // Build param - input := &s3.GetBucketNotificationConfigurationInput{Bucket: name} + input := &s3.GetBucketNotificationConfigurationInput{Bucket: bucketName} notificationDetails, err := svc.GetBucketNotificationConfiguration(ctx, input) if err != nil { @@ -358,17 +396,11 @@ func getS3BucketEventNotificationConfigurations(ctx context.Context, d *plugin.Q } func getS3BucketObjectOwnershipControl(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - name := h.Item.(types.Bucket).Name - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getS3BucketObjectOwnershipControl", "client_error", err) @@ -376,7 +408,7 @@ func getS3BucketObjectOwnershipControl(ctx context.Context, d *plugin.QueryData, } // Build param - input := &s3.GetBucketOwnershipControlsInput{Bucket: name} + input := &s3.GetBucketOwnershipControlsInput{Bucket: bucketName} conf, err := svc.GetBucketOwnershipControls(ctx, input) if err != nil { @@ -397,67 +429,18 @@ func getS3BucketObjectOwnershipControl(ctx context.Context, d *plugin.QueryData, return conf.OwnershipControls, nil } -func getBucketLocation(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - bucket := h.Item.(types.Bucket) - - // Unlike most services, S3 buckets are a global list. They can be retrieved - // from any single region. It's best to use the client region of the user - // (e.g. closest to them). - clientRegion, err := getDefaultRegion(ctx, d, h) - if err != nil { - return nil, err - } - svc, err := S3Client(ctx, d, clientRegion) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket.getBucketLocation", "get_client_error", err, "clientRegion", clientRegion) - return nil, err - } - - params := &s3.GetBucketLocationInput{Bucket: bucket.Name} - - // Specifies the Region where the bucket resides. For a list of all the Amazon - // S3 supported location constraints by Region, see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). - location, err := svc.GetBucketLocation(ctx, params) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket.getBucketLocation", "bucket_name", *bucket.Name, "clientRegion", clientRegion, "api_error", err) - return nil, err - } - - if location != nil && location.LocationConstraint != "" { - // Buckets in eu-west-1 created through the AWS CLI or other API driven methods can return a location of "EU", - // so we need to convert back - if location.LocationConstraint == "EU" { - return &s3.GetBucketLocationOutput{ - LocationConstraint: "eu-west-1", - }, nil - } - return location, nil - } - - // Buckets in us-east-1 have a LocationConstraint of null - return &s3.GetBucketLocationOutput{ - LocationConstraint: "us-east-1", - }, nil -} - func getBucketIsPublic(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketIsPublic", "client_error", err) return nil, err } - params := &s3.GetBucketPolicyStatusInput{Bucket: bucket.Name} + params := &s3.GetBucketPolicyStatusInput{Bucket: bucketName} policyStatus, err := svc.GetBucketPolicyStatus(ctx, params) if err != nil { var a smithy.APIError @@ -474,23 +457,17 @@ func getBucketIsPublic(ctx context.Context, d *plugin.QueryData, h *plugin.Hydra } func getBucketVersioning(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketVersioning", "client_error", err) return nil, err } - params := &s3.GetBucketVersioningInput{Bucket: bucket.Name} + params := &s3.GetBucketVersioningInput{Bucket: bucketName} versioning, err := svc.GetBucketVersioning(ctx, params) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketVersioning", "api_error", err) @@ -501,23 +478,17 @@ func getBucketVersioning(ctx context.Context, d *plugin.QueryData, h *plugin.Hyd } func getBucketEncryption(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketEncryption", "client_error", err) return nil, err } params := &s3.GetBucketEncryptionInput{ - Bucket: bucket.Name, + Bucket: bucketName, } encryption, err := svc.GetBucketEncryption(ctx, params) @@ -535,23 +506,17 @@ func getBucketEncryption(ctx context.Context, d *plugin.QueryData, h *plugin.Hyd } func getBucketPublicAccessBlock(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketPublicAccessBlock", "client_error", err) return nil, err } - params := &s3.GetPublicAccessBlockInput{Bucket: bucket.Name} + params := &s3.GetPublicAccessBlockInput{Bucket: bucketName} defaultAccessBlock := &types.PublicAccessBlockConfiguration{ BlockPublicAcls: aws.Bool(false), BlockPublicPolicy: aws.Bool(false), @@ -577,23 +542,17 @@ func getBucketPublicAccessBlock(ctx context.Context, d *plugin.QueryData, h *plu } func getBucketACL(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketACL", "client_error", err) return nil, err } - params := &s3.GetBucketAclInput{Bucket: bucket.Name} + params := &s3.GetBucketAclInput{Bucket: bucketName} acl, err := svc.GetBucketAcl(ctx, params) if err != nil { @@ -612,23 +571,17 @@ func getBucketACL(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDat } func getBucketLifecycle(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketLifecycle", "client_error", err) return nil, err } - params := &s3.GetBucketLifecycleConfigurationInput{Bucket: bucket.Name} + params := &s3.GetBucketLifecycleConfigurationInput{Bucket: bucketName} lifecycleConfiguration, err := svc.GetBucketLifecycleConfiguration(ctx, params) if err != nil { @@ -646,23 +599,17 @@ func getBucketLifecycle(ctx context.Context, d *plugin.QueryData, h *plugin.Hydr } func getBucketLogging(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketLogging", "client_error", err) return nil, err } - params := &s3.GetBucketLoggingInput{Bucket: bucket.Name} + params := &s3.GetBucketLoggingInput{Bucket: bucketName} logging, err := svc.GetBucketLogging(ctx, params) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketLogging", "api_error", err) @@ -672,23 +619,17 @@ func getBucketLogging(ctx context.Context, d *plugin.QueryData, h *plugin.Hydrat } func getBucketPolicy(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketPolicy", "client_error", err) return nil, err } params := &s3.GetBucketPolicyInput{ - Bucket: bucket.Name, + Bucket: bucketName, } bucketPolicy, err := svc.GetBucketPolicy(ctx, params) @@ -707,22 +648,16 @@ func getBucketPolicy(ctx context.Context, d *plugin.QueryData, h *plugin.Hydrate } func getBucketReplication(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketReplication", "client_error", err) return nil, err } - params := &s3.GetBucketReplicationInput{Bucket: bucket.Name} + params := &s3.GetBucketReplicationInput{Bucket: bucketName} replication, err := svc.GetBucketReplication(ctx, params) if err != nil { @@ -740,23 +675,17 @@ func getBucketReplication(ctx context.Context, d *plugin.QueryData, h *plugin.Hy } func getBucketTagging(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketTagging", "client_error", err) return nil, err } - params := &s3.GetBucketTaggingInput{Bucket: bucket.Name} + params := &s3.GetBucketTaggingInput{Bucket: bucketName} bucketTags, _ := svc.GetBucketTagging(ctx, params) if err != nil { @@ -768,23 +697,17 @@ func getBucketTagging(ctx context.Context, d *plugin.QueryData, h *plugin.Hydrat } func getBucketWebsite(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getBucketWebsite", "client_error", err) return nil, err } - params := &s3.GetBucketWebsiteInput{Bucket: bucket.Name} + params := &s3.GetBucketWebsiteInput{Bucket: bucketName} bucketwebsites, _ := svc.GetBucketWebsite(ctx, params) if err != nil { @@ -796,7 +719,7 @@ func getBucketWebsite(ctx context.Context, d *plugin.QueryData, h *plugin.Hydrat } func getBucketARN(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - bucket := h.Item.(types.Bucket) + bucketName := h.Item.(types.Bucket).Name c, err := getCommonColumns(ctx, d, h) if err != nil { @@ -805,29 +728,23 @@ func getBucketARN(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDat } commonColumnData := c.(*awsCommonColumnData) - arn := "arn:" + commonColumnData.Partition + ":s3:::" + *bucket.Name + arn := "arn:" + commonColumnData.Partition + ":s3:::" + *bucketName return arn, nil } func getObjectLockConfiguration(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - if h.HydrateResults["getBucketLocation"] == nil { - return nil, nil - } - - bucket := h.Item.(types.Bucket) - location := h.HydrateResults["getBucketLocation"].(*s3.GetBucketLocationOutput) + bucketName := h.Item.(types.Bucket).Name + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, string(location.LocationConstraint)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket.getObjectLockConfiguration", "client_error", err) return nil, err } - params := &s3.GetObjectLockConfigurationInput{Bucket: bucket.Name} + params := &s3.GetObjectLockConfigurationInput{Bucket: bucketName} data, err := svc.GetObjectLockConfiguration(ctx, params) if err != nil { diff --git a/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go b/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go index 52e6476e3..c27e8df99 100644 --- a/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go +++ b/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go @@ -2,9 +2,7 @@ package aws import ( "context" - "fmt" - "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3/types" @@ -81,23 +79,18 @@ type IntelligentTieringConfigurationInfo struct { //// LIST FUNCTION func listBucketIntelligentTieringConfigurations(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg bucket := h.Item.(types.Bucket) - location, err := getIntelligentTieringBucketLocation(ctx, d, h) - if err != nil { - return nil, nil - } else if location == nil { + if d.EqualsQualString("bucket_name") != "" && d.EqualsQualString("bucket_name") != *bucket.Name { return nil, nil } - if d.EqualsQualString("bucket_name") != "" && d.EqualsQualString("bucket_name") != *bucket.Name { - return nil, nil + bucketRegion, err := doGetBucketRegion(ctx, d, *bucket.Name) + if err != nil { + return nil, err } // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket_intelligent_tiering_configuration.listBucketIntelligentTieringConfigurations", "client_error", err) return nil, err @@ -147,17 +140,13 @@ func getBucketIntelligentTieringConfiguration(ctx context.Context, d *plugin.Que return nil, nil } - // Bucket location will be nil if getBucketLocation returned an error but - // was ignored through ignore_error_codes config arg - location, err := getIntelligentTieringBucketLocation(ctx, d, h) + bucketRegion, err := doGetBucketRegion(ctx, d, bucketName) if err != nil { - return nil, nil - } else if location == nil { - return nil, nil + return nil, err } // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_bucket_intelligent_tiering_configuration.getBucketIntelligentTieringConfiguration", "client_error", err) return nil, err @@ -180,71 +169,3 @@ func getBucketIntelligentTieringConfiguration(ctx context.Context, d *plugin.Que return nil, nil } - -func getIntelligentTieringBucketLocation(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - var bucketName string - if h.Item != nil { - bucketName = *h.Item.(types.Bucket).Name - } else { - bucketName = d.EqualsQuals["bucket_name"].GetStringValue() - } - - if bucketName == "" { - return nil, nil - } - - c, err := getCommonColumns(ctx, d, h) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket_intelligent_tiering_configuration.getIntelligentTieringBucketLocation", "get_common_columns_error", err) - return nil, err - } - commonColumnData := c.(*awsCommonColumnData) - - // have we already created and cached the session? - cacheKey := "getIntelligentTieringBucketLocation" + bucketName + commonColumnData.AccountId - - if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok { - return cachedData.(string), nil - } - - // Unlike most services, S3 buckets are a global list. They can be retrieved - // from any single region. It's best to use the client region of the user - // (e.g. closest to them). - clientRegion, err := getDefaultRegion(ctx, d, h) - if err != nil { - return "", err - } - - svc, err := S3Client(ctx, d, clientRegion) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket_intelligent_tiering_configuration.getIntelligentTieringBucketLocation", "get_client_error", err, "clientRegion", clientRegion) - return "", err - } - - params := &s3.GetBucketLocationInput{Bucket: aws.String(bucketName), ExpectedBucketOwner: aws.String(commonColumnData.AccountId)} - - // Specifies the Region where the bucket resides. For a list of all the Amazon - // S3 supported location constraints by Region, see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). - location, err := svc.GetBucketLocation(ctx, params) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket_intelligent_tiering_configuration.getIntelligentTieringBucketLocation", "bucket_name", bucketName, "clientRegion", clientRegion, "api_error", err) - return "", err - } - var locationConstraint string - if location != nil && location.LocationConstraint != "" { - // Buckets in eu-west-1 created through the AWS CLI or other API driven methods can return a location of "EU", - // so we need to convert back - if location.LocationConstraint == "EU" { - locationConstraint = "eu-west-1" - d.ConnectionManager.Cache.Set(cacheKey, locationConstraint) - return locationConstraint, nil - } - d.ConnectionManager.Cache.Set(cacheKey, string(location.LocationConstraint)) - return string(location.LocationConstraint), nil - } - - // Buckets in us-east-1 have a LocationConstraint of null - locationConstraint = "us-east-1" - d.ConnectionManager.Cache.Set(cacheKey, locationConstraint) - return locationConstraint, nil -} diff --git a/aws/table_aws_s3_object.go b/aws/table_aws_s3_object.go index d438d2db7..265a894a1 100644 --- a/aws/table_aws_s3_object.go +++ b/aws/table_aws_s3_object.go @@ -3,7 +3,6 @@ package aws import ( "context" "encoding/base64" - "fmt" "io" "strings" "unicode/utf8" @@ -30,24 +29,28 @@ func tableAwsS3Object(_ context.Context) *plugin.Table { }, HydrateConfig: []plugin.HydrateConfig{ { - Func: getS3Object, - Tags: map[string]string{"service": "s3", "action": "GetObject"}, + Func: getBucketRegionForObjects, + Tags: map[string]string{"service": "s3", "action": "HTTPHeadBucket"}, }, { - Func: getS3ObjectAttributes, - Tags: map[string]string{"service": "s3", "action": "GetObjectAttributes"}, + Func: getS3Object, + Depends: []plugin.HydrateFunc{getBucketRegionForObjects}, + Tags: map[string]string{"service": "s3", "action": "GetObject"}, }, { - Func: getS3ObjectACL, - Tags: map[string]string{"service": "s3", "action": "GetObjectAcl"}, + Func: getS3ObjectAttributes, + Depends: []plugin.HydrateFunc{getBucketRegionForObjects}, + Tags: map[string]string{"service": "s3", "action": "GetObjectAttributes"}, }, { - Func: getS3ObjectTagging, - Tags: map[string]string{"service": "s3", "action": "GetObjectTagging"}, + Func: getS3ObjectACL, + Depends: []plugin.HydrateFunc{getBucketRegionForObjects}, + Tags: map[string]string{"service": "s3", "action": "GetObjectAcl"}, }, { - Func: getBucketLocationForObjects, - Tags: map[string]string{"service": "s3", "action": "GetBucketLocation"}, + Func: getS3ObjectTagging, + Depends: []plugin.HydrateFunc{getBucketRegionForObjects}, + Tags: map[string]string{"service": "s3", "action": "GetObjectTagging"}, }, }, Columns: awsAccountColumns([]*plugin.Column{ @@ -378,31 +381,29 @@ func tableAwsS3Object(_ context.Context) *plugin.Table { Name: "region", Description: "The AWS Region in which the object is located.", Type: proto.ColumnType_STRING, - Hydrate: getBucketLocationForObjects, + Hydrate: getBucketRegionForObjects, Transform: transform.FromValue(), }, }), } } +func getBucketRegionForObjects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { + bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + + return doGetBucketRegion(ctx, d, bucketName) +} + func listS3Objects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } + bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegionForObjects"].(string) - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object.listS3Objects", "get_client_error", err) return nil, err } - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() - // default supported max value is 1000 by ListObjectsV2 maxItems := int32(1000) @@ -457,23 +458,16 @@ func listS3Objects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDa } func getS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } + bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object.getS3Object", "client_error", err) return nil, err } - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() key := h.Item.(types.Object).Key params := &s3.GetObjectInput{ @@ -495,23 +489,16 @@ func getS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData } func getS3ObjectAttributes(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } + bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegion"].(string) // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object.getS3ObjectAttributes", "client_error", err) return nil, err } - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() key := h.Item.(types.Object).Key params := &s3.GetObjectAttributesInput{ @@ -530,16 +517,9 @@ func getS3ObjectAttributes(ctx context.Context, d *plugin.QueryData, h *plugin.H } func getS3ObjectACL(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegion"].(string) + object := h.Item.(types.Object) // GetObjectAcl is not supported by Amazon S3 on Outposts. @@ -549,7 +529,7 @@ func getS3ObjectACL(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateD } // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object.getS3ObjectACL", "client_error", err) return nil, err @@ -570,20 +550,13 @@ func getS3ObjectACL(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateD } func getS3ObjectTagging(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegion"].(string) + object := h.Item.(types.Object) // Create client - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object.getS3ObjectTagging", "client_error", err) return nil, err @@ -603,64 +576,6 @@ func getS3ObjectTagging(ctx context.Context, d *plugin.QueryData, h *plugin.Hydr return tags, nil } -func getBucketLocationForObjects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - c, err := getCommonColumns(ctx, d, h) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_object.getBucketLocationForObjects", "get_common_columns_error", err) - return nil, err - } - commonColumnData := c.(*awsCommonColumnData) - - bucketName := d.EqualsQuals["bucket_name"].GetStringValue() - - // have we already created and cached the session? - cacheKey := "getBucketLocationForObjects" + bucketName + commonColumnData.AccountId - - if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok { - return cachedData.(string), nil - } - - // Unlike most services, S3 buckets are a global list. They can be retrieved - // from any single region. It's best to use the client region of the user - // (e.g. closest to them). - clientRegion, err := getDefaultRegion(ctx, d, h) - if err != nil { - return "", err - } - svc, err := S3Client(ctx, d, clientRegion) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_object.getBucketLocationForObjects", "get_client_error", err, "clientRegion", clientRegion) - return "", err - } - - params := &s3.GetBucketLocationInput{Bucket: aws.String(bucketName), ExpectedBucketOwner: aws.String(commonColumnData.AccountId)} - - // Specifies the Region where the bucket resides. For a list of all the Amazon - // S3 supported location constraints by Region, see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). - location, err := svc.GetBucketLocation(ctx, params) - if err != nil { - plugin.Logger(ctx).Error("aws_s3_object.getBucketLocationForObjects", "bucket_name", bucketName, "clientRegion", clientRegion, "api_error", err) - return "", err - } - var locationConstraint string - if location != nil && location.LocationConstraint != "" { - // Buckets in eu-west-1 created through the AWS CLI or other API driven methods can return a location of "EU", - // so we need to convert back - if location.LocationConstraint == "EU" { - locationConstraint = "eu-west-1" - d.ConnectionManager.Cache.Set(cacheKey, locationConstraint) - return locationConstraint, nil - } - d.ConnectionManager.Cache.Set(cacheKey, string(location.LocationConstraint)) - return string(location.LocationConstraint), nil - } - - // Buckets in us-east-1 have a LocationConstraint of null - locationConstraint = "us-east-1" - d.ConnectionManager.Cache.Set(cacheKey, locationConstraint) - return locationConstraint, nil -} - func getObjectARN(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { object := h.Item.(types.Object) diff --git a/aws/table_aws_s3_object_version.go b/aws/table_aws_s3_object_version.go index 5a47543be..c96107ae5 100644 --- a/aws/table_aws_s3_object_version.go +++ b/aws/table_aws_s3_object_version.go @@ -2,7 +2,6 @@ package aws import ( "context" - "fmt" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go/aws" @@ -25,8 +24,8 @@ func tableAwsS3ObjectVersion(_ context.Context) *plugin.Table { }, HydrateConfig: []plugin.HydrateConfig{ { - Func: getBucketLocationForObjects, - Tags: map[string]string{"service": "s3", "action": "GetBucketLocation"}, + Func: getBucketRegionForObjects, + Tags: map[string]string{"service": "s3", "action": "HTTPHeadBucket"}, }, }, Columns: awsAccountColumns([]*plugin.Column{ @@ -101,7 +100,7 @@ func tableAwsS3ObjectVersion(_ context.Context) *plugin.Table { Name: "region", Description: "The AWS Region in which the object is located.", Type: proto.ColumnType_STRING, - Hydrate: getBucketLocationForObjects, + Hydrate: getBucketRegionForObjects, Transform: transform.FromValue(), }, }), @@ -109,23 +108,15 @@ func tableAwsS3ObjectVersion(_ context.Context) *plugin.Table { } func listS3ObjectVersions(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { - // Bucket location will be nil if getBucketLocationForObjects returned an error but - // was ignored through ignore_error_codes config arg - location, err := getBucketLocationForObjects(ctx, d, h) - if err != nil { - return nil, err - } else if location == "" { - return nil, nil - } + bucketName := d.EqualsQuals["bucket_name"].GetStringValue() + bucketRegion := h.HydrateResults["getBucketRegionForObjects"].(string) - svc, err := S3Client(ctx, d, fmt.Sprint(location)) + svc, err := S3Client(ctx, d, bucketRegion) if err != nil { plugin.Logger(ctx).Error("aws_s3_object_version.listS3ObjectVersions", "get_client_error", err) return nil, err } - bucketName := d.EqualsQualString("bucket_name") - // default supported max value is 1000 by ListObjectVersions maxItems := int32(1000) From 8c8b32badb8bd700a144da687d7e94332f92c8f5 Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Tue, 20 Feb 2024 17:05:24 +0100 Subject: [PATCH 2/5] fix: add AWS partition to S3 bucket region cache key Signed-off-by: Patrick Decat --- aws/table_aws_s3_bucket.go | 21 +++++++++++-------- ...ucket_intelligent_tiering_configuration.go | 4 ++-- aws/table_aws_s3_object.go | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/aws/table_aws_s3_bucket.go b/aws/table_aws_s3_bucket.go index 5c97e486d..8ed61f3d0 100644 --- a/aws/table_aws_s3_bucket.go +++ b/aws/table_aws_s3_bucket.go @@ -321,12 +321,15 @@ func listS3Buckets(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDa return nil, nil } -func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, bucket string) (string, error) { +func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData, bucket string) (string, error) { // Have we already resolved and cached the bucket name? - // FIXME: include the partition name as: - // > Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition - // See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#general-purpose-bucket-names - cacheKey := "getBucketRegion" + bucket + c, err := getCommonColumns(ctx, d, h) + if err != nil { + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "get_common_columns_error", err) + return "", err + } + commonColumnData := c.(*awsCommonColumnData) + cacheKey := "getBucketRegion/" + commonColumnData.Partition + "/" + bucket if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok { return cachedData.(string), nil } @@ -339,19 +342,19 @@ func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, bucket string) // it may be better to define a default Steampipe limiter once actual AWS limits are discovered. resp, err := http.Head(fmt.Sprintf("https://s3.amazonaws.com/%s", bucket)) if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket.getBucketRegion", "http_head_error", err) + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "http_head_error", err) return "", err } // We only care about the 400 and 404 HTTP status codes which respectively mean the request is invalid or the bucket does not exist at all. // FIXME: do 429 responses happen and also include the header? if resp.StatusCode == 400 || resp.StatusCode == 404 { - plugin.Logger(ctx).Error("aws_s3_bucket.getBucketRegion", "http_head_status_code", resp.StatusCode) + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "http_head_status_code", resp.StatusCode) } // In the other situations (i.e. 200, 301 and 403, the x-amz-bucket-region header is always present bucketRegion := resp.Header.Get("x-amz-bucket-region") - plugin.Logger(ctx).Debug("aws_s3_bucket.getBucketRegion", "bucket", bucket, "region", bucketRegion, "status_code", resp.StatusCode) + plugin.Logger(ctx).Debug("aws_s3_bucket.doGetBucketRegion", "bucket", bucket, "region", bucketRegion, "status_code", resp.StatusCode) d.ConnectionManager.Cache.Set(cacheKey, bucketRegion) return bucketRegion, nil @@ -360,7 +363,7 @@ func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, bucket string) func getBucketRegion(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { bucketName := h.Item.(types.Bucket).Name - return doGetBucketRegion(ctx, d, *bucketName) + return doGetBucketRegion(ctx, d, h, *bucketName) } func getS3BucketEventNotificationConfigurations(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { diff --git a/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go b/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go index c27e8df99..eab2c83a9 100644 --- a/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go +++ b/aws/table_aws_s3_bucket_intelligent_tiering_configuration.go @@ -84,7 +84,7 @@ func listBucketIntelligentTieringConfigurations(ctx context.Context, d *plugin.Q return nil, nil } - bucketRegion, err := doGetBucketRegion(ctx, d, *bucket.Name) + bucketRegion, err := doGetBucketRegion(ctx, d, h, *bucket.Name) if err != nil { return nil, err } @@ -140,7 +140,7 @@ func getBucketIntelligentTieringConfiguration(ctx context.Context, d *plugin.Que return nil, nil } - bucketRegion, err := doGetBucketRegion(ctx, d, bucketName) + bucketRegion, err := doGetBucketRegion(ctx, d, h, bucketName) if err != nil { return nil, err } diff --git a/aws/table_aws_s3_object.go b/aws/table_aws_s3_object.go index 265a894a1..31b808aab 100644 --- a/aws/table_aws_s3_object.go +++ b/aws/table_aws_s3_object.go @@ -391,7 +391,7 @@ func tableAwsS3Object(_ context.Context) *plugin.Table { func getBucketRegionForObjects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { bucketName := d.EqualsQuals["bucket_name"].GetStringValue() - return doGetBucketRegion(ctx, d, bucketName) + return doGetBucketRegion(ctx, d, h, bucketName) } func listS3Objects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { From acba474845850a034b26b4842438d028a704c5fb Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Fri, 24 May 2024 14:22:05 +0200 Subject: [PATCH 3/5] Use HeadBucket instead of HTTPHeadBucket for action tag Co-authored-by: cbruno10 --- aws/table_aws_s3_bucket.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/table_aws_s3_bucket.go b/aws/table_aws_s3_bucket.go index 8ed61f3d0..4214d7979 100644 --- a/aws/table_aws_s3_bucket.go +++ b/aws/table_aws_s3_bucket.go @@ -30,7 +30,7 @@ func tableAwsS3Bucket(_ context.Context) *plugin.Table { HydrateConfig: []plugin.HydrateConfig{ { Func: getBucketRegion, - Tags: map[string]string{"service": "s3", "action": "HTTPHeadBucket"}, + Tags: map[string]string{"service": "s3", "action": "HeadBucket"}, }, { Func: getBucketIsPublic, From d29a51d8de38405dad558465f67cdf62c4bc9cb7 Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Fri, 24 May 2024 14:26:50 +0200 Subject: [PATCH 4/5] fix: log HEAD request status code at debug level --- aws/table_aws_s3_bucket.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/table_aws_s3_bucket.go b/aws/table_aws_s3_bucket.go index 4214d7979..f69ff6f09 100644 --- a/aws/table_aws_s3_bucket.go +++ b/aws/table_aws_s3_bucket.go @@ -349,7 +349,7 @@ func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, h *plugin.Hydra // We only care about the 400 and 404 HTTP status codes which respectively mean the request is invalid or the bucket does not exist at all. // FIXME: do 429 responses happen and also include the header? if resp.StatusCode == 400 || resp.StatusCode == 404 { - plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "http_head_status_code", resp.StatusCode) + plugin.Logger(ctx).Debug("aws_s3_bucket.doGetBucketRegion", "http_head_status_code", resp.StatusCode) } // In the other situations (i.e. 200, 301 and 403, the x-amz-bucket-region header is always present From 38bff7ca9384262e2c159ad2ea407918d4e1cd52 Mon Sep 17 00:00:00 2001 From: Patrick Decat Date: Fri, 24 May 2024 14:56:16 +0200 Subject: [PATCH 5/5] fix: use manager.GetBucketRegion() to retrieve S3 bucket region --- aws/table_aws_s3_bucket.go | 35 +++++++++++++++++------------------ go.mod | 29 +++++++++++++++-------------- go.sum | 30 ++++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+), 32 deletions(-) diff --git a/aws/table_aws_s3_bucket.go b/aws/table_aws_s3_bucket.go index f69ff6f09..d80f157ed 100644 --- a/aws/table_aws_s3_bucket.go +++ b/aws/table_aws_s3_bucket.go @@ -3,10 +3,9 @@ package aws import ( "context" "errors" - "fmt" - "net/http" "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/feature/s3/manager" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3/types" "github.com/aws/smithy-go" @@ -334,27 +333,27 @@ func doGetBucketRegion(ctx context.Context, d *plugin.QueryData, h *plugin.Hydra return cachedData.(string), nil } - // The most reliable way to discover the region of an S3 bucket is to make an unauthenticated HTTP HEAD request. - // See https://github.com/aws/aws-sdk-go/issues/356#issuecomment-132707340 - // Using the S3 path style allows to query buckets with dots in their name. - // Not doing so with such buckets causes `tls: failed to verify certificate: x509: certificate is valid for *.s3.amazonaws.com, s3.amazonaws.com, not www.somedomain.com.s3.amazonaws.com (SQLSTATE HV000)` errors. - // FIXME: do we also want to implement non S3 path style? It may help avoiding rate limiting, but given the above limitation, - // it may be better to define a default Steampipe limiter once actual AWS limits are discovered. - resp, err := http.Head(fmt.Sprintf("https://s3.amazonaws.com/%s", bucket)) + // Create client in default region + defaultRegion, err := getDefaultRegion(ctx, d, nil) if err != nil { - plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "http_head_error", err) + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "default_region_error", err) return "", err } - - // We only care about the 400 and 404 HTTP status codes which respectively mean the request is invalid or the bucket does not exist at all. - // FIXME: do 429 responses happen and also include the header? - if resp.StatusCode == 400 || resp.StatusCode == 404 { - plugin.Logger(ctx).Debug("aws_s3_bucket.doGetBucketRegion", "http_head_status_code", resp.StatusCode) + svc, err := S3Client(ctx, d, defaultRegion) + if err != nil { + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "client_error", err) + return "", err } - // In the other situations (i.e. 200, 301 and 403, the x-amz-bucket-region header is always present - bucketRegion := resp.Header.Get("x-amz-bucket-region") - plugin.Logger(ctx).Debug("aws_s3_bucket.doGetBucketRegion", "bucket", bucket, "region", bucketRegion, "status_code", resp.StatusCode) + // The most reliable way to discover the region of an S3 bucket is to make an unauthenticated HTTP HEAD request which this SDK manager.GetBucketRegion() function does. + // See https://github.com/aws/aws-sdk-go/issues/356#issuecomment-132707340 + // and https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/s3/manager#GetBucketRegion + bucketRegion, err := manager.GetBucketRegion(ctx, svc, bucket) + if err != nil { + plugin.Logger(ctx).Error("aws_s3_bucket.doGetBucketRegion", "get_bucket_region_error", err) + return "", err + } + plugin.Logger(ctx).Debug("aws_s3_bucket.doGetBucketRegion", "bucket", bucket, "region", bucketRegion) d.ConnectionManager.Cache.Set(cacheKey, bucketRegion) return bucketRegion, nil diff --git a/go.mod b/go.mod index afbccb0af..c2d4528ce 100644 --- a/go.mod +++ b/go.mod @@ -6,9 +6,9 @@ toolchain go1.21.3 require ( github.com/aws/aws-sdk-go v1.51.19 - github.com/aws/aws-sdk-go-v2 v1.26.1 - github.com/aws/aws-sdk-go-v2/config v1.27.11 - github.com/aws/aws-sdk-go-v2/credentials v1.17.11 + github.com/aws/aws-sdk-go-v2 v1.27.0 + github.com/aws/aws-sdk-go-v2/config v1.27.16 + github.com/aws/aws-sdk-go-v2/credentials v1.17.16 github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.29.1 github.com/aws/aws-sdk-go-v2/service/account v1.16.4 github.com/aws/aws-sdk-go-v2/service/acm v1.25.4 @@ -102,7 +102,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/route53 v1.40.4 github.com/aws/aws-sdk-go-v2/service/route53domains v1.23.4 github.com/aws/aws-sdk-go-v2/service/route53resolver v1.27.4 - github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 + github.com/aws/aws-sdk-go-v2/service/s3 v1.54.3 github.com/aws/aws-sdk-go-v2/service/s3control v1.44.4 github.com/aws/aws-sdk-go-v2/service/sagemaker v1.135.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6 @@ -119,7 +119,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sqs v1.31.4 github.com/aws/aws-sdk-go-v2/service/ssm v1.49.5 github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.25.5 - github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 + github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 github.com/aws/aws-sdk-go-v2/service/support v1.21.4 github.com/aws/aws-sdk-go-v2/service/transfer v1.45.0 github.com/aws/aws-sdk-go-v2/service/waf v1.20.4 @@ -142,6 +142,7 @@ require ( require golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect require ( + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.21 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect @@ -160,19 +161,19 @@ require ( github.com/allegro/bigcache/v3 v3.1.0 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 // indirect github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.6 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 // indirect github.com/aws/aws-sdk-go-v2/service/ssmincidents v1.30.4 - github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/btubbs/datetime v0.1.1 // indirect diff --git a/go.sum b/go.sum index bf5460e51..75475d0a7 100644 --- a/go.sum +++ b/go.sum @@ -207,22 +207,38 @@ github.com/aws/aws-sdk-go v1.51.19 h1:jp/Vx/mUpXttthvvo/4/Nn/3+zumirIlAFkp1Irf1k github.com/aws/aws-sdk-go v1.51.19/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgiLlo= +github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg= github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= +github.com/aws/aws-sdk-go-v2/config v1.27.16 h1:knpCuH7laFVGYTNd99Ns5t+8PuRjDn4HnnZK48csipM= +github.com/aws/aws-sdk-go-v2/config v1.27.16/go.mod h1:vutqgRhDUktwSge3hrC3nkuirzkJ4E/mLj5GvI0BQas= github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= +github.com/aws/aws-sdk-go-v2/credentials v1.17.16 h1:7d2QxY83uYl0l58ceyiSpxg9bSbStqBC6BeEeHEchwo= +github.com/aws/aws-sdk-go-v2/credentials v1.17.16/go.mod h1:Ae6li/6Yc6eMzysRL2BXlPYvnrLLBg3D11/AmOjw50k= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 h1:dQLK4TjtnlRGb0czOht2CevZ5l6RSyRWAnKeGd7VAFE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3/go.mod h1:TL79f2P6+8Q7dTsILpiVST+AL9lkF6PPGI167Ny0Cjw= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.21 h1:1v8Ii0MRVGYB/sdhkbxrtolCA7Tp+lGh+5OJTs5vmZ8= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.21/go.mod h1:cxdd1rc8yxCjKz28hi30XN1jDXr2DxZvD44vLxTz/bg= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 h1:/FUtT3xsoHO3cfh+I/kCbcMCN98QZRsiFet/V8QkWSs= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7/go.mod h1:MaCAgWpGooQoCWZnMur97rGn5dp350w2+CeiV5406wE= github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.29.1 h1:PL5AbOt4fBuqFOupjlJz7FNQv8Y9iq/3AlOiPFMcBhY= github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.29.1/go.mod h1:CDDc+pehLZpaGJNHUE6RJcp7MjQUhduISa1bQ/ixwR8= github.com/aws/aws-sdk-go-v2/service/account v1.16.4 h1:Fvgx1l0High+w0FoOFj9ZOJR3H6qBqNmFvespxtz7xk= @@ -353,12 +369,18 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1x github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 h1:UXqEWQI0n+q0QixzU0yUUQBZXRd5037qdInTIHFTl98= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9/go.mod h1:xP6Gq6fzGZT8w/ZN+XvGMZ2RU1LeEs7b2yUP5DN8NY4= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.6 h1:6tayEze2Y+hiL3kdnEUxSPsP+pJsUfwLSFspFl1ru9Q= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.6/go.mod h1:qVNb/9IOVsLCZh0x2lnagrBwQ9fxajUpXS7OZfIsKn0= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 h1:Wx0rlZoEJR7JwlSZcHnEa7CNjrSIyVxMFWGAaXy4fJY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9/go.mod h1:aVMHdE0aHO3v+f/iw01fmXV/5DbfQ3Bi9nN7nd9bE9Y= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 h1:uO5XR6QGBcmPyo2gxofYJLFkcVQ4izOoGDNenlZhTEk= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7/go.mod h1:feeeAYfAcwTReM6vbwjEyDmiGho+YgBhaFULuXDW8kc= github.com/aws/aws-sdk-go-v2/service/iot v1.53.3 h1:d9R8dezHswXV9am8Sz+1HOsCas1/7YmJQQq7FmpD7rQ= github.com/aws/aws-sdk-go-v2/service/iot v1.53.3/go.mod h1:7rtIbAvSP5Nbc1f7sbeWa+uMV+T6khOkWAh6VHsbOZI= github.com/aws/aws-sdk-go-v2/service/kafka v1.31.2 h1:jODSVa9LbXmZKRLy4KLFHCfhKlCGzU8FPOClKTqrh9U= @@ -423,6 +445,8 @@ github.com/aws/aws-sdk-go-v2/service/route53resolver v1.27.4 h1:NRXU+A97tIT+omlG github.com/aws/aws-sdk-go-v2/service/route53resolver v1.27.4/go.mod h1:g9o7qdXg8Tp8rrfbD/8loqCr+uv4mIBhMv/W4Kk8vNY= github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc= github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o= +github.com/aws/aws-sdk-go-v2/service/s3 v1.54.3 h1:57NtjG+WLims0TxIQbjTqebZUKDM03DfM11ANAekW0s= +github.com/aws/aws-sdk-go-v2/service/s3 v1.54.3/go.mod h1:739CllldowZiPPsDFcJHNF4FXrVxaSGVnZ9Ez9Iz9hc= github.com/aws/aws-sdk-go-v2/service/s3control v1.44.4 h1:9QdyZyzWTzZxr3uvVMVgN8R/h1gKCQ5TfcaTkqg4Cog= github.com/aws/aws-sdk-go-v2/service/s3control v1.44.4/go.mod h1:xywJi2/waU8+fglbs5ASVHKr5y7OAYsEBOyQwgQgTIc= github.com/aws/aws-sdk-go-v2/service/sagemaker v1.135.0 h1:xr65PMo/RO3CDaYz2/U4W+cadzWzB+2b7AW7em3OHos= @@ -457,12 +481,18 @@ github.com/aws/aws-sdk-go-v2/service/ssmincidents v1.30.4 h1:FctT4NUwB7L4EvS5OBT github.com/aws/aws-sdk-go-v2/service/ssmincidents v1.30.4/go.mod h1:xgj+QUtfv/DrfdZq1cGt0wlEX6om1oh/NHB+PClQbWs= github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 h1:aD7AGQhvPuAxlSUfo0CWU7s6FpkbyykMhGYMvlqTjVs= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.9/go.mod h1:c1qtZUWtygI6ZdvKppzCSXsDOq5I4luJPZ0Ud3juFCA= github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.25.5 h1:hvgJmR5q+yIlYrzQPL/8I1kM+FsqycTmMe4XMoQ+RP0= github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.25.5/go.mod h1:GZij+X8ngo9syeLTjVVfJKVDe+8qIB5D5TDTH0L8gEM= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 h1:Pav5q3cA260Zqez42T9UhIlsd9QeypszRPwC9LdSSsQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3/go.mod h1:9lmoVDVLz/yUZwLaQ676TK02fhCu4+PgRSmMaKR1ozk= github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 h1:69tpbPED7jKPyzMcrwSvhWcJ9bPnZsZs18NT40JwM0g= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.10/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws= github.com/aws/aws-sdk-go-v2/service/support v1.21.4 h1:LGPzkSN77fiJKxfQF5AGT1gbKMmdtESl1ij+JpSDED0= github.com/aws/aws-sdk-go-v2/service/support v1.21.4/go.mod h1:3aB5W1UW7c5z86tENabIcgkWNF58VE8FqU6F329xfAs= github.com/aws/aws-sdk-go-v2/service/transfer v1.45.0 h1:t8j8kiVkaRtffvv3rhu4dZD4MZgzNDkVa6x3kO4yhmk=