Migrate SSM client to AWS SDK Go V2 #4549

mye956 · 2025-03-27T21:26:51Z

Summary

This PR will migrate over the SSM client implementation and corresponding code that consumes it over to AWS SDK Go V2.

Implementation details

Changes to NewSSMClient of agent/ssm/factory/factory.go:
- Migrated over to ssm.NewFromConfig from AWS SDK Go V2
- Now using Config from github.com/aws/aws-sdk-go-v2/config in favor of Session from github.com/aws/aws-sdk-go/aws/session in NewSSMClient
- Now also returning an error in the case that LoadDefaultConfig fails
  *Updated all calls of NewSSMClient to reflect the changes mentioned before
Updated the function parameters of GetParameters in agent/ssm/interface.go to use the same one as in AWS SDK Go V2 -> https://github.com/aws/aws-sdk-go-v2/blob/64a2f067f475f9bb2129e792a9bc62bf658f9da2/service/ssm/api_op_GetParameters.go#L18-L31
Updated all calls of GetParameters to reflect changes mentioned before
Updated all uses of GetParametersInput and GetParametersOutput to now use non-pointers for some of their struct fields as part of AWS SDK Go V2 migration
- https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm#GetParametersInput
- https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm#GetParametersOutput
Couple of other replacements of aws-sdk-go/awsto aws-sdk-go-v2/aws

Testing

Manual testing:

[ec2-user@ip-172-31-28-107 ~]$ docker logs ecs-agent | grep ssm
level=info time=2025-03-28T22:21:10Z msg="ssm secret resource: retrieving secrets for containers in task: [arn:aws:ecs:us-west-2:*:task/default/d674f4e513e74c93a5703bd40845d9f5]" module=ssmsecret.go
level=info time=2025-03-28T22:21:10Z msg="ssm secret resource: retrieving secrets for region us-west-2 in task: [arn:aws:ecs:us-west-2:*:task/default/d674f4e513e74c93a5703bd40845d9f5]" module=ssmsecret.go
level=debug time=2025-03-28T22:21:10Z msg="ssm secret resource: retrieving resource for secrets [/VERY_SECRET_PASSWORD] in region [us-west-2] in task: [arn:aws:ecs:us-west-2:*:task/default/d674f4e513e74c93a5703bd40845d9f5]" module=ssmsecret.go
level=info time=2025-03-28T22:21:10Z msg="Transitioned resource" status="CREATED" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret"
level=info time=2025-03-28T22:21:10Z msg="Managed task got resource" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" status="CREATED"
level=debug time=2025-03-28T22:21:10Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:10Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:10Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:10Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:10Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:11Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret"
level=debug time=2025-03-28T22:21:15Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-03-28T22:21:16Z msg="Resource has already transitioned to or beyond the desired status" task="d674f4e513e74c93a5703bd40845d9f5" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
[ec2-user@ip-172-31-28-107 ~]$ docker ps
CONTAINER ID   IMAGE                            COMMAND                  CREATED         STATUS                   PORTS     NAMES
a2297d328c7f   nginx                            "/docker-entrypoint.…"   5 minutes ago   Up 5 minutes                       ecs-webapp-task-1-webapp-b0acbcfcebc887ee5e00
[ec2-user@ip-172-31-28-107 ~]$ docker exec -it a2297d328c7f /bin/bash
root@ip-172-31-23-68:/# echo $VERY_SECRET_PASSWORD
jk haha

FIPS testing

FIPs on agent prior to SSM V2 migration

[ec2-user@ip-172-31-18-208 ~]$ docker ps
CONTAINER ID   IMAGE                            COMMAND                  CREATED              STATUS                        PORTS     NAMES
e7868b0fa3b6   nginx                            "/docker-entrypoint.…"   32 seconds ago       Up 32 seconds                           ecs-webapp-task-1-webapp-ce87f8f39baacf888001
f0c4f4df3405   amazon/amazon-ecs-pause:0.1.0    "/pause"                 34 seconds ago       Up 34 seconds                           ecs-webapp-task-1-internalecspause-b2b6e2f49f83c3f66e00
5f5454e0a14a   amazon/amazon-ecs-agent:latest   "/agent"                 About a minute ago   Up About a minute (healthy)             ecs-agent
[ec2-user@ip-172-31-18-208 ~]$ docker logs ecs-agent | grep ssm
level=info time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving secrets for containers in task: [arn:aws:ecs:us-west-2:*:task/fips/24494e3187214e238d8c8f3d5846dd0f]" module=ssmsecret.go
level=info time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving secrets for region us-west-2 in task: [arn:aws:ecs:us-west-2::task/fips/24494e3187214e238d8c8f3d5846dd0f]" module=ssmsecret.go
level=debug time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving resource for secrets [/VERY_SECRET_PASSWORD] in region [us-west-2] in task: [arn:aws:ecs:us-west-2:*:task/fips/24494e3187214e238d8c8f3d5846dd0f]" module=ssmsecret.go
level=info time=2025-04-04T21:06:31Z msg="Transitioned resource" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" status="CREATED"
level=info time=2025-04-04T21:06:31Z msg="Managed task got resource" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" status="CREATED"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED" task="24494e3187214e238d8c8f3d5846dd0f"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" desiredStatus="CREATED" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" knownStatus="CREATED"
level=debug time=2025-04-04T21:06:32Z msg="Resource has already transitioned to or beyond the desired status" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:33Z msg="Resource has already transitioned to or beyond the desired status" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:33Z msg="Resource has already transitioned to or beyond the desired status" task="24494e3187214e238d8c8f3d5846dd0f" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
[ec2-user@ip-172-31-18-208 ~]$ sudo fips-mode-setup --check
FIPS mode is enabled.

FIPS after SSM V2

[ec2-user@ip-172-31-21-147 ~]$ docker ps
CONTAINER ID   IMAGE                            COMMAND                  CREATED              STATUS                   PORTS     NAMES
ac1bcb81e196   nginx                            "/docker-entrypoint.…"   About a minute ago   Up About a minute                  ecs-webapp-task-1-webapp-c09dbf8494d1fad0f101
8daa2a8f15e1   amazon/amazon-ecs-pause:0.1.0    "/pause"                 About a minute ago   Up About a minute                  ecs-webapp-task-1-internalecspause-d0f5cdcf88988bdfb101
2a0b18cbe80d   amazon/amazon-ecs-agent:latest   "/agent"                 2 minutes ago        Up 2 minutes (healthy)             ecs-agent
[ec2-user@ip-172-31-21-147 ~]$ docker logs ecs-agent | grep ssm
level=info time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving secrets for containers in task: [arn:aws:ecs:us-west-2:*:task/fips/2f557c0d9e1c432b911b1c318d67d197]" module=ssmsecret.go
level=info time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving secrets for region us-west-2 in task: [arn:aws:ecs:us-west-2:*:task/fips/2f557c0d9e1c432b911b1c318d67d197]" module=ssmsecret.go
level=debug time=2025-04-04T21:06:31Z msg="ssm secret resource: retrieving resource for secrets [/VERY_SECRET_PASSWORD] in region [us-west-2] in task: [arn:aws:ecs:us-west-2:*:task/fips/2f557c0d9e1c432b911b1c318d67d197]" module=ssmsecret.go
level=info time=2025-04-04T21:06:31Z msg="Transitioned resource" resource="ssmsecret" status="CREATED" task="2f557c0d9e1c432b911b1c318d67d197"
level=info time=2025-04-04T21:06:31Z msg="Managed task got resource" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" status="CREATED"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret"
level=debug time=2025-04-04T21:06:31Z msg="Resource has already transitioned to or beyond the desired status" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:32Z msg="Resource has already transitioned to or beyond the desired status" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:32Z msg="Resource has already transitioned to or beyond the desired status" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:32Z msg="Resource has already transitioned to or beyond the desired status" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:33Z msg="Resource has already transitioned to or beyond the desired status" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret" knownStatus="CREATED" desiredStatus="CREATED"
level=debug time=2025-04-04T21:06:33Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret"
level=debug time=2025-04-04T21:06:33Z msg="Resource has already transitioned to or beyond the desired status" knownStatus="CREATED" desiredStatus="CREATED" task="2f557c0d9e1c432b911b1c318d67d197" resource="ssmsecret"
[ec2-user@ip-172-31-21-147 ~]$ sudo fips-mode-setup --check
FIPS mode is enabled.

New tests cover the changes: yes

Description for the changelog

Enhancement - Migrate SSM client to AWS SDK Go V2

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions?

Does this PR include the addition of new environment variables in the README?

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

conusming SSM client changes fix unit tests removing commented out code

mye956 force-pushed the migrate-ssm branch 4 times, most recently from 863e737 to 0efe75b Compare March 27, 2025 23:32

mye956 marked this pull request as ready for review March 28, 2025 16:04

mye956 requested a review from a team as a code owner March 28, 2025 16:04

mye956 added the bot/test label Mar 28, 2025

amazon-ecs-bot removed the bot/test label Mar 28, 2025

mye956 force-pushed the migrate-ssm branch from 9f3a3d7 to c6c3695 Compare March 28, 2025 18:01

mye956 added the bot/test label Mar 28, 2025

amazon-ecs-bot removed the bot/test label Mar 28, 2025

mye956 changed the title ~~WIP~~ [WIP] Migrate SSM client to AWS SDK Go V2 Mar 28, 2025

mye956 force-pushed the migrate-ssm branch from c6c3695 to 467fda5 Compare March 28, 2025 21:48

mye956 changed the title ~~[WIP] Migrate SSM client to AWS SDK Go V2~~ Migrate SSM client to AWS SDK Go V2 Mar 28, 2025

mye956 added the bot/test label Mar 28, 2025

amazon-ecs-bot removed the bot/test label Mar 28, 2025

mye956 force-pushed the migrate-ssm branch from 467fda5 to 4159d7e Compare March 31, 2025 18:14

mye956 added the bot/test label Mar 31, 2025

amazon-ecs-bot removed the bot/test label Mar 31, 2025

sparrc previously approved these changes Apr 1, 2025

View reviewed changes

TheanLim previously approved these changes Apr 2, 2025

View reviewed changes

migrating SSM client over to AWS SDK Go V2

2f15d2b

conusming SSM client changes fix unit tests removing commented out code

mye956 dismissed stale reviews from TheanLim and sparrc via 2f15d2b April 8, 2025 22:15

mye956 force-pushed the migrate-ssm branch from 4159d7e to 2f15d2b Compare April 8, 2025 22:15

mye956 changed the base branch from dev to feature/migrate-ssm-v2 April 8, 2025 22:16

mye956 added the bot/test label Apr 8, 2025

amazon-ecs-bot removed the bot/test label Apr 8, 2025

mye956 enabled auto-merge (rebase) April 8, 2025 22:22

sparrc approved these changes Apr 8, 2025

View reviewed changes

TheanLim approved these changes Apr 8, 2025

View reviewed changes

mye956 disabled auto-merge April 9, 2025 15:50

mye956 merged commit 2e83616 into aws:feature/migrate-ssm-v2 Apr 9, 2025
40 checks passed

mye956 mentioned this pull request May 2, 2025

Migrating SSM client over to AWS SDK Go V2 #4611

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Migrate SSM client to AWS SDK Go V2 #4549

Migrate SSM client to AWS SDK Go V2 #4549

mye956 commented Mar 27, 2025 •

edited

Loading

Migrate SSM client to AWS SDK Go V2 #4549

Migrate SSM client to AWS SDK Go V2 #4549

Conversation

mye956 commented Mar 27, 2025 • edited Loading

Summary

Implementation details

Testing

FIPS testing

Description for the changelog

Additional Information

Licensing

mye956 commented Mar 27, 2025 •

edited

Loading