Upgrade AWS EC2 usage to Go SDK V2

[gargipanatula]

What type of PR is this?

Uncomment only one, leave it on its own line:

/kind api-change
/kind bug

/kind cleanup

/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
The AWS SDK Go V1 is being deprecated on July 31, 2025. This PR migrates usage of the EC2 SDK to use V2.
Context: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/

Changes:

• CredentialsChainVerboseErrors has been removed from the EC2 Client (see NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors aws/aws-sdk-go#2914)
• In v1, BeforeSign caused some requests to be marked as non-retryable in some cases. Now, due to the V2's migration to middleware, the Finalize step (through delayPreSign()) now throws errors with a custom nonRetryableError error code when the same conditions are met. The EC2 Client is configured with a custom retrier, customRetryer, which will catch this error and cause the request to not be retried.
• Logging: AWS API Send has been split up into two logs due to changes in where the logged information is available throughout the middleware. Request parameters are only available in the Initialize and Serialize step.
  Old logs:

newer

I0514 05:05:54.252687      11 log_handler.go:27] AWS request: ec2 CreateTags
  
I0514 05:05:54.452106      11 log_handler.go:32] AWS API Send: ec2 CreateTags &{CreateTags POST / <nil> <nil>} {
  Resources: ["i-09271f1185db6f280"],
  Tags: [{
      Key: "aws:eks:cluster-name",
      Value: "panatula513116"
    }]
}

I0514 05:05:54.452139      11 log_handler.go:37] AWS API ValidateResponse: ec2 CreateTags &{CreateTags POST / <nil> <nil>} {
  Resources: ["i-09271f1185db6f280"],
  Tags: [{
      Key: "aws:eks:cluster-name",
      Value: "panatula513116"
    }]
} 200 OK

older

New logs:

newer

AWS API Send: EC2 CreateTags &{[i-0adbe1d0ed4bb2329] [{0xc000a20e60 0xc000a20e70 {}}] <nil> {}}

AWS API Send: EC2 CreateTags POST /

AWS request: EC2 CreateTags

AWS API ValidateResponse: EC2 CreateTags 200

older

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Testing details:
Added unit tests to verify custom endpoint resolver and retrier in the EC2 Client, included in the aws_sdk_test.go file.
Ran make && make test. Created a personal cluster and manually added nodes to verify that tags were still properly added. Ran e2e tests on the cluster using the following commands:

export KUBECONFIG=<kubeconfig path>
export AWS_REGION=us-west-2
export TEST_PATH=./tests/e2e/...
export GINKGO_NODES=4
export GINKGO_FOCUS=[cloud-provider-aws-e2e]
export GINGKO_SKIP=[Disruptive]
go install github.com/onsi/ginkgo/[email protected]
export PATH=$PATH:$HOME/go/bin
pushd ./tests/e2e
ginkgo . -v -p --nodes=$GINKGO_NODES --focus=$GINKGO_FOCUS --skip=$GINKGO_SKIP

<...test output...>
Ran 3 of 3 Specs in 72.299 seconds
SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestE2E (72.30s)
PASS

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: gargipanatula (f6656f0, 8c3247a, b2d1ea1, 1bee994, 1411b8e, 925e1c3, acbf066, c541d7e, 6c84087, b82bcf9, 81fea36, bcefb6c, cbdcf59, d296f11, 02bf013, 6860ec5, ab352af, 8f638db, 5e3a740, 72ede54, 1671354, 43ce0b8, 930fdd7, a4ee11d, 60e5164, fa28f14, e9d8941)

[k8s-ci-robot]

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

Welcome @gargipanatula!

It looks like this is your first PR to kubernetes/cloud-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/cloud-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @gargipanatula. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[yue9944882]

nit: change the array type []string{..} to the new ec2 type and cast it to string when needed

[gargipanatula]

I agree that this would be better, but it's only used as a parameter to newEc2Filter, which expects a []string{}. Converting aliveFilter to strings just for that function might be a little messy, so maybe we can keep it as a []string{}? Let me know if that sounds ok, open to either way.

[yue9944882]

why do we need this interface type? is it for testing purpose?

[gargipanatula]

Yes. Previously, awsSdkEC2 and MockedEC2API wrapped ec2iface.EC2API to mock the ec2 client. In v2, the API doesn't exist, so we have to create our own interface and wrap that instead.
More details: https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/unit-testing.html

[haoranleo]

Yea, we can only keep the interface for functions required for testing for simplicity. For example, if only CreateSecurityGroup is needed for the tests, we can only keep it and remove others.

[gargipanatula]

Yeah that makes sense. All these guys are mocked though, mostly by FakeEC2Impl, so maybe we can keep it as is for now to minimize changes in this PR and address it in the future.

[yue9944882]

nit: rename it to EC2APIForTesting?

[yue9944882]

can you add a code comment here to note that original implementation in SDK v1?

[yue9944882]

why do we need EC2API interface above, if we already have this one.

[gargipanatula]

EC2API is used to mock the EC2 client in general, whereas this interface is used to provide custom implementations over existing EC2 functionality (e.g. returning []*ec2.SecurityGroup instead of the default ec2.DescribeSecurityGroupsOutput in DescribeSecurityGroups()). I assume this was originally created for mocking, because some operations return paginated results which are hard to mock.

One example of how this is in findSecurityGroup. Cloud.ec2 is iface.EC2, and the result of cloud.ec2.DescribeSecurityGroups is []*ec2.SecurityGroup.

Compare this to DescribeSecurityGroups, where awsSdkEC2.ec2 is EC2API, and the result of awsSdkEC2.ec2.DescribeSecurityGroups is *ec2.DescribeSecurityGroupsOutput.

[haoranleo]

I don't get it, the detailed implementation for mock can be different but shouldn't the interface be the same? We can only keep this interface and reuse it for mocking

[gargipanatula]

I think it's because the original authors wanted two levels of mocking. The first one is that they wanted to mock the EC2 Client functions, hence their usage of ec2iface.EC2API (now EC2API). The second one is that they had their own set of functions, and to mock these, they made iface.EC2. These functions are not really related to the EC2 Client, they're essentially functions that happen to call the EC2 API and do their own thing.

I believe that if we take out iface.EC2, then we don't have a way to mock things like awsSdkEC2.DescribeSecurityGroups

[yue9944882]

could you share the original implementation for this in v1?

[kmala]

why wrap in a func ?

[gargipanatula]

If we don't wrap, it interprets tc.work(ctx) as a function call, so I wrapped it to satisfy the fact that .Until needs a func()

[kmala]

can we just pass ctx as the argument as the second one is based on ctx anyway?

[kmala]

why is the instance if removed? without the filter it will query all the instances right ?

[gargipanatula]

My bad - fixed.

[kmala]

ctx is already provided as function param right, can we use it instead of TODO()?

[kmala]

we do provide override for the endpoint to be used https://github.com/kubernetes/cloud-provider-aws/blob/master/pkg/providers/v1/config/config.go#L192-L204

[gargipanatula]

Thank you - added client level overrides!

[kmala]

is there a way to test these in unit test? if not can you share the log details just to make sure we the behavior is same?

[gargipanatula]

Yep will paste the logs in the PR description, thank you.

[kmala]

can we test this using an unit test?

[gargipanatula]

For clarification, do we want to add a test for getCrossRequestRetryDelay or for the middleware functions themselves? The functions called in middleware, like ComputeDelayForRequest are tested in separate unit tests.

[kmala]

i see you are creating this error as a normal one using errors.new, then will errors.As succeed here ?

[gargipanatula]

Ah you're right - errors.As would be false for NON_RETRYABLE_ERRORs. Will do a simple error message check instead.

[haoranleo]

Why we pass the value instead of pointer type here?

[haoranleo]

Same as above

[haoranleo]

nit: if passing value is desired for this function, we can directly use value type var found ec2types.IpPermission. There is no need to transform to pointer and back then.

[haoranleo]

nit: maybe worth thinking a new name for existing

[haoranleo]

Yea, we can only keep the interface for functions required for testing for simplicity. For example, if only CreateSecurityGroup is needed for the tests, we can only keep it and remove others.

[haoranleo]

When creating the config, can we use

config.LoadDefaultConfig(ctx, config.WithDefaultsMode(aws.DefaultsModeInRegion), 
  awsConfig.WithRegion(regionName),
  ... // plus any other configurations
)

that will give us default configurations https://github.com/aws/aws-sdk-go-v2/blob/main/aws/defaults/defaults.go#L26-L32

[haoranleo]

nit: we can embed them into awsConfig.Withxxx in awsConfig.LoadDefaultConfig above

[haoranleo]

nit: same for retry, which can also be embedded into awsConfig.WithRetryer. But given we specify the default mode, the standard retryer will be picked by default so we don't need to explicitly set this.

If there is a need to set up custom retryer we can do something like:

awsConfig.WithRetryer(func() aws.Retryer {
    return retry.AddWithMaxAttempts(retry.NewStandard(), 5)
})

[gargipanatula]

The reason we need to have a custom retryer is because we need to mark requests as non retryable under specific conditions. In v2, we do this via a combination of middleware and custom retry logic (see here: https://github.com/kubernetes/cloud-provider-aws/pull/1146/files#r2082328615).

The custom retryer you shared would definitely limit the number of retries, but it would do it for all requests. In this case, we need to be able to catch a specific case and never retry that.

[haoranleo]

I don't get it, the detailed implementation for mock can be different but shouldn't the interface be the same? We can only keep this interface and reuse it for mocking

[haoranleo]

Why do we need this? I didn't see it used anywhere.

v2 retryer itself has an implementation to decide which errors are retryable https://github.com/aws/aws-sdk-go-v2/blob/main/aws/retry/retryable_error.go#L15. But I didn't see the purpose of custom retryer here

[gargipanatula]

We're replicating a handler function, which used to mark a request as non retryable. In v2, we can't directly mark a request as non retryable, so we have to 1) throw a custom error from the middleware stage and 2) have a retryer that can catch that error and return false for IsErrorRetryable().
Original handler:

cloud-provider-aws/pkg/providers/v1/retry_handler.go

Line 51 in 9aab0da

func (c *CrossRequestRetryDelay) BeforeSign(r *request.Request) {

It's used for the EC2 aws sdk go v2 client:

cloud-provider-aws/pkg/providers/v1/aws_sdk.go

Line 147 in f6656f0

o.Retryer = &customRetryer{

[cartermckinnon]

/ok-to-test

[gargipanatula]

/retest
/retest-required

[kmala]

/lgtm

[kmala]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kmala, yue9944882

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kmala]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment