Enhanced AWS ARN handling to support more partitions

clintonk · web-flow · commit d97ab7f5abd4 · 2026-03-26T13:16:18.000-04:00
diff --git a/storage_drivers/ontap/aws_common.go b/storage_drivers/ontap/aws_common.go
@@ -88,7 +88,7 @@ func initializeAWSAPI(
 	}
 	if secretARN != "" {
 		var err error
-		secretManagerRegion, _, _, err = awsapi.ParseSecretARN(secretARN)
+		_, secretManagerRegion, _, _, err = awsapi.ParseSecretARN(secretARN)
 		if err != nil {
 			return nil, err
 		}
@@ -192,7 +192,7 @@ func getAWSSecretsManagerARNFromConfig(_ context.Context, config *drivers.OntapS
 		return config.Credentials[drivers.KeyName], nil
 	}
 
-	_, _, _, err := awsapi.ParseSecretARN(config.Username)
+	_, _, _, _, err := awsapi.ParseSecretARN(config.Username)
 	if err != nil {
 		return config.Username, errors.NotFoundError("%s, %s driver with FSxN personality must include Credentials of type %s "+
 			"in the configuration", err, config.StorageDriverName, string(drivers.CredentialStoreAWSARN))
diff --git a/storage_drivers/ontap/aws_common_test.go b/storage_drivers/ontap/aws_common_test.go
@@ -332,7 +332,7 @@ func TestParseSecretARN(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			secretARN := test.userName
 
-			_, _, _, err := awsapi.ParseSecretARN(secretARN)
+			_, _, _, _, err := awsapi.ParseSecretARN(secretARN)
 			if test.error == "" {
 				assert.Nil(t, err)
 			} else {
@@ -363,7 +363,7 @@ func TestParseVolumeARN(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			volumeARN := test.userName
 
-			_, _, _, _, err := awsapi.ParseVolumeARN(volumeARN)
+			_, _, _, _, _, err := awsapi.ParseVolumeARN(volumeARN)
 			if test.error == "" {
 				assert.Nil(t, err)
 			} else {
diff --git a/storage_drivers/ontap/awsapi/aws.go b/storage_drivers/ontap/awsapi/aws.go
@@ -35,8 +35,8 @@ const (
 )
 
 var (
-	volumeARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov){1}:fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
-	secretARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov){1}:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
+	volumeARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov|aws-eusc|aws-iso(?:-[a-z0-9]+)?):fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
+	secretARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws|aws-cn|aws-us-gov|aws-eusc|aws-iso(?:-[a-z0-9]+)?):secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
 )
 
 // ClientConfig holds configuration data for the API driver object.
@@ -207,7 +207,7 @@ func (d *Client) DeleteSecret(ctx context.Context, secretARN string) error {
 }
 
 // ParseVolumeARN parses the AWS-style ARN for a volume.
-func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID string, err error) {
+func ParseVolumeARN(volumeARN string) (partition, region, accountID, filesystemID, volumeID string, err error) {
 	match := volumeARNRegex.FindStringSubmatch(volumeARN)
 
 	if match == nil {
@@ -222,6 +222,7 @@ func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID
 		}
 	}
 
+	partition = paramsMap["partition"]
 	region = paramsMap["region"]
 	accountID = paramsMap["accountID"]
 	filesystemID = paramsMap["filesystemID"]
@@ -231,7 +232,7 @@ func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID
 }
 
 // ParseSecretARN parses the AWS-style ARN for a secret.
-func ParseSecretARN(secretARN string) (region, accountID, secretName string, err error) {
+func ParseSecretARN(secretARN string) (partition, region, accountID, secretName string, err error) {
 	match := secretARNRegex.FindStringSubmatch(secretARN)
 
 	if match == nil {
@@ -246,6 +247,7 @@ func ParseSecretARN(secretARN string) (region, accountID, secretName string, err
 		}
 	}
 
+	partition = paramsMap["partition"]
 	region = paramsMap["region"]
 	accountID = paramsMap["accountID"]
 	secretName = paramsMap["secretName"]
@@ -568,7 +570,7 @@ func (d *Client) GetVolumeByName(ctx context.Context, name string) (*Volume, err
 }
 
 func (d *Client) GetVolumeByARN(ctx context.Context, volumeARN string) (*Volume, error) {
-	_, _, _, volumeID, err := ParseVolumeARN(volumeARN)
+	_, _, _, _, volumeID, err := ParseVolumeARN(volumeARN)
 	if err != nil {
 		return nil, err
 	}
@@ -663,7 +665,7 @@ func (d *Client) VolumeExistsByName(ctx context.Context, name string) (bool, *Vo
 }
 
 func (d *Client) VolumeExistsByARN(ctx context.Context, volumeARN string) (bool, *Volume, error) {
-	_, _, _, volumeID, err := ParseVolumeARN(volumeARN)
+	_, _, _, _, volumeID, err := ParseVolumeARN(volumeARN)
 	if err != nil {
 		return false, nil, err
 	}
diff --git a/storage_drivers/ontap/awsapi/aws_test.go b/storage_drivers/ontap/awsapi/aws_test.go
@@ -198,6 +198,7 @@ func TestParseVolumeARN(t *testing.T) {
 		name                 string
 		arn                  string
 		expectError          bool
+		expectedPartition    string
 		expectedRegion       string
 		expectedAccountID    string
 		expectedFilesystemID string
@@ -207,6 +208,7 @@ func TestParseVolumeARN(t *testing.T) {
 			name:                 "ValidARN",
 			arn:                  testVolumeARN,
 			expectError:          false,
+			expectedPartition:    "aws",
 			expectedRegion:       "us-east-1",
 			expectedAccountID:    testAccountID,
 			expectedFilesystemID: testFilesystemID,
@@ -236,6 +238,7 @@ func TestParseVolumeARN(t *testing.T) {
 			name:                 "AWSChinaPartition",
 			arn:                  "arn:aws-cn:fsx:cn-north-1:123456789012:volume/fs-1234567890abcdef0/fv-1234567890abcdef0",
 			expectError:          false,
+			expectedPartition:    "aws-cn",
 			expectedRegion:       "cn-north-1",
 			expectedAccountID:    testAccountID,
 			expectedFilesystemID: testFilesystemID,
@@ -245,16 +248,37 @@ func TestParseVolumeARN(t *testing.T) {
 			name:                 "AWSGovCloudPartition",
 			arn:                  "arn:aws-us-gov:fsx:us-gov-east-1:123456789012:volume/fs-1234567890abcdef0/fv-1234567890abcdef0",
 			expectError:          false,
+			expectedPartition:    "aws-us-gov",
 			expectedRegion:       "us-gov-east-1",
 			expectedAccountID:    testAccountID,
 			expectedFilesystemID: testFilesystemID,
 			expectedVolumeID:     testVolumeID,
 		},
+		{
+			name:                 "AWSTopSecretPartition",
+			arn:                  "arn:aws-iso:fsx:us-iso-east-1:123456789012:volume/fs-1234567890abcdef0/fv-1234567890abcdef0",
+			expectError:          false,
+			expectedPartition:    "aws-iso",
+			expectedRegion:       "us-iso-east-1",
+			expectedAccountID:    testAccountID,
+			expectedFilesystemID: testFilesystemID,
+			expectedVolumeID:     testVolumeID,
+		},
+		{
+			name:                 "AWSSecretPartition",
+			arn:                  "arn:aws-iso-b:fsx:us-iso-b-east-1:123456789012:volume/fs-1234567890abcdef0/fv-1234567890abcdef0",
+			expectError:          false,
+			expectedPartition:    "aws-iso-b",
+			expectedRegion:       "us-iso-b-east-1",
+			expectedAccountID:    testAccountID,
+			expectedFilesystemID: testFilesystemID,
+			expectedVolumeID:     testVolumeID,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			region, accountID, filesystemID, volumeID, err := ParseVolumeARN(tt.arn)
+			partition, region, accountID, filesystemID, volumeID, err := ParseVolumeARN(tt.arn)
 
 			if tt.expectError {
 				assert.Error(t, err)
@@ -263,6 +287,7 @@ func TestParseVolumeARN(t *testing.T) {
 			}
 
 			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedPartition, partition)
 			assert.Equal(t, tt.expectedRegion, region)
 			assert.Equal(t, tt.expectedAccountID, accountID)
 			assert.Equal(t, tt.expectedFilesystemID, filesystemID)
@@ -276,6 +301,7 @@ func TestParseSecretARN(t *testing.T) {
 		name               string
 		arn                string
 		expectError        bool
+		expectedPartition  string
 		expectedRegion     string
 		expectedAccountID  string
 		expectedSecretName string
@@ -284,6 +310,7 @@ func TestParseSecretARN(t *testing.T) {
 			name:               "ValidARN",
 			arn:                testSecretARN,
 			expectError:        false,
+			expectedPartition:  "aws",
 			expectedRegion:     "us-east-1",
 			expectedAccountID:  testAccountID,
 			expectedSecretName: testSecretName,
@@ -312,15 +339,52 @@ func TestParseSecretARN(t *testing.T) {
 			name:               "SpecialCharacters",
 			arn:                "arn:aws:secretsmanager:us-east-1:123456789012:secret:my/secret_name.with+special@chars-AbCdEf",
 			expectError:        false,
+			expectedPartition:  "aws",
 			expectedRegion:     "us-east-1",
 			expectedAccountID:  testAccountID,
 			expectedSecretName: "my/secret_name.with+special@chars",
 		},
+		{
+			name:               "AWSChinaPartition",
+			arn:                "arn:aws-cn:secretsmanager:cn-north-1:123456789012:secret:my/secret_name.with+special@chars-AbCdEf",
+			expectError:        false,
+			expectedPartition:  "aws-cn",
+			expectedRegion:     "cn-north-1",
+			expectedAccountID:  testAccountID,
+			expectedSecretName: "my/secret_name.with+special@chars",
+		},
+		{
+			name:               "AWSGovCloudPartition",
+			arn:                "arn:aws-us-gov:secretsmanager:us-gov-east-1:123456789012:secret:my/secret_name.with+special@chars-AbCdEf",
+			expectError:        false,
+			expectedPartition:  "aws-us-gov",
+			expectedRegion:     "us-gov-east-1",
+			expectedAccountID:  testAccountID,
+			expectedSecretName: "my/secret_name.with+special@chars",
+		},
+		{
+			name:               "AWSTopSecretPartition",
+			arn:                "arn:aws-iso:secretsmanager:us-iso-east-1:123456789012:secret:my/secret_name.with+special@chars-AbCdEf",
+			expectError:        false,
+			expectedPartition:  "aws-iso",
+			expectedRegion:     "us-iso-east-1",
+			expectedAccountID:  testAccountID,
+			expectedSecretName: "my/secret_name.with+special@chars",
+		},
+		{
+			name:               "AWSSecretPartition",
+			arn:                "arn:aws-iso-b:secretsmanager:us-iso-b-east-1:123456789012:secret:my/secret_name.with+special@chars-AbCdEf",
+			expectError:        false,
+			expectedPartition:  "aws-iso-b",
+			expectedRegion:     "us-iso-b-east-1",
+			expectedAccountID:  testAccountID,
+			expectedSecretName: "my/secret_name.with+special@chars",
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			region, accountID, secretName, err := ParseSecretARN(tt.arn)
+			partition, region, accountID, secretName, err := ParseSecretARN(tt.arn)
 
 			if tt.expectError {
 				assert.Error(t, err)
@@ -329,6 +393,7 @@ func TestParseSecretARN(t *testing.T) {
 			}
 
 			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedPartition, partition)
 			assert.Equal(t, tt.expectedRegion, region)
 			assert.Equal(t, tt.expectedAccountID, accountID)
 			assert.Equal(t, tt.expectedSecretName, secretName)

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func initializeAWSAPI(`
`88`	`88`	`}`
`89`	`89`	`if secretARN != "" {`
`90`	`90`	`var err error`
`91`		`- secretManagerRegion, _, _, err = awsapi.ParseSecretARN(secretARN)`
	`91`	`+ _, secretManagerRegion, _, _, err = awsapi.ParseSecretARN(secretARN)`
`92`	`92`	`if err != nil {`
`93`	`93`	`return nil, err`
`94`	`94`	`}`
`@@ -192,7 +192,7 @@ func getAWSSecretsManagerARNFromConfig(_ context.Context, config *drivers.OntapS`
`192`	`192`	`return config.Credentials[drivers.KeyName], nil`
`193`	`193`	`}`
`194`	`194`
`195`		`- _, _, _, err := awsapi.ParseSecretARN(config.Username)`
	`195`	`+ _, _, _, _, err := awsapi.ParseSecretARN(config.Username)`
`196`	`196`	`if err != nil {`
`197`	`197`	`return config.Username, errors.NotFoundError("%s, %s driver with FSxN personality must include Credentials of type %s "+`
`198`	`198`	`"in the configuration", err, config.StorageDriverName, string(drivers.CredentialStoreAWSARN))`
Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,8 @@ const (`
`35`	`35`	`)`
`36`	`36`
`37`	`37`	`var (`
`38`		- volumeARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws\|aws-cn\|aws-us-gov){1}:fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
`39`		- secretARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws\|aws-cn\|aws-us-gov){1}:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
	`38`	+ volumeARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws\|aws-cn\|aws-us-gov\|aws-eusc\|aws-iso(?:-[a-z0-9]+)?):fsx:(?P<region>[^:]+):(?P<accountID>\d{12}):volume/(?P<filesystemID>[A-z0-9-]+)/(?P<volumeID>[A-z0-9-]+)$`)
	`39`	+ secretARNRegex = regexp.MustCompile(`^arn:(?P<partition>aws\|aws-cn\|aws-us-gov\|aws-eusc\|aws-iso(?:-[a-z0-9]+)?):secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)
`40`	`40`	`)`
`41`	`41`
`42`	`42`	`// ClientConfig holds configuration data for the API driver object.`
`@@ -207,7 +207,7 @@ func (d *Client) DeleteSecret(ctx context.Context, secretARN string) error {`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`// ParseVolumeARN parses the AWS-style ARN for a volume.`
`210`		`-func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID string, err error) {`
	`210`	`+func ParseVolumeARN(volumeARN string) (partition, region, accountID, filesystemID, volumeID string, err error) {`
`211`	`211`	`match := volumeARNRegex.FindStringSubmatch(volumeARN)`
`212`	`212`
`213`	`213`	`if match == nil {`
`@@ -222,6 +222,7 @@ func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID`
`222`	`222`	`}`
`223`	`223`	`}`
`224`	`224`
	`225`	`+ partition = paramsMap["partition"]`
`225`	`226`	`region = paramsMap["region"]`
`226`	`227`	`accountID = paramsMap["accountID"]`
`227`	`228`	`filesystemID = paramsMap["filesystemID"]`
`@@ -231,7 +232,7 @@ func ParseVolumeARN(volumeARN string) (region, accountID, filesystemID, volumeID`
`231`	`232`	`}`
`232`	`233`
`233`	`234`	`// ParseSecretARN parses the AWS-style ARN for a secret.`
`234`		`-func ParseSecretARN(secretARN string) (region, accountID, secretName string, err error) {`
	`235`	`+func ParseSecretARN(secretARN string) (partition, region, accountID, secretName string, err error) {`
`235`	`236`	`match := secretARNRegex.FindStringSubmatch(secretARN)`
`236`	`237`
`237`	`238`	`if match == nil {`
`@@ -246,6 +247,7 @@ func ParseSecretARN(secretARN string) (region, accountID, secretName string, err`
`246`	`247`	`}`
`247`	`248`	`}`
`248`	`249`
	`250`	`+ partition = paramsMap["partition"]`
`249`	`251`	`region = paramsMap["region"]`
`250`	`252`	`accountID = paramsMap["accountID"]`
`251`	`253`	`secretName = paramsMap["secretName"]`
`@@ -568,7 +570,7 @@ func (d Client) GetVolumeByName(ctx context.Context, name string) (Volume, err`
`568`	`570`	`}`
`569`	`571`
`570`	`572`	`func (d Client) GetVolumeByARN(ctx context.Context, volumeARN string) (Volume, error) {`
`571`		`- _, _, _, volumeID, err := ParseVolumeARN(volumeARN)`
	`573`	`+ _, _, _, _, volumeID, err := ParseVolumeARN(volumeARN)`
`572`	`574`	`if err != nil {`
`573`	`575`	`return nil, err`
`574`	`576`	`}`
`@@ -663,7 +665,7 @@ func (d Client) VolumeExistsByName(ctx context.Context, name string) (bool, Vo`
`663`	`665`	`}`
`664`	`666`
`665`	`667`	`func (d Client) VolumeExistsByARN(ctx context.Context, volumeARN string) (bool, Volume, error) {`
`666`		`- _, _, _, volumeID, err := ParseVolumeARN(volumeARN)`
	`668`	`+ _, _, _, _, volumeID, err := ParseVolumeARN(volumeARN)`
`667`	`669`	`if err != nil {`
`668`	`670`	`return false, nil, err`
`669`	`671`	`}`