CNTRLPLANE-2217: feat(aws): migrate kms and Resource Tagging to AWS SDK v2#7795

Open
LiangquanLi930 wants to merge 2 commits into openshift:main from LiangquanLi930:aws-sdk-v2-kms-tagging-2
Conversation

@LiangquanLi930
Member

@LiangquanLi930 LiangquanLi930 commented Feb 25, 2026

What this PR does / why we need it:

migrate kms and Resource Tagging to AWS SDK v2

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-2217

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Chores

    • Updated AWS service dependencies.
  • Refactor

    • Migrated AWS integrations to the newer SDK and added context-aware request handling for KMS and tagging operations to improve reliability and timeouts.
  • Tests

    • Updated end-to-end tests to propagate context and align test helpers with the new AWS client behavior.

…lents

Signed-off-by: Liangquan Li <liangli@redhat.com>
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai
Contributor

coderabbitai bot commented Feb 25, 2026

Walkthrough

Migrates AWS SDK usage from v1 to v2 across the codebase: KMS client calls and credential handling updated to SDK v2 with context propagation; resource-group-tagging client and types moved to v2; two AWS SDK v2 service dependencies added to go.mod; test call sites updated to pass context.

Changes

Cohort / File(s) Summary
AWS KMS migration
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go, test/e2e/util/aws.go
Replaces AWS SDK v1 KMS usage with SDK v2: credential provider changes, client creation via NewFromConfig, inputs/outputs use v2 types, and Encrypt/DescribeKey calls now accept context.Context. GetKMSKeyArn signature updated to ctx context.Context first.
Test call sites updated
test/e2e/create_cluster_test.go, test/e2e/nodepool_kms_root_volume_test.go
All callers of GetKMSKeyArn updated to pass ctx as the first argument to match the new signature.
Resource tagging (tests) migrated to SDK v2
test/e2e/util/fixture.go
Refactors resource-group-tagging API usage to SDK v2: session/config creation, client via NewFromConfig, API call signatures (GetResources), and type changes (Tag, ResourceTagMapping, TagFilter) updated to v2 types and helpers. Function signatures adjusted to accept v2 types.
Dependencies
go.mod
Adds AWS SDK v2 service dependencies: github.com/aws/aws-sdk-go-v2/service/kms v1.50.0 and github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.6.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title clearly and specifically describes the main change: migrating KMS and Resource Tagging to AWS SDK v2, which aligns with all file changes in the changeset.
Stable And Deterministic Test Names: ✅ Passed. Modified test files use struct-based test implementations without Ginkgo-style test definitions, so no dynamic test names are present to violate the custom check requirement.
Test Structure And Quality: ✅ Passed. PR refactors test utilities for AWS SDK v2 migration with proper context propagation, single responsibility methods, and framework-managed lifecycle patterns.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@LiangquanLi930 LiangquanLi930 changed the title from "CNTRLPLANE-2217" to "CNTRLPLANE-2217: feat(aws): migrate kms and Resource Tagging to AWS SDK v2" Feb 25, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Feb 25, 2026
@openshift-ci-robot

openshift-ci-robot commented Feb 25, 2026

@LiangquanLi930: This pull request references CNTRLPLANE-2217 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from enxebre and muraee February 25, 2026 09:08
@openshift-ci openshift-ci bot added the labels area/control-plane-operator (Indicates the PR includes changes for the control plane operator - in an OCP release), area/platform/aws (PR/issue for AWS (AWSPlatform) platform) and area/testing (Indicates the PR includes changes for e2e testing), and removed the do-not-merge/needs-area label Feb 25, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: LiangquanLi930
Once this PR has been reviewed and has the lgtm label, please assign jparrill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot

openshift-ci-robot commented Feb 25, 2026

@LiangquanLi930: This pull request references CNTRLPLANE-2217 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Chores

  • Updated AWS service dependencies to latest versions.

  • Refactor

  • Improved AWS integration code for enhanced reliability and maintainability. Updated internal AWS operations to better support context-based request handling, improving cancellation and timeout behavior across AWS API calls.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Contributor

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go (1)

2777-2793: ⚠️ Potential issue | 🔴 Critical

Guard r.awsSessionv2 before dereference to avoid panic.

At Line 2777, awsSessionv2 := *r.awsSessionv2 can panic when the AWS v2 config wasn’t initialized. GetEC2Client may leave it nil, so this path needs a defensive check.

🔧 Proposed fix
+	if r.awsSessionv2 == nil {
+		condition := metav1.Condition{
+			Type:               string(hyperv1.ValidAWSKMSConfig),
+			ObservedGeneration: hcp.Generation,
+			Status:             metav1.ConditionFalse,
+			Message:            "AWS SDK v2 session is not initialized",
+			Reason:             hyperv1.AWSErrorReason,
+		}
+		meta.SetStatusCondition(&hcp.Status.Conditions, condition)
+		return
+	}
+
 	awsSessionv2 := *r.awsSessionv2
 	awsSessionv2.Credentials = credentialsv2.NewStaticCredentialsProvider(
 		v2creds.AccessKeyID,
 		v2creds.SecretAccessKey,
 		v2creds.SessionToken,
 	)
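Review bot: the guard at the top of the hunk fails silently: after `meta.SetStatusCondition(&hcp.Status.Conditions, condition)` it does a bare `return` with no log line, so an uninitialized SDK v2 config is only discoverable by inspecting the ValidAWSKMSConfig condition on the HostedControlPlane. Add a log entry next to the condition update so the no-op reconcile is visible in operator logs, and reconsider `Reason: hyperv1.AWSErrorReason`: a nil `r.awsSessionv2` is a local initialization problem rather than an AWS API error, and a distinct reason keeps the two failure modes separable when triaging.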
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go`
around lines 2777 - 2793, Guard the nil dereference of r.awsSessionv2 before
assigning awsSessionv2: check if r.awsSessionv2 is nil (the path where
GetEC2Client may leave it uninitialized) and handle that case (e.g., set the
ValidAWSKMSConfig condition to False or return/error appropriately) instead of
doing awsSessionv2 := *r.awsSessionv2; only create
kms.NewFromConfig(awsSessionv2) after confirming r.awsSessionv2 is non-nil so
you avoid a panic.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go`:
- Around line 2777-2793: Guard the nil dereference of r.awsSessionv2 before
assigning awsSessionv2: check if r.awsSessionv2 is nil (the path where
GetEC2Client may leave it uninitialized) and handle that case (e.g., set the
ValidAWSKMSConfig condition to False or return/error appropriately) instead of
doing awsSessionv2 := *r.awsSessionv2; only create
kms.NewFromConfig(awsSessionv2) after confirming r.awsSessionv2 is non-nil so
you avoid a panic.

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6968c17 and 5bc9e9e.

⛔ Files ignored due to path filters (104)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CancelKeyDeletion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ConnectCustomKeyStore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateAlias.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateCustomKeyStore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateGrant.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Decrypt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteAlias.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteCustomKeyStore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteImportedKeyMaterial.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeriveSharedSecret.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeCustomKeyStores.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKeyRotation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisconnectCustomKeyStore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKeyRotation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Encrypt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPair.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPairWithoutPlaintext.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyWithoutPlaintext.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateMac.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateRandom.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyPolicy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyRotationStatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetParametersForImport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetPublicKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ImportKeyMaterial.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListAliases.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListGrants.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyPolicies.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyRotations.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListResourceTags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListRetirableGrants.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_PutKeyPolicy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReEncrypt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReplicateKey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RetireGrant.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RevokeGrant.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RotateKeyOnDemand.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ScheduleKeyDeletion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Sign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_TagResource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UntagResource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateAlias.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateCustomKeyStore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateKeyDescription.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdatePrimaryRegion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Verify.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_VerifyMac.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/auth.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/deserializers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/endpoints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/generated.json is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/serializers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/enums.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/kms/validators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_DescribeReportCreation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_GetComplianceSummary.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_GetResources.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_GetTagKeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_GetTagValues.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_ListRequiredTags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_StartReportCreation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_TagResources.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/api_op_UntagResources.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/auth.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/deserializers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/endpoints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/generated.json is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/serializers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types/enums.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/validators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/kms/api.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/kms/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/kms/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/kms/service.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi/api.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi/service.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (6)
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
  • go.mod
  • test/e2e/create_cluster_test.go
  • test/e2e/nodepool_kms_root_volume_test.go
  • test/e2e/util/aws.go
  • test/e2e/util/fixture.go

Migrate validateAWSKMSConfig and e2e test utilities to v2 KMS and
resourcegroupstaggingapi clients, propagating context through all
callers and switching from pointer-type to value-type SDK fields.

Signed-off-by: Liangquan Li <liangli@redhat.com>
@LiangquanLi930 LiangquanLi930 force-pushed the aws-sdk-v2-kms-tagging-2 branch from 5bc9e9e to d08dd07 on February 25, 2026 09:29
@openshift-ci-robot

openshift-ci-robot commented Feb 25, 2026

@LiangquanLi930: This pull request references CNTRLPLANE-2217 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-2217

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Chores

  • Updated AWS service dependencies to latest versions.

  • Refactor

  • Improved AWS integration code for enhanced reliability and maintainability. Updated internal AWS operations to better support context-based request handling, improving cancellation and timeout behavior across AWS API calls.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Feb 25, 2026

@LiangquanLi930: This pull request references CNTRLPLANE-2217 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

migrate kms and Resource Tagging to AWS SDK v2

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-2217

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Chores

  • Updated AWS service dependencies to latest versions.

  • Refactor

  • Improved AWS integration code for enhanced reliability and maintainability. Updated internal AWS operations to better support context-based request handling, improving cancellation and timeout behavior across AWS API calls.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Feb 25, 2026

@LiangquanLi930: This pull request references CNTRLPLANE-2217 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

migrate kms and Resource Tagging to AWS SDK v2

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-2217

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Chores

  • Updated AWS service dependencies.

  • Refactor

  • Migrated AWS integrations to the newer SDK and added context-aware request handling for KMS and tagging operations to improve reliability and timeouts.

  • Tests

  • Updated end-to-end tests to propagate context and align test helpers with the new AWS client behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Contributor

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go (1)

2777-2782: ⚠️ Potential issue | 🟡 Minor

Guard against nil dereference before dereferencing r.awsSessionv2.

If r.awsSessionv2 is nil (e.g., GetEC2Client returns nil when AWS_SHARED_CREDENTIALS_FILE is unset), line 2777 will panic. While AssumeRoleWithWebIdentity on line 2764 would likely surface the nil earlier, there is no explicit guard here.

🛡️ Proposed defensive nil check
+	if r.awsSessionv2 == nil {
+		condition := metav1.Condition{
+			Type:               string(hyperv1.ValidAWSKMSConfig),
+			ObservedGeneration: hcp.Generation,
+			Status:             metav1.ConditionFalse,
+			Message:            "AWS session not initialized",
+			Reason:             hyperv1.AWSErrorReason,
+		}
+		meta.SetStatusCondition(&hcp.Status.Conditions, condition)
+		return
+	}
 	awsSessionv2 := *r.awsSessionv2
 	awsSessionv2.Credentials = credentialsv2.NewStaticCredentialsProvider(
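Review bot: the nil check is placed at line 2777, but the comment itself says the nil would likely surface earlier at the `AssumeRoleWithWebIdentity` call on line 2764. If that call already uses `r.awsSessionv2`, a guard here never runs on the nil path; move the `if r.awsSessionv2 == nil` block ahead of the first use of `r.awsSessionv2` so the ValidAWSKMSConfig condition is set instead of the reconciler panicking. The `Message` also differs from the earlier proposal ("AWS SDK v2 session is not initialized" vs "AWS session not initialized"); settle on one wording so the condition text is stable across reconciles.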
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go`
around lines 2777 - 2782, Guard against nil dereference of r.awsSessionv2 before
copying and mutating it: check if r.awsSessionv2 == nil and handle the case
(return an error, log and return, or create a default session) instead of
dereferencing; then only perform awsSessionv2 := *r.awsSessionv2 and set
awsSessionv2.Credentials = credentialsv2.NewStaticCredentialsProvider(...) when
non-nil. Reference the r.awsSessionv2 field and the awsSessionv2 local variable
(and the earlier AssumeRoleWithWebIdentity call) to locate where to add the nil
check and error-handling path.
🧹 Nitpick comments (1)
test/e2e/util/fixture.go (1)

296-321: GetResources is called without pagination — large clusters may silently miss resources.

GetResources is paginated; if the number of tagged resources exceeds the page limit, ResourceTagMappingList will be incomplete and the cleanup validation could falsely report success. This is a pre-existing gap, but the migration is a good moment to address it.

♻️ Suggested pagination loop
-		output, err = taggingClient.GetResources(ctx, &resourcegroupstaggingapi.GetResourcesInput{
-			ResourceTypeFilters: []string{
-				"elasticloadbalancing:loadbalancer",
-				"ec2:volume",
-				"s3",
-			},
-			TagFilters: []resourcegroupstaggingapitypes.TagFilter{
-				{
-					Key:    awsv2.String(clusterTag(infraID)),
-					Values: []string{"owned"},
-				},
-			},
-		})
-		if err != nil {
-			return true, err
-		}
+		input := &resourcegroupstaggingapi.GetResourcesInput{
+			ResourceTypeFilters: []string{
+				"elasticloadbalancing:loadbalancer",
+				"ec2:volume",
+				"s3",
+			},
+			TagFilters: []resourcegroupstaggingapitypes.TagFilter{
+				{
+					Key:    awsv2.String(clusterTag(infraID)),
+					Values: []string{"owned"},
+				},
+			},
+		}
+		output = &resourcegroupstaggingapi.GetResourcesOutput{}
+		for {
+			page, err := taggingClient.GetResources(ctx, input)
+			if err != nil {
+				return true, err
+			}
+			output.ResourceTagMappingList = append(output.ResourceTagMappingList, page.ResourceTagMappingList...)
+			if page.PaginationToken == nil || *page.PaginationToken == "" {
+				break
+			}
+			input.PaginationToken = page.PaginationToken
+		}
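Review bot: the hand-rolled loop is correct, but aws-sdk-go-v2 generates a paginator for this operation (`resourcegroupstaggingapi.NewGetResourcesPaginator(taggingClient, input)` with `HasMorePages()` / `NextPage(ctx)`), which does the PaginationToken bookkeeping for you and removes the `page.PaginationToken == nil || *page.PaginationToken == ""` check; the bot's own prompt text already points at the SDK paginator. Also note that `page, err :=` inside the `for` shadows the outer `err` that the removed `output, err = taggingClient.GetResources(...)` assignment used; if nothing else in the function reads that outer `err`, the build will fail with "declared and not used", so either drop its declaration or keep assigning with `=`.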

Happy to open a follow-up issue to track this if you'd like to defer it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/util/fixture.go` around lines 296 - 321, The current GetResources
call inside the wait.PollUntilContextTimeout loop may miss pages; replace the
single taggingClient.GetResources call with a paginated loop that iterates all
pages (using the SDK paginator or NextToken) and accumulates
ResourceTagMappingList into a single slice before calling hasGuestResources;
ensure you still pass the same GetResourcesInput (resource filters and
TagFilters) and use the combined list for the hasGuestResources check so cleanup
validation is correct (refer to taggingClient.GetResources, GetResourcesInput,
output.ResourceTagMappingList, hasGuestResources, and the surrounding
wait.PollUntilContextTimeout).

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5bc9e9e and d08dd07.

📒 Files selected for processing (5)
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
  • test/e2e/create_cluster_test.go
  • test/e2e/nodepool_kms_root_volume_test.go
  • test/e2e/util/aws.go
  • test/e2e/util/fixture.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/create_cluster_test.go
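The pagination gap flagged in the nitpick above can be reproduced without touching AWS. The Go program below is an added example written for this page, not code from the HyperShift repository or from the review bot. The ResourceTagMapping, GetResourcesInput, GetResourcesOutput and GetResourcesAPIClient types are hypothetical stand-ins that only copy the field names of the aws-sdk-go-v2 resourcegroupstaggingapi package so the loop transfers unchanged; fakeTaggingClient and the pages it serves are constructed sample data. It shows why a cleanup check must stop on the pagination token rather than on an empty page, and it refuses to follow a token that repeats.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the aws-sdk-go-v2 resourcegroupstaggingapi shapes the
// fixture uses (constructed for this example; only the field names mirror the SDK).
type (
	ResourceTagMapping struct{ ResourceARN string }
	GetResourcesInput struct {
		ResourceTypeFilters []string
		PaginationToken     *string
	}
	GetResourcesOutput struct {
		ResourceTagMappingList []ResourceTagMapping
		PaginationToken        *string
	}
	GetResourcesAPIClient interface {
		GetResources(ctx context.Context, in *GetResourcesInput) (*GetResourcesOutput, error)
	}
)

// AllTaggedResources drains every page and returns the combined list. It stops
// on a nil or empty PaginationToken, never on an empty page, because the API
// may return fewer items than requested (even none) while pages remain. A
// repeated token is an error so a misbehaving endpoint cannot spin forever.
func AllTaggedResources(ctx context.Context, c GetResourcesAPIClient, in *GetResourcesInput) ([]ResourceTagMapping, error) {
	req := *in // copy: do not mutate the caller's input between polls
	seen := map[string]bool{}
	var all []ResourceTagMapping
	for {
		page, err := c.GetResources(ctx, &req)
		if err != nil {
			return nil, err
		}
		all = append(all, page.ResourceTagMappingList...)
		tok := page.PaginationToken
		if tok == nil || *tok == "" {
			return all, nil
		}
		if seen[*tok] {
			return nil, fmt.Errorf("pagination token %q repeated", *tok)
		}
		seen[*tok] = true
		req.PaginationToken = tok
	}
}

// fakeTaggingClient is a constructed client serving fixed pages offline; tokens are "page-N".
type fakeTaggingClient struct{ pages []GetResourcesOutput }

func (f *fakeTaggingClient) GetResources(_ context.Context, in *GetResourcesInput) (*GetResourcesOutput, error) {
	idx := 0
	if in.PaginationToken != nil {
		if _, err := fmt.Sscanf(*in.PaginationToken, "page-%d", &idx); err != nil {
			return nil, errors.New("malformed pagination token")
		}
	}
	if idx < 0 || idx >= len(f.pages) {
		return nil, errors.New("no such page")
	}
	out := f.pages[idx]
	return &out, nil
}

func strPtr(s string) *string { return &s }

// NewSampleClient models a guest cluster with two leftover resources where the
// first page is empty but carries a token, the case a single call gets wrong.
func NewSampleClient() *fakeTaggingClient {
	return &fakeTaggingClient{pages: []GetResourcesOutput{
		{PaginationToken: strPtr("page-1")},
		{ResourceTagMappingList: []ResourceTagMapping{{ResourceARN: "arn:aws:ec2:us-east-1:123456789012:volume/vol-0abc"}}, PaginationToken: strPtr("page-2")},
		{ResourceTagMappingList: []ResourceTagMapping{{ResourceARN: "arn:aws:s3:::guest-cluster-bucket"}}},
	}}
}

// LeftoverCount is what the cleanup check would see: one GetResources call
// versus the drained paginator. A 0 from the single call would pass cleanup wrongly.
func LeftoverCount(paginate bool) (int, error) {
	ctx, in := context.Background(), &GetResourcesInput{ResourceTypeFilters: []string{"ec2:volume", "s3"}}
	if paginate {
		all, err := AllTaggedResources(ctx, NewSampleClient(), in)
		return len(all), err
	}
	out, err := NewSampleClient().GetResources(ctx, in)
	if err != nil {
		return 0, err
	}
	return len(out.ResourceTagMappingList), nil
}
```

Against the real SDK the same loop is what resourcegroupstaggingapi.NewGetResourcesPaginator provides through HasMorePages and NextPage; the point of the stand-alone version is the two edge cases, an empty first page that still carries a token and a token that never advances, both of which a single GetResources call or a naive loop would mishandle.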

@cwbotbot
Copy link

cwbotbot commented Feb 25, 2026

Test Results

e2e-aws

e2e-aks

@LiangquanLi930
Copy link
Member Author

/test e2e-aks-4-21, e2e-aws, e2e-aws-upgrade-hypershift-operator, e2e-kubevirt-aws-ovn-reduced, e2e-v2-aws

@LiangquanLi930
Copy link
Member Author

/test e2e-aws, e2e-aws-4-21

1 similar comment
@LiangquanLi930
Copy link
Member Author

/test e2e-aws, e2e-aws-4-21

@LiangquanLi930
Copy link
Member Author

/test e2e-aws-upgrade-hypershift-operator, e2e-kubevirt-aws-ovn-reduced, e2e-v2-aws

@LiangquanLi930
Copy link
Member Author

/test e2e-aws

@LiangquanLi930
Copy link
Member Author

/test e2e-aws-upgrade-hypershift-operator

@LiangquanLi930
Copy link
Member Author

/test e2e-v2-aws

@LiangquanLi930
Copy link
Member Author

/test e2e-kubevirt-aws-ovn-reduced

@LiangquanLi930
Copy link
Member Author

/test e2e-aks

@LiangquanLi930
Copy link
Member Author

/test e2e-aws-4-21

@LiangquanLi930
Copy link
Member Author

/test e2e-aws

@LiangquanLi930
Copy link
Member Author

/test e2e-aks

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 26, 2026

@LiangquanLi930: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-upgrade-hypershift-operator d08dd07 link true /test e2e-aws-upgrade-hypershift-operator
ci/prow/e2e-aks d08dd07 link true /test e2e-aks
ci/prow/e2e-kubevirt-aws-ovn-reduced d08dd07 link true /test e2e-kubevirt-aws-ovn-reduced
ci/prow/e2e-v2-aws d08dd07 link true /test e2e-v2-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/platform/aws: PR/issue for AWS (AWSPlatform) platform
  • area/testing: Indicates the PR includes changes for e2e testing
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
