diff --git a/go.mod b/go.mod
index a42f7b8f48..cdcec5a25e 100644
--- a/go.mod
+++ b/go.mod
@@ -7,24 +7,24 @@ go 1.25.1
 require (
 github.com/Masterminds/semver/v3 v3.4.0
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2
- github.com/aws/aws-sdk-go-v2 v1.41.2
+ github.com/aws/aws-sdk-go-v2 v1.41.3
 github.com/aws/aws-sdk-go-v2/config v1.32.7
 github.com/aws/aws-sdk-go-v2/credentials v1.19.7
- github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.1
- github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.6
- github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.6
- github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.2
+ github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.2
+ github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.7
+ github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.7
+ github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.64.0
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.291.0
- github.com/aws/aws-sdk-go-v2/service/eks v1.80.1
- github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.20
- github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.7
- github.com/aws/aws-sdk-go-v2/service/iam v1.53.3
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0
+ github.com/aws/aws-sdk-go-v2/service/eks v1.80.2
+ github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.21
+ github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.8
+ github.com/aws/aws-sdk-go-v2/service/iam v1.53.4
 github.com/aws/aws-sdk-go-v2/service/kms v1.47.1
- github.com/aws/aws-sdk-go-v2/service/outposts v1.57.12
- github.com/aws/aws-sdk-go-v2/service/ssm v1.68.1
+ github.com/aws/aws-sdk-go-v2/service/outposts v1.57.13
+ github.com/aws/aws-sdk-go-v2/service/ssm v1.68.2
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
- github.com/aws/smithy-go v1.24.1
+ github.com/aws/smithy-go v1.24.2
 github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20260213141146-147b13ea3f4a
 github.com/benjamintf1/unmarshalledmatchers v1.0.0
 github.com/blang/semver/v4 v4.0.0
@@ -134,16 +134,16 @@ require (
 github.com/ashanbrown/forbidigo/v2 v2.3.0 // indirect
 github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
 github.com/atotto/clipboard v0.1.4 // indirect
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5 // indirect
+ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 // indirect
 github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 // indirect
 github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3 // indirect
 github.com/aws/aws-sdk-go-v2/service/route53 v1.52.2 // indirect
diff --git a/go.sum b/go.sum
index a97603660e..9107fb3dc3 100644
--- a/go.sum
+++ b/go.sum
@@ -108,58 +108,58 @@ github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI= github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2 h1:F8GBspJo+RmR4rYyw75XywEEQHQxBbF7QYKaMMnYREc= github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2/go.mod h1:wdlMRtz9G4IO6H1yZPsqfGBxR8E6B/bdxHlGkls4kGQ= -github.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls= -github.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5 h1:zWFmPmgw4sveAYi1mRqG+E/g0461cJ5M4bJ8/nc6d3Q= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5/go.mod h1:nVUlMLVV8ycXSb7mSkcNu9e3v/1TJq2RTlrPwhYWr5c= +github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA= +github.com/aws/aws-sdk-go-v2 v1.41.3/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 h1:N4lRUXZpZ1KVEUn6hxtco/1d2lgYhNn1fHkkl8WhlyQ= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI= github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY= github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY= github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8= github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 h1:F43zk1vemYIqPAwhjTjYIz0irU2EY7sOb/F5eJ3HuyM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18/go.mod 
h1:w1jdlZXrGKaJcNoL+Nnrj+k5wlpGXqnNrKoP22HvAug= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 h1:xCeWVjj0ki0l3nruoyP2slHsGArMxeiiaoPN5QZH6YQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18/go.mod h1:r/eLGuGCBw6l36ZRWiw6PaZwPXb6YOj+i/7MizNl5/k= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19 h1:/sECfyq2JTifMI2JPyZ4bdRN77zJmr6SrS1eL3augIA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19/go.mod h1:dMf8A5oAqr9/oxOfLkC/c2LU/uMcALP0Rgn2BD5LWn0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19 h1:AWeJMk33GTBf6J20XJe6qZoRSJo0WfUhsMdUKhoODXE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19/go.mod h1:+GWrYoaAsV7/4pNHpwh1kiNLXkKaSoppxQq9lbH8Ejw= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 h1:ITi7qiDSv/mSGDSWNpZ4k4Ve0DQR6Ug2SJQ8zEHoDXg= github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14/go.mod h1:k1xtME53H1b6YpZt74YmwlONMWf4ecM+lut1WQLAF/U= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.1 h1:3eD5+Hg+h7XTwmix7vWf5oSIBp/1+KWync+JVsgfWsg= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.1/go.mod h1:c7Rb5WS2TW1nY+Mz60fPTdMAdkpZWCIzHz7HrNdKft8= -github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.6 h1:3Rzut9v4ULIX3kjA6w3/Zaq2g8wBx6qJXB4BhQhIgjs= -github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.6/go.mod h1:skaILkh1I1KNecsZHyNL4c6hdHop7apjt6YzAhezMkc= -github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.6 h1:I/7eKwGn6VLi+Uj0evnV9ivdck2DG0GFNzhRJtBGt4U= -github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.6/go.mod h1:KD0ez/ci26xygH+Cd8KdrAQN0BsTDhLmwnpZH7CzZQY= -github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.2 h1:9Zc/otv2WzK7gbhXIbDfzV5aWUoaFDV7WHPcpvp4B8o= -github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.2/go.mod 
h1:dvfInk3WN/sz8is2m5iN5EFYQzIXcQLaT2UnauE8uL4= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.2 h1:pzFtdV2DArJul6aM3+WiWjUQ63IzrSnSbvBr8FAokt4= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.2/go.mod h1:8xQlcle6cf4R66HrXbiahORXakWpLlvJXoiGae5BlIc= +github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.7 h1:QkM9aGnVnXrXpxXJMu7GO+E/eho+RfItwDp71aPa79o= +github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.7/go.mod h1:XluvzGQyrIEHZQOYM7QuO+ViUk3wPXF0VsI5+fum67s= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.7 h1:yd6F0NesTmsJVOCINfKXBcGXx9J7k4hZQU/njcUlC7w= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.7/go.mod h1:t6XfFh0GZGngXjAlsmFedoylELOo9t/XetRCeTEfZEc= +github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.64.0 h1:6QLwTAIR2z3QmYxuHM8nfZkW/C/qn4cvhesHIE98/CE= +github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.64.0/go.mod h1:RCkMRCGlsyFwF9Accj7GsHQFCIR9s8iRbv4LPYOT9wY= github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7 h1:1LPBlVrceFenrbWOZBGu8KTmX8TTMpZfRxX0HCnSjz0= github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7/go.mod h1:l8KDrD4EZQwTuM69YK3LFZ4c9VbNHrzaQJjJsoIFqfo= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.291.0 h1:E0/zdPeHKCpXVRAImhnHJYgpfZnTCjnr6i75gZIhwHs= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.291.0/go.mod h1:2dMnUs1QzlGzsm46i9oBHAxVHQp7b6qF7PljWcgVEVE= -github.com/aws/aws-sdk-go-v2/service/eks v1.80.1 h1:Aivj88+23MYkW/B507eqsnLHTMmj4A/Us2AxKz+PDkM= -github.com/aws/aws-sdk-go-v2/service/eks v1.80.1/go.mod h1:p30UgulgoiPvwWGGfVeiaCbOzD1PTObBVYn6MmCPHVg= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.20 h1:kHQywC96ZviLmJJmgWKm6NTGX1BR3hEv52Gl82ik0i0= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.20/go.mod h1:bsLJBZhd8V2OqgNFn61nVh6PTluA4JZh+/DIneIntw4= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.7 h1:txeoy+BxL/Xef6Cl8zAq4ZewY7c+KnQ3gPSMSTTkTt4= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 
v1.54.7/go.mod h1:tv2v97S1V5kkp/1vneSYad5Cnrbo+4vfiNNAKCWNKIk= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0 h1:776KnBqePBBR6zEDi0bUIHXzUBOISa2WgAKEgckUF8M= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0/go.mod h1:rB577GvkmJADVOFGY8/j9sPv/ewcsEtQNsd9Lrn7Zx0= +github.com/aws/aws-sdk-go-v2/service/eks v1.80.2 h1:+FLU7+D9AW9ZMQIg4YjIN/nTJV0A2TIB2f+ovZXqAdU= +github.com/aws/aws-sdk-go-v2/service/eks v1.80.2/go.mod h1:nx52u/3RVDWkOcrAchYgt7CXkrd03A6Gvzi0trtMFjQ= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.21 h1:VriOdPKF8YrkMpnT76ZwA2LXk5aBInOfuzN14QGTOJc= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.21/go.mod h1:sp4Mz5YUnYCvIkGNEcdEPp+DuHqquEZYXyIuKXuHzig= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.8 h1:xUwbqWhKASQsigeQfeBjhbm6dAP1EeTulHnNSYv5Xfc= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.8/go.mod h1:sQoz/dTooY3kCkNNGxVLTS7EacLA0qXUaK4BkpMjGOc= github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3 h1:T6L7fsONflMeXuvsT8qZ247hA8ShBB0jF9yUEhW4JqI= github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3/go.mod h1:sIrUII6Z+hAVAgcpmsc2e9HvEr++m/v8aBPT7s4ZYUk= -github.com/aws/aws-sdk-go-v2/service/iam v1.53.3 h1:boKZv8dNdHznhAA68hb/dqFz5pxoWmRAOJr9LtscVCI= -github.com/aws/aws-sdk-go-v2/service/iam v1.53.3/go.mod h1:E0QHh3aEwxYb7xshjvxYDELiOda7KBYJ77e/TvGhpcM= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 h1:CeY9LUdur+Dxoeldqoun6y4WtJ3RQtzk0JMP2gfUay0= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5/go.mod h1:AZLZf2fMaahW5s/wMRciu1sYbdsikT/UHwbUjOdEVTc= +github.com/aws/aws-sdk-go-v2/service/iam v1.53.4 h1:FUWGS7m97SYL0bk9Kb+Q4bVpcSrKOHNiIbEXIRFTRW4= +github.com/aws/aws-sdk-go-v2/service/iam v1.53.4/go.mod h1:seDE466zJ4haVuAVcRk+yIH4DWb3s6cqt3Od8GxnGAA= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 h1:XAq62tBTJP/85lFD5oqOOe7YYgWxY9LvWq8plyDvDVg= 
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 h1:Hjkh7kE6D81PgrHlE/m9gx+4TyyeLHuY8xJs7yXN5C4= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5/go.mod h1:nPRXgyCfAurhyaTMoBMwRBYBhaHI4lNPAnJmjM0Tslc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 h1:LTRCYFlnnKFlKsyIQxKhJuDuA3ZkrDQMRYm6rXiHlLY= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18/go.mod h1:XhwkgGG6bHSd00nO/mexWTcTjgd6PjuvWQMqSn2UaEk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 h1:X1Tow7suZk9UCJHE1Iw9GMZJJl0dAnKXXP1NaSDHwmw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19/go.mod h1:/rARO8psX+4sfjUQXp5LLifjUt8DuATZ31WptNJTyQA= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 h1:FzQE21lNtUor0Fb7QNgnEyiRCBlolLTX/Z1j65S7teM= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w= github.com/aws/aws-sdk-go-v2/service/kms v1.47.1 h1:6+C0RoGF4HJQALrsecOXN7cm/l5rgNHCw2xbcvFgpH4= github.com/aws/aws-sdk-go-v2/service/kms v1.47.1/go.mod h1:VJcNH6BLr+3VJwinRKdotLOMglHO8mIKlD3ea5c7hbw= -github.com/aws/aws-sdk-go-v2/service/outposts v1.57.12 h1:WKhrnkrXnuMunZlzyvCIuM8mP7hE3eW0vu+kkPQhnlY= -github.com/aws/aws-sdk-go-v2/service/outposts v1.57.12/go.mod h1:SzuukjKn9dAz2nrgRz2jXDeii4BEACa9jFzuVJKjalc= +github.com/aws/aws-sdk-go-v2/service/outposts v1.57.13 h1:WZtZkRXsNpCwgrUeE8+RP3UvfiSGMKvGS9WTlr5syE8= +github.com/aws/aws-sdk-go-v2/service/outposts v1.57.13/go.mod h1:gSKx2rXBosvBz74takE/Xux83pnSGqNaGrvu5paBesg= github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3 h1:vAv0hi3SWcc8cotkWRP4mPkmRbp/XqWKFyPW4Nwpzv0= github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3/go.mod h1:giTP9ufzBQJRB6bc7P30PO8s35hCp6au5uM70zkohU4= github.com/aws/aws-sdk-go-v2/service/route53 v1.52.2 
h1:dXHWVVPx2W2fq2PTugj8QXpJ0YTRAGx0KLPKhMBmcsY= 
@@ -170,16 +170,16 @@ github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4 github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M= github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8 h1:80dpSqWMwx2dAm30Ib7J6ucz1ZHfiv5OCRwN/EnCOXQ= github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8/go.mod h1:IzNt/udsXlETCdvBOL0nmyMe2t9cGmXmZgsdoZGYYhI= -github.com/aws/aws-sdk-go-v2/service/ssm v1.68.1 h1:kDgdZuYBWSsh3U/jZOXwcqfX6UsSzFcmtgKx7C0c5/E= -github.com/aws/aws-sdk-go-v2/service/ssm v1.68.1/go.mod h1:xyao5chroDlX/9q/rKBxRKZPv9NdG5Pm9W5zS+wQJ84= +github.com/aws/aws-sdk-go-v2/service/ssm v1.68.2 h1:idKv7B7NjmTDd05YHQYMMEFNeD0rWxs/kVX4lsjEiDo= +github.com/aws/aws-sdk-go-v2/service/ssm v1.68.2/go.mod h1:1NiL45h4A60CO/hu/UdNyG5AD3VEsdpaQx1l5KtpurA= github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk= github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo= github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ= github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ= -github.com/aws/smithy-go v1.24.1 h1:VbyeNfmYkWoxMVpGUAbQumkODcYmfMRfZ8yQiH30SK0= -github.com/aws/smithy-go v1.24.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= +github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng= +github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20260213141146-147b13ea3f4a h1:xGY9gNZ4pGlqZti3DlsR8WiHz9sjjfaofG0KH0UgAhg= github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20260213141146-147b13ea3f4a/go.mod 
h1:JndTvVCUQsR9TiNZ6g9J5V2LGQkuhhgUGuxzWhNZLA0= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= diff --git a/pkg/actions/addon/mocks/IAMRoleCreator.go b/pkg/actions/addon/mocks/IAMRoleCreator.go index 2c8e6b7a0e..6c9864d8ce 100644 --- a/pkg/actions/addon/mocks/IAMRoleCreator.go +++ b/pkg/actions/addon/mocks/IAMRoleCreator.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/addon/mocks/IAMRoleUpdater.go b/pkg/actions/addon/mocks/IAMRoleUpdater.go index 81dd57dd6e..4c537b5392 100644 --- a/pkg/actions/addon/mocks/IAMRoleUpdater.go +++ b/pkg/actions/addon/mocks/IAMRoleUpdater.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/addon/mocks/PodIdentityIAMUpdater.go b/pkg/actions/addon/mocks/PodIdentityIAMUpdater.go index 91d838a995..95e253e587 100644 --- a/pkg/actions/addon/mocks/PodIdentityIAMUpdater.go +++ b/pkg/actions/addon/mocks/PodIdentityIAMUpdater.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/automode/mocks/cluster_role_manager.go b/pkg/actions/automode/mocks/cluster_role_manager.go index a0df9b6276..38828c73cb 100644 --- a/pkg/actions/automode/mocks/cluster_role_manager.go +++ b/pkg/actions/automode/mocks/cluster_role_manager.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/automode/mocks/node_group_drainer.go b/pkg/actions/automode/mocks/node_group_drainer.go index acfab670f3..66562f11db 100644 --- a/pkg/actions/automode/mocks/node_group_drainer.go +++ b/pkg/actions/automode/mocks/node_group_drainer.go 
@@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/automode/mocks/role_manager.go b/pkg/actions/automode/mocks/role_manager.go index 90a852dc8e..99929f5784 100644 --- a/pkg/actions/automode/mocks/role_manager.go +++ b/pkg/actions/automode/mocks/role_manager.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/capability/mocks/creator_interface.go b/pkg/actions/capability/mocks/creator_interface.go index 7334efd594..e9e06c2203 100644 --- a/pkg/actions/capability/mocks/creator_interface.go +++ b/pkg/actions/capability/mocks/creator_interface.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/capability/mocks/getter_interface.go b/pkg/actions/capability/mocks/getter_interface.go index f983771cc9..504a40f82f 100644 --- a/pkg/actions/capability/mocks/getter_interface.go +++ b/pkg/actions/capability/mocks/getter_interface.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/capability/mocks/remover_interface.go b/pkg/actions/capability/mocks/remover_interface.go index b18dec9711..53be79b4b9 100644 --- a/pkg/actions/capability/mocks/remover_interface.go +++ b/pkg/actions/capability/mocks/remover_interface.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/capability/mocks/stack_creator.go b/pkg/actions/capability/mocks/stack_creator.go index 021967fa3e..6eec84948d 100644 --- a/pkg/actions/capability/mocks/stack_creator.go +++ b/pkg/actions/capability/mocks/stack_creator.go 
@@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/capability/mocks/stack_remover.go b/pkg/actions/capability/mocks/stack_remover.go index c9ac575107..1bf185debd 100644 --- a/pkg/actions/capability/mocks/stack_remover.go +++ b/pkg/actions/capability/mocks/stack_remover.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/cluster/mocks/auto_mode_deleter.go b/pkg/actions/cluster/mocks/auto_mode_deleter.go index 92f2aa809c..392f23c71f 100644 --- a/pkg/actions/cluster/mocks/auto_mode_deleter.go +++ b/pkg/actions/cluster/mocks/auto_mode_deleter.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/podidentityassociation/mocks/RoleMigrator.go b/pkg/actions/podidentityassociation/mocks/RoleMigrator.go index ea62281103..c82ed79599 100644 --- a/pkg/actions/podidentityassociation/mocks/RoleMigrator.go +++ b/pkg/actions/podidentityassociation/mocks/RoleMigrator.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/actions/podidentityassociation/mocks/StackDeleter.go b/pkg/actions/podidentityassociation/mocks/StackDeleter.go index 614f640ac5..e2dae64637 100644 --- a/pkg/actions/podidentityassociation/mocks/StackDeleter.go +++ b/pkg/actions/podidentityassociation/mocks/StackDeleter.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json index 5bad31ad0a..895b8450d5 100755 --- a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json 
+++ b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -2865,6 +2865,9 @@
 },
 "type": "array"
 },
+ "permissionPolicyName": {
+ "type": "string"
+ },
 "permissionsBoundaryARN": {
 "type": "string"
 },
@@ -2906,6 +2909,7 @@
 "roleName",
 "permissionsBoundaryARN",
 "permissionPolicyARNs",
+ "permissionPolicyName",
 "permissionPolicy",
 "wellKnownPolicies",
 "tags",
diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
index eb63036e61..5028e25d9c 100644
--- a/pkg/apis/eksctl.io/v1alpha5/iam.go
+++ b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -192,6 +192,9 @@ type PodIdentityAssociation struct {
 // +optional
 PermissionPolicyARNs []string `json:"permissionPolicyARNs,omitempty"`
+ // +optional
+ PermissionPolicyName string `json:"permissionPolicyName,omitempty"`
+
 // +optional
 PermissionPolicy InlineDocument `json:"permissionPolicy,omitempty"`
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index b6cf69653f..bb9eadb1b1 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -186,6 +186,12 @@ func ValidateClusterConfig(cfg *ClusterConfig) error {
 }
 }
+ for i := range cfg.IAM.PodIdentityAssociations {
+ if err := validatePermissionPolicyName(&cfg.IAM.PodIdentityAssociations[i]); err != nil {
+ return fmt.Errorf("iam.podIdentityAssociations[%d]: %w", i, err)
+ }
+ }
+
 if err := cfg.validateKubernetesNetworkConfig(); err != nil {
 return err
 }
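Review bot: `PermissionPolicyName` is added to `PodIdentityAssociation` with only the `// +optional` marker, so the field has no doc comment saying what it names or that validation rejects it unless `permissionPolicy` is also set. I would put a comment above the marker, for example `// PermissionPolicyName is the name given to the policy created from PermissionPolicy; it is only valid when PermissionPolicy is set.` How the name is consumed is not visible in this diff, so the first half of that wording should be checked against the code that uses it. The struct definition starts and ends outside the hunk.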
@@ -1832,19 +1838,43 @@ func validateIAMIdentityMappings(clusterConfig *ClusterConfig) error {
 return nil
 }
+func validatePermissionPolicyName(pia *PodIdentityAssociation) error {
+ if pia.PermissionPolicyName == "" {
+ return nil
+ }
+ if len(pia.PermissionPolicy) == 0 {
+ return fmt.Errorf("permissionPolicyName requires permissionPolicy to be set")
+ }
+ hasAlphanumeric := false
+ for _, r := range pia.PermissionPolicyName {
+ if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
+ hasAlphanumeric = true
+ break
+ }
+ }
+ if !hasAlphanumeric {
+ return fmt.Errorf("permissionPolicyName %q must contain at least one alphanumeric character", pia.PermissionPolicyName)
+ }
+ return nil
+}
+
 func validateAddonPodIdentityAssociations(addons []*Addon) error {
 for _, addon := range addons {
 makeAddonErr := func(msg string) error {
 return fmt.Errorf("%s (addon: %s)", msg, addon.Name)
 }
 if addon.PodIdentityAssociations != nil {
- for _, pia := range *addon.PodIdentityAssociations {
+ for i := range *addon.PodIdentityAssociations {
+ pia := &(*addon.PodIdentityAssociations)[i]
 if pia.WellKnownPolicies.HasPolicy() {
 return makeAddonErr("wellKnownPolicies is not supported for addon.podIdentityAssociations; use addon.useDefaultPodIdentityAssociations instead")
 }
 if pia.Tags != nil {
 return makeAddonErr("tags is not supported for addon.podIdentityAssociations")
 }
+ if err := validatePermissionPolicyName(pia); err != nil {
+ return makeAddonErr(err.Error())
+ }
 }
 }
 if addon.UseDefaultPodIdentityAssociations {
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation_test.go b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
index 27e235099b..7c36c1cd57 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
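Review bot: `validatePermissionPolicyName` accepts any string that holds a single ASCII letter or digit, so a config value containing spaces, slashes or control characters, or one of unbounded length, passes validation here. If the name is later used as an IAM policy name (the consumer is outside this diff), IAM accepts only `[\w+=,.@-]` and at most 128 characters, so such a value would surface only as a late API or CloudFormation failure instead of a clear config error. I would reject it up front with an anchored pattern compiled once at package scope, `^[\w+=,.@-]{1,128}$`, and keep the existing at-least-one-alphanumeric check after it. Separately, `makeAddonErr(err.Error())` in `validateAddonPodIdentityAssociations` flattens the error to a string, whereas the `%w` wrap in `ValidateClusterConfig` keeps the chain; that function's body continues outside the hunk.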
@@ -2788,6 +2788,76 @@ var _ = Describe("ClusterConfig validation", func() {
 ServiceAccountRoleARN: "role-1",
 },
 }, ""),
+ Entry("permissionPolicyName without permissionPolicy", []*api.Addon{
+ {
+ Name: api.VPCCNIAddon,
+ PodIdentityAssociations: &[]api.PodIdentityAssociation{
+ {
+ ServiceAccountName: "aws-node",
+ PermissionPolicyName: "my-policy",
+ },
+ },
+ },
+ }, "permissionPolicyName requires permissionPolicy to be set"),
+ Entry("permissionPolicyName with only special characters", []*api.Addon{
+ {
+ Name: api.VPCCNIAddon,
+ PodIdentityAssociations: &[]api.PodIdentityAssociation{
+ {
+ ServiceAccountName: "aws-node",
+ PermissionPolicyName: "---!!!",
+ PermissionPolicy: api.InlineDocument{"Version": "2012-10-17"},
+ },
+ },
+ },
+ }, `permissionPolicyName "---!!!" must contain at least one alphanumeric character`),
+ Entry("valid permissionPolicyName with permissionPolicy", []*api.Addon{
+ {
+ Name: api.VPCCNIAddon,
+ PodIdentityAssociations: &[]api.PodIdentityAssociation{
+ {
+ ServiceAccountName: "aws-node",
+ PermissionPolicyName: "my-policy",
+ PermissionPolicy: api.InlineDocument{"Version": "2012-10-17"},
+ },
+ },
+ },
+ }, ""),
+ )
+
+ DescribeTable("iam pod identity association permissionPolicyName", func(pias []api.PodIdentityAssociation, expectedErr string) {
+ clusterConfig := api.NewClusterConfig()
+ clusterConfig.IAM.PodIdentityAssociations = pias
+ err := api.ValidateClusterConfig(clusterConfig)
+ if expectedErr != "" {
+ Expect(err).To(MatchError(ContainSubstring(expectedErr)))
+ } else {
+ Expect(err).NotTo(HaveOccurred())
+ }
+ },
+ Entry("permissionPolicyName without permissionPolicy", []api.PodIdentityAssociation{
+ {
+ Namespace: "kube-system",
+ ServiceAccountName: "aws-node",
+ PermissionPolicyName: "my-policy",
+ },
+ }, "permissionPolicyName requires permissionPolicy to be set"),
+ Entry("permissionPolicyName with only special characters", []api.PodIdentityAssociation{
+ {
+ Namespace: "kube-system",
+ ServiceAccountName:
"aws-node", + PermissionPolicyName: "---!!!", + PermissionPolicy: api.InlineDocument{"Version": "2012-10-17"}, + }, + }, `permissionPolicyName "---!!!" must contain at least one alphanumeric character`), + Entry("valid permissionPolicyName", []api.PodIdentityAssociation{ + { + Namespace: "kube-system", + ServiceAccountName: "aws-node", + PermissionPolicyName: "my-policy", + PermissionPolicy: api.InlineDocument{"Version": "2012-10-17"}, + }, + }, ""), ) }) diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go index 18bee64b01..89c5878a84 100644 --- a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go +++ b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go @@ -2406,6 +2406,11 @@ func (in *PodIdentityAssociation) DeepCopyInto(out *PodIdentityAssociation) { *out = new(bool) **out = **in } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } return } diff --git a/pkg/automode/mocks/stack_creator.go b/pkg/automode/mocks/stack_creator.go index a5ba0791e0..2a7356fdbd 100644 --- a/pkg/automode/mocks/stack_creator.go +++ b/pkg/automode/mocks/stack_creator.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/automode/mocks/stack_deleter.go b/pkg/automode/mocks/stack_deleter.go index f0588fa9c7..0491b9219a 100644 --- a/pkg/automode/mocks/stack_deleter.go +++ b/pkg/automode/mocks/stack_deleter.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/awsapi/cloudwatchlogs.go b/pkg/awsapi/cloudwatchlogs.go index d9baaab20d..af746f1636 100644 --- a/pkg/awsapi/cloudwatchlogs.go +++ b/pkg/awsapi/cloudwatchlogs.go 
@@ -179,9 +179,10 @@ type CloudWatchLogs interface { // // - logs:PutResourcePolicy // - // - (If source has an associated AWS KMS Key) kms:Decrypt + // - (If source has an associated Amazon Web Services KMS Key) kms:Decrypt // - // - (If source has an associated AWS KMS Key) kms:GenerateDataKey + // - (If source has an associated Amazon Web Services KMS Key) + // kms:GenerateDataKey // // Example IAM policy for provided import role: // @@ -760,6 +761,15 @@ type CloudWatchLogs interface { // original JSON structure where the large field was located. For example, this // could be @ptr.$['input']['message'] , @ptr.$['AAA']['BBB']['CCC']['DDD'] , // @ptr.$['AAA'] , or any other path matching your log structure. + // + // The GetLogObject API routes requests using SDK host prefix injection. SDK + // versions released before April 1, 2026 route to + // streaming-logs.Region.amazonaws.com , which does not support VPC endpoints. SDK + // versions released on or after April 1, 2026 route to + // stream-logs.Region.amazonaws.com , which supports VPC endpoints. To set up a VPC + // endpoint for this API, see [Creating a VPC endpoint for CloudWatch Logs]. + // + // [Creating a VPC endpoint for CloudWatch Logs]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html#create-VPC-endpoint-for-CloudWatchLogs GetLogObject(ctx context.Context, params *cloudwatchlogs.GetLogObjectInput, optFns ...func(*Options)) (*cloudwatchlogs.GetLogObjectOutput, error) // Retrieves all of the fields and values of a single log event. All fields are // retrieved, even if the original query that produced the logRecordPointer 
@@ -1161,11 +1171,11 @@ type CloudWatchLogs interface { // When a policy disables EMF metric creation for a log group, log events in the // EMF format are still ingested, but no CloudWatch Metrics are created from them. // - // Creating a policy disables metrics for AWS features that use EMF to create - // metrics, such as CloudWatch Container Insights and CloudWatch Application - // Signals. To prevent turning off those features by accident, we recommend that - // you exclude the underlying log-groups through a selection-criteria such as - // LogGroupNamePrefix NOT IN ["/aws/containerinsights", + // Creating a policy disables metrics for Amazon Web Services features that use + // EMF to create metrics, such as CloudWatch Container Insights and CloudWatch + // Application Signals. To prevent turning off those features by accident, we + // recommend that you exclude the underlying log-groups through a + // selection-criteria such as LogGroupNamePrefix NOT IN ["/aws/containerinsights", // "/aws/ecs/containerinsights", "/aws/application-signals/data"] . // // Each account can have either one account-level metric extraction policy that 
@@ -1218,6 +1228,14 @@ type CloudWatchLogs interface { // [Use facets to group and explore logs]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Facets.html // [Create field indexes to improve query performance and reduce costs]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Field-Indexing.html PutAccountPolicy(ctx context.Context, params *cloudwatchlogs.PutAccountPolicyInput, optFns ...func(*Options)) (*cloudwatchlogs.PutAccountPolicyOutput, error) + // Enables or disables bearer token authentication for the specified log group. + // When enabled on a log group, bearer token authentication is enabled on + // operations until it is explicitly disabled. + // + // For information about the parameters that are common to all actions, see [Common Parameters]. + // + // [Common Parameters]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/CommonParameters.html + PutBearerTokenAuthentication(ctx context.Context, params *cloudwatchlogs.PutBearerTokenAuthenticationInput, optFns ...func(*Options)) (*cloudwatchlogs.PutBearerTokenAuthenticationOutput, error) // Creates a data protection policy for the specified log group. A data protection // policy can help safeguard sensitive data that's ingested by the log group by // auditing and masking the sensitive log data. 
@@ -1715,9 +1733,12 @@ type CloudWatchLogs interface { // - A [SessionTimeoutException]object is returned when the session times out, after it has been kept // open for three hours. // - // The StartLiveTail API routes requests to streaming-logs.Region.amazonaws.com - // using SDK host prefix injection. VPC endpoint support is not available for this - // API. + // The StartLiveTail API routes requests using SDK host prefix injection. SDK + // versions released before April 1, 2026 route to + // streaming-logs.Region.amazonaws.com , which does not support VPC endpoints. SDK + // versions released on or after April 1, 2026 route to + // stream-logs.Region.amazonaws.com , which supports VPC endpoints. To set up a VPC + // endpoint for this API, see [Creating a VPC endpoint for CloudWatch Logs]. // // You can end a session before it times out by closing the session stream or by // closing the client that is receiving the stream. The session also ends if the @@ -1728,6 +1749,7 @@ type CloudWatchLogs interface { // [LiveTailSessionStart]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LiveTailSessionStart.html // [LiveTailSessionUpdate]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LiveTailSessionUpdate.html // [Use Live Tail to view logs in near real time]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html + // [Creating a VPC endpoint for CloudWatch Logs]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html#create-VPC-endpoint-for-CloudWatchLogs // [Start a Live Tail session using an Amazon Web Services SDK]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/example_cloudwatch-logs_StartLiveTail_section.html // // [SessionTimeoutException]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartLiveTailResponseStream.html#CWL-Type-StartLiveTailResponseStream-SessionTimeoutException 
diff --git a/pkg/awsapi/ec2.go b/pkg/awsapi/ec2.go index d712418275..1bc0783c39 100644 --- a/pkg/awsapi/ec2.go +++ b/pkg/awsapi/ec2.go @@ -1392,7 +1392,7 @@ type EC2 interface { // // [Route tables]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html CreateRouteTable(ctx context.Context, params *ec2.CreateRouteTableInput, optFns ...func(*Options)) (*ec2.CreateRouteTableOutput, error) - // Creates an Amazon secondary network. + // Creates a secondary network. // // The allowed size for a secondary network CIDR block is between /28 netmask (16 // IP addresses) and /12 netmask (1,048,576 IP addresses). diff --git a/pkg/awsapi/ssm.go b/pkg/awsapi/ssm.go index fb83b4bf0d..7276935312 100644 --- a/pkg/awsapi/ssm.go +++ b/pkg/awsapi/ssm.go @@ -671,10 +671,9 @@ type SSM interface { // patches, or custom compliance types according to the filter criteria that you // specify. ListComplianceSummaries(ctx context.Context, params *ssm.ListComplianceSummariesInput, optFns ...func(*Options)) (*ssm.ListComplianceSummariesOutput, error) - // Amazon Web Services Systems Manager Change Manager will no longer be open to - // new customers starting November 7, 2025. If you would like to use Change - // Manager, sign up prior to that date. Existing customers can continue to use the - // service as normal. For more information, see [Amazon Web Services Systems Manager Change Manager availability change]. + // Amazon Web Services Systems Manager Change Manager is no longer open to new + // customers. Existing customers can continue to use the service as normal. For + // more information, see [Amazon Web Services Systems Manager Change Manager availability change]. // // Information about approval reviews for a version of a change template in Change // Manager. 
@@ -882,10 +881,9 @@ type SSM interface { StartAssociationsOnce(ctx context.Context, params *ssm.StartAssociationsOnceInput, optFns ...func(*Options)) (*ssm.StartAssociationsOnceOutput, error) // Initiates execution of an Automation runbook. StartAutomationExecution(ctx context.Context, params *ssm.StartAutomationExecutionInput, optFns ...func(*Options)) (*ssm.StartAutomationExecutionOutput, error) - // Amazon Web Services Systems Manager Change Manager will no longer be open to - // new customers starting November 7, 2025. If you would like to use Change - // Manager, sign up prior to that date. Existing customers can continue to use the - // service as normal. For more information, see [Amazon Web Services Systems Manager Change Manager availability change]. + // Amazon Web Services Systems Manager Change Manager is no longer open to new + // customers. Existing customers can continue to use the service as normal. For + // more information, see [Amazon Web Services Systems Manager Change Manager availability change]. // // Creates a change request for Change Manager. The Automation runbooks specified // in the change request run only after all required approvals for the change 
@@ -959,10 +957,9 @@ type SSM interface { // Manager immediately runs the association unless you previously specifed the // apply-only-at-cron-interval parameter. UpdateDocumentDefaultVersion(ctx context.Context, params *ssm.UpdateDocumentDefaultVersionInput, optFns ...func(*Options)) (*ssm.UpdateDocumentDefaultVersionOutput, error) - // Amazon Web Services Systems Manager Change Manager will no longer be open to - // new customers starting November 7, 2025. If you would like to use Change - // Manager, sign up prior to that date. Existing customers can continue to use the - // service as normal. For more information, see [Amazon Web Services Systems Manager Change Manager availability change]. + // Amazon Web Services Systems Manager Change Manager is no longer open to new + // customers. Existing customers can continue to use the service as normal. For + // more information, see [Amazon Web Services Systems Manager Change Manager availability change]. // // Updates information related to approval reviews for a specific version of a // change template in Change Manager.
diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
index 8287df7f8e..df96bf14f5 100644
--- a/pkg/cfn/builder/iam.go
+++ b/pkg/cfn/builder/iam.go
@@ -339,6 +339,7 @@ func NewIAMRoleResourceSetForServiceAccount(spec *api.ClusterIAMServiceAccount,
 template: cft.NewTemplate(),
 attachPolicy: spec.AttachPolicy,
 attachPolicyARNs: spec.AttachPolicyARNs,
+ attachPolicyName: "Policy1",
 serviceAccount: spec.Name,
 namespace: spec.Namespace,
 wellKnownPolicies: spec.WellKnownPolicies,
@@ -361,10 +362,16 @@ func NewIAMRoleResourceSetForServiceAccount(spec *api.ClusterIAMServiceAccount,
 }
 func NewIAMRoleResourceSetForPodIdentity(spec *api.PodIdentityAssociation) *IAMRoleResourceSet {
+ attachPolicyName := "Policy1"
+ if spec.PermissionPolicyName != "" {
+ attachPolicyName = spec.PermissionPolicyName
+ }
+
 return &IAMRoleResourceSet{
 template: cft.NewTemplate(),
 attachPolicy: spec.PermissionPolicy,
 attachPolicyARNs: spec.PermissionPolicyARNs,
+ attachPolicyName: attachPolicyName,
 serviceAccount: spec.ServiceAccountName,
 namespace: spec.Namespace,
 wellKnownPolicies: spec.WellKnownPolicies,
@@ -386,6 +393,7 @@ func NewIAMRoleResourceSetForCapability(spec *api.Capability) *IAMRoleResourceSe
 template: cft.NewTemplate(),
 attachPolicy: spec.AttachPolicy,
 attachPolicyARNs: spec.AttachPolicyARNs,
+ attachPolicyName: "Policy1",
 description: fmt.Sprintf(
 "IAM role for capability %s %s",
 spec.Name,
@@ -421,6 +429,7 @@ type IAMRoleResourceSet struct {
 wellKnownPolicies api.WellKnownPolicies
 attachPolicyARNs []string
 attachPolicy api.InlineDocument
+ attachPolicyName string
 trustStatements []api.IAMStatement
 roleNameCollector func(string) error
 OutputRole string
@@ -452,6 +461,7 @@ func newIAMRoleResourceSet(name, namespace, serviceAccount, permissionsBoundary
 template: cft.NewTemplate(),
 attachPolicyARNs: attachPolicyARNs,
 attachPolicy: attachPolicy,
+ attachPolicyName: "Policy1",
 oidc: oidc,
 serviceAccount: serviceAccount,
 namespace: namespace,
@@ -512,7 +522,7 @@ func (rs *IAMRoleResourceSet) AddAllResources() error {
 })
 if len(rs.attachPolicy) != 0 {
- rs.template.AttachPolicy("Policy1", roleRef, rs.attachPolicy)
+ rs.template.AttachPolicy(rs.attachPolicyName, roleRef, rs.attachPolicy)
 }
 return nil
diff --git a/pkg/cfn/builder/iam_test.go b/pkg/cfn/builder/iam_test.go
index 2923163978..193cc4c347 100644
--- a/pkg/cfn/builder/iam_test.go
+++ b/pkg/cfn/builder/iam_test.go
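Review bot: The default name `"Policy1"` is now written out separately in each constructor touched here (NewIAMRoleResourceSetForPodIdentity, NewIAMRoleResourceSetForCapability, newIAMRoleResourceSet, and NewIAMRoleResourceSetForServiceAccount in the preceding hunk), so a later edit to one copy would silently diverge from the rest. A package-level `const defaultInlinePolicyName = "Policy1"` used in all of them would keep them aligned. In NewIAMRoleResourceSetForPodIdentity, `spec.PermissionPolicyName` is copied in as-is and is only consumed when `rs.attachPolicy` is non-empty (see the AddAllResources hunk), so a name supplied together with only `PermissionPolicyARNs` appears to be ignored without any error. Unless config validation outside this diff already rejects that combination, it deserves a check there or at least a doc comment on the field. The constructor bodies continue outside these hunks.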
@@ -454,6 +454,38 @@ var _ = Describe("template builder for IAM", func() {
 Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ "Fn::GetAtt": "Role1.Arn" }`))
 })
+
+ It("can construct an iamrole template for pod identity with a custom inline policy name", func() {
+ spec := &api.PodIdentityAssociation{
+ Namespace: "kube-system",
+ ServiceAccountName: "aws-node",
+ PermissionPolicyName: "PodIdentityPolicy",
+ PermissionPolicy: cft.MakePolicyDocument(
+ cft.MapOfInterfaces{
+ "Effect": "Allow",
+ "Action": []string{
+ "ec2:DescribeNetworkInterfaces",
+ },
+ "Resource": "*",
+ },
+ ),
+ }
+
+ rs := builder.NewIAMRoleResourceSetForPodIdentity(spec)
+
+ templateBody := []byte{}
+
+ Expect(rs).To(RenderWithoutErrors(&templateBody))
+
+ t := cft.NewTemplate()
+
+ Expect(t).To(LoadBytesWithoutErrors(templateBody))
+
+ Expect(t).To(HaveResource(outputs.IAMServiceAccountRoleName, "AWS::IAM::Role"))
+ Expect(t).To(HaveResource("PodIdentityPolicy", "AWS::IAM::Policy"))
+ Expect(t).NotTo(HaveResource("Policy1", "AWS::IAM::Policy"))
+ Expect(t).To(HaveResourceWithPropertyValue("PodIdentityPolicy", "PolicyName", `{ "Fn::Sub": "${AWS::StackName}-PodIdentityPolicy" }`))
+ })
 })
 })
diff --git a/pkg/cfn/manager/mocks/NodeGroupResourceSet.go b/pkg/cfn/manager/mocks/NodeGroupResourceSet.go index e12c690dd2..ed7e987c06 100644 --- a/pkg/cfn/manager/mocks/NodeGroupResourceSet.go +++ b/pkg/cfn/manager/mocks/NodeGroupResourceSet.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/cfn/manager/mocks/NodeGroupStackManager.go b/pkg/cfn/manager/mocks/NodeGroupStackManager.go index 1c6de80c63..e7bd23914e 100644 --- a/pkg/cfn/manager/mocks/NodeGroupStackManager.go +++ b/pkg/cfn/manager/mocks/NodeGroupStackManager.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks
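Review bot: The new spec only uses a name that is already alphanumeric (`PodIdentityPolicy`), so the sanitizing path this commit adds to AttachPolicy, where the logical ID and the rendered `PolicyName` differ, is never exercised. A second case with a constructed name such as `pod-identity.policy`, asserting `HaveResource("podidentitypolicy", "AWS::IAM::Policy")` together with the resulting `PolicyName`, would pin that behaviour. A case that leaves `PermissionPolicyName` empty and expects `Policy1` would also guard the default for existing configurations.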
diff --git a/pkg/cfn/template/iam_helpers.go b/pkg/cfn/template/iam_helpers.go
index 9be7d2c3f9..5e89e3c7be 100644
--- a/pkg/cfn/template/iam_helpers.go
+++ b/pkg/cfn/template/iam_helpers.go
@@ -1,6 +1,8 @@
 package template
 import (
+ "strings"
+
 gfn "github.com/weaveworks/eksctl/pkg/goformation/cloudformation/types"
 api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
@@ -8,13 +10,26 @@ import (
 // AttachPolicy attaches the specified policy document
 func (t *Template) AttachPolicy(name string, refRole *Value, policyDoc MapOfInterfaces) {
- t.NewResource(name, &IAMPolicy{
+ t.NewResource(sanitizeResourceName(name), &IAMPolicy{
 PolicyName: MakeName(name),
 Roles: MakeSlice(refRole),
 PolicyDocument: policyDoc,
 })
 }
+func sanitizeResourceName(name string) string {
+ var b strings.Builder
+ for _, r := range name {
+ if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
+ b.WriteRune(r)
+ }
+ }
+ if b.Len() == 0 {
+ return "Policy1"
+ }
+ return b.String()
+}
+
 // MakePolicyDocument constructs a policy with given statements
 func MakePolicyDocument(statements ...MapOfInterfaces) MapOfInterfaces {
 return MapOfInterfaces{
diff --git a/pkg/ctl/utils/mocks/VPCConfigUpdater.go b/pkg/ctl/utils/mocks/VPCConfigUpdater.go index aca231263c..8d55b1f548 100644 --- a/pkg/ctl/utils/mocks/VPCConfigUpdater.go +++ b/pkg/ctl/utils/mocks/VPCConfigUpdater.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/eks/mocks/KubeNodeGroup.go b/pkg/eks/mocks/KubeNodeGroup.go index 3655bc7846..c920aac3ea 100644 --- a/pkg/eks/mocks/KubeNodeGroup.go +++ b/pkg/eks/mocks/KubeNodeGroup.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocks diff --git a/pkg/eks/mocksv2/ASG.go b/pkg/eks/mocksv2/ASG.go index abad2f9c86..d0c8b7861b 100644 --- a/pkg/eks/mocksv2/ASG.go
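Review bot: In AttachPolicy only the logical ID passes through sanitizeResourceName, while `PolicyName: MakeName(name)` still receives the raw name, which the new test shows ends up inside an `Fn::Sub` string (`${AWS::StackName}-PodIdentityPolicy`). Now that the name can come from `PermissionPolicyName`, a value containing `${` or characters IAM does not allow in a policy name would surface only as a late CloudFormation failure or an unintended substitution, so it should be validated where the config is loaded (that code is outside this diff) instead of being rewritten here. sanitizeResourceName also drops characters silently, so two different names can map to the same logical ID and an all-symbol name quietly becomes `"Policy1"`. The helper has no doc comment; I would add `// sanitizeResourceName keeps only ASCII letters and digits, since CloudFormation logical IDs must be alphanumeric, and returns "Policy1" if nothing is left.`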
+++ b/pkg/eks/mocksv2/ASG.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/CloudFormation.go b/pkg/eks/mocksv2/CloudFormation.go index 61f51e1551..95543daac7 100644 --- a/pkg/eks/mocksv2/CloudFormation.go +++ b/pkg/eks/mocksv2/CloudFormation.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/CloudTrail.go b/pkg/eks/mocksv2/CloudTrail.go index ba7b4ff04c..54d1becf68 100644 --- a/pkg/eks/mocksv2/CloudTrail.go +++ b/pkg/eks/mocksv2/CloudTrail.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/CloudWatchLogs.go b/pkg/eks/mocksv2/CloudWatchLogs.go index 26790ebdc2..d4bc0c8ebb 100644 --- a/pkg/eks/mocksv2/CloudWatchLogs.go +++ b/pkg/eks/mocksv2/CloudWatchLogs.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 
@@ -5840,6 +5840,80 @@ func (_c *CloudWatchLogs_PutAccountPolicy_Call) RunAndReturn(run func(context.Co return _c } +// PutBearerTokenAuthentication provides a mock function with given fields: ctx, params, optFns +func (_m *CloudWatchLogs) PutBearerTokenAuthentication(ctx context.Context, params *cloudwatchlogs.PutBearerTokenAuthenticationInput, optFns ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.PutBearerTokenAuthenticationOutput, error) { + _va := make([]interface{}, len(optFns)) + for _i := range optFns { + _va[_i] = optFns[_i] + } + var _ca []interface{} + _ca = append(_ca, ctx, params) + _ca = append(_ca, _va...) + ret := _m.Called(_ca...) + + if len(ret) == 0 { + panic("no return value specified for PutBearerTokenAuthentication") + } + + var r0 *cloudwatchlogs.PutBearerTokenAuthenticationOutput + var r1 error + if rf, ok := ret.Get(0).(func(context.Context, *cloudwatchlogs.PutBearerTokenAuthenticationInput, ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.PutBearerTokenAuthenticationOutput, error)); ok { + return rf(ctx, params, optFns...) + } + if rf, ok := ret.Get(0).(func(context.Context, *cloudwatchlogs.PutBearerTokenAuthenticationInput, ...func(*cloudwatchlogs.Options)) *cloudwatchlogs.PutBearerTokenAuthenticationOutput); ok { + r0 = rf(ctx, params, optFns...) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(*cloudwatchlogs.PutBearerTokenAuthenticationOutput) + } + } + + if rf, ok := ret.Get(1).(func(context.Context, *cloudwatchlogs.PutBearerTokenAuthenticationInput, ...func(*cloudwatchlogs.Options)) error); ok { + r1 = rf(ctx, params, optFns...) 
+ } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// CloudWatchLogs_PutBearerTokenAuthentication_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PutBearerTokenAuthentication' +type CloudWatchLogs_PutBearerTokenAuthentication_Call struct { + *mock.Call +} + +// PutBearerTokenAuthentication is a helper method to define mock.On call +// - ctx context.Context +// - params *cloudwatchlogs.PutBearerTokenAuthenticationInput +// - optFns ...func(*cloudwatchlogs.Options) +func (_e *CloudWatchLogs_Expecter) PutBearerTokenAuthentication(ctx interface{}, params interface{}, optFns ...interface{}) *CloudWatchLogs_PutBearerTokenAuthentication_Call { + return &CloudWatchLogs_PutBearerTokenAuthentication_Call{Call: _e.mock.On("PutBearerTokenAuthentication", + append([]interface{}{ctx, params}, optFns...)...)} +} + +func (_c *CloudWatchLogs_PutBearerTokenAuthentication_Call) Run(run func(ctx context.Context, params *cloudwatchlogs.PutBearerTokenAuthenticationInput, optFns ...func(*cloudwatchlogs.Options))) *CloudWatchLogs_PutBearerTokenAuthentication_Call { + _c.Call.Run(func(args mock.Arguments) { + variadicArgs := make([]func(*cloudwatchlogs.Options), len(args)-2) + for i, a := range args[2:] { + if a != nil { + variadicArgs[i] = a.(func(*cloudwatchlogs.Options)) + } + } + run(args[0].(context.Context), args[1].(*cloudwatchlogs.PutBearerTokenAuthenticationInput), variadicArgs...) 
+ }) + return _c +} + +func (_c *CloudWatchLogs_PutBearerTokenAuthentication_Call) Return(_a0 *cloudwatchlogs.PutBearerTokenAuthenticationOutput, _a1 error) *CloudWatchLogs_PutBearerTokenAuthentication_Call { + _c.Call.Return(_a0, _a1) + return _c +} + +func (_c *CloudWatchLogs_PutBearerTokenAuthentication_Call) RunAndReturn(run func(context.Context, *cloudwatchlogs.PutBearerTokenAuthenticationInput, ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.PutBearerTokenAuthenticationOutput, error)) *CloudWatchLogs_PutBearerTokenAuthentication_Call { + _c.Call.Return(run) + return _c +} + // PutDataProtectionPolicy provides a mock function with given fields: ctx, params, optFns func (_m *CloudWatchLogs) PutDataProtectionPolicy(ctx context.Context, params *cloudwatchlogs.PutDataProtectionPolicyInput, optFns ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.PutDataProtectionPolicyOutput, error) { _va := make([]interface{}, len(optFns)) diff --git a/pkg/eks/mocksv2/CredentialsProvider.go b/pkg/eks/mocksv2/CredentialsProvider.go index 8d8684708e..b969afc227 100644 --- a/pkg/eks/mocksv2/CredentialsProvider.go +++ b/pkg/eks/mocksv2/CredentialsProvider.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/EC2.go b/pkg/eks/mocksv2/EC2.go index 13f97757b7..3f667a50d7 100644 --- a/pkg/eks/mocksv2/EC2.go +++ b/pkg/eks/mocksv2/EC2.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/EKS.go b/pkg/eks/mocksv2/EKS.go index d050a1f9d7..2d846d963d 100644 --- a/pkg/eks/mocksv2/EKS.go +++ b/pkg/eks/mocksv2/EKS.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/ELB.go b/pkg/eks/mocksv2/ELB.go index d739a6add9..f78be539dd 100644 
--- a/pkg/eks/mocksv2/ELB.go +++ b/pkg/eks/mocksv2/ELB.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/ELBV2.go b/pkg/eks/mocksv2/ELBV2.go index 0f5aabb16e..c220bb92c3 100644 --- a/pkg/eks/mocksv2/ELBV2.go +++ b/pkg/eks/mocksv2/ELBV2.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/IAM.go b/pkg/eks/mocksv2/IAM.go index 6491782a40..583cd13039 100644 --- a/pkg/eks/mocksv2/IAM.go +++ b/pkg/eks/mocksv2/IAM.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/Outposts.go b/pkg/eks/mocksv2/Outposts.go index 373a944731..f135809083 100644 --- a/pkg/eks/mocksv2/Outposts.go +++ b/pkg/eks/mocksv2/Outposts.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/SSM.go b/pkg/eks/mocksv2/SSM.go index a1683ca9e5..542f239e7c 100644 --- a/pkg/eks/mocksv2/SSM.go +++ b/pkg/eks/mocksv2/SSM.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2 diff --git a/pkg/eks/mocksv2/STS.go b/pkg/eks/mocksv2/STS.go index 93f329d35d..5dfb02fd77 100644 --- a/pkg/eks/mocksv2/STS.go +++ b/pkg/eks/mocksv2/STS.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.53.5. DO NOT EDIT. +// Code generated by mockery v2.53.6. DO NOT EDIT. package mocksv2