test: add storage service aws test

go.sum

@@ -4,7 +4,6 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
-github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.44.80 h1:jEXGecSgPdvM5KnyDsSgFhZSm7WwaTp4h544Im4SfhI=
 github.com/aws/aws-sdk-go v1.44.80/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
@@ -49,7 +48,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
 github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
@@ -81,7 +79,6 @@ github.com/hashicorp/eventlogger/filters/encrypt v0.1.8-0.20230428153751-cca4458
 github.com/hashicorp/eventlogger/filters/encrypt v0.1.8-0.20230428153751-cca445805f24/go.mod h1:EQPLoX6CONA9BSYUovTQBHfPGE91g7wOxv03sO29FzY=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
 github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-kms-wrapping/plugin/v2 v2.0.4 h1:8z+Zi0uLYXONkxwWb/D7O5t1IUucB6Ft3uvSOa950bM=
@@ -90,8 +87,6 @@ github.com/hashicorp/go-kms-wrapping/v2 v2.0.9/go.mod h1:NtMaPhqSlfQ72XWDD2g80o8
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-plugin v1.4.9 h1:ESiK220/qE0aGxWdzKIvRH69iLiuN/PjoLTm69RoWtU=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.2.2 h1:kWg2vyKl7BRXrNxYziqDJ55n+vtOQ1QsGORjzoeB+uM=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.2.2/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
@@ -131,14 +126,10 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -172,7 +163,6 @@ github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -218,12 +208,9 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

testing/e2e_host_test.go

@@ -11,26 +11,20 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/hashicorp/boundary-plugin-aws/internal/credential"
-	"github.com/hashicorp/boundary-plugin-aws/internal/values"
 	"github.com/hashicorp/boundary-plugin-aws/plugin/service/host"
 	"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/hostcatalogs"
 	"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/hostsets"
 	pb "github.com/hashicorp/boundary/sdk/pbs/plugin"
-	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
-const (
-	expectedIamUserCount     = 6
-	expectedEc2InstanceCount = 5
-)
+const expectedEc2InstanceCount = 5
 
 var expectedTags = []string{"foo", "bar", "baz"}
 
-func TestPlugin(t *testing.T) {
+func TestHostPlugin(t *testing.T) {
 	region := os.Getenv("AWS_REGION")
 	if region == "" {
 		t.Skip("set AWS_REGION to use this test")
@@ -195,36 +189,7 @@ func testPluginOnCreateCatalog(ctx context.Context, t *testing.T, p *host.HostPl
 	require.NotNil(response)
 	persisted := response.GetPersisted()
 	require.NotNil(persisted)
-	persistedSecrets := persisted.GetSecrets()
-	require.NotNil(persistedSecrets)
-	persistedAccessKeyId, err := values.GetStringValue(persistedSecrets, credential.ConstAccessKeyId, true)
-	require.NoError(err)
-	require.NotZero(persistedAccessKeyId)
-	if rotate {
-		require.NotEqual(accessKeyId, persistedAccessKeyId)
-	} else {
-		require.Equal(accessKeyId, persistedAccessKeyId)
-	}
-
-	persistedSecretAccessKey, err := values.GetStringValue(persistedSecrets, credential.ConstSecretAccessKey, true)
-	require.NoError(err)
-	require.NotZero(persistedSecretAccessKey)
-	if rotate {
-		require.NotEqual(secretAccessKey, persistedSecretAccessKey)
-	} else {
-		require.Equal(secretAccessKey, persistedSecretAccessKey)
-	}
-
-	persistedCredsLastRotatedTime, err := values.GetTimeValue(persistedSecrets, credential.ConstCredsLastRotatedTime)
-	require.NoError(err)
-	if rotate {
-		require.NotZero(persistedCredsLastRotatedTime)
-		requireCredentialsInvalid(t, accessKeyId, secretAccessKey)
-	} else {
-		require.Zero(persistedCredsLastRotatedTime)
-	}
-
-	return persistedAccessKeyId, persistedSecretAccessKey
+	return validatePersistedSecrets(t, persisted.GetSecrets(), accessKeyId, secretAccessKey, rotate)
 }
 
 func testPluginOnUpdateCatalog(
@@ -293,116 +258,7 @@ func testPluginOnUpdateCatalog(
 	require.NotNil(response)
 	persisted := response.GetPersisted()
 	require.NotNil(persisted)
-	persistedSecrets := persisted.GetSecrets()
-	require.NotNil(persistedSecrets)
-
-	// Complex checks based on the scenarios.
-	persistedAccessKeyId, err := values.GetStringValue(persistedSecrets, credential.ConstAccessKeyId, true)
-	require.NoError(err)
-	require.NotZero(persistedAccessKeyId)
-	persistedSecretAccessKey, err := values.GetStringValue(persistedSecrets, credential.ConstSecretAccessKey, true)
-	require.NoError(err)
-	require.NotZero(persistedSecretAccessKey)
-	persistedCredsLastRotatedTime, err := values.GetTimeValue(persistedSecrets, credential.ConstCredsLastRotatedTime)
-	require.NoError(err)
-
-	// Our test scenarios are complex due the multi-dimensional nature
-	// of criteria, so we lay them out in a switch below.
-	switch {
-	case newAccessKeyId != "" && rotated && rotate:
-		// The new access key ID was provided, we had previously rotated
-		// the credentials before, and the new credential set is to be
-		// rotated as well. In this case, the old credentials should have
-		// been deleted, and the new credentials should have been rotated,
-		// hence, should not match the new credentials initially
-		// provided. Rotation time should be non-zero and updated.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, newAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, newSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(persistedCredsLastRotatedTime.After(currentCredsLastRotatedTime))
-
-	case newAccessKeyId != "" && rotated && !rotate:
-		// The new access key ID was provided, we had previously rotated
-		// the credentials before, and the new credential is *not*
-		// rotated. In this case, the old credentials should have
-		// been deleted, But the new credentials should have not been
-		// rotated, and hence should be the same. Rotation time should be
-		// zero.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, newAccessKeyId)
-		require.Equal(persistedSecretAccessKey, newSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId != "" && !rotated && rotate:
-		// The new access key ID was provided, we *have not* previously
-		// rotated the credentials, and the new credential set is to be
-		// rotated. In this case, the old credentials should have been
-		// left alone, and the new credentials should have been rotated,
-		// hence, should not match the new credentials initially
-		// provided. Rotation time should be non-zero, but updated.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, newAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, newSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(persistedCredsLastRotatedTime.After(currentCredsLastRotatedTime))
-
-	case newAccessKeyId != "" && !rotated && !rotate:
-		// The new access key ID was provided, but we have not rotated
-		// the credentials previously and we still don't plan on rotating
-		// them. In this case, the old credentials should still be valid,
-		// and the persisted ones should match the new ones provided.
-		// Rotation time should be zero.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, newAccessKeyId)
-		require.Equal(persistedSecretAccessKey, newSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId == "" && rotated && rotate:
-		// No new credentials have been provided, but we have previously
-		// rotated and are still rotating credentials. This is a no-op.
-		// Existing credentials should still be valid and match the ones
-		// persisted to state. Rotation time should be identical since
-		// no new rotation occurred.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, currentAccessKeyId)
-		require.Equal(persistedSecretAccessKey, currentSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(currentCredsLastRotatedTime.Equal(persistedCredsLastRotatedTime))
-
-	case newAccessKeyId == "" && rotated && !rotate:
-		// No new credentials have been provided, and we have previously
-		// rotated the credentials. This is actually an error, but we
-		// don't test it here; it's covered in unit testing (see
-		// plugin_test.go).
-		require.FailNow("testing rotated-to-not-rotated scenario not implemented by this helper")
-
-	case newAccessKeyId == "" && !rotated && rotate:
-		// No new credentials have been provided, and while we did not
-		// rotate before, we want to switch to rotation. In this case,
-		// the existing persisted credentials should have been rotated,
-		// with a new non-zero timestamp.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, currentAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, currentSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId == "" && !rotated && !rotate:
-		// No new credentials have been provided and we have not, nor do
-		// not, plan on rotating the credentials. This is a no-op.
-		// Existing credentials should still be valid and match the ones
-		// persisted to state. Rotation time should remain at zero.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, currentAccessKeyId)
-		require.Equal(persistedSecretAccessKey, currentSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	default:
-		// Scenario was reached that was not covered by this function.
-		require.FailNow("unknown test scenario")
-	}
-
-	return persistedAccessKeyId, persistedSecretAccessKey
+	return validateUpdateSecrets(t, persisted.GetSecrets(), currentCredsLastRotatedTime, currentAccessKeyId, currentSecretAccessKey, newAccessKeyId, newSecretAccessKey, rotated, rotate)
 }
 
 func testPluginOnDeleteCatalog(ctx context.Context, t *testing.T, p *host.HostPlugin, region, accessKeyId, secretAccessKey string, rotated bool) {
@@ -588,53 +444,3 @@ func testPluginListHosts(ctx context.Context, t *testing.T, p *host.HostPlugin,
 	// Success
 	t.Logf("testing ListHosts: success (region=%s, tags=%v, expected/actual=(len=%d, ids=%s))", region, tags, len(actualInstances), actualInstances)
 }
-
-func requireCredentialsInvalid(t *testing.T, accessKeyId, secretAccessKey string) {
-	t.Helper()
-	require := require.New(t)
-
-	c, err := awsutil.NewCredentialsConfig(
-		awsutil.WithAccessKey(accessKeyId),
-		awsutil.WithSecretKey(secretAccessKey),
-	)
-	require.NoError(err)
-
-	// We need to wait for invalidation as while awsutil waits for
-	// credential creation, deletion of the old credentials returns
-	// immediately.
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), time.Second*30)
-	defer cancel()
-waitErr:
-	for {
-		_, err = c.GetCallerIdentity()
-		if err != nil {
-			break
-		}
-
-		select {
-		case <-time.After(time.Second):
-			// pass
-
-		case <-timeoutCtx.Done():
-			break waitErr
-		}
-	}
-
-	require.NotNil(err)
-	awsErr, ok := err.(awserr.Error)
-	require.True(ok)
-	require.Equal("InvalidClientTokenId", awsErr.Code())
-}
-
-func requireCredentialsValid(t *testing.T, accessKeyId, secretAccessKey string) {
-	t.Helper()
-	require := require.New(t)
-
-	c, err := awsutil.NewCredentialsConfig(
-		awsutil.WithAccessKey(accessKeyId),
-		awsutil.WithSecretKey(secretAccessKey),
-	)
-	require.NoError(err)
-	_, err = c.GetCallerIdentity()
-	require.NoError(err)
-}