feat: migrate aws-sdk v2 to @aws-sdk/client-ec2 v3 (Phase 1)#17
Merged
kurok merged 2 commits intofeat/al2023-supportfrom Apr 21, 2026
Merged
feat: migrate aws-sdk v2 to @aws-sdk/client-ec2 v3 (Phase 1)#17kurok merged 2 commits intofeat/al2023-supportfrom
kurok merged 2 commits intofeat/al2023-supportfrom
Conversation
Completes Phase 1 (issue #7) of the modernization plan. ## Dependency changes - Remove 'aws-sdk' ^2.809.0 (in maintenance mode since late 2024; end-of-support announced for Nov 2025; emits DEP0169 on url.parse() in modern Node). - Add '@aws-sdk/client-ec2' 3.1033.0 pinned exact. Per-service package is dramatically smaller than v2's monolithic bundle. - Bump '@vercel/ncc' 0.25.1 -> 0.38.4. The old ncc couldn't parse modern JS (private class fields in v3's transitive deps); 0.38 is webpack-5-based and handles current syntax. ## Code changes (src/aws.js) Rewrite on the EC2Client + Command pattern: - EC2Client({}) replaces 'new AWS.EC2()'. Reads region + creds from env (same behavior, same source — configure-aws-credentials or instance profile). - client.send(new DescribeImagesCommand(params)) replaces ec2.describeImages(params).promise(). - client.send(new RunInstancesCommand(params)) replaces ec2.runInstances(params).promise(). - client.send(new TerminateInstancesCommand(params)) replaces ec2.terminateInstances(params).promise(). - client.send(new AssociateAddressCommand(params)) replaces ec2.associateAddress(params).promise(). - waitUntilInstanceRunning({client, maxWaitTime: 300}, {InstanceIds}) replaces ec2.waitFor('instanceRunning', ...).promise(). External action contract (inputs + outputs) is unchanged. Consumer workflows (notably terraform-provider-namecheap) do not need any change beyond rotating their SHA pin. ## Bundle + CI - 'npm run package' no longer needs NODE_OPTIONS=--openssl-legacy-provider (ncc 0.38 + webpack 5 don't use the legacy module-hash MD4 path). - dist/ now contains code-split chunk files (136.index.js, 360.index.js, etc.) alongside dist/index.js. All must be committed; the verify-dist CI check in pr.yml is broadened to diff the whole dist/ tree. - Bundle size: 7.9 MB -> 3.4 MB main (+ ~3.3 MB in chunks). Net smaller than v2. ## Backward compatibility The DEP0169 process.emitWarning filter added in #6 stays in place. The v3 bundle doesn't emit DEP0169, so the filter is effectively inert on the current tip — cleanup is a follow-up, not part of this PR's scope. ## Verification - npm test: 21 tests pass across tests/utils.test.js + tests/config.test.js (no aws.js tests yet; those land as Phase 8.b after Phase 4/5 stop rewriting aws.js). - npm run lint: clean. - Bundle builds cleanly on Node 20 without OpenSSL legacy provider. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
ncc 0.38's output contains 451 source-embedded CR bytes inside string literals (aws-sdk transitive deps). When dist/ is committed through git's default line-ending normalization, those CRs are stripped into the blob, but every subsequent 'npm run package' reproduces them — creating a permanent, symmetric 451/451 diff that the verify-dist CI gate correctly flagged as drift. Mark the whole dist/ tree as binary via .gitattributes so git never converts line endings in that path. What ncc writes is what git stores; CI's rebuild produces byte-identical output. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
kurok
added a commit
to namecheap/terraform-provider-namecheap
that referenced
this pull request
Apr 21, 2026
…181) namecheap/ec2-github-runner#17 merged. The new feat/al2023-support tip picks up the aws-sdk v2 to @aws-sdk/client-ec2 v3 migration and the ncc 0.25 to 0.38 bump. This rotation is the dogfood verification called out in the #15 tracker: confirms the provider's acceptance test pipeline still lifts an EC2 runner, registers it, runs make testacc, and terminates cleanly against the v3-based action code. Rotation chain: 54459d6 -> a1bd2f9 (Phase 1). Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #7. Part of plan #15.
Scope
aws-sdkv2 (end-of-support Nov 2025, source of theDEP0169 url.parse()warning fix: silence DEP0169 url.parse deprecation from bundled aws-sdk v2 #6 papered over).@aws-sdk/client-ec2@3.1033.0(per-service package — dramatically smaller than the monolith).src/aws.json the EC2Client + Command pattern.@vercel/ncc0.25.1 → 0.38.4 (webpack-5, parses modern JS transitive deps that the old ncc choked on).verify-distCI check to diff the wholedist/tree — ncc 0.38 code-splits into chunks alongsideindex.js.NODE_OPTIONS=--openssl-legacy-providerfrom the build step.External-contract compatibility
Every
with:input consumers pass stays the same (mode,github-token,ec2-image-*,ec2-instance-type,subnet-id,security-group-id,eip-allocation-id,iam-role-name,aws-resource-tags), as do the two outputs (label,ec2-instance-id). The only consumer action post-merge is rotating their SHA pin — same as machulav#158 / machulav#164 / machulav#165.API mapping
new AWS.EC2()new EC2Client({})ec2.describeImages(p).promise()client.send(new DescribeImagesCommand(p))ec2.runInstances(p).promise()client.send(new RunInstancesCommand(p))ec2.terminateInstances(p).promise()client.send(new TerminateInstancesCommand(p))ec2.associateAddress(p).promise()client.send(new AssociateAddressCommand(p))ec2.waitFor('instanceRunning', p).promise()waitUntilInstanceRunning({client, maxWaitTime: 300}, p)Bundle
Net smaller.
Verification
npm run lintclean.npm test— 21 tests pass (utils + config from Phase 8.a). aws.js tests land in Phase 8.b after Phase 4: bootstrap hardening — non-root runner user, --ephemeral, configurable runner version #10 and Phase 5: lifecycle & cleanup reliability — retries, timeouts, always-cleanup #11 stop rewriting it.npm run packagesucceeds on Node 20 without the OpenSSL legacy provider.Dogfood plan (per #15 tracker)
After merge: rotate the SHA pin in
terraform-provider-namecheap/.github/workflows/ci.ymlto the newfeat/al2023-supporttip, confirm the acceptance-test pipeline starts an EC2 runner, registers it, runsmake testacc, and terminates cleanly. That's the end-to-end regression test that matters for this refactor.Note on the DEP0169 filter
The
process.emitWarningoverride from #6 stays in place. v3 uses WHATWG URL and doesn't emitDEP0169, so the filter is inert on the current tip. Removing it is a cleanup that I'd rather keep out of this PR's scope — smaller diff = easier rollback if something unexpected turns up in dogfood.