chore(aws): migrate to autohive-integrations-sdk 2.0.0#360
Conversation
- Bump SDK to ~=2.0.0 in requirements.txt - Bump config.json version to 2.0.0 - Fix auth: flat context.auth.get() instead of nested credentials dict - Update helpers.py: error_result() now returns ActionError (not ActionResult) - Remove result/error/error_code fields from all 20 output schemas - Replace context.py + test_aws.py with conftest.py + unit + integration tests - All 20 actions covered by unit tests (25 tests, 25 passing) - Add AWS env vars to root .env.example
🔍 Integration Validation ResultsCommit: Changed directories:
✅ Structure Check output✅ Code Check output✅ Tests Check output✅ README Check output✅ Version Check output |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f85b63da69
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
All unit tests performed and passing. Live integration tests not yet run — AWS credentials required. |
TheRealAgentK
left a comment
TheRealAgentK
left a comment
There was a problem hiding this comment.
Requesting changes for the AWS integration test blockers.
|
Before approval or merge, we need a real integration test run with valid credentials, using the SDK 2 request path. The live tests must fail on |
TheRealAgentK
left a comment
TheRealAgentK
left a comment
There was a problem hiding this comment.
Added a coverage follow-up.
In production SDK 2 contexts, custom auth fields land under context.auth['credentials']. Fall back to the flat context.auth dict so existing unit-test mocks that pass auth keys at the top level continue to work.
- Add pytest.mark.integration to pytestmark - Replace ResultType.SUCCESS (doesn't exist in SDK 2) with ResultType.ACTION - Assert result.type == ResultType.ACTION on all live-path tests - Add tests for all 13 previously missing actions: Security Hub: get_finding_details, get_insights, update_finding_workflow GuardDuty: list_guardduty_findings, get_guardduty_finding_details, archive_findings CloudWatch: get_metric_data, get_alarm_history, set_alarm_state CloudWatch Logs: filter_log_events, get_log_events CloudTrail: get_trail_status, get_event_selectors - Gate service-specific tests on env vars or chain from list actions - Mark destructive tests (update_finding_workflow, archive_findings, set_alarm_state) - Add AWS_ALARM_NAME and AWS_FINDING_ARN to .env.example
…r STS credentials
Live tests:
|
TheRealAgentK
left a comment
TheRealAgentK
left a comment
There was a problem hiding this comment.
Thanks for the AWS follow-up work — this is much closer now. The integration test suite has been expanded to cover all 20 actions, destructive tests are marked, and the live-path assertions now fail on non-action results.
I left a few small comments before I’d call this fully clean: one CloudTrail live-test assertion checks the wrong output key, AWS_SESSION_TOKEN should be documented if tests support it, and session tokens should ideally come from context.auth rather than ambient process env.
| secret_key = creds.get("aws_secret_access_key") | ||
| if not access_key or not secret_key: | ||
| raise ValueError("AWS credentials are missing: aws_access_key_id and aws_secret_access_key are required") | ||
| session_token = creds.get("aws_session_token") or os.environ.get("AWS_SESSION_TOKEN") |
There was a problem hiding this comment.
Could we avoid falling back to the process environment here? Pulling AWS_SESSION_TOKEN from ambient env can mix a user’s configured access key/secret with an unrelated runtime token. It would be cleaner and safer to make aws_session_token an optional auth field in config.json and only pass it to boto3 when it comes from context.auth.
There was a problem hiding this comment.
Fixed in 38b8f48 - removed the os.environ.get("AWS_SESSION_TOKEN") fallback. Session token now comes exclusively from context.auth.get("aws_session_token"), and the import os was removed from helpers.py since it's no longer needed.
|
Follow-up from re-review: |
Exposes aws_session_token as an optional password field in the auth UI so users can configure temporary STS credentials without needing to inject them via environment variables.
…rmalize dash style
|
live test results: |
2 participants
Summary
Test plan