Merge branch '270116-region-field' into 'master'

Add region field to AWS Role See merge request gitlab-org/gitlab!47209

Merge branch '270116-region-field' into 'master'
Add region field to AWS Role See merge request gitlab-org/gitlab!47209
10e72ff5 · Tiger Watson · 13a30718 · e0796dee · 10e72ff5 · 10e72ff5
Commit 10e72ff5 authored Nov 12, 2020 by Tiger Watson
8 changed files
--- a/app/services/clusters/aws/authorize_role_service.rb
+++ b/app/services/clusters/aws/authorize_role_service.rb
@@ -41,11 +41,11 @@ module Clusters
      end

      def update_role_arn!
-        role.update!(role_arn: role_arn)
+        role.update!(role_arn: role_arn, region: region)
      end

      def credentials
-        Clusters::Aws::FetchCredentialsService.new(role, region: region).execute
+        Clusters::Aws::FetchCredentialsService.new(role).execute
      end
    end
  end

--- a/app/services/clusters/aws/fetch_credentials_service.rb
+++ b/app/services/clusters/aws/fetch_credentials_service.rb
@@ -7,10 +7,10 @@ module Clusters

      MissingRoleError = Class.new(StandardError)

-      def initialize(provision_role, provider: nil, region: nil)
+      def initialize(provision_role, provider: nil)
        @provision_role = provision_role
        @provider = provider
-        @region = provider&.region || region
+        @region = provider&.region || provision_role&.region || Clusters::Providers::Aws::DEFAULT_REGION
      end

      def execute

--- a/changelogs/unreleased/270116-region-field.yml
+++ b/changelogs/unreleased/270116-region-field.yml
+---
+title: Add region field to AWS Role
+merge_request: 47209
+author:
+type: changed
--- a/db/migrate/20201109144634_add_region_field_to_aws_role.rb
+++ b/db/migrate/20201109144634_add_region_field_to_aws_role.rb
+# frozen_string_literal: true
+
+class AddRegionFieldToAwsRole < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    unless column_exists?(:aws_roles, :region)
+      add_column :aws_roles, :region, :text
+    end
+
+    add_text_limit :aws_roles, :region, 255
+  end
+
+  def down
+    remove_column :aws_roles, :region
+  end
+end
--- a/db/schema_migrations/20201109144634
+++ b/db/schema_migrations/20201109144634
+cbb2a2027fb6083771e97510a00c07a4ded0576e89fafd6cff4faba4e21c82c0
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9659,7 +9659,9 @@ CREATE TABLE aws_roles (
    created_at timestamp with time zone NOT NULL,
    updated_at timestamp with time zone NOT NULL,
    role_arn character varying(2048),
-    role_external_id character varying(64) NOT NULL
+    role_external_id character varying(64) NOT NULL,
+    region text,
+    CONSTRAINT check_57adedab55 CHECK ((char_length(region) <= 255))
 );

 CREATE TABLE background_migration_jobs (

--- a/spec/services/clusters/aws/authorize_role_service_spec.rb
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -25,7 +25,7 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do

  before do
    allow(Clusters::Aws::FetchCredentialsService).to receive(:new)
-      .with(instance_of(Aws::Role), region: region).and_return(credentials_service)
+      .with(instance_of(Aws::Role)).and_return(credentials_service)
  end

  context 'role exists' do

--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
    subject { described_class.new(provision_role, provider: provider).execute }

    context 'provision role is configured' do
-      let(:provision_role) { create(:aws_role, user: user) }
+      let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }

      before do
        stub_application_setting(eks_access_key_id: gitlab_access_key_id)
@@ -53,11 +53,11 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do

      context 'provider is not specifed' do
        let(:provider) { nil }
-        let(:region) { 'custom-region' }
+        let(:region) { provision_role.region }
        let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
        let(:session_policy) { 'policy-document' }

-        subject { described_class.new(provision_role, provider: provider, region: region).execute }
+        subject { described_class.new(provision_role, provider: provider).execute }

        before do
          allow(File).to receive(:read)
@@ -66,6 +66,13 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
        end

        it { is_expected.to eq assumed_role_credentials }
+
+        context 'region is not specifed' do
+          let(:region) { Clusters::Providers::Aws::DEFAULT_REGION }
+          let(:provision_role) { create(:aws_role, user: user, region: nil) }
+
+          it { is_expected.to eq assumed_role_credentials }
+        end
      end
    end