kitchen-ec2 1.4.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: '0629654ede02f6b7f39315c2434f07bc9325f622'
-  data.tar.gz: aa125bda4edbab056fbaf0c37ba63ee9e7fec696
+  metadata.gz: d121c852a28622ac97b1d1ecd53d8925b8d69807
+  data.tar.gz: e3099c025db1fefaadc834cc3d0af54b18a1da7a
 SHA512:
-  metadata.gz: b3fd4e4b7152d22b5c3952e8c60a718feddad53f9c69be85bbcac95803dfe1437f3cc9501e250a7d90cd8b011eccb168496e42b1339424d1a98629f637338bd2
-  data.tar.gz: 7d96f594e0600b78209d5d89c86d1ddb5ca54afc86e53f9f04c4acfd275a0cd9fdf45da80cd36069d78e326eab4746abcb31b3e25458014a81c814408f44679a
+  metadata.gz: 0a761d862424e0fa29e2d5f1304ef5a65d66f6da5e5a38fa6ac437cfff0bd1619bcb8ece93066fd8c16036c62875028f9bdbd8b2572f6f825bde7d9c410aea59
+  data.tar.gz: 3716edf1589f8952d7aa7460f5e1056d0e5c78c1a0dfb6096ae1db5bf527ec31c33c0e3aada585164c0c07b6e9400c26c347b9c894604fad3b2a74226397799c

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## [v2.0.0](https://github.com/test-kitchen/kitchen-ec2/tree/v2.0.0) (2017-12-08)
+[Full Changelog](https://github.com/test-kitchen/kitchen-ec2/compare/v1.4.0...v2.0.0)
+
+**Improvements**
+
+- Clean up original Authentication; Rely on SDK for Chain. [\#353](https://github.com/test-kitchen/kitchen-ec2/pull/320) ([rhyas](https://github.com/rhyas))
+- Use quadratic backoff when encountering RequestLimit errors [\#320](https://github.com/test-kitchen/kitchen-ec2/pull/320) ([kamaradclimber](https://github.com/kamaradclimber))
+
 ## [v1.4.0](https://github.com/test-kitchen/kitchen-ec2/tree/v1.4.0) (2017-11-29)
 [Full Changelog](https://github.com/test-kitchen/kitchen-ec2/compare/v1.3.2...v1.4.0)
 

data/README.md

@@ -149,35 +149,18 @@ follow the other `image_search` rules for preference.
 
 ### AWS Authentication
 
-In order to connect to AWS, you must specify the AWS access key id and secret key
-for your account. There are 3 ways you do this, and we will try them in the
-following order:
-
-1. You can specify the access key and access secret (and optionally the session
-   token) through config.  See the `aws_access_key_id` and `aws_secret_access_key`
-   config sections below to see how to specify these in your .kitchen.yml or
-   through environment variables.  If you would like to specify your session token
-   use the environment variable `AWS_SESSION_TOKEN`.
-2. The shared credentials ini file at `~/.aws/credentials`. This is the file
-   populated by `aws configure` command line and used by AWS tools in general, so if
-   you are set up for any other AWS tools, you probably already have this. You can
-   specify multiple profiles in this file and select one with the `AWS_PROFILE`
-   environment variable or the `shared_credentials_profile` driver config.  Read
-   [this][credentials_docs] for more information.
-3. From an instance profile when running on EC2.  This accesses the local
-   metadata service to discover the local instance's IAM instance profile.
-
-This precedence order is taken from http://docs.aws.amazon.com/sdkforruby/api/index.html#Configuration
-
-The first method attempted that works will be used.  IE, if you want to auth
-using the instance profile, you must not set any of the access key configs
-or environment variables, and you must not specify a `~/.aws/credentials`
-file.
+In order to connect to AWS, you must specify AWS credentials. We rely on the SDK
+to find credentials in the standard way, documented here: 
+https://github.com/aws/aws-sdk-ruby/#configuration
+
+The SDK Chain will search environment variables, then config files, then IAM role
+data from the instance profile, in that order. In the case config files being 
+present, the 'default' profile will be used unless `shared_credentials_profile` 
+is defined to point to another profile. 
 
 Because the Test Kitchen test should be checked into source control and ran
 through CI we no longer recommend storing the AWS credentials in the
-`.kitchen.yml` file.  Instead, specify them as environment variables or in the
-`~/.aws/credentials` file.
+`.kitchen.yml` file.
 
 ### Instance Login Configuration
 

data/lib/kitchen/driver/aws/client.rb

@@ -34,7 +34,7 @@ module Kitchen
 
         def initialize( # rubocop:disable Metrics/ParameterLists
           region,
-          profile_name = nil,
+          profile_name = "default",
           access_key_id = nil,
           secret_access_key = nil,
           session_token = nil,
@@ -42,63 +42,17 @@ module Kitchen
           retry_limit = nil,
           ssl_verify_peer = true
         )
-          creds = self.class.get_credentials(
-            profile_name, access_key_id, secret_access_key, session_token, region
-          )
           ::Aws.config.update(
             :region => region,
-            :credentials => creds,
+            :profile => profile_name,
             :http_proxy => http_proxy,
             :ssl_verify_peer => ssl_verify_peer
           )
           ::Aws.config.update(:retry_limit => retry_limit) unless retry_limit.nil?
         end
 
-        # Try and get the credentials from an ordered list of locations
-        # http://docs.aws.amazon.com/sdkforruby/api/index.html#Configuration
-        # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/ParameterLists, Metrics/MethodLength
-        def self.get_credentials(profile_name, access_key_id, secret_access_key, session_token,
-                                 region, options = {})
-          source_creds =
-            if access_key_id && secret_access_key
-              ::Aws::Credentials.new(access_key_id, secret_access_key, session_token)
-            elsif ENV["AWS_ACCESS_KEY_ID"] && ENV["AWS_SECRET_ACCESS_KEY"]
-              ::Aws::Credentials.new(
-                ENV["AWS_ACCESS_KEY_ID"],
-                ENV["AWS_SECRET_ACCESS_KEY"],
-                ENV["AWS_SESSION_TOKEN"]
-              )
-            elsif profile_name
-              ::Aws::SharedCredentials.new(:profile_name => profile_name)
-            elsif default_shared_credentials?
-              ::Aws::SharedCredentials.new
-            else
-              ::Aws::InstanceProfileCredentials.new(:retries => 1)
-            end
-
-          if options[:assume_role_arn] && options[:assume_role_session_name]
-            sts = ::Aws::STS::Client.new(:credentials => source_creds, :region => region)
-
-            assume_role_options = (options[:assume_role_options] || {}).merge(
-              :client => sts,
-              :role_arn => options[:assume_role_arn],
-              :role_session_name => options[:assume_role_session_name]
-            )
-
-            ::Aws::AssumeRoleCredentials.new(assume_role_options)
-          else
-            source_creds
-          end
-        end
         # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
 
-        def self.default_shared_credentials?
-          ::Aws::SharedCredentials.new.loadable?
-        rescue ::Aws::Errors::NoSuchProfileError
-          false
-        end
-
         def create_instance(options)
           resource.create_instances(options)[0]
         end

data/lib/kitchen/driver/ec2.rb

@@ -462,12 +462,14 @@ module Kitchen
           info "Waited #{c}/#{t}s for instance <#{state[:server_id]}> #{status_msg}."
         end
         begin
-          server.wait_until(
-            :max_attempts => config[:retryable_tries],
-            :delay => config[:retryable_sleep],
-            :before_attempt => wait_log,
-            &block
-          )
+          with_request_limit_backoff(state) do
+            server.wait_until(
+              :max_attempts => config[:retryable_tries],
+              :delay => config[:retryable_sleep],
+              :before_attempt => wait_log,
+              &block
+            )
+          end
         rescue ::Aws::Waiters::Errors::WaiterFailed
           error("Ran out of time waiting for the server with id [#{state[:server_id]}]" \
             " #{status_msg}, attempting to destroy it")
@@ -485,12 +487,28 @@ module Kitchen
           # Password data is blank until password is available
           !enc.nil? && !enc.empty?
         end
-        pass = server.decrypt_windows_password(File.expand_path(instance.transport[:ssh_key]))
+        pass = with_request_limit_backoff(state) do
+          server.decrypt_windows_password(File.expand_path(instance.transport[:ssh_key]))
+        end
         state[:password] = pass
         info("Retrieved Windows password for instance <#{state[:server_id]}>.")
       end
       # rubocop:enable Lint/UnusedBlockArgument
 
+      def with_request_limit_backoff(state)
+        retries = 0
+        begin
+          yield
+        rescue ::Aws::EC2::Errors::RequestLimitExceeded, ::Aws::Waiters::Errors::UnexpectedError => e
+          raise unless retries < 5 && e.message.include?("Request limit exceeded")
+          retries += 1
+          info("Request limit exceeded for instance <#{state[:server_id]}>." \
+               " Trying again in #{retries**2} seconds.")
+          sleep(retries**2)
+          retry
+        end
+      end
+
       #
       # Ordered mapping from config name to Fog name.  Ordered by preference
       # when looking up hostname.

data/lib/kitchen/driver/ec2_version.rb

@@ -21,6 +21,6 @@ module Kitchen
   module Driver
 
     # Version string for EC2 Test Kitchen driver
-    EC2_VERSION = "1.4.0"
+    EC2_VERSION = "2.0.0"
   end
 end

data/spec/kitchen/driver/ec2/client_spec.rb

@@ -20,135 +20,6 @@ require "kitchen/driver/aws/client"
 require "climate_control"
 
 describe Kitchen::Driver::Aws::Client do
-  describe "::get_credentials" do
-    # nothing else is set, so we default to this
-    it "loads IAM credentials last" do
-      iam = instance_double(Aws::InstanceProfileCredentials)
-
-      allow(Kitchen::Driver::Aws::Client).to receive(:default_shared_credentials?).and_return(false)
-      allow(Aws::InstanceProfileCredentials).to receive(:new).and_return(iam)
-
-      env_creds(nil, nil) do
-        expect(Kitchen::Driver::Aws::Client.get_credentials(nil, nil, nil, nil, nil)).to eq(iam)
-      end
-    end
-
-    it "loads the default shared creds profile second to last" do
-      shared = instance_double(Aws::SharedCredentials)
-
-      allow(Kitchen::Driver::Aws::Client).to receive(:default_shared_credentials?).and_return(true)
-      allow(Aws::SharedCredentials).to \
-        receive(:new).and_return(shared)
-
-      env_creds(nil, nil) do
-        expect(Kitchen::Driver::Aws::Client.get_credentials(nil, nil, nil, nil, nil)).to \
-          eq(shared)
-      end
-    end
-
-    it "loads a custom shared credentials profile third to last" do
-      shared = instance_double(Aws::SharedCredentials)
-
-      allow(Aws::SharedCredentials).to \
-        receive(:new).with(:profile_name => "profile").and_return(shared)
-
-      env_creds(nil, nil) do
-        expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil, nil)).to \
-          eq(shared)
-      end
-    end
-
-    it "loads credentials from the environment third to last" do
-      env_creds("key_id", "secret") do
-        expect(Kitchen::Driver::Aws::Client.get_credentials(nil, nil, nil, nil, nil)).to \
-          be_a(Aws::Credentials).and have_attributes(
-            :access_key_id => "key_id",
-            :secret_access_key => "secret"
-          )
-      end
-    end
-
-    it "loads provided credentials first" do
-      expect(Kitchen::Driver::Aws::Client.get_credentials(
-        "profile",
-        "key3",
-        "value3",
-        nil,
-        "us-west-1"
-      )).to \
-        be_a(Aws::Credentials).and have_attributes(
-         :access_key_id => "key3",
-         :secret_access_key => "value3",
-         :session_token => nil
-       )
-    end
-
-    it "uses a session token if provided" do
-      expect(Kitchen::Driver::Aws::Client.get_credentials(
-        "profile",
-        "key3",
-        "value3",
-        "t",
-        "us-west-1"
-      )).to \
-        be_a(Aws::Credentials).and have_attributes(
-         :access_key_id => "key3",
-         :secret_access_key => "value3",
-         :session_token => "t"
-       )
-    end
-  end
-
-  describe "::get_credentials + STS AssumeRole" do
-    let(:shared) { instance_double(Aws::SharedCredentials) }
-    let(:iam) { instance_double(Aws::InstanceProfileCredentials) }
-    let(:assume_role) { instance_double(Aws::AssumeRoleCredentials) }
-    let(:sts_client) { instance_double(Aws::STS::Client) }
-
-    before do
-      expect(Aws::AssumeRoleCredentials).to \
-        receive(:new).with(
-          :client => sts_client,
-          :role_arn => "role_arn",
-          :role_session_name => "role_session_name"
-        ).and_return(assume_role)
-    end
-
-    # nothing else is set, so we default to this
-    it "loads an Instance Profile last" do
-      allow(Kitchen::Driver::Aws::Client).to receive(:default_shared_credentials?).and_return(false)
-
-      expect(Aws::InstanceProfileCredentials).to \
-        receive(:new).and_return(iam)
-      expect(Aws::STS::Client).to \
-        receive(:new).with(:credentials => iam, :region => "us-west-1").and_return(sts_client)
-
-      expect(Kitchen::Driver::Aws::Client.get_credentials(
-        nil,
-        nil,
-        nil,
-        nil,
-        "us-west-1",
-        :assume_role_arn => "role_arn", :assume_role_session_name => "role_session_name"
-      )).to eq(assume_role)
-    end
-
-    it "loads shared credentials second to last" do
-      expect(::Aws::SharedCredentials).to \
-        receive(:new).with(:profile_name => "profile").and_return(shared)
-      expect(Aws::STS::Client).to \
-        receive(:new).with(:credentials => shared, :region => "us-west-1").and_return(sts_client)
-
-      expect(Kitchen::Driver::Aws::Client.get_credentials(
-        "profile",
-        nil,
-        nil,
-        nil,
-        "us-west-1",
-        :assume_role_arn => "role_arn", :assume_role_session_name => "role_session_name"
-      )).to eq(assume_role)
-    end
-  end
 
   let(:client) { Kitchen::Driver::Aws::Client.new("us-west-1") }
 
@@ -167,7 +38,7 @@ describe Kitchen::Driver::Aws::Client do
       let(:client) do
         Kitchen::Driver::Aws::Client.new(
           "us-west-1",
-          "profile_name",
+          "test-profile",
           "access_key_id",
           "secret_access_key",
           "session_token",
@@ -176,12 +47,10 @@ describe Kitchen::Driver::Aws::Client do
           false
         )
       end
-      let(:creds) { double("creds") }
       it "Sets the AWS config" do
-        expect(Kitchen::Driver::Aws::Client).to receive(:get_credentials).and_return(creds)
         client
         expect(Aws.config[:region]).to eq("us-west-1")
-        expect(Aws.config[:credentials]).to eq(creds)
+        expect(Aws.config[:profile]).to eq("test-profile")
         expect(Aws.config[:http_proxy]).to eq("http_proxy")
         expect(Aws.config[:retry_limit]).to eq(999)
         expect(Aws.config[:ssl_verify_peer]).to eq(false)
@@ -196,13 +65,4 @@ describe Kitchen::Driver::Aws::Client do
   it "returns a resource" do
     expect(client.resource).to be_a(Aws::EC2::Resource)
   end
-
-  def env_creds(key_id, secret, &block)
-    ClimateControl.modify(
-      "AWS_ACCESS_KEY_ID" => key_id,
-      "AWS_SECRET_ACCESS_KEY" => secret
-    ) do
-      yield
-    end
-  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-ec2
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Fletcher Nichol
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-30 00:00:00.000000000 Z
+date: 2017-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-kitchen