andrewjjenkins · March 22, 2018 21:32
diff --git a/dynamo-egress.yaml b/dynamo-egress.yaml
 apiVersion: config.istio.io/v1alpha2
 kind: EgressRule
 metadata:
  name: aws-dynamo-us-west-2-egress
  namespace: default
 spec:
  destination:
    service: dynamodb.us-west-2.amazonaws.com
  ports:
  - port: 443
    protocol: https
diff --git a/useWrapped.go b/useWrapped.go
 import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/you/repo/pkg/awswrapper"
 )

 type Dynamo struct {
 	Session *session.Session
 	Db      *dynamodb.DynamoDB
 }

 func NewWithConfig(cfg *aws.Config) (*Dynamo, error) {
 	sess, err := awswrapper.AwsSession("Test", cfg)
 	if err != nil {
 		return nil, err
 	}

 	dyn := &Dynamo{
 		Session: sess,
 		Db:      dynamodb.New(sess),
 	}
 	return dyn, nil
 }
diff --git a/wrapAwsSession.go b/wrapAwsSession.go
 package awswrapper

 import (
 	"net/http"

 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/golang/glog"

 	"github.com/you/repo/pkg/tracing"
 )

 type Config struct {
 	InMesh   bool
 	Endpoint string // http://dynamodb.us-west-2.amazonaws.com
 	Label    string // Used in logging messages to identify
 }

 func istioEgressEPResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
 	ep, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
 	if err != nil {
 		return ep, err
 	}
 	ep.URL = ep.URL + ":443"
 	return ep, nil
 }

 func AwsConfig(cfg Config) *aws.Config {
 	config := aws.NewConfig().
 		WithEndpoint(cfg.Endpoint)

 	if cfg.InMesh {
 		glog.Infof("Using http for AWS for %s", cfg.Label)
 		config = config.WithDisableSSL(true).
 			WithEndpointResolver(endpoints.ResolverFunc(istioEgressEPResolver))
 	}
 	return config
 }

 func AwsSession(label string, cfg *aws.Config) (*session.Session, error) {
 	sess, err := session.NewSession(cfg)
 	if err != nil {
 		return nil, err
 	}

 	// This has to be the first handler before core.SendHandler which
 	// performs the operation of sending request over the wire.
 	// Note that Send Handler is used which are invoked after the signing of
 	// request is completed which means Tracing headers would not be signed.
 	// Signing of tracing headers causes request failures as Istio changes the
 	// headers and signature validation fails.
 	sess.Handlers.Send.PushFront(addTracingHeaders)
 	sess.Handlers.Send.PushBack(func(r *request.Request) {
 		glog.V(6).Infof("%s: %s %s://%s%s",
 			label,
 			r.HTTPRequest.Method,
 			r.HTTPRequest.URL.Scheme,
 			r.HTTPRequest.URL.Host,
 			r.HTTPRequest.URL.Path,
 		)
 	})
 	// This handler is added after core.SendHandler so that the tracing headers
 	// can be removed. This is required in case of retries, the request is signed
 	// again and if the request headers contain Tracing headers retry signature
 	// validation will fail as Istio will update these headers.
 	sess.Handlers.Send.PushBack(removeTracingHeaders)

 	return sess, nil
 }
	apiVersion: config.istio.io/v1alpha2
	kind: EgressRule
	metadata:
	name: aws-dynamo-us-west-2-egress
	namespace: default
	spec:
	destination:
	service: dynamodb.us-west-2.amazonaws.com
	ports:
	- port: 443
	protocol: https
	import (
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/dynamodb"
	"github.com/you/repo/pkg/awswrapper"
	)

	type Dynamo struct {
	Session *session.Session
	Db *dynamodb.DynamoDB
	}

	func NewWithConfig(cfg aws.Config) (Dynamo, error) {
	sess, err := awswrapper.AwsSession("Test", cfg)
	if err != nil {
	return nil, err
	}

	dyn := &Dynamo{
	Session: sess,
	Db: dynamodb.New(sess),
	}
	return dyn, nil
	}
	package awswrapper

	import (
	"net/http"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/endpoints"
	"github.com/aws/aws-sdk-go/aws/request"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/golang/glog"

	"github.com/you/repo/pkg/tracing"
	)

	type Config struct {
	InMesh bool
	Endpoint string // http://dynamodb.us-west-2.amazonaws.com
	Label string // Used in logging messages to identify
	}

	func istioEgressEPResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
	ep, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
	if err != nil {
	return ep, err
	}
	ep.URL = ep.URL + ":443"
	return ep, nil
	}

	func AwsConfig(cfg Config) *aws.Config {
	config := aws.NewConfig().
	WithEndpoint(cfg.Endpoint)

	if cfg.InMesh {
	glog.Infof("Using http for AWS for %s", cfg.Label)
	config = config.WithDisableSSL(true).
	WithEndpointResolver(endpoints.ResolverFunc(istioEgressEPResolver))
	}
	return config
	}

	func AwsSession(label string, cfg aws.Config) (session.Session, error) {
	sess, err := session.NewSession(cfg)
	if err != nil {
	return nil, err
	}

	// This has to be the first handler before core.SendHandler which
	// performs the operation of sending request over the wire.
	// Note that Send Handler is used which are invoked after the signing of
	// request is completed which means Tracing headers would not be signed.
	// Signing of tracing headers causes request failures as Istio changes the
	// headers and signature validation fails.
	sess.Handlers.Send.PushFront(addTracingHeaders)
	sess.Handlers.Send.PushBack(func(r *request.Request) {
	glog.V(6).Infof("%s: %s %s://%s%s",
	label,
	r.HTTPRequest.Method,
	r.HTTPRequest.URL.Scheme,
	r.HTTPRequest.URL.Host,
	r.HTTPRequest.URL.Path,
	)
	})
	// This handler is added after core.SendHandler so that the tracing headers
	// can be removed. This is required in case of retries, the request is signed
	// again and if the request headers contain Tracing headers retry signature
	// validation will fail as Istio will update these headers.
	sess.Handlers.Send.PushBack(removeTracingHeaders)

	return sess, nil
	}