eks*: use 0600 in case of file overwrites (#185)

* eks*: use 0600 in case of file overwrites

Signed-off-by: Gyuho Lee <[email protected]>

* vendor: update AWS SDK Go

Signed-off-by: Gyuho Lee <[email protected]>

* CHANGELOG: add v1.5.4

Signed-off-by: Gyuho Lee <[email protected]>

CHANGELOG/CHANGELOG-1.5.md

@@ -3,6 +3,36 @@
 <hr>
 
 
+## [v1.5.4](https://github.com/aws/aws-k8s-tester/releases/tag/v1.5.4) (2020-11-11)
+
+See [code changes](https://github.com/aws/aws-k8s-tester/compare/v1.5.3...v1.5.4).
+
+### `eks`
+
+- Fix [configuration file overwrite permission errors](https://github.com/aws/aws-k8s-tester/pull/185).
+- Fix [VPC creation for us-west-1 region](https://github.com/aws/aws-k8s-tester/pull/183).
+- Increase [`clusterloader2` test timeouts](https://github.com/aws/aws-k8s-tester/pull/181).
+
+### `eksconfig`
+
+- Fix [EC2 service principals checks](https://github.com/aws/aws-k8s-tester/pull/184).
+
+### `pkg/aws`
+
+- Fix [S3 bucket creation for us-east-1 region](https://github.com/aws/aws-k8s-tester/pull/182).
+
+### Dependency
+
+- Upgrade [`github.com/aws/aws-sdk-go`](https://github.com/aws/aws-sdk-go/releases) from [`v1.35.10`](https://github.com/aws/aws-sdk-go/releases/tag/v1.35.10) to [`v1.35.25`](https://github.com/aws/aws-sdk-go/releases/tag/v1.35.25).
+
+### Go
+
+- Compile with [*Go 1.15.4*](https://golang.org/doc/devel/release.html#go1.15).
+
+
+<hr>
+
+
 ## [v1.5.3](https://github.com/aws/aws-k8s-tester/releases/tag/v1.5.3) (2020-10-20)
 
 See [code changes](https://github.com/aws/aws-k8s-tester/compare/v1.5.2...v1.5.3).

eks/app-mesh/app-mesh.go

@@ -232,7 +232,8 @@ func (ts *tester) createPolicy() error {
 		return errors.New("roles not found from node group or managed node group")
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnAppMesh.PolicyCFNStackYAMLPath, []byte(templatePolicy), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnAppMesh.PolicyCFNStackYAMLPath, []byte(templatePolicy), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/cluster/cluster.go

@@ -391,7 +391,8 @@ func (ts *tester) createEKS() (err error) {
 			return err
 		}
 
-		if err := ioutil.WriteFile(ts.cfg.EKSConfig.Status.ClusterCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+		// grant write permission in case of overwrites
+		if err := ioutil.WriteFile(ts.cfg.EKSConfig.Status.ClusterCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 			return err
 		}
 		if err := aws_s3.Upload(

eks/cluster/role.go

@@ -237,7 +237,8 @@ func (ts *tester) createClusterRole() error {
 		return errors.New("cannot create a cluster role with an empty Parameters.RoleName")
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.Parameters.RoleCFNStackYAMLPath, []byte(TemplateClusterRole), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.Parameters.RoleCFNStackYAMLPath, []byte(TemplateClusterRole), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/cluster/vpc.go

@@ -757,7 +757,8 @@ func (ts *tester) createVPC() error {
 
 	vpcName := ts.cfg.EKSConfig.Name + "-vpc"
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.Parameters.VPCCFNStackYAMLPath, []byte(TemplateVPCPublicPrivate), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.Parameters.VPCCFNStackYAMLPath, []byte(TemplateVPCPublicPrivate), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/fargate/fargate.go

@@ -260,7 +260,8 @@ func (ts *tester) createRole() error {
 		return errors.New("cannot create a cluster role with an empty AddOnFargate.RoleName")
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnFargate.RoleCFNStackYAMLPath, []byte(TemplateRole), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnFargate.RoleCFNStackYAMLPath, []byte(TemplateRole), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/irsa-fargate/irsa-fargate.go

@@ -404,7 +404,8 @@ func (ts *tester) createRole() error {
 		return err
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnIRSAFargate.RoleCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnIRSAFargate.RoleCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/irsa/irsa.go

@@ -381,7 +381,8 @@ func (ts *tester) createRole() error {
 		return err
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnIRSA.RoleCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnIRSA.RoleCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/key-pair.go

@@ -67,7 +67,7 @@ func (ts *Tester) createKeyPair() (err error) {
 	if err = ioutil.WriteFile(
 		ts.cfg.RemoteAccessPrivateKeyPath,
 		[]byte(*output.KeyMaterial),
-		0400,
+		0600, // grant write permission in case of overwrites
 	); err != nil {
 		return err
 	}

eks/mng/nodes.go

@@ -319,7 +319,8 @@ func (ts *tester) createASGs() (err error) {
 			}
 			stackInput.TemplateBody = aws.String(buf.String())
 
-			if err = ioutil.WriteFile(cur.MNGCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+			// grant write permission in case of overwrites
+			if err = ioutil.WriteFile(cur.MNGCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 				return err
 			}
 			if err = aws_s3.Upload(

eks/mng/role.go

@@ -286,7 +286,8 @@ func (ts *tester) createRole() error {
 	if err := tpl.Execute(buf, tr); err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnManagedNodeGroups.RoleCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnManagedNodeGroups.RoleCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/mng/security-groups.go

@@ -223,7 +223,8 @@ func (ts *tester) createSG(name string) error {
 		return err
 	}
 
-	if err := ioutil.WriteFile(cur.RemoteAccessSecurityCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(cur.RemoteAccessSecurityCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/ng/nodes.go

@@ -466,7 +466,8 @@ func (ts *tester) createASGs() error {
 			return err
 		}
 
-		if err := ioutil.WriteFile(cur.ASGCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+		// grant write permission in case of overwrites
+		if err := ioutil.WriteFile(cur.ASGCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 			return err
 		}
 		ts.cfg.Logger.Info("creating a new NG using CFN",

eks/ng/role.go

@@ -304,7 +304,8 @@ func (ts *tester) createRole() error {
 	if err := tpl.Execute(buf, tr); err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnNodeGroups.RoleCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnNodeGroups.RoleCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/ng/security-groups.go

@@ -193,7 +193,8 @@ func (ts *tester) createSG() error {
 		return err
 	}
 
-	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnNodeGroups.NodeGroupSecurityGroupCFNStackYAMLPath, buf.Bytes(), 0400); err != nil {
+	// grant write permission in case of overwrites
+	if err := ioutil.WriteFile(ts.cfg.EKSConfig.AddOnNodeGroups.NodeGroupSecurityGroupCFNStackYAMLPath, buf.Bytes(), 0600); err != nil {
 		return err
 	}
 	if err := aws_s3.Upload(

eks/ng/ssm.go

@@ -112,7 +112,8 @@ func (ts *tester) createSSMDocument() error {
 			continue
 		}
 
-		if err := ioutil.WriteFile(cur.SSMDocumentCFNStackYAMLPath, []byte(TemplateSSMDocument), 0400); err != nil {
+		// grant write permission in case of overwrites
+		if err := ioutil.WriteFile(cur.SSMDocumentCFNStackYAMLPath, []byte(TemplateSSMDocument), 0600); err != nil {
 			return err
 		}
 		if err := aws_s3.Upload(

eksconfig/config.go

@@ -560,6 +560,7 @@ func (cfg *Config) evaluateCommandRefs() error {
 }
 
 // Sync persists current configuration and states to disk.
+// Every call overwrites the previous contents if any.
 func (cfg *Config) Sync() (err error) {
 	cfg.mu.Lock()
 	defer cfg.mu.Unlock()

go.mod

@@ -43,7 +43,7 @@ replace (
 )
 
 require (
-	github.com/aws/aws-sdk-go v1.35.10
+	github.com/aws/aws-sdk-go v1.35.25
 	github.com/briandowns/spinner v1.11.1
 	github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575
 	github.com/davecgh/go-spew v1.1.1

go.sum

@@ -102,8 +102,8 @@ github.com/auth0/go-jwt-middleware v0.0.0-20170425171159-5493cabe49f7/go.mod h1:
 github.com/aws/aws-sdk-go v1.6.10/go.mod h1:ZRmQr0FajVIyZ4ZzBYKG5P3ZqPz9IHG41ZoMu1ADI3k=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.28.2/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.35.10 h1:FsJtrOS7P+Qmq1rPTGgS/+qC1Y9eGuAJHvAZpZlhmb4=
-github.com/aws/aws-sdk-go v1.35.10/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k=
+github.com/aws/aws-sdk-go v1.35.25 h1:0+UC6ZquMOLvYABoz0olShCAe+M9oKllgPfr2hnv9zE=
+github.com/aws/aws-sdk-go v1.35.25/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k=
 github.com/bazelbuild/bazel-gazelle v0.18.2/go.mod h1:D0ehMSbS+vesFsLGiD6JXu3mVEzOlfUl8wNnq+x/9p0=
 github.com/bazelbuild/bazel-gazelle v0.19.1-0.20191105222053-70208cbdc798/go.mod h1:rPwzNHUqEzngx1iVBfO/2X2npKaT3tqPqqHW6rVsn/A=
 github.com/bazelbuild/buildtools v0.0.0-20190731111112-f720930ceb60/go.mod h1:5JP0TXzWDHXv8qvxRC4InIazwdyDseBDbzESUMKk1yU=