secrets manager sdk v2 changes

Author: richardcase

pkg/cloud/endpointsv2/endpoints.go

@@ -30,6 +30,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/eventbridge"
 	rgapi "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -326,3 +327,25 @@ func (s *STSEndpointResolver) ResolveEndpoint(ctx context.Context, params sts.En
 	params.Region = &endpoint.SigningRegion
 	return sts.NewDefaultEndpointResolverV2().ResolveEndpoint(ctx, params)
 }
+
+// SecretsManagerEndpointResolver implements EndpointResolverV2 interface for Secrets Manager.
+type SecretsManagerEndpointResolver struct {
+	*MultiServiceEndpointResolver
+}
+
+// ResolveEndpoint for Secrets Manager.
+func (s *SecretsManagerEndpointResolver) ResolveEndpoint(ctx context.Context, params secretsmanager.EndpointParameters) (smithyendpoints.Endpoint, error) {
+	// If custom endpoint not found, return default endpoint for the service
+	log := logger.FromContext(ctx)
+	endpoint, ok := s.endpoints[secretsmanager.ServiceID]
+
+	if !ok {
+		log.Debug("Custom endpoint not found, using default endpoint")
+		return secretsmanager.NewDefaultEndpointResolverV2().ResolveEndpoint(ctx, params)
+	}
+
+	log.Debug("Custom endpoint found, using custom endpoint", "endpoint", endpoint.URL)
+	params.Endpoint = &endpoint.URL
+	params.Region = &endpoint.SigningRegion
+	return secretsmanager.NewDefaultEndpointResolverV2().ResolveEndpoint(ctx, params)
+}

pkg/cloud/scope/clients.go

@@ -217,20 +217,23 @@ func NewResourgeTaggingClient(scopeUser cloud.ScopeUsage, session cloud.Session,
 // NewSecretsManagerClient creates a new Secrets API client for a given session..
 func NewSecretsManagerClient(scopeUser cloud.ScopeUsage, session cloud.Session, logger logger.Wrapper, target runtime.Object) *secretsmanager.Client {
 	cfg := session.Session()
-
-	secretsOpts := []func(*secretsmanager.Options){
+	multiSvcEndpointResolver := endpointsv2.NewMultiServiceEndpointResolver()
+	secretsManagerEndpointResolver := &endpointsv2.SecretsManagerEndpointResolver{
+		MultiServiceEndpointResolver: multiSvcEndpointResolver,
+	}
+	secretsManagerOpts := []func(*secretsmanager.Options){
 		func(o *secretsmanager.Options) {
 			o.Logger = logger.GetAWSLogger()
 			o.ClientLogMode = awslogs.GetAWSLogLevelV2(logger.GetLogger())
+			o.EndpointResolverV2 = secretsManagerEndpointResolver
 		},
 		secretsmanager.WithAPIOptions(
 			awsmetricsv2.WithMiddlewares(scopeUser.ControllerName(), target),
 			awsmetricsv2.WithCAPAUserAgentMiddleware(),
-			throttle.WithServiceLimiterMiddleware(session.ServiceLimiter(secretsmanager.ServiceID)),
 		),
 	}
 
-	return secretsmanager.NewFromConfig(cfg, secretsOpts...)
+	return secretsmanager.NewFromConfig(cfg, secretsManagerOpts...)
 }
 
 // NewEKSClient creates a new EKS API client for a given session.

pkg/cloud/services/secretsmanager/secret.go

@@ -18,16 +18,17 @@ package secretsmanager
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"path"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/smithy-go"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/uuid"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
-	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/awserrors"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/convertersv2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/wait"
@@ -93,11 +94,11 @@ func (s *Service) retryableCreateSecret(name string, chunk []byte, tags infrav1.
 		Tags:         convertersv2.MapToSecretsManagerTags(tags),
 	})
 	// If the secret already exists, delete it, return request to retry, as deletes are eventually consistent
-	smithyErr := awserrors.ParseSmithyError(err)
-	if smithyErr != nil && smithyErr.ErrorCode() == "ResourceExistsException" {
-		return false, s.forceDeleteSecretEntry(name)
-	}
 	if err != nil {
+		var aerr smithy.APIError
+		if errors.As(err, &aerr) && aerr.ErrorCode() == "ResourceExistsException" {
+			return false, s.forceDeleteSecretEntry(name)
+		}
 		return false, err
 	}
 	return true, err
@@ -109,9 +110,11 @@ func (s *Service) forceDeleteSecretEntry(name string) error {
 		SecretId:                   aws.String(name),
 		ForceDeleteWithoutRecovery: aws.Bool(true),
 	})
-	smithyErr := awserrors.ParseSmithyError(err)
-	if smithyErr != nil && smithyErr.ErrorCode() == "ResourceNotFoundException" {
-		return nil
+	if err != nil {
+		var aerr smithy.APIError
+		if errors.As(err, &aerr) && aerr.ErrorCode() == "ResourceNotFoundException" {
+			return nil
+		}
 	}
 	return err
 }

test/mocks/aws_secretsmanager_mock.go

@@ -24,4 +24,6 @@ limitations under the License.
 //go:generate /usr/bin/env bash -c "cat ../../hack/boilerplate/boilerplate.generatego.txt aws_rgtagging_mock.go > _aws_rgtagging_mock.go && mv _aws_rgtagging_mock.go aws_rgtagging_mock.go"
 //go:generate ../../hack/tools/bin/mockgen -destination aws_ec2api_mock.go -package mocks sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/common EC2API
 //go:generate /usr/bin/env bash -c "cat ../../hack/boilerplate/boilerplate.generatego.txt aws_ec2api_mock.go > _aws_ec2api_mock.go && mv _aws_ec2api_mock.go aws_ec2api_mock.go"
+//go:generate ../../hack/tools/bin/mockgen -destination aws_secretsmanager_mock.go -package mocks sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/secretsmanager SecretsManagerAPI
+//go:generate /usr/bin/env bash -c "cat ../../hack/boilerplate/boilerplate.generatego.txt aws_secretsmanager_mock.go > _aws_secretsmanager_mock.go && mv _aws_secretsmanager_mock.go aws_secretsmanager_mock.go"
 package mocks