Add region field to AWS Role

Add migration to add field to AWS Role. Update AuthorizeRoleService and FetchCredentialsService to use new region field.

Add region field to AWS Role
Add migration to add field to AWS Role. Update AuthorizeRoleService and FetchCredentialsService to use new region field.
e0796dee · Emily Ring · Tiger Watson · 41611031 · e0796dee · e0796dee
Commit e0796dee authored Nov 12, 2020 by Emily Ring Committed by Tiger Watson Nov 12, 2020
8 changed files
--- a/app/services/clusters/aws/authorize_role_service.rb
+++ b/app/services/clusters/aws/authorize_role_service.rb
@@ -41,11 +41,11 @@ module Clusters
      end

      def update_role_arn!
-        role.update!(role_arn: role_arn)
+        role.update!(role_arn: role_arn, region: region)
      end

      def credentials
-        Clusters::Aws::FetchCredentialsService.new(role, region: region).execute
+        Clusters::Aws::FetchCredentialsService.new(role).execute
      end
    end
  end

--- a/app/services/clusters/aws/fetch_credentials_service.rb
+++ b/app/services/clusters/aws/fetch_credentials_service.rb
@@ -7,10 +7,10 @@ module Clusters

      MissingRoleError = Class.new(StandardError)

-      def initialize(provision_role, provider: nil, region: nil)
+      def initialize(provision_role, provider: nil)
        @provision_role = provision_role
        @provider = provider
-        @region = provider&.region || region
+        @region = provider&.region || provision_role&.region || Clusters::Providers::Aws::DEFAULT_REGION
      end

      def execute

--- a/changelogs/unreleased/270116-region-field.yml
+++ b/changelogs/unreleased/270116-region-field.yml
+---
+title: Add region field to AWS Role
+merge_request: 47209
+author:
+type: changed
--- a/db/migrate/20201109144634_add_region_field_to_aws_role.rb
+++ b/db/migrate/20201109144634_add_region_field_to_aws_role.rb
+# frozen_string_literal: true
+
+class AddRegionFieldToAwsRole < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    unless column_exists?(:aws_roles, :region)
+      add_column :aws_roles, :region, :text
+    end
+
+    add_text_limit :aws_roles, :region, 255
+  end
+
+  def down
+    remove_column :aws_roles, :region
+  end
+end
--- a/db/schema_migrations/20201109144634
+++ b/db/schema_migrations/20201109144634
+cbb2a2027fb6083771e97510a00c07a4ded0576e89fafd6cff4faba4e21c82c0
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9659,7 +9659,9 @@ CREATE TABLE aws_roles (
    created_at timestamp with time zone NOT NULL,
    updated_at timestamp with time zone NOT NULL,
    role_arn character varying(2048),
-    role_external_id character varying(64) NOT NULL
+    role_external_id character varying(64) NOT NULL,
+    region text,
+    CONSTRAINT check_57adedab55 CHECK ((char_length(region) <= 255))
 );

 CREATE TABLE background_migration_jobs (

--- a/spec/services/clusters/aws/authorize_role_service_spec.rb
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -25,7 +25,7 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do

  before do
    allow(Clusters::Aws::FetchCredentialsService).to receive(:new)
-      .with(instance_of(Aws::Role), region: region).and_return(credentials_service)
+      .with(instance_of(Aws::Role)).and_return(credentials_service)
  end

  context 'role exists' do

--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
    subject { described_class.new(provision_role, provider: provider).execute }

    context 'provision role is configured' do
-      let(:provision_role) { create(:aws_role, user: user) }
+      let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }

      before do
        stub_application_setting(eks_access_key_id: gitlab_access_key_id)
@@ -53,11 +53,11 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do

      context 'provider is not specifed' do
        let(:provider) { nil }
-        let(:region) { 'custom-region' }
+        let(:region) { provision_role.region }
        let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
        let(:session_policy) { 'policy-document' }

-        subject { described_class.new(provision_role, provider: provider, region: region).execute }
+        subject { described_class.new(provision_role, provider: provider).execute }

        before do
          allow(File).to receive(:read)
@@ -66,6 +66,13 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
        end

        it { is_expected.to eq assumed_role_credentials }
+
+        context 'region is not specifed' do
+          let(:region) { Clusters::Providers::Aws::DEFAULT_REGION }
+          let(:provision_role) { create(:aws_role, user: user, region: nil) }
+
+          it { is_expected.to eq assumed_role_credentials }
+        end
      end
    end