use service pattern for all validators

Author: TylerGillson

internal/controller/awsvalidator_controller.go

@@ -100,6 +100,9 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		// allow flow to proceed - better errors will surface subsequently
 		r.Log.V(0).Error(err, "failed to establish AWS session")
 	}
+	iamRuleService := iam.NewIAMRuleService(r.Log, session)
+	svcQuotaService := servicequota.NewServiceQuotaRuleService(r.Log, session)
+	tagRuleService := tag.NewTagRuleService(r.Log, session)
 
 	// Get the active validator's validation result
 	vr := &valid8orv1alpha1.ValidationResult{}
@@ -125,7 +128,6 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	failed := &monotonicBool{}
 
 	// IAM rules
-	iamRuleService := iam.NewIAMRuleService(r.Log, session)
 	for _, rule := range validator.Spec.IamRoleRules {
 		validationResult, err := iamRuleService.ReconcileIAMRoleRule(nn, rule)
 		if err != nil {
@@ -157,7 +159,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	// Service Quota rules
 	for _, rule := range validator.Spec.ServiceQuotaRules {
-		validationResult, err := servicequota.ReconcileServiceQuotaRule(nn, rule, session, r.Log)
+		validationResult, err := svcQuotaService.ReconcileServiceQuotaRule(nn, rule)
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Service Quota rule")
 		}
@@ -166,7 +168,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	// Tag rules
 	for _, rule := range validator.Spec.TagRules {
-		validationResult, err := tag.ReconcileTagRule(nn, rule, session, r.Log)
+		validationResult, err := tagRuleService.ReconcileTagRule(nn, rule)
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Tag rule")
 		}

internal/validators/iam/iam_validator.go

@@ -22,13 +22,6 @@ import (
 	valid8orv1alpha1 "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 )
 
-type permission struct {
-	Actions    map[iamAction]bool
-	Condition  *v1alpha1.Condition
-	Errors     []string
-	PolicyName string
-}
-
 type iamAction struct {
 	Service string
 	Verb    string
@@ -47,25 +40,32 @@ type missing struct {
 	PolicyName string
 }
 
-type IamRuleObj interface {
+type permission struct {
+	Actions    map[iamAction]bool
+	Condition  *v1alpha1.Condition
+	Errors     []string
+	PolicyName string
+}
+
+type iamRule interface {
 	Name() string
 	IAMPolicies() []v1alpha1.PolicyDocument
 }
 
 type IAMRuleService struct {
-	iamSvc *iam.IAM
 	log    logr.Logger
+	iamSvc *iam.IAM
 }
 
 func NewIAMRuleService(log logr.Logger, s *session.Session) *IAMRuleService {
 	return &IAMRuleService{
-		iamSvc: aws.IAMService(s),
 		log:    log,
+		iamSvc: aws.IAMService(s),
 	}
 }
 
 // ReconcileIAMRoleRule reconciles an IAM role validation rule from an AWSValidator config
-func (s *IAMRuleService) ReconcileIAMRoleRule(nn k8stypes.NamespacedName, rule IamRuleObj) (*types.ValidationResult, error) {
+func (s *IAMRuleService) ReconcileIAMRoleRule(nn k8stypes.NamespacedName, rule iamRule) (*types.ValidationResult, error) {
 
 	// Build the default ValidationResult for this IAM rule
 	vr := buildValidationResult(rule, constants.ValidationTypeIAMRolePolicy)
@@ -95,7 +95,7 @@ func (s *IAMRuleService) ReconcileIAMRoleRule(nn k8stypes.NamespacedName, rule I
 }
 
 // ReconcileIAMUserRule reconciles an IAM user validation rule from an AWSValidator config
-func (s *IAMRuleService) ReconcileIAMUserRule(nn k8stypes.NamespacedName, rule IamRuleObj) (*types.ValidationResult, error) {
+func (s *IAMRuleService) ReconcileIAMUserRule(nn k8stypes.NamespacedName, rule iamRule) (*types.ValidationResult, error) {
 
 	// Build the default ValidationResult for this IAM rule
 	vr := buildValidationResult(rule, constants.ValidationTypeIAMUserPolicy)
@@ -125,7 +125,7 @@ func (s *IAMRuleService) ReconcileIAMUserRule(nn k8stypes.NamespacedName, rule I
 }
 
 // ReconcileIAMGroupRule reconciles an IAM group validation rule from an AWSValidator config
-func (s *IAMRuleService) ReconcileIAMGroupRule(nn k8stypes.NamespacedName, rule IamRuleObj) (*types.ValidationResult, error) {
+func (s *IAMRuleService) ReconcileIAMGroupRule(nn k8stypes.NamespacedName, rule iamRule) (*types.ValidationResult, error) {
 
 	// Build the default ValidationResult for this IAM rule
 	vr := buildValidationResult(rule, constants.ValidationTypeIAMGroupPolicy)
@@ -155,7 +155,7 @@ func (s *IAMRuleService) ReconcileIAMGroupRule(nn k8stypes.NamespacedName, rule
 }
 
 // ReconcileIAMPolicyRule reconciles an IAM policy validation rule from an AWSValidator config
-func (s *IAMRuleService) ReconcileIAMPolicyRule(nn k8stypes.NamespacedName, rule IamRuleObj) (*types.ValidationResult, error) {
+func (s *IAMRuleService) ReconcileIAMPolicyRule(nn k8stypes.NamespacedName, rule iamRule) (*types.ValidationResult, error) {
 
 	// Build the default ValidationResult for this IAM rule
 	vr := buildValidationResult(rule, constants.ValidationTypeIAMPolicy)
@@ -229,7 +229,7 @@ func (s *IAMRuleService) getPolicyDocument(policyArn *string, context []string)
 }
 
 // buildValidationResult builds a default ValidationResult for a given validation type
-func buildValidationResult(rule IamRuleObj, validationType string) *types.ValidationResult {
+func buildValidationResult(rule iamRule, validationType string) *types.ValidationResult {
 	state := valid8orv1alpha1.ValidationSucceeded
 	latestCondition := valid8orv1alpha1.DefaultValidationCondition()
 	latestCondition.Message = fmt.Sprintf("All required %s permissions were found", validationType)
@@ -239,7 +239,7 @@ func buildValidationResult(rule IamRuleObj, validationType string) *types.Valida
 }
 
 // buildPermissions builds an IAM permission map from an IAM rule
-func buildPermissions(rule IamRuleObj) map[string]*permission {
+func buildPermissions(rule iamRule) map[string]*permission {
 	permissions := make(map[string]*permission)
 	for _, p := range rule.IAMPolicies() {
 		for _, s := range p.Statements {
@@ -332,7 +332,7 @@ func updatePermissions(policyDocument *awspolicy.Policy, permissions map[string]
 }
 
 // computeFailures derives IAM rule failures from an IAM permissions map once it has been fully updated
-func computeFailures(rule IamRuleObj, permissions map[string]*permission, vr *types.ValidationResult) {
+func computeFailures(rule iamRule, permissions map[string]*permission, vr *types.ValidationResult) {
 	failures := make([]string, 0)
 	missingActions := make(map[string]*missing)
 

internal/validators/servicequota/servicequota_validator.go

@@ -40,9 +40,21 @@ var quotaUsageFuncs map[string]func(v1alpha1.ServiceQuotaRule, *session.Session,
 	"NAT gateways per Availability Zone": natGatewaysPerAz,
 }
 
+type ServiceQuotaRuleService struct {
+	log     logr.Logger
+	session *session.Session
+}
+
+func NewServiceQuotaRuleService(log logr.Logger, s *session.Session) *ServiceQuotaRuleService {
+	return &ServiceQuotaRuleService{
+		log:     log,
+		session: s,
+	}
+}
+
 // ReconcileServiceQuotaRule reconciles an AWS service quota validation rule from the AWSValidator config
-func ReconcileServiceQuotaRule(nn k8stypes.NamespacedName, rule v1alpha1.ServiceQuotaRule, s *session.Session, log logr.Logger) (*types.ValidationResult, error) {
-	sqSvc := aws.ServiceQuotasService(s, rule.Region)
+func (s *ServiceQuotaRuleService) ReconcileServiceQuotaRule(nn k8stypes.NamespacedName, rule v1alpha1.ServiceQuotaRule) (*types.ValidationResult, error) {
+	sqSvc := aws.ServiceQuotasService(s.session, rule.Region)
 
 	// Build the default latest condition for this tag rule
 	state := valid8orv1alpha1.ValidationSucceeded
@@ -70,12 +82,12 @@ func ReconcileServiceQuotaRule(nn k8stypes.NamespacedName, rule v1alpha1.Service
 			return true
 		})
 		if err != nil || quota == nil {
-			log.V(0).Error(err, "failed to get service quota", "region", rule.Region, "serviceCode", rule.ServiceCode, "quotaName", ruleQuota.Name)
+			s.log.V(0).Error(err, "failed to get service quota", "region", rule.Region, "serviceCode", rule.ServiceCode, "quotaName", ruleQuota.Name)
 			return validationResult, err
 		}
-		usageResult, err := quotaUsageFuncs[ruleQuota.Name](rule, s, log)
+		usageResult, err := quotaUsageFuncs[ruleQuota.Name](rule, s.session, s.log)
 		if err != nil {
-			log.V(0).Error(err, "failed to get usage for service quota", "region", rule.Region, "serviceCode", rule.ServiceCode, "quotaName", ruleQuota.Name)
+			s.log.V(0).Error(err, "failed to get usage for service quota", "region", rule.Region, "serviceCode", rule.ServiceCode, "quotaName", ruleQuota.Name)
 			return validationResult, err
 		}
 		if quota.Value != nil {

internal/validators/tag/tag_validator.go

@@ -17,9 +17,21 @@ import (
 	valid8orv1alpha1 "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 )
 
+type TagRuleService struct {
+	log     logr.Logger
+	session *session.Session
+}
+
+func NewTagRuleService(log logr.Logger, s *session.Session) *TagRuleService {
+	return &TagRuleService{
+		log:     log,
+		session: s,
+	}
+}
+
 // ReconcileTagRule reconciles an EC2 tagging validation rule from the AWSValidator config
-func ReconcileTagRule(nn k8stypes.NamespacedName, rule v1alpha1.TagRule, s *session.Session, log logr.Logger) (*types.ValidationResult, error) {
-	ec2Svc := aws.EC2Service(s, rule.Region)
+func (s *TagRuleService) ReconcileTagRule(nn k8stypes.NamespacedName, rule v1alpha1.TagRule) (*types.ValidationResult, error) {
+	ec2Svc := aws.EC2Service(s.session, rule.Region)
 
 	// Build the default latest condition for this tag rule
 	state := valid8orv1alpha1.ValidationSucceeded
@@ -43,7 +55,7 @@ func ReconcileTagRule(nn k8stypes.NamespacedName, rule v1alpha1.TagRule, s *sess
 			},
 		})
 		if err != nil {
-			log.V(0).Error(err, "failed to describe subnets", "region", rule.Region)
+			s.log.V(0).Error(err, "failed to describe subnets", "region", rule.Region)
 			return validationResult, err
 		}
 		for _, s := range subnets.Subnets {