chore: Migrate to aws native pulumi provider

the native provider is the recommended provider now, this allow to remove the dependecy on both providers (classic and native) and remove the aws cli as well

Signed-off-by: Adrian Riobo <[email protected]>

Author: adrianriobo

.claude/settings.local.json

@@ -0,0 +1,20 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(find:*)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(while read file)",
+      "Bash(for:*)",
+      "Bash(do)",
+      "Bash(echo \"Updating $file\")",
+      "Bash(sed:*)",
+      "Bash(done)",
+      "Bash(go build:*)",
+      "Bash(go list:*)",
+      "WebFetch(domain:www.pulumi.com)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

go.mod

@@ -24,7 +24,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.88.5
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.7
 	github.com/pulumi/pulumi-aws-native/sdk v1.36.0
-	github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0
 	github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0
 	github.com/pulumi/pulumi-azure-native-sdk/authorization/v3 v3.8.0
 	github.com/pulumi/pulumi-azure-native-sdk/compute/v3 v3.8.0

go.sum

@@ -292,8 +292,8 @@ github.com/pulumi/esc v0.18.0 h1:bbhRPord3GGb1xrzi9zGx+1nTRB6DOOsLbkFBEYCyMo=
 github.com/pulumi/esc v0.18.0/go.mod h1:Ny5pRVlRwdoVQvtUffTrwgXU91t+wcaAarvB2fRbnAc=
 github.com/pulumi/pulumi-aws-native/sdk v1.36.0 h1:2DL294PFa/CNuvNptAUC7TYHAY8gJ8i+SozBqcDsToQ=
 github.com/pulumi/pulumi-aws-native/sdk v1.36.0/go.mod h1:Jzds3Q+YZu9Kd6xLw/yDzAKbDcHlT2nV5tpVljqa9co=
-github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0 h1:Wf9fZyegAWxxj5nuzrCU3/Q9FtWs9nBUygPimvnSYHY=
-github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0/go.mod h1:4qpJdAOLlqT1l8uTAEc9RNhrRyh7DIw+XP6Fxo5YNdQ=
+github.com/pulumi/pulumi-aws/sdk/v7 v7.0.0 h1:xEp48UEBpCfbY1e0bAILQQljrU7J3+rzgpDlCYIdynk=
+github.com/pulumi/pulumi-aws/sdk/v7 v7.0.0/go.mod h1:+H62XwnzP7yBbBt+ytoZNwcZjdjCJA7tRP5zNdcDuMw=
 github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0 h1:Hm3E3CUVY9ynj/uByyDvKg5ORKCjfEbDKzbYvEnItfk=
 github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0/go.mod h1:MhFFQ7VuDIt6Tx6OlcF97Sb9FhvaNZhKaLqwp9GejMA=
 github.com/pulumi/pulumi-azure-native-sdk/authorization/v3 v3.8.0 h1:q6OTXLPujB8M6OajZgj0r4kkR+U1SmDohOy0gEBKUzM=

oci/Containerfile

@@ -16,25 +16,18 @@ RUN unset VERSION \
     && if [ "$TARGETARCH" = "arm64" ]; then export PULUMI_URL="${PULUMI_BASE_URL}-linux-arm64.tar.gz"; fi \
     && echo ${PULUMI_URL} \
     && curl -L ${PULUMI_URL} -o pulumicli.tar.gz \
-    && tar -xzvf pulumicli.tar.gz 
+    && tar -xzvf pulumicli.tar.gz
 
-# ubi 9.5-1732804088
-FROM registry.access.redhat.com/ubi9/ubi@sha256:dec374e05cc13ebbc0975c9f521f3db6942d27f8ccdf06b180160490eef8bdbc
+# ubi-minimal 9.6-1760515502
+FROM registry.access.redhat.com/ubi9-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
 ARG TARGETARCH
 LABEL org.opencontainers.image.authors="Redhat Developer"
 
 COPY --from=builder /workspace/out/mapt /workspace/pulumi/pulumi /usr/local/bin/
 
-ENV PULUMI_CONFIG_PASSPHRASE "passphrase" 
+ENV PULUMI_CONFIG_PASSPHRASE "passphrase"
 
-ENV AWS_SDK_LOAD_CONFIG=1 \
-    AWS_CLI_VERSION=2.16.7 \
-    AZ_CLI_VERSION=2.61.0 \
-    ARCH_N=x86_64
-
-# Pulumi plugins
-# renovate: datasource=github-releases depName=pulumi/pulumi-aws
-ARG PULUMI_AWS_VERSION=v7.8.0
+# Pulumi plugins for native providers and essential utilities
 # renovate: datasource=github-releases depName=pulumi/pulumi-awsx
 ARG PULUMI_AWSX_VERSION=v3.0.0
 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native
@@ -48,32 +41,18 @@ ARG PULUMI_RANDOM_VERSION=v4.18.4
 # renovate: datasource=github-releases depName=pulumi/pulumi-aws-native
 ARG PULUMI_AWS_NATIVE_VERSION=v1.36.0
 
-ENV PULUMI_HOME "/opt/mapt/run" 
+ENV PULUMI_HOME "/opt/mapt/run"
 WORKDIR ${PULUMI_HOME}
 
 RUN mkdir -p /opt/mapt/run \
-    && if [ "$TARGETARCH" = "arm64" ]; then export ARCH_N=aarch64; fi \
-    && export AWS_CLI_URL="https://awscli.amazonaws.com/awscli-exe-linux-${ARCH_N}-${AWS_CLI_VERSION}.zip" \
-    && export AZ_CLI_RPM="https://packages.microsoft.com/rhel/9.0/prod/Packages/a/azure-cli-${AZ_CLI_VERSION}-1.el9.${ARCH_N}.rpm" \
-    && echo ${AWS_CLI_URL} ${AZ_CLI_RPM} \
-    && curl ${AWS_CLI_URL} -o awscliv2.zip \
-    && dnf install -y unzip \
-    && unzip -qq awscliv2.zip \
-    && ./aws/install \
-    && curl -L ${AZ_CLI_RPM} -o azure-cli.rpm \
-    && dnf install -y azure-cli.rpm \
-    && rm -rf aws awscliv2.zip azure-cli.rpm \
-    && dnf clean all \
-  	&& rm -rf /var/cache/yum \
-    && pulumi plugin install resource aws ${PULUMI_AWS_VERSION} \
     && pulumi plugin install resource azure-native ${PULUMI_AZURE_NATIVE_VERSION} \
     && pulumi plugin install resource command ${PULUMI_COMMAND_VERSION} \
     && pulumi plugin install resource tls ${PULUMI_TLS_VERSION} \
     && pulumi plugin install resource random ${PULUMI_RANDOM_VERSION} \
-    && pulumi plugin install resource awsx ${PULUMI_AWSX_VERSION} \
     && pulumi plugin install resource aws-native ${PULUMI_AWS_NATIVE_VERSION} \
+    && pulumi plugin install resource awsx ${PULUMI_AWSX_VERSION} \
     && chown -R 1001:0 /opt/mapt/run \
-    && chmod -R g=u /opt/mapt/run
+    && chmod -R ug+rwx /opt/mapt/run 
 
 USER 1001
 ENTRYPOINT ["mapt"]

pkg/provider/aws/action/eks/eks.go

@@ -6,10 +6,10 @@ import (
 	"net/url"
 
 	"github.com/go-playground/validator/v10"
-	awsProvider "github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/eks"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
+	awsProvider "github.com/pulumi/pulumi-aws-native/sdk/go/aws"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/eks"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/iam"
 	"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
 	corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
 	helmv3 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/helm/v3"
@@ -181,7 +181,7 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 	// Create EKS Cluster
 	eksCluster, err := eks.NewCluster(ctx, "eks-cluster", &eks.ClusterArgs{
 		RoleArn: eksRole.Arn,
-		VpcConfig: &eks.ClusterVpcConfigArgs{
+		ResourcesVpcConfig: &eks.ClusterResourcesVpcConfigArgs{
 			PublicAccessCidrs: pulumi.StringArray{
 				pulumi.String("0.0.0.0/0"),
 			},
@@ -194,7 +194,7 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	kubeconfig := generateKubeconfig(eksCluster.Endpoint, eksCluster.CertificateAuthority.Data().Elem(), eksCluster.Name)
+	kubeconfig := generateKubeconfig(eksCluster.Endpoint, eksCluster.CertificateAuthorityData, eksCluster.Name.Elem())
 	// Create a Kubernetes provider instance
 	k8sProvider, err := kubernetes.NewProvider(ctx, "k8sProvider", &kubernetes.ProviderArgs{
 		Kubeconfig: kubeconfig,
@@ -203,15 +203,15 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	currentAws, err := awsProvider.GetCallerIdentity(ctx, &awsProvider.GetCallerIdentityArgs{}, nil)
+	currentAws, err := awsProvider.GetAccountId(ctx)
 	if err != nil {
 		return err
 	}
 	accountId := currentAws.AccountId
 
-	oidcIssuerUrl := eksCluster.Identities.Index(pulumi.Int(0)).Oidcs().Index(pulumi.Int(0)).Issuer().Elem()
-	_, err = iam.NewOpenIdConnectProvider(ctx, "my-oidc-provider", &iam.OpenIdConnectProviderArgs{
-		ClientIdLists: pulumi.StringArray{
+	oidcIssuerUrl := eksCluster.OpenIdConnectIssuerUrl
+	_, err = iam.NewOidcProvider(ctx, "my-oidc-provider", &iam.OidcProviderArgs{
+		ClientIdList: pulumi.StringArray{
 			pulumi.String("sts.amazonaws.com"),
 		},
 		Url: oidcIssuerUrl,
@@ -236,17 +236,17 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	nodeGroup0, err := eks.NewNodeGroup(ctx, "node-group-0", &eks.NodeGroupArgs{
-		ClusterName:   eksCluster.Name,
-		NodeGroupName: pulumi.String("eks-nodegroup-0"),
-		NodeRoleArn:   nodeGroupRole.Arn,
-		SubnetIds:     subnetIds,
+	nodeGroup0, err := eks.NewNodegroup(ctx, "node-group-0", &eks.NodegroupArgs{
+		ClusterName:   eksCluster.Name.Elem(),
+		NodegroupName: pulumi.String("eks-nodegroup-0"),
+		NodeRole:      nodeGroupRole.Arn,
+		Subnets:       subnetIds,
 		InstanceTypes: pulumi.StringArray(util.ArrayConvert(
 			r.allocationData.InstanceTypes,
 			func(s string) pulumi.StringInput {
 				return pulumi.String(s)
 			})),
-		ScalingConfig: &eks.NodeGroupScalingConfigArgs{
+		ScalingConfig: &eks.NodegroupScalingConfigArgs{
 			DesiredSize: pulumi.Int(*r.scalingDesiredSize),
 			MaxSize:     pulumi.Int(*r.scalingMaxSize),
 			MinSize:     pulumi.Int(*r.scalingMinSize),
@@ -343,24 +343,20 @@ func (*eksRequest) createEksRole(ctx *pulumi.Context) (*iam.Role, error) {
 	if err != nil {
 		return nil, err
 	}
-	eksRole, err := iam.NewRole(ctx, "eks-iam-eksRole", &iam.RoleArgs{
-		AssumeRolePolicy: pulumi.String(eksRolePolicyJSON),
-	})
-	if err != nil {
-		return nil, err
-	}
 	eksPolicies := []string{
 		"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
 		"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
 	}
-	for i, eksPolicy := range eksPolicies {
-		_, err := iam.NewRolePolicyAttachment(ctx, fmt.Sprintf("rpa-%d", i), &iam.RolePolicyAttachmentArgs{
-			PolicyArn: pulumi.String(eksPolicy),
-			Role:      eksRole.Name,
-		})
-		if err != nil {
-			return nil, err
-		}
+	eksRole, err := iam.NewRole(ctx, "eks-iam-eksRole", &iam.RoleArgs{
+		AssumeRolePolicyDocument: pulumi.String(eksRolePolicyJSON),
+		ManagedPolicyArns: pulumi.StringArray(util.ArrayConvert(
+			eksPolicies,
+			func(s string) pulumi.StringInput {
+				return pulumi.String(s)
+			})),
+	})
+	if err != nil {
+		return nil, err
 	}
 	return eksRole, nil
 }
@@ -381,35 +377,31 @@ func (*eksRequest) createNodeGroupRole(ctx *pulumi.Context) (*iam.Role, error) {
 	if err != nil {
 		return nil, err
 	}
-	nodeGroupRole, err := iam.NewRole(ctx, "nodegroup-iam-role", &iam.RoleArgs{
-		AssumeRolePolicy: pulumi.String(nodeGroupAssumeRolePolicyJSON),
-	})
-	if err != nil {
-		return nil, err
-	}
 	nodeGroupPolicies := []string{
 		"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
 		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
 		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
 	}
-	for i, nodeGroupPolicy := range nodeGroupPolicies {
-		_, err := iam.NewRolePolicyAttachment(ctx, fmt.Sprintf("ngpa-%d", i), &iam.RolePolicyAttachmentArgs{
-			Role:      nodeGroupRole.Name,
-			PolicyArn: pulumi.String(nodeGroupPolicy),
-		}, pulumi.DependsOn([]pulumi.Resource{nodeGroupRole}))
-		if err != nil {
-			return nil, err
-		}
+	nodeGroupRole, err := iam.NewRole(ctx, "nodegroup-iam-role", &iam.RoleArgs{
+		AssumeRolePolicyDocument: pulumi.String(nodeGroupAssumeRolePolicyJSON),
+		ManagedPolicyArns: pulumi.StringArray(util.ArrayConvert(
+			nodeGroupPolicies,
+			func(s string) pulumi.StringInput {
+				return pulumi.String(s)
+			})),
+	})
+	if err != nil {
+		return nil, err
 	}
 	return nodeGroupRole, nil
 }
 
-func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcIssuerHostPath pulumi.StringOutput, accountId string, k8sProvider *kubernetes.Provider, eksCluster *eks.Cluster, vpc *ec2.Vpc, nodeGroup0 *eks.NodeGroup) error {
+func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcIssuerHostPath pulumi.StringOutput, accountId string, k8sProvider *kubernetes.Provider, eksCluster *eks.Cluster, vpc *ec2.Vpc, nodeGroup0 *eks.Nodegroup) error {
 	policyDocumentJSON := getAwsLoadBalancerControllerIamPolicy()
 
 	// Create IAM policy
-	albControllerPolicyAttachment, err := iam.NewPolicy(ctx, "loadBalancerControllerPolicy", &iam.PolicyArgs{
-		Policy: pulumi.String(policyDocumentJSON),
+	albControllerPolicyAttachment, err := iam.NewManagedPolicy(ctx, "loadBalancerControllerPolicy", &iam.ManagedPolicyArgs{
+		PolicyDocument: pulumi.Any(policyDocumentJSON),
 	})
 	if err != nil {
 		return err
@@ -444,17 +436,11 @@ func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcI
 	}).(pulumi.StringOutput)
 
 	iamRole, err := iam.NewRole(ctx, "loadBalancerControllerRole", &iam.RoleArgs{
-		NamePrefix:       pulumi.String("MaptLBCRole-"),
-		AssumeRolePolicy: assumeRolePolicyJSON,
-	})
-	if err != nil {
-		return err
-	}
-
-	// Attach policy to role
-	_, err = iam.NewRolePolicyAttachment(ctx, "loadBalancerControllerPolicyAttachment", &iam.RolePolicyAttachmentArgs{
-		Role:      iamRole.Name,
-		PolicyArn: albControllerPolicyAttachment.Arn,
+		RoleName:                 pulumi.String("MaptLBCRole"),
+		AssumeRolePolicyDocument: assumeRolePolicyJSON,
+		ManagedPolicyArns: pulumi.StringArray{
+			albControllerPolicyAttachment.PolicyArn,
+		},
 	})
 	if err != nil {
 		return err
@@ -529,15 +515,11 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 			}).(pulumi.StringOutput)
 
 			awsEbsCsiDriverRole, err := iam.NewRole(ctx, "AmazonEKS_EBS_CSI_DriverRole", &iam.RoleArgs{
-				NamePrefix:       pulumi.String("MaptEBSCSIDriverRole-"),
-				AssumeRolePolicy: assumeRolePolicyJSON,
-			})
-			if err != nil {
-				return err
-			}
-			_, err = iam.NewRolePolicyAttachment(ctx, "AmazonEBSCSIDriverPolicyAttachment", &iam.RolePolicyAttachmentArgs{
-				PolicyArn: pulumi.String("arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"),
-				Role:      awsEbsCsiDriverRole.Name,
+				RoleName:                 pulumi.String("MaptEBSCSIDriverRole"),
+				AssumeRolePolicyDocument: assumeRolePolicyJSON,
+				ManagedPolicyArns: pulumi.StringArray{
+					pulumi.String("arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"),
+				},
 			})
 			if err != nil {
 				return err
@@ -553,7 +535,7 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 				return err
 			}
 			_, err = eks.NewAddon(ctx, addon, &eks.AddonArgs{
-				ClusterName:           eksCluster.Name,
+				ClusterName:           eksCluster.Name.Elem(),
 				AddonName:             pulumi.String(addon),
 				ServiceAccountRoleArn: awsEbsCsiDriverRole.Arn,
 				ConfigurationValues:   pulumi.String(configValues),
@@ -564,7 +546,7 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 
 		} else {
 			_, err := eks.NewAddon(ctx, addon, &eks.AddonArgs{
-				ClusterName: eksCluster.Name,
+				ClusterName: eksCluster.Name.Elem(),
 				AddonName:   pulumi.String(addon),
 			}, pulumi.DeletedWith(eksCluster))
 			if err != nil {

pkg/provider/aws/action/fedora/fedora.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	"github.com/go-playground/validator/v10"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
 	"github.com/pulumi/pulumi/sdk/v3/go/auto"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 	"github.com/redhat-developer/mapt/pkg/integrations/cirrus"
@@ -179,7 +179,8 @@ func (r *fedoraRequest) deploy(ctx *pulumi.Context) error {
 		fmt.Sprintf(amiRegex[*r.arch], *r.version),
 		[]string{amiOwner},
 		map[string]string{
-			"architecture": *r.arch})
+			"architecture": *r.arch},
+		*r.allocationData.Region)
 	if err != nil {
 		return err
 	}

pkg/provider/aws/action/kind/kind.go

@@ -5,7 +5,7 @@ import (
 	"regexp"
 
 	"github.com/go-playground/validator/v10"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
 	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
 	"github.com/pulumi/pulumi/sdk/v3/go/auto"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
@@ -149,7 +149,8 @@ func (r *kindRequest) deploy(ctx *pulumi.Context) error {
 	ami, err := amiSVC.GetAMIByName(ctx,
 		amiName(r.arch),
 		[]string{amiOwner},
-		map[string]string{"architecture": *r.arch})
+		map[string]string{"architecture": *r.arch},
+		*r.allocationData.Region)
 	if err != nil {
 		return err
 	}