Chore/rebase from main (#3666)

Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Shivam Kumar <[email protected]>
Signed-off-by: joshvanl <[email protected]>
Signed-off-by: MattCosturos <[email protected]>
Signed-off-by: Matt Costuros <[email protected]>
Signed-off-by: Elena Kolevska <[email protected]>
Signed-off-by: Mike Nguyen <[email protected]>
Co-authored-by: Sam <[email protected]>
Co-authored-by: Yaron Schneider <[email protected]>
Co-authored-by: Shivam Kumar <[email protected]>
Co-authored-by: Shivam Kumar <[email protected]>
Co-authored-by: Josh van Leeuwen <[email protected]>
Co-authored-by: MattCosturos <[email protected]>
Co-authored-by: Artur Souza <[email protected]>
Co-authored-by: Elena Kolevska <[email protected]>

Author: 9 people

.build-tools/builtin-authentication-profiles.yaml

@@ -5,26 +5,37 @@ aws:
     metadata:
       - name: region
         type: string
-        required: true
+        required: false
+        description: |
+          The AWS Region where the AWS resource is deployed to.
+          This will be marked required in Dapr 1.17.
+        example: '"us-east-1"'
+      - name: awsRegion
+        type: string
+        required: false
         description: |
+          This maintains backwards compatibility with existing fields. 
+          It will be deprecated as of Dapr 1.17. Use 'region' instead.
           The AWS Region where the AWS resource is deployed to.
         example: '"us-east-1"'
       - name: accessKey
         description: AWS access key associated with an IAM account
-        required: true
+        required: false
         sensitive: true
         example: '"AKIAIOSFODNN7EXAMPLE"'
       - name: secretKey
         description: The secret key associated with the access key
-        required: true
+        required: false
         sensitive: true
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
       - name: sessionToken
+        type: string
         required: false
         sensitive: true
         description: |
           AWS session token to use. A session token is only required if you are using
           temporary security credentials.
+        example: '"TOKEN"'
   - title: "AWS: Assume IAM Role"
     description: |
       Assume a specific IAM role. Note: This is only supported for Kafka and PostgreSQL.
@@ -41,6 +52,7 @@ aws:
         description: |
           IAM role that has access to AWS resource.
           This is another option to authenticate with MSK and RDS Aurora aside from the AWS Credentials.
+          This will be marked required in Dapr 1.17.
         example: '"arn:aws:iam::123456789:role/mskRole"'
       - name: sessionName
         type: string
@@ -51,7 +63,7 @@ aws:
   - title: "AWS: Credentials from Environment Variables"
     description: Use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment
   - title: "AWS: IAM Roles Anywhere"
-    description: Use X.509 certificates to establish trust between AWS and your AWS account and the Dapr cluster using AWS IAM Roles Anywhere.
+    description: Use X.509 certificates to establish trust between your AWS account and the Dapr cluster using AWS IAM Roles Anywhere.
     metadata:
       - name: trustAnchorArn
         description: |

.build-tools/pkg/metadataschema/builtin-authentication-profiles.go

@@ -32,40 +32,32 @@ func ParseBuiltinAuthenticationProfile(bi BuiltinAuthenticationProfile, componen
 	for i, profile := range profiles {
 		res[i] = profile
 
-		// convert slice to a slice of pointers to update in place for required -> non-required fields
-		metadataPtr := make([]*Metadata, len(profile.Metadata))
-		for j := range profile.Metadata {
-			metadataPtr[j] = &profile.Metadata[j]
+		// deep copy the metadata slice to avoid side effects when manually updating some req -> non-req fields to deprecate some fields for kafka/postgres
+		// TODO: rm all of this manipulation in Dapr 1.17!!
+		originalMetadata := profile.Metadata
+		metadataCopy := make([]Metadata, len(originalMetadata))
+		copy(metadataCopy, originalMetadata)
+
+		if componentTitle == "Apache Kafka" || strings.ToLower(componentTitle) == "postgresql" {
+			removeRequiredOnSomeAWSFields(&metadataCopy)
 		}
 
-		if componentTitle == "Apache Kafka" {
-			removeRequiredOnSomeAWSFields(&metadataPtr)
-		}
-
-		// convert back to value slices for merging
-		updatedMetadata := make([]Metadata, 0, len(metadataPtr))
-		for _, ptr := range metadataPtr {
-			if ptr != nil {
-				updatedMetadata = append(updatedMetadata, *ptr)
-			}
-		}
-
-		merged := mergedMetadata(bi.Metadata, updatedMetadata...)
+		merged := mergedMetadata(bi.Metadata, metadataCopy...)
 
 		// Note: We must apply the removal of deprecated fields after the merge!!
 
 		// Here, we remove some deprecated fields as we support the transition to a new auth profile
-		if profile.Title == "AWS: Assume specific IAM Role" && componentTitle == "Apache Kafka" {
+		if profile.Title == "AWS: Assume IAM Role" && componentTitle == "Apache Kafka" || profile.Title == "AWS: Assume IAM Role" && strings.ToLower(componentTitle) == "postgresql" {
 			merged = removeSomeDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
 		}
 
 		// Here, there are no metadata fields that need deprecating
-		if profile.Title == "AWS: Credentials from Environment Variables" && componentTitle == "Apache Kafka" {
+		if profile.Title == "AWS: Credentials from Environment Variables" && componentTitle == "Apache Kafka" || profile.Title == "AWS: Credentials from Environment Variables" && strings.ToLower(componentTitle) == "postgresql" {
 			merged = removeAllDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
 		}
 
 		// Here, this is a new auth profile, so rm all deprecating fields as unrelated.
-		if profile.Title == "AWS: IAM Roles Anywhere" && componentTitle == "Apache Kafka" {
+		if profile.Title == "AWS: IAM Roles Anywhere" && componentTitle == "Apache Kafka" || profile.Title == "AWS: IAM Roles Anywhere" && strings.ToLower(componentTitle) == "postgresql" {
 			merged = removeAllDeprecatedFieldsOnUnrelatedAuthProfiles(merged)
 		}
 
@@ -92,12 +84,14 @@ func mergedMetadata(base []Metadata, add ...Metadata) []Metadata {
 // We normally have accessKey, secretKey, and region fields marked required as it is part of the builtin AWS auth profile fields.
 // However, as we rm the aws prefixed ones, we need to then mark the normally required ones as not required only for postgres and kafka.
 // This way we do not break existing users, and transition them to the standardized fields.
-func removeRequiredOnSomeAWSFields(metadata *[]*Metadata) {
+func removeRequiredOnSomeAWSFields(metadata *[]Metadata) {
 	if metadata == nil {
 		return
 	}
 
-	for _, field := range *metadata {
+	for i := range *metadata {
+		field := &(*metadata)[i]
+
 		if field == nil {
 			continue
 		}
@@ -125,7 +119,11 @@ func removeSomeDeprecatedFieldsOnUnrelatedAuthProfiles(metadata []Metadata) []Me
 	filteredMetadata := []Metadata{}
 
 	for _, field := range metadata {
-		if field.Name == "awsAccessKey" || field.Name == "awsSecretKey" || field.Name == "awsSessionToken" {
+		// region is required in Assume Role auth profile, so this is needed for now.
+		if field.Name == "region" {
+			field.Required = true
+		}
+		if field.Name == "awsAccessKey" || field.Name == "awsSecretKey" || field.Name == "awsSessionToken" || field.Name == "awsRegion" {
 			continue
 		} else {
 			filteredMetadata = append(filteredMetadata, field)

bindings/kafka/metadata.yaml

@@ -29,14 +29,6 @@ builtinAuthenticationProfiles:
         example: '"awsiam"'
         allowedValues:
           - "awsiam"
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS Relational Database Service is deployed to.
-        example: '"us-east-1"'
       - name: awsAccessKey
         type: string
         required: false
@@ -82,7 +74,7 @@ builtinAuthenticationProfiles:
           If both fields are set, then 'sessionName' value will be used.
           Represents the session name for assuming a role.
         example: '"MyAppSession"'
-        default: '"MSKSASLDefaultSession"'
+        default: '"DaprDefaultSession"'
 authenticationProfiles:
   - title: "OIDC Authentication"
     description: |

bindings/postgres/metadata.go

@@ -28,7 +28,7 @@ const (
 
 type psqlMetadata struct {
 	pgauth.PostgresAuthMetadata `mapstructure:",squash"`
-	aws.AWSIAM                  `mapstructure:",squash"`
+	aws.DeprecatedPostgresIAM   `mapstructure:",squash"`
 	Timeout                     time.Duration `mapstructure:"timeout" mapstructurealiases:"timeoutInSeconds"`
 }
 

bindings/postgres/metadata.yaml

@@ -56,23 +56,21 @@ builtinAuthenticationProfiles:
         example: |
           "host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=dapr_test sslmode=require"
         type: string
-      - name: awsRegion
-        type: string
-        required: true
-        description: |
-          The AWS Region where the AWS Relational Database Service is deployed to.
-        example: '"us-east-1"'
       - name: awsAccessKey
         type: string
-        required: true
+        required: false
         description: |
+          Deprecated as of Dapr 1.17. Use 'accessKey' instead if using AWS IAM.
+          If both fields are set, then 'accessKey' value will be used.
           AWS access key associated with an IAM account.
         example: '"AKIAIOSFODNN7EXAMPLE"'
       - name: awsSecretKey
         type: string
-        required: true
+        required: false
         sensitive: true
         description: |
+          Deprecated as of Dapr 1.17. Use 'secretKey' instead if using AWS IAM.
+          If both fields are set, then 'secretKey' value will be used.
           The secret key associated with the access key.
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
 authenticationProfiles:

bindings/postgres/postgres.go

@@ -26,6 +26,8 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 
 	"github.com/dapr/components-contrib/bindings"
+	awsAuth "github.com/dapr/components-contrib/common/authentication/aws"
+	pgauth "github.com/dapr/components-contrib/common/authentication/postgresql"
 	"github.com/dapr/components-contrib/metadata"
 	"github.com/dapr/kit/logger"
 )
@@ -45,6 +47,11 @@ type Postgres struct {
 	logger logger.Logger
 	db     *pgxpool.Pool
 	closed atomic.Bool
+
+	enableAzureAD bool
+	enableAWSIAM  bool
+
+	awsAuthProvider awsAuth.Provider
 }
 
 // NewPostgres returns a new PostgreSQL output binding.
@@ -59,18 +66,36 @@ func (p *Postgres) Init(ctx context.Context, meta bindings.Metadata) error {
 	if p.closed.Load() {
 		return errors.New("cannot initialize a previously-closed component")
 	}
-
+	opts := pgauth.InitWithMetadataOpts{
+		AzureADEnabled: p.enableAzureAD,
+		AWSIAMEnabled:  p.enableAWSIAM,
+	}
 	m := psqlMetadata{}
-	err := m.InitWithMetadata(meta.Properties)
-	if err != nil {
+	if err := m.InitWithMetadata(meta.Properties); err != nil {
 		return err
 	}
 
+	var err error
 	poolConfig, err := m.GetPgxPoolConfig()
 	if err != nil {
 		return err
 	}
 
+	if opts.AWSIAMEnabled && m.UseAWSIAM {
+		opts, validateErr := m.BuildAwsIamOptions(p.logger, meta.Properties)
+		if validateErr != nil {
+			return fmt.Errorf("failed to validate AWS IAM authentication fields: %w", validateErr)
+		}
+
+		var provider awsAuth.Provider
+		provider, err = awsAuth.NewProvider(ctx, *opts, awsAuth.GetConfig(*opts))
+		if err != nil {
+			return err
+		}
+		p.awsAuthProvider = provider
+		p.awsAuthProvider.UpdatePostgres(ctx, poolConfig)
+	}
+
 	// This context doesn't control the lifetime of the connection pool, and is
 	// only scoped to postgres creating resources at init.
 	connCtx, connCancel := context.WithTimeout(ctx, m.Timeout)
@@ -186,7 +211,11 @@ func (p *Postgres) Close() error {
 	}
 	p.db = nil
 
-	return nil
+	errs := make([]error, 1)
+	if p.awsAuthProvider != nil {
+		errs[0] = p.awsAuthProvider.Close()
+	}
+	return errors.Join(errs...)
 }
 
 func (p *Postgres) query(ctx context.Context, sql string, args ...any) (result []byte, err error) {