WIP: chore: Migrate to aws native pulumi provider

.claude/settings.local.json

@@ -0,0 +1,20 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(find:*)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(while read file)",
+      "Bash(for:*)",
+      "Bash(do)",
+      "Bash(echo \"Updating $file\")",
+      "Bash(sed:*)",
+      "Bash(done)",
+      "Bash(go build:*)",
+      "Bash(go list:*)",
+      "WebFetch(domain:www.pulumi.com)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

go.mod

@@ -24,7 +24,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.88.5
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.7
 	github.com/pulumi/pulumi-aws-native/sdk v1.36.0
-	github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0
 	github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0
 	github.com/pulumi/pulumi-azure-native-sdk/authorization/v3 v3.8.0
 	github.com/pulumi/pulumi-azure-native-sdk/compute/v3 v3.8.0
@@ -118,6 +117,7 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 	github.com/pulumi/esc v0.18.0 // indirect
+	github.com/pulumi/pulumi-aws/sdk/v7 v7.0.0 // indirect
 	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.15 // indirect
 	github.com/sagikazarmark/locafero v0.12.0 // indirect
 	github.com/skeema/knownhosts v1.3.2 // indirect

go.sum

@@ -292,8 +292,8 @@ github.com/pulumi/esc v0.18.0 h1:bbhRPord3GGb1xrzi9zGx+1nTRB6DOOsLbkFBEYCyMo=
 github.com/pulumi/esc v0.18.0/go.mod h1:Ny5pRVlRwdoVQvtUffTrwgXU91t+wcaAarvB2fRbnAc=
 github.com/pulumi/pulumi-aws-native/sdk v1.36.0 h1:2DL294PFa/CNuvNptAUC7TYHAY8gJ8i+SozBqcDsToQ=
 github.com/pulumi/pulumi-aws-native/sdk v1.36.0/go.mod h1:Jzds3Q+YZu9Kd6xLw/yDzAKbDcHlT2nV5tpVljqa9co=
-github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0 h1:Wf9fZyegAWxxj5nuzrCU3/Q9FtWs9nBUygPimvnSYHY=
-github.com/pulumi/pulumi-aws/sdk/v7 v7.8.0/go.mod h1:4qpJdAOLlqT1l8uTAEc9RNhrRyh7DIw+XP6Fxo5YNdQ=
+github.com/pulumi/pulumi-aws/sdk/v7 v7.0.0 h1:xEp48UEBpCfbY1e0bAILQQljrU7J3+rzgpDlCYIdynk=
+github.com/pulumi/pulumi-aws/sdk/v7 v7.0.0/go.mod h1:+H62XwnzP7yBbBt+ytoZNwcZjdjCJA7tRP5zNdcDuMw=
 github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0 h1:Hm3E3CUVY9ynj/uByyDvKg5ORKCjfEbDKzbYvEnItfk=
 github.com/pulumi/pulumi-awsx/sdk/v3 v3.0.0/go.mod h1:MhFFQ7VuDIt6Tx6OlcF97Sb9FhvaNZhKaLqwp9GejMA=
 github.com/pulumi/pulumi-azure-native-sdk/authorization/v3 v3.8.0 h1:q6OTXLPujB8M6OajZgj0r4kkR+U1SmDohOy0gEBKUzM=

oci/Containerfile

@@ -16,25 +16,18 @@ RUN unset VERSION \
     && if [ "$TARGETARCH" = "arm64" ]; then export PULUMI_URL="${PULUMI_BASE_URL}-linux-arm64.tar.gz"; fi \
     && echo ${PULUMI_URL} \
     && curl -L ${PULUMI_URL} -o pulumicli.tar.gz \
-    && tar -xzvf pulumicli.tar.gz 
+    && tar -xzvf pulumicli.tar.gz
 
-# ubi 9.5-1732804088
-FROM registry.access.redhat.com/ubi9/ubi@sha256:dec374e05cc13ebbc0975c9f521f3db6942d27f8ccdf06b180160490eef8bdbc
+# ubi-minimal 9.6-1760515502
+FROM registry.access.redhat.com/ubi9-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
 ARG TARGETARCH
 LABEL org.opencontainers.image.authors="Redhat Developer"
 
 COPY --from=builder /workspace/out/mapt /workspace/pulumi/pulumi /usr/local/bin/
 
-ENV PULUMI_CONFIG_PASSPHRASE "passphrase" 
+ENV PULUMI_CONFIG_PASSPHRASE "passphrase"
 
-ENV AWS_SDK_LOAD_CONFIG=1 \
-    AWS_CLI_VERSION=2.16.7 \
-    AZ_CLI_VERSION=2.61.0 \
-    ARCH_N=x86_64
-
-# Pulumi plugins
-# renovate: datasource=github-releases depName=pulumi/pulumi-aws
-ARG PULUMI_AWS_VERSION=v7.8.0
+# Pulumi plugins for native providers and essential utilities
 # renovate: datasource=github-releases depName=pulumi/pulumi-awsx
 ARG PULUMI_AWSX_VERSION=v3.0.0
 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native
@@ -48,32 +41,18 @@ ARG PULUMI_RANDOM_VERSION=v4.18.4
 # renovate: datasource=github-releases depName=pulumi/pulumi-aws-native
 ARG PULUMI_AWS_NATIVE_VERSION=v1.36.0
 
-ENV PULUMI_HOME "/opt/mapt/run" 
+ENV PULUMI_HOME "/opt/mapt/run"
 WORKDIR ${PULUMI_HOME}
 
 RUN mkdir -p /opt/mapt/run \
-    && if [ "$TARGETARCH" = "arm64" ]; then export ARCH_N=aarch64; fi \
-    && export AWS_CLI_URL="https://awscli.amazonaws.com/awscli-exe-linux-${ARCH_N}-${AWS_CLI_VERSION}.zip" \
-    && export AZ_CLI_RPM="https://packages.microsoft.com/rhel/9.0/prod/Packages/a/azure-cli-${AZ_CLI_VERSION}-1.el9.${ARCH_N}.rpm" \
-    && echo ${AWS_CLI_URL} ${AZ_CLI_RPM} \
-    && curl ${AWS_CLI_URL} -o awscliv2.zip \
-    && dnf install -y unzip \
-    && unzip -qq awscliv2.zip \
-    && ./aws/install \
-    && curl -L ${AZ_CLI_RPM} -o azure-cli.rpm \
-    && dnf install -y azure-cli.rpm \
-    && rm -rf aws awscliv2.zip azure-cli.rpm \
-    && dnf clean all \
-  	&& rm -rf /var/cache/yum \
-    && pulumi plugin install resource aws ${PULUMI_AWS_VERSION} \
     && pulumi plugin install resource azure-native ${PULUMI_AZURE_NATIVE_VERSION} \
     && pulumi plugin install resource command ${PULUMI_COMMAND_VERSION} \
     && pulumi plugin install resource tls ${PULUMI_TLS_VERSION} \
     && pulumi plugin install resource random ${PULUMI_RANDOM_VERSION} \
-    && pulumi plugin install resource awsx ${PULUMI_AWSX_VERSION} \
     && pulumi plugin install resource aws-native ${PULUMI_AWS_NATIVE_VERSION} \
+    && pulumi plugin install resource awsx ${PULUMI_AWSX_VERSION} \
     && chown -R 1001:0 /opt/mapt/run \
-    && chmod -R g=u /opt/mapt/run
+    && chmod -R ug+rwx /opt/mapt/run 
 
 USER 1001
 ENTRYPOINT ["mapt"]

pkg/provider/aws/action/eks/eks.go

@@ -6,10 +6,10 @@ import (
 	"net/url"
 
 	"github.com/go-playground/validator/v10"
-	awsProvider "github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/eks"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
+	awsProvider "github.com/pulumi/pulumi-aws-native/sdk/go/aws"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/eks"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/iam"
 	"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
 	corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
 	helmv3 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/helm/v3"
@@ -181,7 +181,7 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 	// Create EKS Cluster
 	eksCluster, err := eks.NewCluster(ctx, "eks-cluster", &eks.ClusterArgs{
 		RoleArn: eksRole.Arn,
-		VpcConfig: &eks.ClusterVpcConfigArgs{
+		ResourcesVpcConfig: &eks.ClusterResourcesVpcConfigArgs{
 			PublicAccessCidrs: pulumi.StringArray{
 				pulumi.String("0.0.0.0/0"),
 			},
@@ -194,7 +194,7 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	kubeconfig := generateKubeconfig(eksCluster.Endpoint, eksCluster.CertificateAuthority.Data().Elem(), eksCluster.Name)
+	kubeconfig := generateKubeconfig(eksCluster.Endpoint, eksCluster.CertificateAuthorityData, eksCluster.Name.Elem())
 	// Create a Kubernetes provider instance
 	k8sProvider, err := kubernetes.NewProvider(ctx, "k8sProvider", &kubernetes.ProviderArgs{
 		Kubeconfig: kubeconfig,
@@ -203,15 +203,15 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	currentAws, err := awsProvider.GetCallerIdentity(ctx, &awsProvider.GetCallerIdentityArgs{}, nil)
+	currentAws, err := awsProvider.GetAccountId(ctx)
 	if err != nil {
 		return err
 	}
 	accountId := currentAws.AccountId
 
-	oidcIssuerUrl := eksCluster.Identities.Index(pulumi.Int(0)).Oidcs().Index(pulumi.Int(0)).Issuer().Elem()
-	_, err = iam.NewOpenIdConnectProvider(ctx, "my-oidc-provider", &iam.OpenIdConnectProviderArgs{
-		ClientIdLists: pulumi.StringArray{
+	oidcIssuerUrl := eksCluster.OpenIdConnectIssuerUrl
+	_, err = iam.NewOidcProvider(ctx, "my-oidc-provider", &iam.OidcProviderArgs{
+		ClientIdList: pulumi.StringArray{
 			pulumi.String("sts.amazonaws.com"),
 		},
 		Url: oidcIssuerUrl,
@@ -236,17 +236,17 @@ func (r *eksRequest) deployer(ctx *pulumi.Context) error {
 		return err
 	}
 
-	nodeGroup0, err := eks.NewNodeGroup(ctx, "node-group-0", &eks.NodeGroupArgs{
-		ClusterName:   eksCluster.Name,
-		NodeGroupName: pulumi.String("eks-nodegroup-0"),
-		NodeRoleArn:   nodeGroupRole.Arn,
-		SubnetIds:     subnetIds,
+	nodeGroup0, err := eks.NewNodegroup(ctx, "node-group-0", &eks.NodegroupArgs{
+		ClusterName:   eksCluster.Name.Elem(),
+		NodegroupName: pulumi.String("eks-nodegroup-0"),
+		NodeRole:      nodeGroupRole.Arn,
+		Subnets:       subnetIds,
 		InstanceTypes: pulumi.StringArray(util.ArrayConvert(
 			r.allocationData.InstanceTypes,
 			func(s string) pulumi.StringInput {
 				return pulumi.String(s)
 			})),
-		ScalingConfig: &eks.NodeGroupScalingConfigArgs{
+		ScalingConfig: &eks.NodegroupScalingConfigArgs{
 			DesiredSize: pulumi.Int(*r.scalingDesiredSize),
 			MaxSize:     pulumi.Int(*r.scalingMaxSize),
 			MinSize:     pulumi.Int(*r.scalingMinSize),
@@ -343,24 +343,20 @@ func (*eksRequest) createEksRole(ctx *pulumi.Context) (*iam.Role, error) {
 	if err != nil {
 		return nil, err
 	}
-	eksRole, err := iam.NewRole(ctx, "eks-iam-eksRole", &iam.RoleArgs{
-		AssumeRolePolicy: pulumi.String(eksRolePolicyJSON),
-	})
-	if err != nil {
-		return nil, err
-	}
 	eksPolicies := []string{
 		"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
 		"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
 	}
-	for i, eksPolicy := range eksPolicies {
-		_, err := iam.NewRolePolicyAttachment(ctx, fmt.Sprintf("rpa-%d", i), &iam.RolePolicyAttachmentArgs{
-			PolicyArn: pulumi.String(eksPolicy),
-			Role:      eksRole.Name,
-		})
-		if err != nil {
-			return nil, err
-		}
+	eksRole, err := iam.NewRole(ctx, "eks-iam-eksRole", &iam.RoleArgs{
+		AssumeRolePolicyDocument: pulumi.String(eksRolePolicyJSON),
+		ManagedPolicyArns: pulumi.StringArray(util.ArrayConvert(
+			eksPolicies,
+			func(s string) pulumi.StringInput {
+				return pulumi.String(s)
+			})),
+	})
+	if err != nil {
+		return nil, err
 	}
 	return eksRole, nil
 }
@@ -381,35 +377,31 @@ func (*eksRequest) createNodeGroupRole(ctx *pulumi.Context) (*iam.Role, error) {
 	if err != nil {
 		return nil, err
 	}
-	nodeGroupRole, err := iam.NewRole(ctx, "nodegroup-iam-role", &iam.RoleArgs{
-		AssumeRolePolicy: pulumi.String(nodeGroupAssumeRolePolicyJSON),
-	})
-	if err != nil {
-		return nil, err
-	}
 	nodeGroupPolicies := []string{
 		"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
 		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
 		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
 	}
-	for i, nodeGroupPolicy := range nodeGroupPolicies {
-		_, err := iam.NewRolePolicyAttachment(ctx, fmt.Sprintf("ngpa-%d", i), &iam.RolePolicyAttachmentArgs{
-			Role:      nodeGroupRole.Name,
-			PolicyArn: pulumi.String(nodeGroupPolicy),
-		}, pulumi.DependsOn([]pulumi.Resource{nodeGroupRole}))
-		if err != nil {
-			return nil, err
-		}
+	nodeGroupRole, err := iam.NewRole(ctx, "nodegroup-iam-role", &iam.RoleArgs{
+		AssumeRolePolicyDocument: pulumi.String(nodeGroupAssumeRolePolicyJSON),
+		ManagedPolicyArns: pulumi.StringArray(util.ArrayConvert(
+			nodeGroupPolicies,
+			func(s string) pulumi.StringInput {
+				return pulumi.String(s)
+			})),
+	})
+	if err != nil {
+		return nil, err
 	}
 	return nodeGroupRole, nil
 }
 
-func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcIssuerHostPath pulumi.StringOutput, accountId string, k8sProvider *kubernetes.Provider, eksCluster *eks.Cluster, vpc *ec2.Vpc, nodeGroup0 *eks.NodeGroup) error {
+func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcIssuerHostPath pulumi.StringOutput, accountId string, k8sProvider *kubernetes.Provider, eksCluster *eks.Cluster, vpc *ec2.Vpc, nodeGroup0 *eks.Nodegroup) error {
 	policyDocumentJSON := getAwsLoadBalancerControllerIamPolicy()
 
 	// Create IAM policy
-	albControllerPolicyAttachment, err := iam.NewPolicy(ctx, "loadBalancerControllerPolicy", &iam.PolicyArgs{
-		Policy: pulumi.String(policyDocumentJSON),
+	albControllerPolicyAttachment, err := iam.NewManagedPolicy(ctx, "loadBalancerControllerPolicy", &iam.ManagedPolicyArgs{
+		PolicyDocument: pulumi.Any(policyDocumentJSON),
 	})
 	if err != nil {
 		return err
@@ -444,17 +436,11 @@ func (r *eksRequest) installAwsLoadBalancerController(ctx *pulumi.Context, oidcI
 	}).(pulumi.StringOutput)
 
 	iamRole, err := iam.NewRole(ctx, "loadBalancerControllerRole", &iam.RoleArgs{
-		NamePrefix:       pulumi.String("MaptLBCRole-"),
-		AssumeRolePolicy: assumeRolePolicyJSON,
-	})
-	if err != nil {
-		return err
-	}
-
-	// Attach policy to role
-	_, err = iam.NewRolePolicyAttachment(ctx, "loadBalancerControllerPolicyAttachment", &iam.RolePolicyAttachmentArgs{
-		Role:      iamRole.Name,
-		PolicyArn: albControllerPolicyAttachment.Arn,
+		RoleName:                 pulumi.String("MaptLBCRole"),
+		AssumeRolePolicyDocument: assumeRolePolicyJSON,
+		ManagedPolicyArns: pulumi.StringArray{
+			albControllerPolicyAttachment.PolicyArn,
+		},
 	})
 	if err != nil {
 		return err
@@ -529,15 +515,11 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 			}).(pulumi.StringOutput)
 
 			awsEbsCsiDriverRole, err := iam.NewRole(ctx, "AmazonEKS_EBS_CSI_DriverRole", &iam.RoleArgs{
-				NamePrefix:       pulumi.String("MaptEBSCSIDriverRole-"),
-				AssumeRolePolicy: assumeRolePolicyJSON,
-			})
-			if err != nil {
-				return err
-			}
-			_, err = iam.NewRolePolicyAttachment(ctx, "AmazonEBSCSIDriverPolicyAttachment", &iam.RolePolicyAttachmentArgs{
-				PolicyArn: pulumi.String("arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"),
-				Role:      awsEbsCsiDriverRole.Name,
+				RoleName:                 pulumi.String("MaptEBSCSIDriverRole"),
+				AssumeRolePolicyDocument: assumeRolePolicyJSON,
+				ManagedPolicyArns: pulumi.StringArray{
+					pulumi.String("arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"),
+				},
 			})
 			if err != nil {
 				return err
@@ -553,7 +535,7 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 				return err
 			}
 			_, err = eks.NewAddon(ctx, addon, &eks.AddonArgs{
-				ClusterName:           eksCluster.Name,
+				ClusterName:           eksCluster.Name.Elem(),
 				AddonName:             pulumi.String(addon),
 				ServiceAccountRoleArn: awsEbsCsiDriverRole.Arn,
 				ConfigurationValues:   pulumi.String(configValues),
@@ -564,7 +546,7 @@ func deployAddons(r *eksRequest, oidcIssuerHostPath pulumi.StringOutput, account
 
 		} else {
 			_, err := eks.NewAddon(ctx, addon, &eks.AddonArgs{
-				ClusterName: eksCluster.Name,
+				ClusterName: eksCluster.Name.Elem(),
 				AddonName:   pulumi.String(addon),
 			}, pulumi.DeletedWith(eksCluster))
 			if err != nil {

pkg/provider/aws/action/fedora/fedora.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	"github.com/go-playground/validator/v10"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
 	"github.com/pulumi/pulumi/sdk/v3/go/auto"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 	"github.com/redhat-developer/mapt/pkg/integrations/cirrus"
@@ -179,7 +179,8 @@ func (r *fedoraRequest) deploy(ctx *pulumi.Context) error {
 		fmt.Sprintf(amiRegex[*r.arch], *r.version),
 		[]string{amiOwner},
 		map[string]string{
-			"architecture": *r.arch})
+			"architecture": *r.arch},
+		*r.allocationData.Region)
 	if err != nil {
 		return err
 	}

pkg/provider/aws/action/kind/kind.go

@@ -5,7 +5,7 @@ import (
 	"regexp"
 
 	"github.com/go-playground/validator/v10"
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
+	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/ec2"
 	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
 	"github.com/pulumi/pulumi/sdk/v3/go/auto"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
@@ -149,7 +149,8 @@ func (r *kindRequest) deploy(ctx *pulumi.Context) error {
 	ami, err := amiSVC.GetAMIByName(ctx,
 		amiName(r.arch),
 		[]string{amiOwner},
-		map[string]string{"architecture": *r.arch})
+		map[string]string{"architecture": *r.arch},
+		*r.allocationData.Region)
 	if err != nil {
 		return err
 	}