Migrate the Identity Store service to AWS Go SDK v2 #26621
Bumps [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) from 1.16.11 to 1.16.13.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@v1.16.11...v1.16.13)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Thank you for your contribution! 🚀 Please note that typically Go dependency changes are handled in this repository by dependabot or the maintainers. This is to prevent pull request merge conflicts and further delay reviews of contributions. Remove any changes to the Additional details:
LGTM 🚀
LGTM 🚀.
% AWS_IDENTITY_STORE_GROUP_NAME=testgroup1 AWS_IDENTITY_STORE_GROUP_ID=926776f3c6-71733eb8-b181-488e-8ed6-17b07e79380e AWS_IDENTITY_STORE_USER_NAME=testuser1 AWS_IDENTITY_STORE_USER_ID=926776f3c6-53ea24ec-f8f8-4e7c-a015-d238f4ec12fb make testacc TESTARGS='-run=TestAccIdentityStore' PKG=identitystore ACCTEST_PARALLELISM=3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/identitystore/... -v -count 1 -parallel 3 -run=TestAccIdentityStore -timeout 180m
=== RUN TestAccIdentityStoreGroupDataSource_displayName
=== PAUSE TestAccIdentityStoreGroupDataSource_displayName
=== RUN TestAccIdentityStoreGroupDataSource_groupID
=== PAUSE TestAccIdentityStoreGroupDataSource_groupID
=== RUN TestAccIdentityStoreGroupDataSource_nonExistent
=== PAUSE TestAccIdentityStoreGroupDataSource_nonExistent
=== RUN TestAccIdentityStoreUserDataSource_userName
=== PAUSE TestAccIdentityStoreUserDataSource_userName
=== RUN TestAccIdentityStoreUserDataSource_userID
=== PAUSE TestAccIdentityStoreUserDataSource_userID
=== RUN TestAccIdentityStoreUserDataSource_nonExistent
=== PAUSE TestAccIdentityStoreUserDataSource_nonExistent
=== CONT TestAccIdentityStoreGroupDataSource_displayName
=== CONT TestAccIdentityStoreUserDataSource_userName
=== CONT TestAccIdentityStoreUserDataSource_nonExistent
--- PASS: TestAccIdentityStoreUserDataSource_nonExistent (4.56s)
=== CONT TestAccIdentityStoreGroupDataSource_nonExistent
--- PASS: TestAccIdentityStoreGroupDataSource_nonExistent (2.97s)
=== CONT TestAccIdentityStoreGroupDataSource_groupID
--- PASS: TestAccIdentityStoreUserDataSource_userName (18.11s)
=== CONT TestAccIdentityStoreUserDataSource_userID
--- PASS: TestAccIdentityStoreGroupDataSource_displayName (18.29s)
--- PASS: TestAccIdentityStoreGroupDataSource_groupID (16.52s)
--- PASS: TestAccIdentityStoreUserDataSource_userID (13.91s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/identitystore 35.954s
@roberth-k Thanks for the contribution 🎉 👏.
This functionality has been released in v4.30.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Hi @roberth-k, thanks for adding this! I've been reading through your diff to try to understand exactly what changed. It seems that these changes may have resulted in code taking a different call path with different retry behavior. With AWS Provider >=4.30.0, I'm no longer able to query users from our IDP and instead we see hundreds of errors like these:
I've dug around to see if there's any sort of config, environment or otherwise, that we may be able to use to work around this to no avail. Do you have any ideas? One odd thing is that I don't see this behavior from local plans, only within ECS in our VPC. These folks saw a similar issue with DynamoDB but it didn't happen when using the HTTPClient, which makes me wonder if the SDK is using a different API connection type depending on the environment. Semi-related, given that I'd love to hear your thoughts on this since I've been poking around at this for a while now and am not sure who I could chat with to get some ideas. :) It's not clear to me what the right solution is or even what the problem really is at this point... Thanks!
Hi @jhebert-coursera 👋 and thank you for reporting this issue! This PR purposefully attempted to stick as close to the AWS Go SDK v1 implementation as possible. As it's using the same Identity Store API-s as before, I'm almost certain that the behaviour you're seeing is due to internal differences between the AWS Go SDK v1 and AWS Go SDK v2 that we didn't foresee. After #26598 is complete, which should not be long, the plan is to re-factor the data sources using the new GetUserId and GetGroupId API-s. There is a chance that these API-s will be more efficient and not hit the rate limiting behaviour that you're seeing. Alternatively, if you're running bulk queries on users and groups, it's worth keeping an eye out on #26770, which is likely to become the most efficient data source for this purpose. I couldn't find any documented ways of manipulating this "retry quota" at the SDK level. @ewbankkit it is possible that the AWS Go SDK v2 is too conservative in its retry strategy, and that this is going to start biting more and more as services start using v2.
Hey @roberth-k, thanks for the thoughtful reply! I did end up digging through all of your code and, as far as I could tell, it looks like you were using the standard Retryer functionality correctly. I think you're correct that this is just related to the internal difference that you noted. I also couldn't find a good way to configure the Retryer although we still probably wouldn't be able to pass that config through to Terraform. After concluding that your code was okay and that I was hitting artificial token bucket limits (I was not hitting any rate limits on the service itself), I tried reducing the parallelism in our Terraform invocations and that resolved my issue. I am inclined to agree with the sentiment of your question about the rate limiter being too conservative, though. It seems incorrect for the client to rate limit calls if we're not actually hitting AWS limits. We might prefer to disable the rate limiter entirely since we are typically anticipating these failure modes and adding back-pressure accordingly if we hit actual AWS service limits. #26770 looks great as we are doing bulk queries as you mentioned, to fetch all User IDs for permission set attachments. Thanks for the note about that!
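The interaction between parallelism and a shared client-side retry token bucket, as discussed in the two comments above, can be modelled in a few lines. This is an added example, not part of the thread and not code from this pull request or the AWS SDK; the bucket capacity of 500, the retry cost of 5 and all type and function names are assumptions made for the model.

```go
package main

import "fmt"

// Assumed values for this model; neither number comes from the thread.
const (
	bucketCapacity = 500 // tokens shared by every call made through one client
	retryCost      = 5   // tokens spent before each retry attempt
)

// retryBucket models a client-side retry quota: every retry spends tokens,
// and only a retry whose attempt succeeds gives them back.
type retryBucket struct{ tokens int }

func (b *retryBucket) take() bool {
	if b.tokens < retryCost {
		return false // quota exhausted: the client gives up without retrying
	}
	b.tokens -= retryCost
	return true
}

// simulate runs `parallel` in-flight calls that each hit `failures` retryable
// errors before they would succeed. It returns the calls that succeeded, the
// calls the client abandoned on an empty bucket, and the tokens left over.
func simulate(parallel, failures int) (succeeded, abandoned, left int) {
	b := &retryBucket{tokens: bucketCapacity}
	live := parallel
	for round := 0; round < failures; round++ {
		granted := 0
		for i := 0; i < live; i++ {
			if b.take() {
				granted++
			}
		}
		abandoned += live - granted
		live = granted
	}
	if failures > 0 {
		b.tokens += live * retryCost // final, successful retries refund their cost
	}
	return live, abandoned, b.tokens
}

func main() {
	for _, p := range []int{10, 40} {
		ok, dropped, left := simulate(p, 3)
		fmt.Printf("parallel=%d succeeded=%d abandoned=%d tokens_left=%d\n", p, ok, dropped, left)
	}
}
```

With the same per-call failure pattern, the lower parallelism completes every call, while the higher one drains the bucket and abandons calls that would have succeeded on their next attempt.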
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Relates #26598
AWS Go SDK v2 is required to update user and group attributes. (https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_AttributeOperation.html)
The `Filter` attribute of the `ListUsers` and `ListGroups` API-s has been deprecated in favour of `GetUserId` and `GetGroupId`, which would also lead to the deprecation of the `filters` argument to the data sources (where only one type of query is supported anyway). However, I think it'd be simpler to introduce this deprecation after the resources have been implemented, as there's an overlap of finders.

Output from acceptance testing: