chore: retrieve imported certificates from manifest and ssm (#3688)

This PR reads the deployed environment's manifest before attempting reading from SSM configuration for environment for imported certs.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

Author: Lou1415926

internal/pkg/cli/deploy/svc.go

@@ -147,6 +147,10 @@ type aliasCertValidator interface {
 	ValidateCertAliases(aliases []string, certs []string) error
 }
 
+type configDescriber interface {
+	Manifest() ([]byte, error)
+}
+
 type workloadDeployer struct {
 	name          string
 	app           *config.Application
@@ -165,12 +169,30 @@ type workloadDeployer struct {
 	endpointGetter     endpointGetter
 	spinner            spinner
 	templateFS         template.Reader
+	envConfigDescriber configDescriber
 
 	// Cached variables.
 	defaultSess              *session.Session
 	defaultSessWithEnvRegion *session.Session
 	envSess                  *session.Session
 	store                    *config.Store
+	environmentConfig        *manifest.Environment
+}
+
+func (d *workloadDeployer) cachedEnvironmentConfig() (*manifest.Environment, error) {
+	if d.environmentConfig != nil {
+		return d.environmentConfig, nil
+	}
+	mft, err := d.envConfigDescriber.Manifest()
+	if err != nil {
+		return nil, fmt.Errorf("read the manifest used to deploy environment %s: %w", d.env.Name, err)
+	}
+	env, err := manifest.UnmarshalEnvironment(mft)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal the manifest used to deploy environment %s: %w", d.env.Name, err)
+	}
+	d.environmentConfig = env
+	return d.environmentConfig, nil
 }
 
 // WorkloadDeployerInput is the input to for workloadDeployer constructor.
@@ -220,7 +242,7 @@ func newWorkloadDeployer(in *WorkloadDeployerInput) (*workloadDeployer, error) {
 	imageBuilderPusher := repository.NewWithURI(
 		ecr.New(defaultSessEnvRegion), repoName, resources.RepositoryURLs[in.Name])
 	store := config.NewSSMStore(identity.New(defaultSession), ssm.New(defaultSession), aws.StringValue(defaultSession.Config.Region))
-	endpointGetter, err := describe.NewEnvDescriber(describe.NewEnvDescriberConfig{
+	envDescriber, err := describe.NewEnvDescriber(describe.NewEnvDescriberConfig{
 		App:         in.App.Name,
 		Env:         in.Env.Name,
 		ConfigStore: store,
@@ -240,9 +262,10 @@ func newWorkloadDeployer(in *WorkloadDeployerInput) (*workloadDeployer, error) {
 		templater:          addonsSvc,
 		imageBuilderPusher: imageBuilderPusher,
 		deployer:           cloudformation.New(envSession),
-		endpointGetter:     endpointGetter,
+		endpointGetter:     envDescriber,
 		spinner:            termprogress.NewSpinner(log.DiagnosticWriter),
 		templateFS:         template.New(),
+		envConfigDescriber: envDescriber,
 
 		defaultSess:              defaultSession,
 		defaultSessWithEnvRegion: defaultSessEnvRegion,
@@ -999,9 +1022,13 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s
 		}
 		opts = append(opts, stack.WithNLB(cidrBlocks))
 	}
+	envConfig, err := d.cachedEnvironmentConfig()
+	if err != nil {
+		return nil, err
+	}
 	conf, err := stack.NewLoadBalancedWebService(stack.LoadBalancedWebServiceConfig{
 		App:           d.app,
-		Env:           d.env,
+		EnvManifest:   envConfig,
 		Manifest:      d.lbMft,
 		RuntimeConfig: *rc,
 		RootUserARN:   in.RootUserARN,
@@ -1026,9 +1053,13 @@ func (d *backendSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (
 		return nil, err
 	}
 
+	envConfig, err := d.cachedEnvironmentConfig()
+	if err != nil {
+		return nil, err
+	}
 	conf, err := stack.NewBackendService(stack.BackendServiceConfig{
 		App:           d.app,
-		Env:           d.env,
+		EnvManifest:   envConfig,
 		Manifest:      d.backendMft,
 		RuntimeConfig: *rc,
 	})
@@ -1261,15 +1292,19 @@ func (d *backendSvcDeployer) validateALBRuntime() error {
 	if d.backendMft.RoutingRule.IsEmpty() {
 		return nil
 	}
+	hasImportedCerts, err := d.envHasImportedCertificates()
+	if err != nil {
+		return err
+	}
 	switch {
-	case d.backendMft.RoutingRule.Alias.IsEmpty() && d.env.HasImportedCerts():
+	case d.backendMft.RoutingRule.Alias.IsEmpty() && hasImportedCerts:
 		return &errSvcWithNoALBAliasDeployingToEnvWithImportedCerts{
 			name:    d.name,
 			envName: d.env.Name,
 		}
 	case d.backendMft.RoutingRule.Alias.IsEmpty():
 		return nil
-	case !d.env.HasImportedCerts():
+	case !hasImportedCerts:
 		return fmt.Errorf(`cannot specify "alias" in an environment without imported certs`)
 	}
 
@@ -1278,29 +1313,41 @@ func (d *backendSvcDeployer) validateALBRuntime() error {
 		return fmt.Errorf("convert aliases to string slice: %w", err)
 	}
 
-	if err := d.aliasCertValidator.ValidateCertAliases(aliases, d.env.CustomConfig.ImportCertARNs); err != nil {
+	if err := d.aliasCertValidator.ValidateCertAliases(aliases, d.environmentConfig.HTTPConfig.Private.Certificates); err != nil {
 		return fmt.Errorf("validate aliases against the imported certificate for env %s: %w", d.env.Name, err)
 	}
 
 	return nil
 }
 
+func (d *backendSvcDeployer) envHasImportedCertificates() (bool, error) {
+	env, err := d.cachedEnvironmentConfig()
+	if err != nil {
+		return false, err
+	}
+	return len(env.HTTPConfig.Private.Certificates) != 0, nil
+}
 func (d *lbWebSvcDeployer) validateALBRuntime() error {
+	hasImportedCerts, err := d.envHasImportedCertificates()
+	if err != nil {
+		return err
+	}
+
 	if d.lbMft.RoutingRule.Alias.IsEmpty() {
-		if d.env.HasImportedCerts() {
+		if hasImportedCerts {
 			return &errSvcWithNoALBAliasDeployingToEnvWithImportedCerts{
 				name:    d.name,
 				envName: d.env.Name,
 			}
 		}
 		return nil
 	}
-	if d.env.HasImportedCerts() {
+	if hasImportedCerts {
 		aliases, err := d.lbMft.RoutingRule.Alias.ToStringSlice()
 		if err != nil {
 			return fmt.Errorf("convert aliases to string slice: %w", err)
 		}
-		if err := d.aliasCertValidator.ValidateCertAliases(aliases, d.env.CustomConfig.ImportCertARNs); err != nil {
+		if err := d.aliasCertValidator.ValidateCertAliases(aliases, d.environmentConfig.HTTPConfig.Public.Certificates); err != nil {
 			return fmt.Errorf("validate aliases against the imported certificate for env %s: %w", d.env.Name, err)
 		}
 		return nil
@@ -1320,7 +1367,12 @@ func (d *lbWebSvcDeployer) validateNLBRuntime() error {
 	if d.lbMft.NLBConfig.Aliases.IsEmpty() {
 		return nil
 	}
-	if d.env.HasImportedCerts() {
+
+	hasImportedCerts, err := d.envHasImportedCertificates()
+	if err != nil {
+		return err
+	}
+	if hasImportedCerts {
 		return fmt.Errorf("cannot specify nlb.alias when env %s imports one or more certificates", d.env.Name)
 	}
 	if d.app.Domain == "" {
@@ -1334,6 +1386,14 @@ func (d *lbWebSvcDeployer) validateNLBRuntime() error {
 	return validateLBWSAlias(d.lbMft.NLBConfig.Aliases, d.app, d.env.Name)
 }
 
+func (d *lbWebSvcDeployer) envHasImportedCertificates() (bool, error) {
+	env, err := d.cachedEnvironmentConfig()
+	if err != nil {
+		return false, err
+	}
+	return len(env.HTTPConfig.Public.Certificates) != 0, nil
+}
+
 func validateLBWSAlias(aliases manifest.Alias, app *config.Application, envName string) error {
 	if aliases.IsEmpty() {
 		return nil

internal/pkg/cli/deploy/svc_test.go

@@ -462,6 +462,9 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 		inForceDeploy     bool
 		inDisableRollback bool
 
+		// Cached variables.
+		inEnvironmentConfig func() *manifest.Environment
+
 		mock func(m *deployMocks)
 
 		wantErr error
@@ -476,9 +479,11 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
 				Region: "us-west-2",
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: mockCertARNs,
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Public.Certificates = mockCertARNs
+				return envConfig
 			},
 			inApp: &config.Application{
 				Name: mockAppName,
@@ -492,9 +497,11 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
 				Region: "us-west-2",
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: mockCertARNs,
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Public.Certificates = mockCertARNs
+				return envConfig
 			},
 			inAliases: manifest.Alias{
 				AdvancedAliases: mockMultiAliases,
@@ -565,9 +572,11 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
 				Region: "us-west-2",
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: mockCertARNs,
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Public.Certificates = mockCertARNs
+				return envConfig
 			},
 			inApp: &config.Application{
 				Name: mockAppName,
@@ -798,9 +807,11 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
 				Region: "us-west-2",
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: mockCertARNs,
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Public.Certificates = mockCertARNs
+				return envConfig
 			},
 			inApp: &config.Application{
 				Name:   mockAppName,
@@ -850,16 +861,22 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) {
 			}
 			tc.mock(m)
 
+			if tc.inEnvironmentConfig == nil {
+				tc.inEnvironmentConfig = func() *manifest.Environment {
+					return &manifest.Environment{}
+				}
+			}
 			deployer := lbWebSvcDeployer{
 				svcDeployer: &svcDeployer{
 					workloadDeployer: &workloadDeployer{
-						name:           mockName,
-						app:            tc.inApp,
-						env:            tc.inEnvironment,
-						resources:      mockResources,
-						deployer:       m.mockServiceDeployer,
-						endpointGetter: m.mockEndpointGetter,
-						spinner:        m.mockSpinner,
+						name:              mockName,
+						app:               tc.inApp,
+						env:               tc.inEnvironment,
+						environmentConfig: tc.inEnvironmentConfig(),
+						resources:         mockResources,
+						deployer:          m.mockServiceDeployer,
+						endpointGetter:    m.mockEndpointGetter,
+						spinner:           m.mockSpinner,
 					},
 					newSvcUpdater: func(f func(*session.Session) serviceForceUpdater) serviceForceUpdater {
 						return m.mockServiceForceUpdater
@@ -1276,9 +1293,13 @@ func TestBackendSvcDeployer_stackConfiguration(t *testing.T) {
 	)
 
 	tests := map[string]struct {
-		App        *config.Application
-		Env        *config.Environment
-		Manifest   *manifest.BackendService
+		App      *config.Application
+		Env      *config.Environment
+		Manifest *manifest.BackendService
+
+		// Cached variables.
+		inEnvironmentConfig func() *manifest.Environment
+
 		setupMocks func(m *deployMocks)
 
 		expectedErr string
@@ -1324,9 +1345,11 @@ func TestBackendSvcDeployer_stackConfiguration(t *testing.T) {
 			},
 			Env: &config.Environment{
 				Name: mockEnvName,
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: []string{"mockCertARN"},
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Private.Certificates = []string{"mockCertARN"}
+				return envConfig
 			},
 			Manifest: &manifest.BackendService{
 				BackendServiceConfig: manifest.BackendServiceConfig{
@@ -1351,9 +1374,11 @@ func TestBackendSvcDeployer_stackConfiguration(t *testing.T) {
 			},
 			Env: &config.Environment{
 				Name: mockEnvName,
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: []string{"mockCertARN"},
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Private.Certificates = []string{"mockCertARN"}
+				return envConfig
 			},
 			Manifest: &manifest.BackendService{
 				BackendServiceConfig: manifest.BackendServiceConfig{
@@ -1377,9 +1402,11 @@ func TestBackendSvcDeployer_stackConfiguration(t *testing.T) {
 			},
 			Env: &config.Environment{
 				Name: mockEnvName,
-				CustomConfig: &config.CustomizeEnv{
-					ImportCertARNs: []string{"mockCertARN"},
-				},
+			},
+			inEnvironmentConfig: func() *manifest.Environment {
+				envConfig := &manifest.Environment{}
+				envConfig.HTTPConfig.Private.Certificates = []string{"mockCertARN"}
+				return envConfig
 			},
 			Manifest: &manifest.BackendService{
 				BackendServiceConfig: manifest.BackendServiceConfig{
@@ -1422,14 +1449,19 @@ func TestBackendSvcDeployer_stackConfiguration(t *testing.T) {
 			if tc.setupMocks != nil {
 				tc.setupMocks(m)
 			}
-
+			if tc.inEnvironmentConfig == nil {
+				tc.inEnvironmentConfig = func() *manifest.Environment {
+					return &manifest.Environment{}
+				}
+			}
 			deployer := &backendSvcDeployer{
 				svcDeployer: &svcDeployer{
 					workloadDeployer: &workloadDeployer{
-						name:           mockSvcName,
-						app:            tc.App,
-						env:            tc.Env,
-						endpointGetter: m.mockEndpointGetter,
+						name:              mockSvcName,
+						app:               tc.App,
+						env:               tc.Env,
+						endpointGetter:    m.mockEndpointGetter,
+						environmentConfig: tc.inEnvironmentConfig(),
 					},
 					newSvcUpdater: func(f func(*session.Session) serviceForceUpdater) serviceForceUpdater {
 						return nil

internal/pkg/config/env.go

@@ -27,11 +27,6 @@ type Environment struct {
 	Telemetry        *Telemetry    `json:"telemetry,omitempty"`    // Optional environment telemetry features.
 }
 
-// HasImportedCerts return if the environment has imported certs.
-func (e *Environment) HasImportedCerts() bool {
-	return e.CustomConfig != nil && len(e.CustomConfig.ImportCertARNs) != 0
-}
-
 // CustomizeEnv represents the custom environment config.
 type CustomizeEnv struct {
 	ImportVPC                   *ImportVPC `json:"importVPC,omitempty"`