GODRIVER-3560 Assume ec2 role explicitly in CI (#2080)

prestonvasquez · web-flow · commit 835c5e1d8a72 · 2025-06-04T15:06:42.000-06:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -26,6 +26,11 @@ timeout:
       script: |
         ls -la
 functions:
+  assume-test-secrets-ec2-role: 
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+
   fetch-source:
     # Executes clone and applies the submitted patch, if any
     - command: git.get_project
@@ -233,9 +238,13 @@ functions:
         display_name: "test_suite.tgz"
 
   bootstrap-mongohoused:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
     - command: subprocess.exec
       params:
         binary: "bash"
+        add_expansions_to_env: true
         args: 
           - ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/pull-mongohouse-image.sh
     - command: subprocess.exec
@@ -580,16 +589,6 @@ functions:
           MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
           make evg-test-load-balancers
 
-  run-serverless-tests:
-    - command: shell.exec
-      type: test
-      params:
-        shell: "bash"
-        working_dir: src/go.mongodb.org/mongo-driver
-        script: |
-          ${PREPARE_SHELL}
-          bash etc/run-serverless-test.sh
-
   run-atlas-data-lake-test:
     - command: shell.exec
       type: test
@@ -1830,14 +1829,6 @@ tasks:
           AUTH: "noauth"
           SSL: "nossl"
 
-  - name: "test-serverless"
-    tags: ["serverless"]
-    commands:
-      - func: start-cse-servers
-      - func: "run-serverless-tests"
-        vars:
-          MONGO_GO_DRIVER_COMPRESSOR: "snappy"
-
   - name: "testgcpkms-task"
     commands:
     - command: shell.exec
@@ -1896,10 +1887,12 @@ tasks:
 
   - name: "testawskms-task"
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: shell.exec
       type: test
       params:
         shell: "bash"
+        add_expansions_to_env: true
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           ${PREPARE_SHELL}
@@ -1909,10 +1902,12 @@ tasks:
     # testawskms-fail-task runs without environment variables.
     # It is expected to fail to obtain credentials.
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: shell.exec
       type: test
       params:
         shell: "bash"
+        add_expansions_to_env: true
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           ${PREPARE_SHELL}
@@ -1925,6 +1920,7 @@ tasks:
       type: test
       params:
         shell: "bash"
+        add_expansions_to_env: true
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           ${PREPARE_SHELL}
@@ -1957,10 +1953,12 @@ tasks:
     # testazurekms-fail-task runs without environment variables.
     # It is expected to fail to obtain credentials.
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: shell.exec
       type: test
       params:
         shell: "bash"
+        add_expansions_to_env: true
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           ${PREPARE_SHELL}
@@ -1985,10 +1983,6 @@ tasks:
 
   - name: "test-aws-lambda-deployed"
     commands:
-      - command: ec2.assume_role
-        params:
-          role_arn: ${LAMBDA_AWS_ROLE_ARN}
-          duration_seconds: 3600
       - command: shell.exec
         type: test
         params:
@@ -2219,73 +2213,7 @@ axes:
         variables:
           GO_DIST: "/opt/golang/go1.22"
 
-  - id: os-serverless
-    display_name: OS
-    values:
-      - id: "rhel87"
-        display_name: "RHEL 8.7"
-        run_on: rhel8.7-small
-        variables:
-          GO_DIST: "/opt/golang/go1.22"
-
 task_groups:
-  - name: serverless_task_group
-    setup_group_can_fail_task: true
-    setup_group_timeout_secs: 1800 # 30 minutes
-    setup_group:
-      - func: fetch-source
-      - func: prepare-resources
-      - func: fix-absolute-paths
-      - func: make-files-executable
-      - func: start-cse-servers
-      - command: shell.exec
-        params:
-          shell: "bash"
-          script: |
-            ${PREPARE_SHELL}
-            bash ${DRIVERS_TOOLS}/.evergreen/serverless/setup-secrets.sh ${VAULT_NAME}
-            bash ${DRIVERS_TOOLS}/.evergreen/serverless/create-instance.sh
-      - command: expansions.update
-        params:
-          file: serverless-expansion.yml
-      - command: shell.exec
-        params:
-          shell: "bash"
-          script: |
-            ${PREPARE_SHELL}
-
-            # Find the crypt_shared library file in the current directory and set the CRYPT_SHARED_LIB_PATH to
-            # the path of that file. Only look for .so, .dll, or .dylib files to prevent matching any other
-            # downloaded files.
-            CRYPT_SHARED_LIB_PATH="$(find $(pwd) -maxdepth 1 -type f \
-              -name 'mongo_crypt_v1.so' -o \
-              -name 'mongo_crypt_v1.dll' -o \
-              -name 'mongo_crypt_v1.dylib')"
-
-            # If we're on Windows, convert the "cygdrive" path to Windows-style paths.
-            if [ "Windows_NT" = "$OS" ]; then
-                CRYPT_SHARED_LIB_PATH=$(cygpath -m $CRYPT_SHARED_LIB_PATH)
-            fi
-
-            echo "CRYPT_SHARED_LIB_PATH: $CRYPT_SHARED_LIB_PATH" >> crypt-expansion.yml
-
-      # Load the expansion file to make an evergreen variable with the current unique version
-      - command: expansions.update
-        params:
-          file: crypt-expansion.yml
-
-    teardown_group:
-      - command: shell.exec
-        params:
-          shell: "bash"
-          script: |
-            ${PREPARE_SHELL}
-            bash ${DRIVERS_TOOLS}/.evergreen/serverless/delete-instance.sh ${VAULT_NAME}
-      - func: handle-test-artifacts
-      - func: cleanup
-    tasks:
-      - ".serverless"
-
   - name: testgcpkms_task_group
     setup_group_can_fail_task: true
     setup_group_timeout_secs: 1800 # 30 minutes
@@ -2294,9 +2222,11 @@ task_groups:
       - func: prepare-resources
       - func: fix-absolute-paths
       - func: make-files-executable
+      - func: assume-test-secrets-ec2-role
       - command: shell.exec
         params:
           shell: "bash"
+          add_expansions_to_env: true
           script: |
             ${PREPARE_SHELL}
             $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/setup.sh
@@ -2321,9 +2251,11 @@ task_groups:
       - func: prepare-resources
       - func: fix-absolute-paths
       - func: make-files-executable
+      - func: assume-test-secrets-ec2-role
       - command: shell.exec
         params:
           shell: "bash"
+          add_expansions_to_env: true
           script: |
             ${PREPARE_SHELL}
             export AZUREKMS_VMNAME_PREFIX="GODRIVER"
@@ -2375,9 +2307,11 @@ task_groups:
       - func: prepare-resources
       - func: fix-absolute-paths
       - func: make-files-executable
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
+          add_expansions_to_env: true
           env:
             AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
           args:
@@ -2399,9 +2333,11 @@ task_groups:
       - func: prepare-resources
       - func: fix-absolute-paths
       - func: make-files-executable
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
+          add_expansions_to_env: true
           env:
             AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
           args:
@@ -2421,10 +2357,12 @@ task_groups:
     setup_group:
       - func: fetch-source
       - func: prepare-resources
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           working_dir: src/go.mongodb.org/mongo-driver
           binary: bash
+          add_expansions_to_env: true
           env:
             LAMBDA_STACK_NAME: dbx-go-lambda
             AWS_REGION: us-east-1
@@ -2706,13 +2644,6 @@ buildvariants:
     tasks:
       - name: ".load-balancer"
 
-  - matrix_name: "serverless"
-    tags: ["pullrequest"]
-    matrix_spec: { os-serverless: "*" }
-    display_name: "Serverless ${os-serverless}"
-    tasks:
-      - "serverless_task_group"
-
   - matrix_name: "kms-kmip-test"
     matrix_spec: { version: ["7.0"], os-ssl-40: ["rhel87-64"] }
     display_name: "KMS KMIP ${os-ssl-40}"
diff --git a/Makefile b/Makefile
@@ -170,30 +170,6 @@ evg-test-search-index:
 evg-test-ocsp:
 	go test -v ./mongo -run TestOCSP $(OCSP_TLS_SHOULD_SUCCEED) >> test.suite
 
-.PHONY: evg-test-serverless
-evg-test-serverless:
-	# Serverless should be tested with all unified tests as well as tests in the following components: CRUD, load balancer,
-	# retryable reads, retryable writes, sessions, transactions and cursor behavior.
-	go test $(BUILD_TAGS) ./mongo/integration -run TestCrudSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestWriteErrorsWithLabels -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestWriteErrorsDetails -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestHintErrors -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestWriteConcernError -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestErrorsCodeNamePropagated -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestLoadBalancerSupport -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/retryable-reads -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableReadsProse -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableWritesSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableWritesProse -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/sessions -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestSessionsProse -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/transactions/legacy -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestConvenientTransactions -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration -run TestCursor -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test $(BUILD_TAGS) ./mongo/integration/unified -run TestUnifiedSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite
-	go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec >> test.suite
-	go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse >> test.suite
-
 .PHONY: evg-test-versioned-api
 evg-test-versioned-api:
 	# Versioned API related tests are in the mongo, integration and unified packages.
diff --git a/etc/run-awskms-test.sh b/etc/run-awskms-test.sh
@@ -4,17 +4,21 @@
 
 echo "Building build-kms-test ... begin"
 BUILD_TAGS="-tags=cse" \
-    PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
-    make build-kms-test
+  PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
+  make build-kms-test
 echo "Building build-kms-test ... end"
 
 . ${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect
 export MONGODB_URI="$ATLAS_FREE"
 
 if [ -z "${EXPECT_ERROR:-}" ]; then
-    . ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh
-    export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET_ACCESS_KEY
-    export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID
+  . ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh
+  export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET_ACCESS_KEY
+  export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID
 fi
 
+# AWS_SESSION_TOKEN is required to get credentials from the drivers/csfle vault
+# but interferes with the testkms binary causing UnrecognizedClientException.
+unset AWS_SESSION_TOKEN
+
 LD_LIBRARY_PATH=./install/libmongocrypt/lib64 PROVIDER='aws' ./testkms
